Securing the Campus Network Copyright, University of South Carolina (2004). This work is the intellectual property of the University of South Carolina.


1 Securing the Campus Network
Copyright, University of South Carolina (2004). This work is the intellectual property of the University of South Carolina. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the University of South Carolina. To disseminate otherwise or to republish requires written permission from the University of South Carolina.
Rita Anderson, Ronni Wilkinson
University of South Carolina

2 Agenda
USC’s Network During Fall, 2003
Call to Action
Defining a Security Policy
Implementing the Strategy
Technology Choices
Expectations of Fall, 2004
Risks & Mitigating Factors
Lessons Learned

3 The University of South Carolina
Centered in Downtown Columbia, SC
Over 200 Year History
Total Enrollment of 34,000+ (Based on Spring 2003, All USC Campuses)
Over 350 Degree Programs
155 Facilities Spread Over 358 Acres

4 Network Connections at USC
Extensive Wireless Implementation Across Campus
USC Rated 30th “Most Connected” Campus in the Country by The Princeton Review.
- Forbes Magazine, October 2003, http://www.forbes.com/2003/10/01/conncampusland.html
Residential Network
–28 Residential Halls Plus Greek Housing, Married Student Apartments, etc.
–Approximate Capacity – 7500 Students
–40% of Undergraduate Population Lives on Campus

5 Move-In Weekend: A USC Tradition
The Weekend Just Before Fall Classes Begin, Faculty and Staff Assist New Students Moving Into the Dorms
Students Register Their PCs Via NetReg and Agree to Abide by USC’s Guidelines for Responsible Computing

6 The Reality of Move-In Weekend
Many PCs Have Been Offline for Weeks
Many Freshmen Bring New PCs Still in the Box
–The OS Image Is Typically Months Old
~7500 New Connections
–Majority Unpatched
–Majority Unprotected from Viruses
–Cross-Infections Abound

7 Move-In 2003
Blaster Worm Was Introduced Just Prior to Move-In
Faculty/Staff Urged to Patch, Patch, Patch
Approximately 3,000 Systems Infected During the First 2 Weeks of the Semester
Help Desk Stretched to Its Limits
All IT Staff Became Student Support Staff

8 Can Education Solve the Problem?
Questionable
–Emails, Web Posts, News Articles, Banner Pages on Common Applications All Help…
–Fall 2003 Was Certainly a Learning Opportunity
  By Feb, 2004, When Bagle.J Was Unleashed, Total Infection Count Was ~500
  By April, When Sasser.B Was Unleashed, Total Infection Count Declined
  By May, Virus Alert Web Page Hits Averaged > 1,000/Day
~4,000 New Students to Educate Every Fall!

9 Call To Action
Know Who/What Is Connecting to the Network
Ensure That All Systems That Connect Are “Clean”
Quarantine “Unclean” Systems Until They Are “Cleaned”
Automate the Process

10 2004 Strategy: Supplement Education With Automation
1. Adopt a Strong Network Access Policy
2. Implement Proactive Measures
–Automate Scheduled Operating System Patches
–Automate Scheduled Anti-Virus Updates
3. Automate Reactive Measures
–Validate That PCs Are Current Prior to Connecting to the Network
–Quarantine and Remedy PCs That Are Not Current
4. Start Today With Technology Available Today

11 Adopting the Policy
Goal State: 1 University, 1 Network
Challenge: Concur on the Policy
Historically
–Networking Began in Academic Units
–Leading Edge Experimentation
Today
–Multiple, Distinct Implementations Across Campus
–Community of Network Managers

12 Adopting the Security Policy: Authentication
Authentication Became a Key Requirement
Domain Level or Network
Multiple Methods in Place
–LDAP / LDAPS for Most Applications
–Active Directory in Some Colleges
Not Ready to Move to “Single Sign-On”
(Graphic: login prompt with Username and Password fields)

13 Adopting the Security Policy: Authentication
Librarians Objected to “No Unauthenticated Access”
“We protect each library user's right to privacy and confidentiality with respect to information sought or received and resources consulted, borrowed, acquired or transmitted.”
- Code of Ethics of the American Library Association (June 28, 1995), www.ala.org
Campus Libraries Serve Community Beyond USC
Resolution
–Isolate Public Access Workstations from Remainder of Network
–Obtain Approval from USC Office of General Counsel

14 Adopting the Security Policy: Network Management
Centralized Team for Network Monitoring
–Manages Intrusion Detection and Firewalls
–Monitors Network Activity and Operations
Distributed Administration
–Most Larger Academic Units Have Dedicated IT People
–Manage Labs and Student/Faculty Access
Adopted:
–Centralized Registration of All Systems on Campus
–Delegation of Network Management & Monitoring Authority
–Centralized Definition of Minimal Security Standards
–Distributed Enforcement

15 Adopting the Security Policy
Network Access Requires Authentication
All Systems Must Be Registered
–MAC Address, User Name, Userid
All Servers Must Be Registered & Approved
–Students Cannot Run Servers in Dorms.
No Personal Machine Can Route Traffic Through USC Network
All Wireless Traffic Must Be Encrypted
All User Systems Must Meet Minimum Security Requirements

16 Where to Start Implementation
Faculty/Staff Wired Network
Wireless Network
Student Residential Network
Student Labs
RAS Connections
VPN Connections
Start with the Student Residential Network

17 USC Residential Network Infrastructure
(Diagram; components shown: Internet, Area Switch, Dorm Switch, Student Router, Core Router, Firewall)

18 Defining the Minimum Security Requirements
Student PC
–Current Anti-Virus Software
–Clean System Report
–Current Operating System Patches
–Personal Firewall
–Use of Strong Passwords
Network
–Elimination of Peer-to-Peer
(Status annotations shown beside the items on the slide: Required; Too Expensive; Required; Future; Too Restrictive)

19 Automating the Proactive Measures: Anti-Virus Software
Provide Anti-Virus Software for All University PCs
–Faculty, Staff, Students
Provide Install Option When Student Registers PC
Set Default Options
–Run Initial Scan at Install
–Run Scan at Least Every Other Week
–Run Updates Daily

20 Automating the Proactive Measures: OS Patch Management
Microsoft Automatic Updates
–Configured Per Desktop System
–Desktop Polls Microsoft Site for Updates
–Downloads Critical Updates
–Installs at Scheduled Time or Upon User Approval
(Diagram: desktop and http://windowsupdate.microsoft.com)
1. Poll
2. Applicable Update List
3. Determine What Is Already Installed
4. Download New Updates
5. Install Updates

21 Automating the Proactive Measures: OS Patch Management
Microsoft Software Update Services (SUS)
–Primary SUS Server Configured to Poll Microsoft Site
–Local SUS Servers Pull Patches from Primary Server
–Administrator Can Specify Updates to Be Distributed
–Desktop Polls Distribution Server for Updates
(Diagram: http://windowsupdate.microsoft.com, SUS Server, Local SUS Servers, desktops)
1. Poll
2. Download Applicable Update List
3. Determine What to Distribute
4. Poll & Download New Updates (Local SUS Servers from the SUS Server)
5. Poll & Download New Updates (Desktops from the Local SUS Servers)

22 Automating the Proactive Measures: OS Patch Management
Many Commercial Products
Limiting Factor
–Students’ Desktops Are NOT University Property
–USC Does Not Provide the Desktop OS
Patch Management
–Implement SUS as an Option for Faculty/Staff
–Implement Automatic Updates as an Option for Students

23 Automating Reactive Measures: Validation of Minimum Security Requirements
(Flowchart)
User Opens Internet Browser on Workstation
User Is Requested to Enter UserID and Password (Authentication)
Are Patches & A-V Software Up to Date?
–YES: Complete Connection to Internet. Re-validation Will Be Required on a Scheduled Basis.
–NO: Network Access Restricted to “Remedial” Sites (Quarantine)
  User Instructed to Download A-V and/or OS Patches
  User Installs Necessary Patches or A-V Updates
  Are Patches & A-V Software Up to Date?
  –YES: Complete Connection to Internet
  –NO: Remain in Quarantine
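The flowchart above is a decision procedure: authenticate, check patch and anti-virus state, then either admit the host with a re-validation deadline or hold it in a quarantine that can reach only remedial sites. The following Python is an added example, not code from the presentation or from the Perfigo product it mentions. The staleness threshold, the weekly re-validation interval (the slides plan weekly re-validation), the remediation host names other than windowsupdate.microsoft.com, and the sample PCs are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed policy values (not from the presentation): how old anti-virus
# definitions may be before a PC fails validation, and how long a validated
# PC may stay connected before it must validate again.
MAX_AV_DEFINITION_AGE = timedelta(days=2)
REVALIDATION_INTERVAL = timedelta(days=7)

# Constructed allow-list of "remedial" destinations reachable from quarantine.
REMEDIATION_SITES: FrozenSet[str] = frozenset({
    "windowsupdate.microsoft.com",   # OS patches (site named on the slides)
    "av.example.edu",                # hypothetical campus anti-virus download
    "netreg.example.edu",            # hypothetical registration/help pages
})


@dataclass(frozen=True)
class HostReport:
    """What the validation step learns about one registered PC."""
    mac: str                                    # NetReg registers hosts by MAC
    authenticated: bool                         # UserID/password step passed
    av_installed: bool
    av_definitions_updated: Optional[datetime]  # None: no definitions at all
    missing_critical_patches: int


@dataclass(frozen=True)
class AccessDecision:
    state: str                                      # "unauthenticated" | "quarantine" | "connected"
    allowed_destinations: Optional[FrozenSet[str]]  # None means unrestricted
    revalidate_after: Optional[datetime]            # set only when connected
    reasons: List[str]                              # failed checks, empty when clean


def remediation_needed(report: HostReport, now: datetime) -> List[str]:
    """Return the failed minimum-security checks (empty list means clean)."""
    reasons: List[str] = []
    if not report.av_installed or report.av_definitions_updated is None:
        reasons.append("anti-virus software not installed or has no definitions")
    elif now - report.av_definitions_updated > MAX_AV_DEFINITION_AGE:
        reasons.append("anti-virus definitions out of date")
    if report.missing_critical_patches > 0:
        reasons.append(f"{report.missing_critical_patches} critical OS patch(es) missing")
    return reasons


def evaluate(report: HostReport, now: datetime) -> AccessDecision:
    """The YES/NO branch of the flowchart for one PC at one instant."""
    if not report.authenticated:
        return AccessDecision("unauthenticated", frozenset(), None, ["authentication required"])
    reasons = remediation_needed(report, now)
    if reasons:
        # Quarantine: only the remedial sites are reachable until re-checked.
        return AccessDecision("quarantine", REMEDIATION_SITES, None, reasons)
    return AccessDecision("connected", None, now + REVALIDATION_INTERVAL, [])


def destination_allowed(decision: AccessDecision, hostname: str) -> bool:
    """Would the enforcement point let this host reach `hostname`?"""
    if decision.allowed_destinations is None:
        return True
    return hostname in decision.allowed_destinations


def revalidation_due(decision: AccessDecision, now: datetime) -> bool:
    """Connected hosts drop back to the validation step once the interval expires."""
    return (decision.state == "connected"
            and decision.revalidate_after is not None
            and now >= decision.revalidate_after)


def demo_move_in() -> Tuple[datetime, Dict[str, AccessDecision]]:
    """Constructed scenario: four PCs arriving on a move-in morning."""
    now = datetime(2004, 8, 20, 9, 0)
    reports = {
        "not_logged_in": HostReport("00:11:22:33:44:01", False, True, now, 0),
        "out_of_box":    HostReport("00:11:22:33:44:02", True, False, None, 12),
        "stale_av":      HostReport("00:11:22:33:44:03", True, True, now - timedelta(days=30), 0),
        "clean":         HostReport("00:11:22:33:44:04", True, True, now - timedelta(hours=6), 0),
    }
    return now, {name: evaluate(r, now) for name, r in reports.items()}


if __name__ == "__main__":
    now, decisions = demo_move_in()
    for name, d in decisions.items():
        print(f"{name:14s} {d.state:15s} {'; '.join(d.reasons) or 'ok'}")
```

The decision carries its own allow-list and deadline, so the same object can drive both the DHCP or ACL enforcement point and the scheduled re-validation sweep.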

24 Validation Software Requirements
Software Solution
Compatible with NetReg and DHCP
Implement a Remediation Quarantine
Do Not Allow Network Access Unless Validated
Ideally, Isolate PCs from Cross-Infections
Redundancy
No Dependency on Particular Switch Configuration
Central or Tiered Management / Distributed Enforcement
Support for Non-Windows OSs
Automate Exception Process
Flexible Configuration of Validation Tests
Server or Network Based Licensing

25 Technology Options: Validation Software
Server-Based Scanning
–Nessus Scans
–Effective for Identifying Vulnerabilities
–Benefit: No Modification to Student Desktop
–Risks: Personal Firewalls Can Block Scans; Cannot Validate Security Configuration
Validation Client Software
–Can Be Configured to Validate Configuration
–Benefit: Validate Configuration
–Risks: Forcing Installation of Client on Student Desktop; Frequent False Positives; Difficult to Provide Direct Feedback to Students

26 Technology Options: Quarantine Implementation
DHCP Re-Direction (NetReg)
–Unauthenticated Access Starts with IP Address with Limited Access
  Registration Site
  Remediation Sites
–Once Validated, IP Is Configured for Student Community Network
–Benefits: Easy to Implement
–Risks
  Users Who Hard Code IP Addresses Can Bypass Validation
  Limited Validation and No “Forced” Remediation
  Typically, No Quarantine for Cross-Infections
(Diagram: Remediation IP Address → Authenticate & Validate → Student Network IP Address)

27 Technology Options: Quarantine Implementation
Dynamic VLAN Assignment
–Dynamically Configures the VLAN Assignment Per Port
–Unauthenticated Access Starts in Isolated VLAN
–Once Validated, Port Is Configured into Student VLAN
–Benefits: Eliminates Cross-Infection, True Quarantine
–Risks
  Requires Network Infrastructure to Support Dynamic VLANs
  Switch Reconfiguration Via Software
  Shared Ports Cannot Be Supported
(Diagram: Switch Port Configured for Isolated VLAN → Authenticate & Validate → Switch Port Configured for Student VLAN)

28 Technology Options: Quarantine Implementation
Private VLANs
–No Communication Among Nodes on the VLAN
–Unauthenticated Access Starts in Private VLAN
  Firewall or ACLs Prevent Communication Between VLANs
–Once Validated, Port Can Be Reconfigured for Community VLAN
–Benefits: Eliminates Cross-Infection, True Quarantine
–Risks
  Requires Network Infrastructure to Support Private VLANs
  Switch Reconfiguration Via Software
(Diagram: Switch Port Configured for Private VLAN → Complete Registration → Switch Port Configured for Community VLAN)

29 Technology Options: Quarantine Implementation
Subnet Masks
–Many Subnets, Allowing 1 Machine Per Subnet
–Unauthenticated Access Starts in Masked Subnet
–Non-Validated Role “Quarantined” by Access Control List on Router
–Benefits: Prevents Cross-Infection, No Dynamic Switch Config
–Risks
  Managing Lots of Little Subnets
  Can Be Circumvented by Clever User
Current Plan of Record
(Diagram: Access Control List Denies → Authenticate & Validate → Access Control List Allows)
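The subnet-mask option (the plan of record above) works by leasing each PC its own tiny subnet, so the only other node on the wire is the router, and by letting a router ACL decide what each source address may reach until it has validated. The Python below is an added example modelling that scheme; it is not code from the presentation. The /22 pool, the /30 per-host prefix, the remediation server addresses and the MAC addresses are constructed, and the ACL is a first-match list of (action, source, destination) tuples rather than any vendor's syntax.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

# Constructed addressing (not from the presentation): a /22 carved into /30s
# gives 256 single-machine subnets, each holding only the router and one PC.
STUDENT_POOL = Net("10.20.0.0/22")
HOST_PREFIX = 30
# Constructed addresses of the remediation servers reachable from quarantine.
REMEDIATION_HOSTS: Tuple[IPv4, ...] = (IPv4("10.0.0.10"), IPv4("10.0.0.11"))

AclEntry = Tuple[str, Net, Net]   # ("permit" | "deny", source, destination)
ANY = Net("0.0.0.0/0")


def carve_subnets(pool: Net = STUDENT_POOL, prefix: int = HOST_PREFIX) -> List[Net]:
    """Split the pool into one-machine subnets (a /30 has two usable addresses:
    one for the router, one for the PC)."""
    return list(pool.subnets(new_prefix=prefix))


class SubnetQuarantine:
    """Tracks which /30 each registered MAC holds and whether it has validated."""

    def __init__(self, pool: Net = STUDENT_POOL,
                 remediation: Tuple[IPv4, ...] = REMEDIATION_HOSTS) -> None:
        self.free: List[Net] = carve_subnets(pool)
        self.assigned: Dict[str, Net] = {}
        self.validated: Set[str] = set()
        self.remediation = remediation

    def lease(self, mac: str) -> Dict[str, str]:
        """Hand out (or repeat) the /30 for a MAC as a DHCP-style lease:
        the PC gets the second usable address, the router the first."""
        if mac not in self.assigned:
            if not self.free:
                raise RuntimeError("quarantine pool exhausted")
            self.assigned[mac] = self.free.pop(0)
        net = self.assigned[mac]
        router, host = list(net.hosts())[:2]
        return {"ip": str(host), "netmask": str(net.netmask), "router": str(router)}

    def mark_validated(self, mac: str) -> None:
        """Called once the PC passes the patch/anti-virus checks."""
        self.validated.add(mac)

    def revoke(self, mac: str) -> None:
        """Scheduled re-validation: the host goes back to the quarantined role."""
        self.validated.discard(mac)

    def acl(self) -> List[AclEntry]:
        """First-match ACL the student router applies to traffic from the pool.
        Validated hosts may reach anything; quarantined hosts only the
        remediation servers; everything else, including addresses never
        leased, hits the final deny."""
        entries: List[AclEntry] = []
        for mac, net in self.assigned.items():
            host = Net(f"{list(net.hosts())[1]}/32")
            if mac in self.validated:
                entries.append(("permit", host, ANY))
            else:
                for server in self.remediation:
                    entries.append(("permit", host, Net(f"{server}/32")))
        entries.append(("deny", ANY, ANY))
        return entries

    def permits(self, src: str, dst: str) -> bool:
        """Evaluate one packet against the ACL, first match wins."""
        s, d = IPv4(src), IPv4(dst)
        for action, src_net, dst_net in self.acl():
            if s in src_net and d in dst_net:
                return action == "permit"
        return False


if __name__ == "__main__":
    q = SubnetQuarantine()
    lease = q.lease("00:11:22:33:44:01")          # constructed MAC
    print("lease:", lease)
    print("to remediation:", q.permits(lease["ip"], "10.0.0.10"))
    print("to internet   :", q.permits(lease["ip"], "198.51.100.7"))
    q.mark_validated("00:11:22:33:44:01")
    print("after validate:", q.permits(lease["ip"], "198.51.100.7"))
```

Two properties of the slide show up directly: a quarantined PC cannot reach another student's /30 at all, because every path goes through the router ACL, and no switch is reconfigured, only the router's list changes. The ACL is keyed on the source address, so its strength is the strength of the binding between the MAC, its lease and the address it actually uses; that is the "clever user" risk the slide lists against this approach.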

30 Status of the Project
Proactive Measures
–Anti-Virus Software Download
–SUS Implementation for Faculty/Staff In Progress
–Automatic Updates Configuration Download Available to Students
Reactive Measures – Validation
–Computer Services Network as Test
–Plan to Implement Perfigo CleanMachines™
–Pilot in Summer Dorms During July
–Introduce at Move-In Weekend

31 Expectations of Move-In
Move-In Weekend Support Should Last Two Days!
Limit Cross-Infections of New PCs
Significantly Reduce Overall Infection Incidents
Expect Increased Help Desk Calls
–New Process Will Generate More Calls
–Expect “Do I Have To….” Questions

32 Key Risks
“Big Brother” Image
Leading Edge Technology
New Virus or Worm Introduced That Weekend
Pre-Infected Machines
Ease of Use of the Process
End User Education

33 Mitigating the Risks
Focus on End User Education & Support
–“How to Connect” Brochures in Each Dorm Room
–Extensive Help Screens
–Campus Newspaper Articles
–Campus Cable TV Spot
–Support Persons Available in the Dorm
Minimize the Hassle

34 What We’ve Learned Thus Far
Involve the Legal Team
Minimize Modification to Student Desktops
Communicate Early & Plenty
Make Good Security as Painless as Possible
Emphasize the Benefits
–Network Availability

35 Next Steps
Implement the Student Network for Fall
–Scan for Vulnerabilities
–Validate Anti-Virus Software and OS Patches
–Force Re-Validation Once a Week
–Monitor Feedback Closely
If Successful,
–Implement for Campus Wireless for Spring
–Then, Begin Deployment to Faculty/Staff Subnets

36 References & Acknowledgements
Reference Sites
–www.ala.org
–www.cisco.com
–www.forbes.com
–www.microsoft.com
–www.netreg.org
–www.perfigo.com
–www.sc.edu

