- eCampus News - https://www.ecampusnews.com -

eCN Special Report: Next-Generation Network Security

A multilayered approach is often necessary to protect campus networks.

In the Middle Ages, city planners and feudal land owners relied on a multilayered approach to keep marauders at bay: Those laying siege to a castle, for instance, first had to cross a moat, then get past an outer wall, or curtain wall. If they succeeded in breaching this outer wall, invaders faced a series of daunting obstacles in a structure called a barbican, a narrow exterior passage that led to the main castle entrance. Invaders who were lucky enough to reach this barbican were subject to attacks with heavy stones, molten lead, or boiling water dropped through “murder holes” in the ceiling of the passage.

Their methods might not be as barbaric, but information technology officials at many colleges and universities have adopted a similar strategy in securing their computer systems from attacks. The routers, firewalls, and virtual private networks (VPNs) in their arsenal are analogous to the moats, curtain walls, and barbicans of old.

“A layered approach to security is desirable, because you are protecting yourself against a failure by any layer,” says Julian Y. Koh, manager of network transport, telecommunications, and network services for Northwestern University.

“Let’s say someone was able to get through the protective measures at our border router; they would still be blocked at the firewall level,” Koh explained. “Or, if someone bypassed our border router and tried to come in through the VPN, the security measures at the VPN would stop them.”

He added: “The layered approach is a way of protecting yourself against failure by any of the components in your security model.” (Here [1] is a glossary of network security terms.)

Network security a growing challenge

College and university officials must deal with a host of potential threats to their network environments, with new online interactivity such as peer-to-peer communication, text messaging, and social networking contributing to the problem as information is shared across devices and networks.

A campus network can have thousands of devices logging in at any given moment, and security threats abound. College students, young and—by nature—typically curious, often test the security system just to see if they can crack it. More malicious attacks also can take place as hackers attempt actions such as stealing Social Security and credit card numbers, illegally accessing the student information system to change grades or destroy proprietary school information, or hacking into the financial system to make it look like tuition has been paid when it hasn’t. Then, there are attacks launched unknowingly by users logging on to the network with their own machines that already might have been compromised by viruses and worms.

In short, every single device connected to the network—whether in a classroom, dorm room, administrative office, or off campus, as well as the smart phones and other web-enabled mobile devices that students carry around with them—is a potential entry point for a security attack.

With these developments, the chief information officers of higher-education institutions face a challenge that is perhaps greater than at any time in the past. Yet, at the same time, college and university CIOs also need to pave the way for users to access information from any location. Students and faculty want to be able to log onto the network using a variety of devices, from Macs and PCs to laptops, iPads, and smart phones. They need to be able to access the network from a variety of locations, both on and off campus. Distance learning, in particular, has made it more important than ever that students be granted access to resources from remote locations.

“Security is a wide-ranging topic,” says Troy Herrera, senior marketing manager for Juniper Networks, a company that provides network security solutions for colleges and universities. “You want to make things accessible and encourage the sharing of information, but you must protect proprietary information and research and infrastructure.”

Click here to download a PDF of the eCN Special Report on Next-Generation Network Security. [2]

Campus life is changing in ways that would have been impossible to imagine even a decade ago. “We have video and data and texting and sharing information and collaboration, and we have viruses and worms and Trojans being passed back and forth. It’s a highly infectious environment, like the club scene in the 1980s,” says Bill McGee, security solutions manager for Cisco Systems, another company offering network security solutions to colleges and universities. “You want collaboration to happen, but it has to be safe.” (To learn more about four universities’ approach to security, see “How four institutions manage security threats [3].”)

Students aren’t the only ones who want easy access to the network from a variety of devices. Faculty, too, need anytime, anywhere access. A professor might want to be able to grade papers on the train using his smart phone and then repost them back to student mailboxes, or sit in a coffee shop and log on to the campus network wirelessly to work on lesson plans.

Hypothetically, there could be a student at the coffee shop using his computer to pose as a wireless access point, and the faculty member might log in via that person rather than via the coffee shop’s network. Then, says McGee, the student could “sit in the middle of the coffeehouse, watching all the traffic that’s flowing through. [Colleges] need to take appropriate countermeasures against that kind of attack.”

Campuses that have graduate-level offerings pose an even greater security challenge. Some of the biggest recent security threats to colleges and universities have come from graduate student labs, says McGee. And schools with hospitals attached have had patient information inadvertently made available because there is an overlap between patients and students.

Technology managers know that cyber crime is a very real threat. In fact, $202 million is lost to cyber crime every year in the U.S. alone, according to Cisco.

To meet the demands of anytime, anywhere access and allow for the open exchange of information, while simultaneously protecting users and the network, an institution needs to have a robust technology infrastructure that takes a layered approach to security, experts say.

What a layered approach might look like

Layered security refers to the combination of security products, at different levels of the network, that can strike a balance between strong network security and open network access for all users—and finding the right balance between these objectives will vary from institution to institution.

“One of the biggest things we’re seeing in education is that, in terms of security, if something doesn’t look right, [campus officials] shut it down,” says Michael Rothschild, solutions marketing director for Juniper. “And one of the biggest issues with that approach, especially in a university setting, is freedom of speech. Someone might be doing something totally normal, but if it’s a questionable activity, it gets shut down. It’s like using a hammer to kill a fly.”

By taking a layered approach, he explains, colleges and universities can look at risks on a more granular level, which allows them to be more specific in terms of how they handle each individual threat.

A typical layered approach can be broken down into four main categories of service:

Access Control and Authentication

Access control refers to the ability to limit access to different types of content or activities. For example, if a computer lab is only to be used for research or science and math, and people are using it for video games, a local firewall can stop people from using the lab for that activity.

Firewalls also can help protect against “Denial of Service” (DoS) attacks, in which a malicious attacker can flood a network with incoming packets of information to try to bring it down.

“At this level [of security], you’re forced to authenticate,” says McGee.

The security solutions put into place can determine who a user is, what device the person is using, and the level of access that he or she has been granted to various parts of the network. They also can check a user’s device to make sure there are no viruses and that it has the required antivirus software turned on. If the user’s device does not meet those requirements, the user can be routed to a place where he or she can find an explanation of how to become compliant by downloading the appropriate software. Once the user has done this, he or she once again can log onto the network, this time successfully.

Firewall appliances, such as Juniper’s SRX Security Services Gateways, also can allow higher-education institutions to create distinct “virtual” network segments, and manage which users have access to those segments. Higher-ed institutions can separate graduate students from undergrads, engineering students from liberal arts students, and different schools or departments within the university from each other.

“Before, engineering would build one network, and liberal arts would build another. But now, [institutions] can build [a single] network and virtualize it; engineering would be a virtualized portion of the network, liberal arts would be another. They can scale it very well, and there’s tremendous cost benefits,” McGee says.

By defining virtual security zones on a firewall, the campus network is logically divided into separate service segments, each with its own rules. This allows educational organizations to create, manage, and enforce rules in which only users from a certain department, for example, can access that department’s applications and data.

Centralized management is important to creating a layered approach to security, says Juniper’s Herrera. “Firewalls can get very complicated to manage, so the ability to manage at scale, and with a centralized management console so you can see [permissions data] across the organization, is important,” he explains.

A centralized access policy manager resides on the local area network (LAN) itself, to ensure that only authorized users can gain access to network destinations. It protects the campus network at the “data link layer”—Layer 2 in the Open Systems Interconnection (OSI) model of network architecture, the point at which a device first attaches to the network—by identifying and authenticating each LAN user before the network provides the user with an IP address.
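The access-control flow described in this section (authenticate the user before any address is handed out, check the device’s antivirus posture, route non-compliant devices to a remediation page, and place compliant users into their department’s virtual zone) as an added example; this is not the article’s or any vendor’s code, and the directory, zone names, threshold and remediation URL are constructed placeholders.

```python
# Added example (constructed; not from the article or any product): a minimal
# network access control decision modelled on the flow the article describes.
import hmac
from dataclasses import dataclass
from typing import Optional

MAX_SIGNATURE_AGE_DAYS = 7                                   # constructed threshold
REMEDIATION_URL = "https://remediate.example.edu/antivirus"  # placeholder URL

# Constructed campus directory: username -> (password, department).
# A real deployment would hold password hashes, not cleartext.
DIRECTORY = {
    "jdoe": ("correct-horse", "engineering"),
    "asmith": ("battery-staple", "liberal_arts"),
}
# Department -> firewall security zone (one virtual segment per school)
DEPARTMENT_ZONES = {"engineering": "zone-eng", "liberal_arts": "zone-la"}

@dataclass
class DevicePosture:
    antivirus_installed: bool
    antivirus_enabled: bool
    signature_age_days: int

@dataclass
class Decision:
    action: str                  # "permit", "remediate" or "deny"
    zone: Optional[str] = None   # zone the user is placed into, if any
    reason: str = ""

def posture_problem(posture: DevicePosture) -> Optional[str]:
    """First reason the device fails the antivirus requirement, or None."""
    if not posture.antivirus_installed:
        return "antivirus not installed"
    if not posture.antivirus_enabled:
        return "antivirus installed but turned off"
    if posture.signature_age_days > MAX_SIGNATURE_AGE_DAYS:
        return f"signatures {posture.signature_age_days} days old"
    return None

def decide_access(username: str, password: str, posture: DevicePosture) -> Decision:
    """Authenticate first; no zone (and so no address) is assigned until that succeeds."""
    entry = DIRECTORY.get(username)
    # Same answer for unknown user and wrong password, compared in constant time
    if entry is None or not hmac.compare_digest(entry[0], password):
        return Decision("deny", reason="authentication failed")
    problem = posture_problem(posture)
    if problem:
        # Non-compliant device goes to a quarantine zone that only reaches the fix-it page
        return Decision("remediate", zone="zone-quarantine",
                        reason=f"{problem}; see {REMEDIATION_URL}")
    return Decision("permit", zone=DEPARTMENT_ZONES[entry[1]], reason="compliant")
```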

Intrusion Prevention

The next layer of protection in the typical layered security model involves application-level protection technologies that monitor network traffic and dynamically analyze it for signs of attacks or intrusions. These devices search for hidden security threats inside common applications such as eMail and instant messaging. Intrusion prevention system (IPS) devices examine control and data fields within the application flow to verify that the actions are allowed by your security policy and do not represent a threat to end systems. They can identify content out of the norm or content that represents a known attack or exploit from worms, Trojans, spyware, and other threats.

IPS devices can examine the subject field, attachment name, or attachment type within eMail traffic to detect characteristics of known viruses, for example.

Solutions such as Juniper Networks’ IDP Series Intrusion Detection and Prevention Appliances detect both known and unknown application-layer threats within network traffic and eliminate those threats in real time. The IDP Series also detects the use of unauthorized applications such as instant messengers or file sharing.

Universities could lose their federal student loan status if they don’t comply with laws governing copyrighted material on the web, says James Webb, chief information officer at West Texas A&M University. His team put a system into place preventing illegal peer-to-peer file-sharing traffic in which copyrighted material such as movies or music is exchanged. (For more on West Texas A&M University’s efforts, see “Top-notch security a must to remain in compliance, gain grants [4].”)

If the university’s IPS device detects such activity, the students are directed to a site explaining that what they are doing is illegal, and they must agree that they won’t attempt to do it again. Each time they attempt to exchange such material, they receive 10 points, and if they rack up 40 points, they are banned from the network until they go through student judicial affairs and get clearance to log back on. “That cuts down on illegal peer-to-peer traffic,” says Webb.

Unified Threat Management

Another layer of security involves file-level protection, which gives the ability to extract individual files within network traffic and inspect them to detect malware, including viruses, worms, or Trojans.

A common technology for file-level protection in a network is an antivirus gateway. Antivirus systems typically scan files in eMail and web traffic, mainly inspecting communication from servers to clients. Viruses are aimed at damaging or compromising end-user systems, but they use various eMail and web servers to propagate. Consequently, it’s important to detect viruses while they are being uploaded to, or downloaded from, servers.

Antivirus systems can search for virus signatures—a unique string of bytes that identifies a virus—and zap the virus from the file. According to Juniper, most antivirus scanning systems catch not only the initial virus but also many of its variants, because the signature code usually remains intact. Gateway antivirus systems scan files that are embedded in network traffic, including files in HTTP and eMail traffic, sent as attachments. If an infected file is detected, a gateway antivirus system removes it from the traffic, so that it does not affect other users.
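The eMail inspection described above, both the IPS-style checks on subject and attachment type and the gateway antivirus signature scan that strips an infected attachment from the traffic, as an added example; this is not the article’s or any vendor’s code, and the message, extension list, subject list and byte signature are constructed test data.

```python
# Added example (constructed; not from the article or any product): a small
# mail-gateway scanner that flags attachments by type and by byte signature
# and removes flagged attachments so the rest of the message is delivered.
from email import message_from_bytes, policy
from email.message import EmailMessage

BLOCKED_EXTENSIONS = {".exe", ".scr", ".vbs"}                   # constructed list
SIGNATURES = {"test-worm-alpha": b"MZ\x90\x00TEST-WORM-ALPHA"}  # constructed signature
SUSPECT_SUBJECTS = ("your invoice is attached",)               # constructed list

def build_sample_message() -> bytes:
    """Constructed message: one clean PDF and one attachment carrying the signature."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "alice@example.edu", "bob@example.edu"
    msg["Subject"] = "Your invoice is attached"
    msg.set_content("See attached.")
    msg.add_attachment(b"%PDF-1.4 harmless report", maintype="application",
                       subtype="pdf", filename="results.pdf")
    msg.add_attachment(SIGNATURES["test-worm-alpha"] + b"\x00" * 16,
                       maintype="application", subtype="octet-stream",
                       filename="invoice.exe")
    return msg.as_bytes()

def inspect_attachment(part) -> list:
    """Check the attachment name/type first, then scan its decoded bytes."""
    findings = []
    name = (part.get_filename() or "").lower()
    ext = name[name.rfind("."):] if "." in name else ""
    if ext in BLOCKED_EXTENSIONS:
        findings.append(f"blocked attachment type {ext}")
    data = part.get_payload(decode=True) or b""   # base64 is decoded here
    for sig_name, sig in SIGNATURES.items():
        if sig in data:
            findings.append(f"signature {sig_name}")
    return findings

def scan_and_clean(raw: bytes):
    """Return (cleaned message, report); report pairs a location with its findings."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = []
    subject = str(msg["Subject"] or "").strip().lower()
    if subject in SUSPECT_SUBJECTS:
        report.append(("subject", [f"known-bad subject: {subject}"]))
    if not msg.is_multipart():
        return msg, report
    kept = []
    for part in msg.iter_parts():
        findings = inspect_attachment(part) if part.is_attachment() else []
        if findings:
            report.append((part.get_filename(), findings))
        else:
            kept.append(part)
    msg.set_payload(kept)   # drop flagged attachments, keep body and clean files
    return msg, report
```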

Encrypted Communications

A fourth layer of security involves setting up secure connections between locations that encrypt transmissions using VPN technology when the transmissions are running across untrusted media, such as the internet. There are multiple kinds of VPN solutions from which to choose, and no single type of solution is the right option for every situation.

Internet Protocol Security (IPsec), for instance, is a set of protocols for securing IP communications by authenticating and encrypting each IP packet of a communication session. IPsec is an end-to-end security technique that operates at the network layer (Layer 3 of the OSI networking model). It can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host).

Other internet security protocols operate in the upper layers of the networking model. Secure Sockets Layer (SSL) and Transport Layer Security (TLS), for example, encrypt application data above the transport layer. Several versions of these protocols are in widespread use in applications such as web browsing, eMail, and voice over IP.

For fixed remote campus locations, Juniper suggests that IPsec is the preferred method for deploying VPNs. IPsec can operate with low latency for applications that require high performance. Once IPsec tunnels are configured and in place for fixed locations, they typically do not need to be reconfigured and usually can operate without manual intervention.

For the teleworker and mobile campus population, a better alternative might be to use SSL VPNs. Because the SSL VPN uses technology embedded in all standard web browsers, it is a clientless platform and requires little or no manual configuration on the part of the user, and no changes to internal servers. This makes VPN access seamless to the remote user.

“When you have all these different layers of access control with a network access solution, you’re able to get very granular and very specific in terms of what’s allowed and not allowed,” says Herrera. And you can ensure that, when a threat occurs, it is not only stopped, but is also reported, so that IT staff can know where potential problems lie.

Choosing the right security solution

When choosing a next-generation security solution, it’s important to pick a solution that can work with whatever networking equipment and vendors your school is already using.

In times past, when IT managers found a solution that did not work with what they already had, the notion of “rip and replace” was a suitable action: They simply ripped everything out and started over. Today, with far less money available to universities, the notion of augmentation—that is, adding on to what already exists and making the technologies work together—is far more viable.

IT managers must ask what kind of disruption a new security technology will cause, says Rothschild. Juniper’s solutions are able to operate across multiple vendors’ equipment: If a school already uses someone else’s firewalls, “[with] our intrusion prevention system, we can correlate multiple feeds across these different products to root out stealthy activity,” Rothschild says.

Whatever solution or combination of solutions you choose, addressing the new and growing variety of network security risks while increasing your institution’s flexibility and capacity to innovate is a delicate balancing act—one that requires your technology infrastructure to be robust enough to handle the challenge.

“In order to have good security, it is very important that people know how their networks are set up, and what normal behaviors are, so they can notice anomalies and trends,” says Koh. “Choosing vendors whose equipment and systems can give you visibility into those trends and metrics is one of the most important things to consider when choosing whom to work with.”

Jennifer Nastu is a freelance writer who frequently covers technology in education.