
The Growing Vulnerability of Campus Networks

Wednesday, March 13, at 2 p.m. U.S. Eastern time

How can colleges protect their computer networks from a new wave of intruders?

The topic

The volume and intensity of security attacks on campus computer networks are growing at an alarming rate. Virus infections, unsecured software, and a shortage of people who know how to make computers safe on the Internet are converging to make campus networks a particularly alluring target for hackers -- and now, some experts worry, terrorists. Colleges are scrambling to figure out the extent of the problems they face, to come up with solutions, and to improve security -- without destroying the academic culture in which computer users expect easy and relatively open access to networks.

The guest

Randy Marchany, who has been working in the computer industry since 1972, is a senior member of Virginia Tech's Unix system management group and the coordinator of the university's Computer Incident Response Team (CIRT). He is also the coordinator of VA-CIRT, an incident-response group comprising the teams from various public universities in Virginia. Mr. Marchany was one of the authors of a report, "Consensus Roadmap for Defeating Distributed Denial of Service Attacks," which was requested by the White House after a series of attacks on commercial Web sites in 2000, and he frequently lectures on network-security issues. Mr. Marchany will respond to questions and comments about the security of campus networks on Wednesday, March 13, at 2 p.m. U.S. Eastern time. Advance questions are encouraged and may be posted now.


A transcript of the chat follows.

Florence Olsen (Moderator):
    Good afternoon, and thanks for joining today's online chat about campus network security. I'm Florence Olsen, a writer for The Chronicle of Higher Education, and I'll be the moderator for the chat.


Randy Marchany:
    Thank you very much for having me here.


Question from Theresa Regge, University of Wisconsin at Madison:
    We can't layer tons of security measures on our network without restricting or hindering the work we do. After being hacked twice, we are installing a firewall. But it has become obvious that I can't absolutely prevent intruders from gaining access to the network without seriously hampering the work we do. I am very interested in the opinions and solutions of others in dealing with this thorny issue.

Randy Marchany:
    The firewall approach needs to be layered, in that you can't place all of your security on a single box and expect it to effectively "secure" your network. You need to have a combination of things such as personal firewall software like ZoneAlarm or BlackIce, or a variety of other similar tools. You need to install this at all of your endpoints. This constitutes the first line of defense.

What you need to do is come up with a common configuration of what you want to allow and not allow. Things like what services or ports you'll allow access to. Have a way to monitor when attempts are made against your machines. I think personal firewall software is going to be the wave of the future as campuses install wireless networks, because right now a wireless network will bypass a firewall box. At Virginia Tech we purchased site licenses for ZoneAlarm and BlackIce as a service to our university community. We're in the process of deciding on this configuration.


Question from Mark Trebian, Fond du Lac Tribal and Community College:
    What is the most effective way to assess your campus's vulnerabilities?

Randy Marchany:
    There are a couple of things that you can look at. The SANS Institute's top 20 internet threats document at http://www.sans.org/top20.htm lists the 20 vulnerabilities that were responsible for over 90% of the successful attacks in the last 4 years. You should examine all of your critical assets and see if any of these vulnerabilities apply to your systems. The document includes some solutions for addressing these vulnerabilities.

The more general approach is to conduct a risk analysis of your system. At Virginia Tech we have a couple of templates that you're more than welcome to take a look at. We have used these templates for our IT audit for the entire university -- about 160 departments -- and have gotten close to 98% on-time return. You can see the templates at http://security.vt.edu and click on the risk analysis link.


Question from Rick Gasper, King's College:
    How much monitoring of its resident students should a college do?

Randy Marchany:
    We don't specifically monitor our residential networks. We do not isolate them from the rest of the campus network and we act only when we receive a complaint about a particular machine. Our response is that the port gets disabled immediately. The trouble ticket is flagged to call the security team when the student calls to report that they can't get on the network.


Question from Mark Faulkner, University of Cincinnati:
    I have four questions. The first one -- do universities need to plan for security in all aspects of the network -- that is, for administrative, student, research, video, voice over IP, etc.?

What can universities do to achieve a quick payback -- in essence, to pluck the low-hanging fruit?

