Senior Editor

Colleges cram for test of new security plans

Aug 23, 2004
7 mins
Intrusion Detection Software, Network Security, Viruses

Bushwhacked last fall by computer worms, network managers at U.S. colleges have taken steps to make sure it won’t happen again next month when the new academic year begins.

The steps include embracing Microsoft’s Windows XP Service Pack 2, installing new intrusion-detection software, scanning every PC that tries to connect to the campus network, and working harder to convince faculty and students that they have a stake in network security.

But the steps are part of a larger shift in network security awareness: treating every client as a potential threat and continuously monitoring a client’s behavior once it authenticates.

“The big priority is security. It kind of drowns out everything else,” says Brad Noblet, director of technical services at Dartmouth College in Hanover, N.H. “We continue to get pounded by viruses, and it eats up an awful lot of manpower, as well as disrupting people’s lives.”

The worm attacks of fall 2003 coincided with a new strategic planning effort unfolding at Ohio State University (OSU) to make security a priority. “We’re paying vastly increased attention to security,” says Charles Morrow-Jones, director of security and enterprise networking at the school in Columbus.

The change is reflected in the chain of command: Security used to be part of the enterprise networks group, but now Morrow-Jones reports directly to the CIO.

Other changes include centralized anti-virus and anti-spam software, instead of relying on PC applications. OSU selected Clam AntiVirus, an open source program, which can tie into e-mail applications; and Roaring Penguin’s CanIt anti-spam software, a commercial application. Finally, OSU will launch a half-day training program for non-technical managers in departments such as finance and human resources on how to secure and protect PCs and data.

Changes like this are evidence that security is being seen as an increasingly broad issue, affecting how, and whether, services are delivered to network users. McGill University in Montreal is deploying a full-blown identity management system based on Novell’s Nsure Identity Manager, Novell eDirectory and related products.

“We have students, in-house staff, faculty, alumni,” says Gary Bernstein, McGill’s director of networks and communications services. “We have to keep track of all of them in terms of their [network] rights and privileges, which are often changing. We want to capture this data and make it available for authorization as well as authentication.”

“This is more than convenience,” he says. “This is becoming the foundation for almost all network operations in any organization.”

Dartmouth has not gone that far, but this fall it will introduce Aladdin Knowledge Systems’ eToken, which is a small device that plugs into a USB port on a PC and manages a digital certificate. The certificate is part of an open source public-key infrastructure created by researchers at Dartmouth’s PKI Lab, a big step toward creating a secure, single sign-on for users instead of juggling numerous username/password combinations.

The eToken will be handed out to students with their Dartmouth photo ID cards. Initially, the token will be used for user authentication. Eventually, Noblet wants to upgrade the college’s applications to support digital certificates and eliminate passwords.

Many institutions are introducing specific products for security, either creating new capabilities or beefing up current products.

One of the most popular is intrusion-prevention systems (IPS), which watch network or application use to report on suspected attacks or unauthorized activity. IPS devices can be configured to block traffic patterns that are known or suspected to be problematic.

Northeastern University in Boston is deploying TippingPoint Technologies’ UnityOne IPS. “These devices sit on the net, so we can drop [suspect] traffic before it even becomes a problem,” says Richard Mickool, executive director information services.

“You have to be careful as you put all your traffic through these devices,” Mickool says. “You don’t want to create a single point of failure, and you have to be careful what traffic you block.”

Tufts University in Medford, Mass., is focusing on hardening the edge of the network by installing McAfee IntruShield. There are two goals, says Marc Jimenez, manager of network engineering and security: harden the network edge to block attacks from outside the university and detect internal hosts that have been taken over to launch attacks elsewhere. “This will give us another tool in locating internal hosts that have been compromised,” he says.

Keeping PCs clean of viruses

New products and policies target keeping client PCs clean of viruses. But schools this year are going further: They want to quickly quarantine these machines and keep them off the network until the PCs are equipped with virus definitions and patches.

“That’s absolutely the direction we’re going in: You can’t make your computer work on the net until you get scanned by us and get updated and also sign our acceptable-use policy promising to be a good [network] person,” says Carl Whitman, executive director of e-operations at American University in Washington, D.C.

For now, when American University students first try to log on, they’re redirected to a Web site to register their computers and get a valid IP address.

Dartmouth lets clients power up and get Internet access. But starting this fall, to get to applications and data, users have to be authenticated and scanned by Sygate’s client/server software.

The Sygate agent is loaded on to each PC, and the server code hooks into the school’s Norton anti-virus software and its authentication system.

At each logon, the Sygate software runs a set of checks on the PC’s software. If Sygate detects problems, it directs users to a dedicated Web site, sometimes called a captive portal, backed by a tech support team. Users can’t regain network access privileges until they download patches and get help to fix the weaknesses.

Dartmouth’s help desk staff is more likely to reload the entire software image in a client PC than fix a specific problem, Noblet says. “The hackers are more sophisticated than they used to be,” he says. “They write assembly language programs that are hidden from the directory and therefore from a program scanning the directory. We had some cases where we patched a machine, thought we had fixed the problem and then found later the virus was deeper in the machine.”

This year will see a bigger emphasis on security outreach, education and evangelization. More schools will introduce network authentication procedures as a standard part of each student’s fall registration. Summer information packages now include guidelines for outfitting student PCs with anti-virus software, and school security policies and best practices to keep a student’s PC clean and safe. 

New fall curriculum: net security

Some changes that university network administrators have implemented for the new academic year:

Intrusion-prevention systems, to quickly find and block suspicious traffic.
Realigning security functions and chain of command.
Rigorous scanning of PCs, and blocking network access until users have up-to-date software, patches and virus definitions.
Directory-based identity management system for authorizing access to services and authentication.
For the first few weeks of fall term: early-morning staff meetings to identify problems, coordinate responses.
Security awareness seminars with faculty and staff on “how to secure and protect your PC and data.”
Taming rogue e-mail servers by registering them; linking with central anti-virus filtering software.
Electronic tokens, or smart cards, for improved authentication, stronger passwords.

“This year we’re expanding our outreach efforts to include new avenues such as online video presentations, as well as messages contained in the software packages distributed to incoming students,” Tufts’ Jimenez says.

American University is creating a series of posters to be hung in on-campus buildings with warnings and tips about virus protection, spam and copyright issues.

Northeastern has added new network security information to the “welcome back” packets mailed to students. And this year, all residential students – not just the freshmen – get client anti-virus software.

McGill is adding new self-service Web applications to simplify network requirements for users. One is a new Web site where staff and faculty can use a screen to set up a 24-hour guest account for wireless LAN access. In the past, users had to call the network staff to request this.

“It’s the same old enemies: viruses, worms, [peer-to-peer] file transfers,” American’s Whitman says. “But there are some new resources.”
