Niagara College Canada found a way of ensuring its network security while not interfering with student and staff needs, reports Greg Masters.
Institutions of higher education work from a disadvantage as far as network security goes. They must keep their networks open and only refuse known threats. This is as opposed to businesses, which can restrict the flow of information and only open what is required.
Niagara College Canada, with 7,800 full-time and 14,000 part-time students, and around 650 full-time faculty and staff, needed to ensure compliance of the wireless devices on its network, especially as more devices were being added and the number of access points was continuing to increase each year.
The college's IT staff consists of 31 people, but this includes scheduling, AV and all academic support. The number of IT staff dedicated to managing the network is closer to 25.
To do this meant accounting for two campuses in the Ontario Niagara Region – one in Welland, Ontario and another in Niagara-on-the-Lake, Ontario – and three satellite sites, two in St. Catharines and one in Niagara Falls, which all are connected through a regional metropolitan area network (MAN).
The task of achieving the college's technical aims while at the same time preserving open lines of communication fell to John Levay (left), director, information technology services, Niagara College of Applied Arts & Technology.
“The way we did this in the past was to logically locate the wireless network outside of the college firewall, away from the main network. However, we also had a number of wired connections available for people to attach to – this also posed a problem. At the same time, the college was moving to a ‘mobily enhanced teaching' strategy and all of the professors/instructors were given the opportunity to acquire a laptop. We were also seeing a large number of people bringing in files to the college via thumb drives, email, etc. that were going to the core of our network with very little security checking being done.”
There was a need to perform two main security functions, Levay says: Ensure that network intrusions were detected and responded to in a timely manner and also provide some internal firewalling ability. “We also had the requirement of maintaining the speed of our various network links and not introducing any bottlenecks. Finally, we wanted to reduce the amount of malware-related traffic on our network.”
Without a secure network you cannot trust the data on it, he says, adding that part of his team's strategy is to provide more self-service and e-commerce options for customers. “Not securing this information will strongly discourage them from wanting to do business with us. There is also a legal requirement to secure sensitive personal information that is collected in various forms from around the college.”
Further, he points out that as seen with other higher educational security breaches, it's not just the initial breach that hurts – it can affect future admissions, enrollments, the ability to fundraise or secure donations.
Deciding on the solutions necessary to address this problem was a group effort that started with Levay and involved his team, including the manager of network and technical services, its security analyst and other IT staff. Much of the effort was done by the security analyst, Jason Post, and Laura VanClieaf, manager of network and technical services. Levay credits them with the suggestion to look at a network core protection solution and then to take other actions and directions to protect the core.
Changed security priorities
Levay's team began its search looking for an end point enforcement (EPE) solution. They researched the various technologies around and also looked into core protection, such as application firewalls. At that point, they started to review intrusion prevention (IPS). Any solution for EPE was going to require a complete network security solution, the components of which needed to work well together. It was then decided that an IPS was a better solution to start with, and that the college could add the EPE option later. When they went out to request for proposals for an IPS, several vendors offered up their technologies.
Cost is always a factor in higher education budgets, but selecting the correct solution is more important, says Levay. It had to be something that could scale and could be kept in place for at least five to seven years. The most important factors were that it needed to be low maintenance (one staff member at the college is responsible) and it had to be flexible.
Levay says that from a technical perspective, several factors helped to make Top Layer's IPS 5500 E-Series the leader, including the sheer speed of the device, the amount of fiber/copper links that it is capable of supporting, and its ability to easily firewall based on subnet.
The Top Layer's solution is a leading intrusion prevention system appliance that provides worldwide enterprise networks with complete three dimensional protection (3DP) to help ensure business continuity, meet compliance requirements, and protect confidential data and mission-critical applications, says Ken Pappas (left), vice president of marketing and security strategist, Top Layer Security. The IPS 5500's 3DP includes protection against malicious content through advanced IPS technology, undesired access through stateful firewall filtering, and rate-based attacks ,such as botnet and DDoS attacks, through DDoS mitigation. The IPS 5500 can be deployed at the perimeter, on internal network segments, remote site locations or at the network core to protect company assets and stop attacks. Customers can easily manage multiple IPS 5500 appliances with Top Layer's SecureCommand centralized management solution, says Pappas.
Apart from a couple of minor bumps, the implementation went extremely smoothly, says Levay. “Our Top Layer representative and reseller helped us through the implementation, answered all of our questions and addressed our concerns. They also recommended best practices. Subsequent Top Layer support has also been extremely helpful. The deployment has been successful and we are very pleased.”
Levay points out a couple of interesting things that occurred during the implementation process. First, the college runs dual redundant Nortel 8600 cores at each major campus. They work by sharing the load and dividing up a message into two parts and sending it along. This is known as split-multilink trunking and it is proprietary to Nortel. To the IPS it looks like half a message from each core and this is interpreted as bad data on the network. Levay's team was able to work with Top Layer to get that sorted out.
Also, he says the Top Layer tool was able to assist with some poor coding applications.
“We have seen many academic applications that are poorly written. In one case, the check sums on some of the transmitted data were bad and looked like a virus on the network. We have been able to create exceptions for these through Top Layer, but nevertheless, badly written applications do cause headaches for security personal and will continue to do so as good coding techniques continue to be marginalized over code production.”
When asked if the solution has been easy to manage and operate, Levay responds, “So far so good.” In the time the system has been in place, he says his team has been quite happy with the results and what the unit can do.
“The device is extremely easy to manage and operate,” he says. “The ISA software package allows for easy monitoring and configuration of the devices. The list of event counts is extremely helpful for a quick understanding of the current status of the system. The daily reports generated by the devices are extremely helpful, as are the innumerable reporting options provided by the NSA package.”
