How much more? How about managing an open network that lets everyone connect to just about any website — including pornographic ones. Or dealing with mischievous, overachieving teenaged computer whizzes who're just itching to find trouble of some kind, including running their own proxy servers to avoid school-deployed security measures?
Then there's the issue of allowing students and faculty to access peer-to-peer (P2P) networks — something that would send sweat pouring down the back of an enterprise IT professional. And what about the daunting task of cleaning up or locking down thousands of unmanaged PCs each fall, when school starts up?
"Welcome to my world," might well be the mantra for security professionals in educational institutions. They operate in a dimension that's only remotely similar to an enterprise network. Here's a look at just how difficult their job is.
Knowing the vulnerabilities
It's not news that schools, particularly colleges and universities, are data troves waiting to be exploited. Educational institutions have lost a lot of student, faculty and staff personal and confidential data already this year — and the year is young.
Part of the problem can be attributed to the "anything goes" nature of the typical educational environment.
"It's a lot looser in education," admits Craig Kleen, the assistant director of network services for California State University, Long Beach, one of the state's 23 public universities. "We have to support an open network. Our basic goal is to allow as much as we can with very little restrictions. It's the other way around in enterprises."
The University of North Florida, a public university in Jacksonville with about 15,000 students, approaches access to its networking systems similarly. "We don't make any qualitative decisions on content," including access to pornographic websites, says Jim Durfee, the school's assistant director of information security. "It's a philosophical decision," he adds. "Blocking content in an educational setting is not appropriate."
That kind of openness means "we have to keep on top of what's going on and react to it," Kleen adds.
His team is not in the area of content filtering, he admits, but that doesn't mean that there are no restrictions at all. "We do want to know when people are doing port scans," he says. To monitor that sort of activity on the school's 18 networks, he has deployed a TippingPoint intrusion protection system (IPS).
Keeping networks safe
Fostering an open environment doesn't always translate to letting the inmates rule the asylum, however. For several reasons, security pros in educational institutions have turned to network access control (NAC) technology to help keep their networks safe.
For one thing, NAC can ensure that only authorized users running up-to-date PCs can access school networks. They also give school IT staff tools to limit the resources authorized users can access from various locations around campuses.
The University of Rhode Island (URI) in Kingston R.I., for instance, relies on a hosted network access control solution from managed security services provider (MSSP) SecureWorks to ensure the 20,000 computers on the school network have the latest operating system patches and are running current anti-virus and anti-spyware applications. This capability is particularly critical at the beginning of each school year when about 2,000 new students plug their laptops into the network, says Alan White, URI's information security architect.
When students first plug their PC into the network, they are sent to a web page that authenticates them, they can then download a software agent that checks for patches, virus signatures and the like. If the PCs fail the check, the student is directed to another web page where free anti-virus software is available.
The NAC solution also provides a valuable service when school researchers deploy their own servers without notifying the university's IT department. "They get grants to buy systems, and security is an after-thought," says White.
The security ‘game'
Network access control is a particularly thorny issue at the elementary and high school levels.
"We have creative high school students who constantly keep at us — it's like a game," says Shawn Nutting, the IT director for the 4,500-student Trussville (Ala.) City Schools. "We lock everything down and they find a hole. We close that, and they find another one."
Two security tools Nutting relies on are a Cisco network access control server and Sanctuary, an endpoint policy manager software product from SecureWave. The Cisco software works with Microsoft's Active Directory "to do a wonderful job of locking kids out of Microsoft products," says Nutting.
That's where Sanctuary, which prevents unknown or malicious code from running on PCs, comes in.
"It will not let anything run on a computer unless it's approved via a white list," says Nutting. "It's a little frustrating for the kids — they can't do malicious stuff."
Bright kids can always find ways to beat security policies, it seems. When the Duval County (Fla.) school district's content filtering system stopped its students from visiting unauthorized sites, many of the district's students deployed their own proxy servers at home, says Jim Culbert, the district's information security analyst.
Setting up a proxy server "used to be complicated, but then someone wrote [proxy] programs that run on computers at home, and you can access your machine from school," Culbert says. Once a student logs into a proxy server, they could go anywhere on the internet, thus avoiding the district's policies.
"There's not a content filter that can be aware of those," Culbert explains.
He stopped the students cold, however, by working with security vendor 8e6 Technologies to develop bit-level signatures for the company's R3000 Internet Filter product that block access to all of the popular proxy programs available.
When students "are kicked off the internet by the filters, we take a two-strike approach," Culbert says. "First, they're not allowed to access the internet for 30 minutes. If they do it a second time, they'll spend three days at home."
Like their enterprise counterparts, security professionals in educational bodies also must deal with a hodge-podge of regulatory and compliance issues. "Our main battle is dealing with increasing federal regulation and compliance issues," says Joseph Clark, a senior network engineer at the College of Charleston in South Carolina.
The school has deployed a security event management (SEM) product from NitroSecurity, Portsmouth, N.H., to help it comply with Health Information Portability and Accountability Act (HIPAA) and Sarbanes-Oxley (SOX) requirements, Clark says. Because the school has a health clinic and awards scholarships, it must fulfill the demands of both regulations, he adds.
The NitroSecurity box gives Clark and his team the tools to study logs from various networking devices and determine if a breach occurred and by whom.
P2P problems
As noted, security issues relating to P2P networks are another hot button issue among security folks in educational settings. In fact, North Florida's Durfee calls P2P his number one problem.
Most notably, he says, the Recording Industry Association of America (RIAA) "is waging war against higher education with increased enforcement" of its anti-privacy policies. It has warned numerous universities of potential lawsuits against them if they do not abide by a variety of new rules.
But there are some legitimate reasons for allowing P2P transfers on the school network — it's a popular way to distribute open source software, as well as large data sets within school environments. That makes controlling P2P a tough issue, Durfee says.
It's also been a problem for Kleen. He says, however, that the TippingPoint IPS has allowed the university to "close the rate of P2P traffic," giving the school an ancillary benefit to helping it pinpoint potential security holes.
- Jim Carr is an Aptos, Calif.-based freelance business and technology writer. Contact him at [email protected].
SCHOOL BREACH:
Bad grades
The open, exploratory nature of educational environments can make them ideal breeding grounds for security problems. How else to explain the following list of notable security breaches revealed in 2007?
Vanguard University (Costa Mesa, Calif.), Jan. 26: The school revealed that two computers with assets for more than 5,000 students, were stolen from its financial aid office.
University of Idaho, March 10: A file posted to the school's website contained personal info of 2,700 university employees.
Los Rios Community College District (Sacramento, Calif.), March 7: Private information of 2,000 students was accessible on the internet after the district used actual data to test a new online application process.
Georgia Institute of Technology, Feb. 21: Personal info of 3,000 former employees and about 400 state purchasing card numbers were compromised.
City College of San Francisco, Feb. 15: Almost eight years after it occurred, CCSF revealed that info of 11,000 students was posted on an unprotected website.
— Jim Carr
