How four institutions manage security threats

IT managers at Stanford University were concerned. As security threats to colleges and universities increased, Stanford needed to keep private matters private—but at the same time, the university’s IT staff wanted to ensure that its wealth of information resources remained widely available to students, faculty, and researchers.

Yet, each academic department and school was responsible for its own network security measures, leaving this vital layer of protection an “incomplete patchwork,” school officials explained. The university needed an organization-wide firewall service that could accommodate a highly decentralized environment.

Stanford divides its campus network into eight operational zones, with each zone partitioned into multiple virtual firewall or security zones. Each security zone needed a unique set of security policies, virtual private network (VPN) access controls, and administrators.

To solve this challenge, Stanford deployed more than 20 Juniper Networks NetScreen-5000 Security Systems at the network perimeter and data center to protect the academic, administrative, and residential networks against malicious attacks and intrusions. Stanford now offers a baseline firewall service at no cost to all departments, and additional firewall services are available by request.

The Juniper Networks firewalls are deployed in redundant pairs to maximize resiliency and uptime. Full-mesh configurations provide redundant physical paths, so the failure of a single link or device does not take the firewall service down, which also helps the university protect its IT resources in the event of a campus emergency.

The firewalls reduced Stanford’s risk exposure and improved security compliance by offering a consistent level of firewall protection that meets the individual needs of its departments—and Stanford IT executives say the virtualized security service was deployed quickly and without disruption to IT operations.

Stanford integrated the NetScreen-5000 line of firewalls with its NetDB database, which registers a unique name and IP address for each networked computer, to create a decentralized, self-service model in which departmental firewall policy changes are applied on an hourly cycle. Because policy follows the registration data, the accuracy of NetDB entries becomes security-relevant: a host registered in the wrong zone, or a stale entry whose address has since been reassigned, inherits that zone's policy. The university also gained operational efficiencies by standardizing on Juniper Networks firewalls, since its IT staff no longer has to manage and maintain firewalls from multiple vendors.
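An added example of the registration-driven self-service model described above; it is not Stanford's or Juniper's code. A department may request a rule only for hosts it has registered, and the generator checks that each registered address actually lies inside its zone's subnet before emitting a rule. The zone table, registrations, requests and the generic rule syntax are constructed for the example, and the subnet-membership check is an assumption about what such a generator should enforce, not something the article states.

```python
"""Generate per-zone firewall rules from a host-registration database.

Added example (not Stanford's or Juniper's code). A department may request
a rule only for a host it has registered, and the generator verifies that
the registered address sits in its zone's subnet before emitting a rule.
All zone names, hosts, departments and requests are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass

# Constructed zone table (assumed): zone name -> subnet and policy administrator.
ZONES = {
    "academic-1": {"cidr": "10.10.0.0/16", "admin": "cs-netops"},
    "admin-1": {"cidr": "10.20.0.0/16", "admin": "registrar-it"},
}

# Constructed NetDB-style registrations: (hostname, ip, zone, owning department).
REGISTRATIONS = [
    ("web1.cs.example.edu", "10.10.4.10", "academic-1", "cs"),
    ("db1.registrar.example.edu", "10.20.1.5", "admin-1", "registrar"),
    ("stray.cs.example.edu", "10.20.9.9", "academic-1", "cs"),  # address outside its zone
]


@dataclass(frozen=True)
class Rule:
    zone: str
    action: str
    proto: str
    dst_ip: str
    dst_port: int
    src: str


def build_host_index(registrations):
    """Map hostname -> (ip, zone, dept); a duplicate IP is a registry error."""
    index, seen_ips = {}, set()
    for hostname, ip, zone, dept in registrations:
        if ip in seen_ips:
            raise ValueError(f"duplicate registration for {ip}")
        seen_ips.add(ip)
        index[hostname] = (ip, zone, dept)
    return index


def validate_registration(hostname, index, zones):
    """Return None if the host's IP lies in its zone's subnet, else a reason string."""
    ip, zone, _ = index[hostname]
    if zone not in zones:
        return f"{hostname}: unknown zone {zone}"
    if ipaddress.ip_address(ip) not in ipaddress.ip_network(zones[zone]["cidr"]):
        return f"{hostname}: {ip} is outside {zone} ({zones[zone]['cidr']})"
    return None


def generate_rules(requests, index, zones):
    """requests: dicts with keys dept, hostname, proto, port, src.
    Returns (accepted Rule objects, rejection reasons)."""
    rules, rejected = [], []
    for req in requests:
        host = req["hostname"]
        if host not in index:
            rejected.append(f"{host}: not registered")
            continue
        ip, zone, owner = index[host]
        if owner != req["dept"]:  # only the registering department may open its hosts
            rejected.append(f"{host}: owned by {owner}, requested by {req['dept']}")
            continue
        problem = validate_registration(host, index, zones)
        if problem:
            rejected.append(problem)
            continue
        if not 1 <= req["port"] <= 65535:
            rejected.append(f"{host}: bad port {req['port']}")
            continue
        rules.append(Rule(zone, "permit", req["proto"], ip, req["port"], req["src"]))
    return rules, rejected


def render(rules):
    """Render accepted rules as generic text (constructed syntax), grouped by zone."""
    ordered = sorted(rules, key=lambda r: (r.zone, r.dst_ip, r.dst_port))
    return "\n".join(
        f"zone {r.zone}: {r.action} {r.proto} from {r.src} to {r.dst_ip} port {r.dst_port}"
        for r in ordered
    )


# Constructed self-service requests: one valid, one cross-department, one bad registration, one unknown host.
REQUESTS = [
    {"dept": "cs", "hostname": "web1.cs.example.edu", "proto": "tcp", "port": 443, "src": "any"},
    {"dept": "cs", "hostname": "db1.registrar.example.edu", "proto": "tcp", "port": 5432, "src": "10.10.0.0/16"},
    {"dept": "cs", "hostname": "stray.cs.example.edu", "proto": "tcp", "port": 22, "src": "10.10.0.0/16"},
    {"dept": "cs", "hostname": "ghost.cs.example.edu", "proto": "tcp", "port": 22, "src": "any"},
]

if __name__ == "__main__":
    idx = build_host_index(REGISTRATIONS)
    accepted, rejected = generate_rules(REQUESTS, idx, ZONES)
    print(render(accepted))
    for reason in rejected:
        print("rejected:", reason)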

Northwestern University also builds its network security in layers. "Juniper supplies our campus network border routers—the ones that connect us to the outside world, other research institutions and networks," says Julian Y. Koh, Northwestern's manager of network transport, telecommunications, and network services. "That's the first place you want to start applying security filters."

The university also uses Juniper security at the firewall layer. “We have dedicated firewall appliances in front of our data center to protect the data center and enterprise applications from attack, not just from the outside world but also from anyone on campus,” Koh says. His department gives schools within the university the option to contract with IT for their local firewall services. If a given department or school has a small number of machines to protect, IT might deploy a low-end firewall. If a school has greater demands, such as the need to protect a high-speed computing cluster or a larger number of machines, Koh can ramp up the capabilities to meet its needs.

In addition, Northwestern uses Juniper for secure remote access. The university deploys Juniper SSL VPN technology to provide secure access to sensitive data and restricted applications. With this technology in place, says Koh, it has been easy to define various roles and give users different levels of access depending on who they are.

The layered approach has worked, and so have Juniper's products: Northwestern first began using Juniper close to 10 years ago and recently replaced its original routers with Juniper routers again. "That shows our confidence in their function," Koh says.

Securing distance education

The University of Central Florida, with 21 regional delivery sites, has more than 23,000 students taking online courses. UCF’s data network has become a critical resource that supports education, research, administrative services, and campus communications—particularly for those students engaged in distance education.

"The network is a part of how we teach and how we do business," says John C. Hitt, UCF president. IT staff therefore treated maximum network reliability as mandatory: security incidents could not be allowed to jeopardize a network that employees and students depend on every day.

Yet network security threats were costing the university money and time. The steady increase in viruses, denial-of-service (DoS) attacks, and similar threats made it clear that improved network security and monitoring were required. UCF decided to implement a security solution that included:

•    Perimeter security with Cisco PIX security appliances and Cisco Catalyst 6500 Series service modules;
•    Intrusion protection with Cisco IDS sensors and the Cisco Catalyst 6500 Series IDS Service Module, to identify and classify known and unknown threats; and
•    Secure wireless and VPN connectivity using Cisco VPN 3030 concentrators to establish secure connections across TCP/IP networks, including the internet.

Now the university's computer systems are protected from both internal and external risks, campus officials say. For example, the IT team was able to respond quickly to the Nimda worm in 2001, preventing it from spreading across the UCF network. Cisco technology enabled the team to track the affected machines and immediately remove them from the network, UCF officials say. Containment of that kind depends on being able to map the source address in an alert to a physical port or a registered owner quickly; the tracking step is what turns a detection into an isolation.
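The Nimda response above, as an added example that is not UCF's or Cisco's tooling: a script that identifies infected sources from the probe requests the worm sends to web servers and produces a block list. The probe strings (requests for root.exe or cmd.exe with "/c+dir", and the "%255c" / "%252f" / "%c1%1c" / "%c0%af" IIS traversal encodings) are the ones documented for Nimda; the access-log lines, addresses, threshold and the deny-list syntax are constructed. The script also separates out probes the server answered with 200, because a server that served a cmd.exe request may itself be vulnerable or already compromised and needs investigation, not just the client that sent the probe.

```python
"""Flag Nimda-style web probes in access logs and list hosts to quarantine.

Added example, not UCF's or Cisco's tooling. The probe patterns are the ones
documented for the Nimda worm; the log lines, IP addresses, threshold and
deny-list syntax below are constructed for the example.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# Common/combined log format: source, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Nimda probe signatures, matched against both the raw and the decoded URI.
PROBE_RES = [
    re.compile(r"/root\.exe\?/c\+dir", re.I),
    re.compile(r"/cmd\.exe\?/c\+dir", re.I),
    re.compile(r"%c1%1c|%c1%9c|%c0%af|%c0%2f|%255c|%252f", re.I),  # IIS traversal encodings
]

# Constructed sample access log: one scanning host, one host whose probe was served, one clean client.
SAMPLE_LOG = """\
10.0.5.21 - - [18/Sep/2001:09:12:01 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
10.0.5.21 - - [18/Sep/2001:09:12:01 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 -
10.0.5.21 - - [18/Sep/2001:09:12:02 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
10.0.5.21 - - [18/Sep/2001:09:12:02 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
10.0.7.8 - - [18/Sep/2001:09:13:40 -0400] "GET /index.html HTTP/1.1" 200 1532
10.0.7.8 - - [18/Sep/2001:09:13:41 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 -
172.16.2.9 - - [18/Sep/2001:09:15:00 -0400] "GET /courses/cs101/syllabus.pdf HTTP/1.1" 200 98012
"""


def parse(line):
    """Return the log fields as a dict, or None if the line is not in the expected format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_probe(uri):
    """True if the request matches a Nimda probe, before or after percent-decoding."""
    decoded = unquote(unquote(uri))  # two passes: %255c -> %5c -> backslash
    return any(r.search(uri) or r.search(decoded) for r in PROBE_RES)


def analyse(log_text, threshold=1):
    """Return (probe count per source, sources at or above threshold, probes answered with 200)."""
    probes = defaultdict(int)
    served = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or not is_probe(rec["uri"]):
            continue
        probes[rec["src"]] += 1
        if rec["status"] == "200":  # the server handed something back: investigate the server too
            served.append((rec["src"], rec["uri"]))
    quarantine = sorted(src for src, n in probes.items() if n >= threshold)
    return dict(probes), quarantine, served


def block_list(quarantine):
    """Render a generic deny list (constructed syntax), one entry per source."""
    return [f"deny ip host {src} any" for src in quarantine]


if __name__ == "__main__":
    counts, to_block, answered = analyse(SAMPLE_LOG)
    print("probe counts:", counts)
    print("\n".join(block_list(to_block)))
    for src, uri in answered:
        print(f"server answered 200 to probe from {src}: {uri}")
```

The threshold is deliberately 1: a request for root.exe or cmd.exe with "/c+dir" has no legitimate use, so a single hit is enough to act on. Raise it only if the log also contains your own vulnerability scanner's traffic.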

Quinnipiac University, in Hamden, Conn., has a much smaller student body but faces the same challenges, needing to walk the tightrope between giving users easy access to information and the constraints of government and industry privacy and protection standards.

For instance, the Higher Education Act of 1965—recently reauthorized with strict rules regarding copyright—and the Family Educational Rights and Privacy Act protect sensitive student information. Quinnipiac wanted to make sure it was compliant, so Brian Kelly, information security and network operations director for the university, knew he and his team needed to redesign their enterprise security strategy.

The first step was to gain a clear, real-time view of security issues across the network, via a sophisticated intrusion prevention system (IPS) from Hewlett-Packard. Kelly uses the IPS to aggregate and analyze logs from various watch points throughout the enterprise. Drawing information from a single database, rather than going from device to device to pore over system logs, has enabled Quinnipiac’s IT team to accomplish more comprehensive monitoring, auditing, reporting, and event mitigation.

“Before our IPS, we were using a series of home-grown utilities to try to aggregate and sift through system logs,” Kelly says. “But we don’t have a lot of full-time employees, so we either missed things or wasted valuable staff resources.”

Now the team has immediate access, from a single console, to critical security data, including network usage and possible threats. Team members can more easily deploy, update, and enforce access and configuration policies. Automating these tasks and giving the appropriate personnel tailored information frees up IT resources for other, more strategic projects. It also empowers users to make better, faster decisions about data and network protection, Kelly says.

—J.N.

Laura Ascione