Awareness of security issues has heightened dramatically over the past several years. High-profile security incidents at various campuses, including Indiana University, have sparked action in the education community. Actions have included the appointment of security officers at many institutions, and the recent establishment of the joint EDUCAUSE/Internet2 Computer and Network Security Task Force.
Campuses are subject to daily probes and scans by people on the outside looking for systems with specific vulnerabilities to exploit. These violations can cause serious interruptions in operations or disclosure of sensitive data. Colleges and universities are often targeted because of the perception that they have lax security coupled with high-capacity systems and networks. High-capacity networks that facilitate quick transfer of large files are attractive to violators looking to store sizable files.
At each Indiana University campus, such as this library at the Indianapolis campus, network security includes a user identification database and firewalls.
University systems are also targeted as a means of intrusion into other more attractive systems. A couple of years ago, some university systems were used to wage denial-of-service attacks against various company Web services in an attempt to prevent legitimate users from using that service. The attacks caused financial hardship, and many services had to temporarily shut down.
Cabling Installation & Maintenance recently talked with Mark Bruhn, Indiana University's chief IT security and policy officer, about trends in beefing up network security at his campus installation:
Q: How has the education community responded to heightened concerns about network security?
A: Due to cultural issues, mechanical concerns and cost, higher education professionals have been hesitant to install security measures—such as perimeter firewalls and strategic mechanisms that facilitate monitoring of network traffic. However, as we experience more serious incidents that affect personal workstations, the higher education community is beginning to accept some level of monitoring. And the cost of implementing security measures is becoming less of an issue as most large campuses find that they are probably spending as much, if not more, money on responding to security incidents.
There are valid concerns about technical issues with firewalls and intrusion detection systems (IDS). Devices able to handle the high capacity of our network have only recently become available, and maintaining the rule sets in firewalls for large organizations is difficult. However, I believe the tradeoff is becoming clear, evidenced by the many campuses now using or investigating use of firewalls and IDS.
Q: What network security technologies are in place?
A: We have entered into a partnership with a firewall and IDS vendor to firewall our data centers, and we are researching the possibility of very large perimeter firewalls. The firewalls essentially examine in-coming and outgoing traffic on a network, a segment of a network, or a specific device on the network, and apply rules to the traffic that permit access to some services while denying access to others. Indiana University's security engineers are also involved in intrusion detection work, using various tools to identify anomalies in our network traffic. This information is used to identify computers on campus that may have been compromised.
For our wireless systems located in many areas of our campuses, we use a set of virtual private network (VPN) servers to authenticate users. The use of VPN servers has been successful, and we are currently working to make wireless available in all areas of the core campuses.
A central IT security office works closely with Indiana University's central computing department and with telecommunications engineers to coordinate security for 126,000 users on eight campuses.
Q: How are security measures coordinated among the 126,000 users and eight campuses of Indiana University?
A: We have a central IT security office (ITSO). The ITSO works very closely with the central computing department and with telecommunications engineers on network security issues. The ITSO also collaborates with regional campus chief information officers and their technical staff via frequent e-mail and monthly meetings to discuss general IT issues, policies, and security threats. This interaction ensures that all policy development includes input from each campus, and that all technical staff have a means of asking questions and seeking advice.
The two core campuses are structured with department technicians, known as Local Support Providers, and the ITSO interacts with each Local Support Provider in the same way we interact with technical computing staff on the regional campuses. We offer a series of security certification classes for the technicians, which have proven to be very popular. In addition, we are currently negotiating with human resources to acquire 15 minutes of time during employee orientation.
Communication to students and the general user population is done regularly via various methods, including electronic newsletters. We have a very active communications office within the Office of the Vice President for IT and CIO, and it's rare that an issue of the electronic newsletter is sent out without some reference to security. In addition, we have a comprehensive security Web site with many how-to and best-practices guides. Naturally, we also conduct presentations on campus whenever the opportunity presents.
Q: How are the 126,000 users on the system authenticated and access controlled?
A:We have a central identification database, based in the Lightweight Directory Access Protocol (LDAP). This type of database is fairly typical at schools, and most users have a profile assigned to them before they even know it. Staff, faculty, and students utilize an account management system to activate their accounts and set their password. The username and password, which we collectively call the user's credential, grant access to almost all central computers and applications.
Password validation is done by a Kerberos system. Users are required to choose very strong passwords, and many systems also require the use of a password-generator token where users must correctly enter a response to a challenge in order to gain access. This type of system is called "two-factor authentication," and is used where more positive user identity is required.
For all employees, we have procedural authorization mechanisms in place where individuals whose job functions require access to sensitive data and systems must request that access from an appropriate data steward. The data steward evaluates the request and provides training for those who, in fact, need access. The data steward then authorizes the technicians to permit those individuals to access the specific application or system.