Can you cite cases where a university or any entity has been held negligent for lack of security?

And for universities with medical environments, what will be needed to satisfy HIPAA regulations -- from the Health Insurance Portability and Accountability Act?

Randy Marchany:
    1) Yes. Pretty much in the order that you specify. Presumably, the acceptable use policy will govern the use of IT resources.

2) See the SANS Institute's top 20 document. That's the quickest payoff that yields the most tangible results quickly. It's only 20 items to check.

3) As far as I know, there are none in the docket at the moment. However, NSF, NIH, and DOE are adopting tougher wording in their grants requirements, specifically addressing the security of the assets being used in the grant.

4) Clair Goldsmith recently wrote an article for one of the Educause publications specifically dealing with HIPAA. I don't remember the exact location of that article, but Clair is the vice-president for information systems at the University of Alabama at Birmingham.


Question from Florence Olsen, moderator:
    You have done research and written about security audits. Could you explain what a security audit is -- and why you think it is an undertaking that colleges should consider?

Randy Marchany:
    It's something that colleges should consider simply because external audit agencies require it. In our case, we are a state agency and subject to the state auditor's review, and this is one of the requirements of their review. A security audit is an examination of an asset in which its system or application security settings are compared against a common standard benchmark. It's simply a measurement of how your system rates against this benchmark. Management will always listen to auditors and not necessarily to system administrators. Here's a web site where you can get a minimum security benchmark for a variety of platforms, including Solaris, HP-UX, Windows 2000, and Linux: the Center for Internet Security web site is http://www.cisecurity.org; click on the benchmark tools link to download the document and scanning tool. Both are free.


Question from Don Campbell, College of Southern Maryland:
    I suggest that incoming calls be set for four rings before the computer answers, and for one or, at most, two tries at the password before the system cuts off and requires redial. It takes time to break into a system, and the more time, the less inviting the target. Why isn't this done as a matter of course?

Randy Marchany:
    I assume you're talking about the campus modem pool. We have caller ID enabled on our modem pool and don't think we need to do anything else to identify where the call's coming from.


Question from Ed, small community college:
    As part of our network upgrade, my institution is implementing Microsoft Exchange Server. We do not want Outlook clients on all of our library computers, but are getting them anyway. How is it possible to maintain any network security when information policy is created without any thought to security by network managers more concerned with getting a good licensing agreement from Microsoft than with flooding the system with viruses?

Randy Marchany:
    The silly answer is don't use Exchange. A more realistic answer is to investigate using e-mail virus filters as a front-end to your mail system. We use a system from Mirapoint for our non-Exchange e-mail, but the Exchange server properly configured should be able to intercept most of the known viruses. Again, a layered defense is desirable. The solution is not cheap, so this is where the risk assessment process can help you justify the expense.


Question from Tony White, Georgia Tech:
    Do you favor an approach that relies on good, host-based security, rather than on firewalls and filters -- and can you educate people to do this?

Randy Marchany:
    Host-based security is simply the firewall function resident at each host. So personal firewall software is an example of that, both for the Windows and Unix environment, and there are some small offerings for the Macintosh environment.

You still need a good filtering scheme as part of your layered defense. However, you don't need to activate it unless there is an event. At a minimum, your network group should have proper ingress and egress filters in place to prevent your network from being used to attack another site. Host-based detection systems are another component of your overall defense strategy.


Question from Florence Olsen, moderator:
    How seriously do you take the threat that terrorist groups could seek to do harm by hijacking campus networks?

Randy Marchany:
    Before 9-11, not very seriously. After 9-11, very seriously. The February 2000 DDoS attacks used approximately 300 systems to cripple access to major e-commerce sites. Some of these sites had been compromised for up to a year earlier, and had not been discovered. The threat from university networks may be diminishing slightly, but only because home computer networks such as DSL and cable modems offer many more attractive targets.

SANS-FBI statistics suggest that 2.3 million home computers are added to the net every month. These systems certainly do not have adequate security on them.


Question from Brad Tilley, VT:
    Hi, Randy. What is the biggest network threat that departmental systems administrators should be on the lookout for?