The device is more than meeting his team's expectations, he says. In addition to performing the base requirements of helping to protect the network and provide some measure of internal firewalling, the team also has used the device to track down other devices generating traffic to malicious sites. Furthermore, the device has helped them gain a more in-depth understanding of what is flowing across various points within the college's network.
Like any network security system, the tool from Top Layer allows Levay's team to watch for issues on the network and be more proactive with network security. It also allows the college to be PCI compliant, as it offers the ability to accept credit card transactions on the network without the added requirement of using an internal firewall. The IPS units (when in mitigate mode) will allow the college to achieve this compliance.
The Top Layer IPS 5500 (right) is implemented across the entire college. The units are deployed primarily around the college's core network services. They are deployed in such a way as to protect the links to and from the server switch stacks at each campus.
“We also are protecting our internet/DMZ switch stack links, says Levay. “Additionally, we have a Top Layer device monitoring the link from the switches on which our student laptop programs generally reside. We've set this protection because the mobile nature of the student's machines, which are fairly high-powered, introduces a risk vector with the machines potentially in regular contact with external networks. As much as possible, the devices have been connected in a clustered fashion to take advantage of the redundancy and processing increases.”
Interestingly, about a month after Niagara College decided on the Top Layer IPS solution, Levay's team was contacted by the vendor and asked if they would like to participate in a beta test of NAC solutions (NAC Director and Campus Manager) from Bradford Networks. These components worked with the IPS solution and would allow the college to monitor and control both the edge and the core in a synchronized fashion.
“Top Layer's IPS protects our critical core infrastructure, but we needed a solution that extends protection to the network end points (thus meeting our EPE needs), says Levay. “This integration with Bradford Networks' technology provides the perfect solution for us, as it fits seamlessly into our network infrastructure. It is a major step toward a completely automated solution that protects our network, students and faculty, while improving the quality of education by mitigating concerns over nefarious activity on our network.”
This integration was something that was very important to Niagara's IT team as they continued to open the network up for more activity. It also set the stage for them to look at moving the wireless network and the hard-wired public ports into the inner core of the college, thus allowing them to extend more functionality to this layer of interface.
“We are also looking at doing more flex computing and virtualizing many of our core servers,” says Levay. “If we do this, then more data/processing will occur at the core instead of at the ends and this will only increase our requirements to protect the core. It will also mean that many more edge input devices will be appearing on our networks, and these need to be managed so that everyone gets the best experience from the technology infrastructure we have in place.”
The IPS 5500 is the first and only IPS solution as rated by NSS Labs that seamlessly integrates stateful firewall filters with multiple content-based and rate-based protection mechanisms on a single platform, says Pappas. “Top Layer IPS solutions can therefore be deployed at the network perimeter or elsewhere on the network in front of servers that host critical applications and databases. The IPS 5500 achieved double NSS Award ratings.”
Levay says that his team's experience with Top Layer has been “wonderful.”
“From the initial contact, to the sale, to the implementation and training, Top Layer have been there to help. Working with one of their partners, Bradford Networks, was also very productive. It also doesn't hurt that they understand higher education, which is a great bonus.”
The college's changed security priorities
Levay says that he and his team have seen continued, almost exponential growth of wireless network use and an explosion of low cost computing devices (i.e., Apple iTouch, net books, Wi-Fi, mobile phones). This has pushed mobile computing into the hands of virtually every student, and forces Levay's team to constantly re-visit and revise their security priorities to ensure they are able to balance compliance and protection of college resources while allowing the freedom an academic environment demands. This has proven to be quite challenging, he says.
“I think the IPS and NAC solutions have made major inroads to protecting our network. There have been other changes lately that go hand-in-hand with these technologies. We have implemented more VLANs, IP filtering and have adjusted physical switch placement to segment the network off as best we can with our limited funds. We have also created a dedicated network security position at the college and have given this position the power to implement changes in network policies.”
Niagara College uses its network for physical security notification. It uses a VoIP PA system for warning people about issues on campus. It uses one cable plant on campus, and therefore, all user data is passed on the same network as the VoIP, security cameras, building access, building automation, digital signage, etc. This does present some interesting challenges to keep it separate, correct and secure, says Levay.
Another problem is dealing with bandwidth pirates and identifying what is really going on within the network. While the college has a network bandwidth shaping device (Packeteer), limiting what network users can do by ports or shaping the traffic ensures that users will find interesting ways of getting around these limitations. As an example, Levay points out that students now tunnel torrents through http and https – which are always open ports. Limiting any of that traffic is impossible, he says, as his staff will limit all of the legitimate http/https traffic on the network. This is becoming problematic as all users are starting to have a bad experience.
“There are ways of dealing with this, but we just don't have the resources to do it,” he says. “Also, the tools that we have, cannot do deep packet inspection if the data is encrypted when they see it.
When asked what the challenges were in working with an educational customer versus a corporate customer, Pappas responds, “Educational institutions often have thousands of users whose data must be protected – students, faculty, administrators and other employees. Yet, at the same time, there is a great focus on sharing of information at colleges and universities, which if not monitored, can result in a variety of vulnerabilities. With this number of students and faculty accessing the network with little regulation, it is a challenge for IT staffs to maintain optimum levels of network security and ensure that those logged in to the network are safe, and aren't opening up fellow classmates to the latest viruses. For example, the practice of sharing media files and downloading programs from websites is popular among students and faculty. This type of user behavior can expose the network to intrusions, worms, viruses, malware and other attacks, as well as violating laws, such as the Digital Millennium Copyright Act and the Higher Education Opportunity Act.