We facilitate the installation of software—such as anti-virus, SSH cryptography and authentication technologies, secure file transfer protocol, and software patches for the entire university—[via] download on an authenticated Web site, and on CD-ROM. Access to central systems is not permitted without secure protocols. Each semester, we generate a security CD that contains new patches for popular operating systems and security software. We also provide these to new students at orientation.
For technicians maintaining systems, we have licensed various patch management tools to help them ensure that systems are patched. Departmental technicians can use our Web-based scanning service to scan their systems for vulnerabilities manually or automatically. In fact, all of the systems within the central IT department are automatically scanned every 28 days—I even get a scan report for my own workstation.
Q: How are the university's network systems physically protected, and what type of recovery plan is in place?
A: Each campus acquires network connectivity through the core campuses at Bloomington and Indianapolis. All physical access to the network components on every campus is restricted with access granted only to select individuals. We have deployed access-card systems, cameras on exterior doors, and glass-break sensors at our central IT facilities and other high-sensitivity areas. All IT staff are required to carry access cards and identification badges, and visitors must be escorted. We also have door alarms where appropriate.
All central systems and network components are on battery back-up, with diesel generators to provide power for longer outages. We use an off-site vault company for back-up of information—it's easy to recover a particular system or database. We also have mass storage facilities on both core campuses, and the network that connects them is extremely robust. This lets us mirror data between the campuses and share services, which provides inherent redundancy.
We have what we call a "limited recovery plan." We have installed a recovery site on the Bloomington campus several miles from the main data center in an older, very solid stone building. There, we have engineered additional power and networking, along with portable cooling units stored nearby. If the data centers at our core campuses become unavailable, services are moved to that recovery site. For the long term, we are aiming for reciprocal recovery capabilities between new IT buildings at Indianapolis, which are currently being constructed, and one at Bloomington, which is in early planning stage. The data centers in these buildings will be oversized to facilitate this arrangement.
Q: What efforts are underway to increase the awareness of IT security issues in higher education?
A: There is a great push related to increasing awareness of IT security in higher education. As a member of the executive committee for EDUCAUSE/Internet2 Computer and Network Security Task Force, I can tell you that this group has spurred increased interest surrounding security, and offers a growing information center at www.educause.edu/security. Conferences catering to higher education have also seen a dramatic increase in the demand for sessions dealing with security issues.
Mark Bruhn (c), Indiana University's chief IT security and policy officer, with teammates Thomas Davis (l), IT security officer, and Merri Beth Lavagnino (r), deputy IT policy officer.
With support from EDUCAUSE and Internet2, Indiana University has created the first information-sharing and analysis center representing higher education—Research and Educational Networking ISAC (www.ren-isac.net). The basic goal is to collect, analyze, and share security and threat information in attempts to forewarn and help our campuses prepare for incidents. An integral part of this initiative is learning from security incidents that occur elsewhere, including those experienced by other sectors of the economy. To that end, the REN-ISAC recently signed an agreement with the Department of Homeland Security, allowing us access to security information that we didn't have before. We hope to use this information to continue our efforts of improving awareness of security issues in higher education.
Q: What recommendations would you give to other university IT professionals striving to implement security solutions?
A: First, there must be someone assigned to coordinate all security activities. A facility that attempts to have a concerted security program without a security officer will find it almost impossible. The person needs to have a highly capable technical staff that has an excellent rapport with all other technical staff and managers throughout the campus.
Second, because the biggest problem is usually unpatched systems, tools must be made available that make it easier to identify and apply patches. Vulnerability scanning is also essential. Violators are constantly scanning our systems for holes, and facilities should be doing the same. These tools will dramatically reduce the risk of a system being compromised.
Additionally, a program of layered defense is needed—systems security, host access filtering, router access control lists, firewalls around specific sets of systems, and perimeter firewalls where possible. Because insecure systems will be compromised at some point, campuses should first deal with those systems where a security breach would be most damaging. If campuses become successful in transferring sensitive data and functions to a small set of systems that can be more easily protected, the layered defense model will become more cost-effective and feasible to manage.
Betsy Ziobron is a freelance writer covering the cabling industry, and a regular contributor to Cabling Installation & Maintenance. She can be reached at: firstname.lastname@example.org
A Certified Information Systems Security Professional, Mark S. Bruhn advises Indiana University on technology deployment, usage, and security issues, and directs the efforts of the University IT Policy Office and Security Office. Mr. Bruhn also serves as interim director for the Research and Educational Networking Information Sharing and Analysis Center. You can contact him at: email@example.com