Randy Marchany:
    Trojan attacks are the biggest threat. Older attacks such as Netbus, Sub7, Nimda, or any similar remote-control attacks, pose the biggest threat to desktops. DDoS tools are being built for desktops and once again, the security of the desktops is not as strong as we would like. In my opinion, vendors are selling us insecure systems, thereby putting us at risk right out of the box.


Florence Olsen (Moderator):
    If you have questions for Randy Marchany, now would be a good time to ask them because we're halfway into our conversation about campus network security.


Question from Rick Richmond, University of Wisconsin at Eau Claire:
    How do you balance the need for privacy and confidentiality of legitimate computing activity with the need to maintain intrusion detection logs?

Randy Marchany:
    There's a recent document that was published by the American Association of Collegiate Registrars and Admissions Officers, http://www.aacrao.org. The report is called "A Final Report on the NSF-LAMP Project: Identifying Where Technology, Logging, and Monitoring for Increased Security End and Violations of Personal Privacy and Student Records Begin." The authors are Virginia Rezmierski and Nathaniel St. Clair. This document is an excellent resource and will answer your question. I believe it's a free download from their site.


Randy Marchany:
    I forgot to answer Tony White's second question. Tony had asked how we educate people about good host-based security. Training seminars for sys-admins are an excellent tool to bring the knowledge level of campus administrators up to a certain level. Topics can include general system management, security, incident response, and auditing. We've provided seminars like this here at Virginia Tech for our system administrators around campus. We don't do it as often as we'd like, but we're working on increasing the frequency of these classes.


Question from John Q. Public:
    What do you think about public institutions partnering with for-profit security companies, which take the results -- papers, tools, etc. -- and then charge for them?

Randy Marchany:
    I'm not aware of any that do that. We work with the Center for Internet Security, but they are non-profit and the tools and documents are free.


Question from Tom B, public accounting firm:
    Do you have any data on what higher-education institutions are spending on information-technology security initiatives?

Also, what are some of the more common types of projects or security initiatives, and do you know within a range what is being spent on these projects annually?

Randy Marchany:
    1) No. We have very limited data for what we spend here at Virginia Tech. Our expenditures are more along the lines of site licenses for various security software such as anti-virus software and personal firewall software. Our training is done mostly in-house. We tend to use freeware security tools such as Nessus, the CIS benchmark tools, Tripwire, IPFilter, Portsentry, and Logcheck. These tools are as good or better than most of the commercial security tools on the market. And they're free.

2) In dealing with other Virginia universities, IT training on security and incident-handling would seem to be one of the top priorities. Increasing general user awareness is another high-priority item.


Question from Sandra Wood, University of Alabama at Birmingham:
    In writing up violations, we have had a difficult time putting together a total incident report. Are you aware of any products that could help us in pulling together info from IDS logs, router logs, firewall logs per incident in a form that is "upper management" worthy? We are a Cisco shop, if that matters.

Randy Marchany:
    I'm not aware of any incident reporting software that does this. I know that there are a lot of commercial and freeware vulnerability scanners that produce some very good HTML-based reports. It would seem to me that you would not include detailed router logs or the like to a report to upper management simply because they wouldn't understand it. The higher up the management chain you go, the simpler you have to get in your report. :-) At the mid-level range, we have a number of web-based front-ends for our Cisco log, so we can simply include an HTML file that has the appropriate router log entries. That's a home-grown tool we developed here. Our network management group has done some excellent work in developing tools of this sort.


Question from Corky Brunskill, University at Buffalo:
    It seems to me that a majority of our security problems come from institutions trying to run enterprise-level requirements using mom-and-pop technologies. Rather than using secure, robust Unix-based client/server infrastructures, they choose PC-based systems that are well known for their vulnerabilities and shortcomings. Any recommendations as to how you convince IT people that Unix isn't an alien life form?

Randy Marchany:
    You get what you pay for. :-)

The best way to approach this is to conduct a risk-analysis of your business functions and your IT assets. You can visit our web site at http://security.vt.edu for examples on how to do this. You're never going to totally eliminate the PCs or Macs from your environment for a number of reasons, including cost. It is a risk you will have to accept, but you can take steps via education of your administrators and users on best practices for those environments. Typically, what you might find is Unix servers handling the enterprise applications and desktop clients doing "real work" for the end user. The problems of securing both the server side and the desktop side are the same. A very simple solution is to make sure that you are up to date on your vendor patches and hot fixes, whether it's a Unix or desktop platform.


Question from Ken Wieringo VT:
    How well protected is an 802.11b wireless access point (Orinoco brand) if the security portion of the setup is turned on? Does it prevent outsiders from using your wireless surreptitiously by driving by?

Randy Marchany:
    You need to be very careful with wireless implementations. There is software that will map your access points. This software can be loaded on a Palm device. An example of this is Netstumbler. See netstumbler.com for examples of this type of tool. Regardless of what you use, you should always have some form of encryption such as SSH or SSL as a mandatory requirement for any wireless transactions. Radio waves act funny under certain atmospheric conditions. Those that remember listening to AM radio may remember listening to stations from across the country when the weather was right. This is why you need to have encryption for any kind of wireless transaction.


Comment from Bob, small community college:
    Randy, we hope that you and your institution continue with 'free' training on information security, especially training geared toward higher education in Virginia. Relevant training from real world sources like yourself in information security and information technology is badly needed. Thanks, and keep up the good work!


Question from Chris Larger, NACUBO, National Association of College and University Business Officers:
    Randy, is legislation needed at the national level to help colleges and universities and other entities achieve greater security for their networks? We know that institutions invest significantly in their electronic infrastructures and it is important to safeguard their investments. Is access to safeguards an issue of cost, or is the problem related to lack of an effective technological solution to better detect intrusions?

Randy Marchany:
    There is legislation in Congress that deals with cyber-security. If you go to http://thomas.loc.gov and enter cybersecurity in the search field, there are a number of items currently being debated in Congress. Some of them are the Cyber-Security Information Act H.R. 2435, the Cyber-Security Research and Development Act H.R. 3394, the National Homeland Security Agency Act H.R. 1158, and the recently passed U.S.A. Patriot Act. These are examples of pending or actual legislation that deal with cyber-security.

I'm really concerned about the emergence of liability lawsuits coming on in the next 18 months. Lawyer groups have been asking about cyber-security issues, and my gut instinct tells me that they wouldn't be interested unless they saw something coming down the pike.

Vendors are shipping us insecure software. We have no time to secure a system with a vendor patch because the holes are well-known and can be exploited immediately. Until vendors start shipping us secured software, we will always be at risk.


Florence Olsen (Moderator):
    Our guest has agreed to answer two more questions.


Question from Bob Babb, Union College, Schenectady NY:
    What is your opinion of the use of Snort and Nessus to help determine security threats?

Randy Marchany:
    Every higher ed institution needs to use them. I believe it was Information Security Magazine that rated Nessus one of the best vulnerability scanners around. Snort -- commercial vendors are now advertising their products as having Snort-compliant rules, so this indicates their acceptance in the marketplace. And again, these are extremely effective tools.


Question from Rich Peper, Bowling Green State University:
    I agree DDoS and trojans are currently a threat to our systems. However, would our systems be better protected with user interventions, i.e., antivirus software, or by a better designed Internet to address future growth and concerns?

Randy Marchany:
    The best way to prevent DDoS attacks is to ensure that your network ingress and egress filtering is configured correctly. As an example, you can look at "Help Defeat Denial of Service Attacks: Step by Step," available from http://www.sans.org/dosstep/index.htm. User awareness and intervention is certainly important, but it's the network configuration that will prevent the attack from spreading beyond your borders.


Florence Olsen (Moderator):
    And that will have to be the final word on campus network security because I see that we're at the end of the hour. This has been an interesting chat, with lots of good questions and insightful answers from our guest, Randy Marchany, of Virginia Tech. Thank you for the conversation.


Randy Marchany:
    Thanks for having me here. User awareness and system management training are the best defenses, in my opinion. It is extremely hard to do, but the payoff is much more long-term and beneficial to the school. If you'd like to see what we've done, you can visit http://security.vt.edu.
Copyright © 2008 by The Chronicle of Higher Education