Securing the Campus Network Copyright, University of South Carolina (2004). This work is the intellectual property of the University of South Carolina.


Securing the Campus Network
Copyright, University of South Carolina (2004). This work is the intellectual property of the University of South Carolina. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the University of South Carolina. To disseminate otherwise or to republish requires written permission from the University of South Carolina.
Rita Anderson, Ronni Wilkinson, University of South Carolina

Agenda
USC’s Network During Fall, 2003
Call to Action
Defining a Security Policy
Implementing the Strategy
Technology Choices
Expectations of Fall, 2004
Risks & Mitigating Factors
Lessons Learned

The University of South Carolina
Centered in Downtown Columbia, SC
Over 200 Year History
Total Enrollment of 34,000+ (Based on Spring 2003, All USC Campuses)
Over 350 Degree Programs
155 Facilities Spread Over 358 Acres

Network Connections at USC
Extensive Wireless Implementation Across Campus
USC Rated 30th “Most Connected” campus in the country by The Princeton Review. - Forbes Magazine, October
Residential Network
–28 Residential Halls Plus Greek Housing, Married Student Apartments, etc.
–Approximate Capacity – 7500 Students
–40% of Undergraduate Population Lives on Campus

Move-In Weekend: A USC Tradition
The Weekend Just Before Fall Classes Begin, Faculty and Staff Assist New Students Moving Into the Dorms
Students Register Their PCs Via NetReg and Agree to Abide by USC’s Guidelines for Responsible Computing

The Reality of Move-In Weekend
Many PCs Have Been Offline for Weeks
Many Freshmen Bring New PCs Still in the Box
–The OS Image is Typically Months Old
~7500 New Connections
–Majority Unpatched
–Majority Unprotected from Viruses
–Cross-Infections Abound

Move-In 2003
Blaster Worm Was Introduced Just Prior to Move-In
Faculty/Staff Urged to Patch, Patch, Patch
Approximately 3,000 Systems Infected During the First 2 Weeks of the Semester
Help Desk Stretched to Its Limits
All IT Staff Became Student Support Staff

Can Education Solve the Problem?
Questionable – E-mails, Web Posts, News Articles, Banner Pages on Common Applications All Help…
–Fall 2003 Was Certainly a Learning Opportunity
By Feb, 2004, When Bagle.J Was Unleashed, Total Infection Count Was ~500
By April, When Sasser.B Was Unleashed, Total Infection Count Declined
By May, Virus Alert Web Page Hits Averaged > 1,000/Day
~4,000 New Students to Educate Every Fall!

Call To Action
Know Who/What Is Connecting to the Network
Ensure That All Systems That Connect Are “Clean”
Quarantine “Unclean” Systems Until They Are “Cleaned”
Automate the Process

2004 Strategy: Supplement Education With Automation
1. Adopt a Strong Network Access Policy
2. Implement Proactive Measures
–Automate Scheduled Operating System Patches
–Automate Scheduled Anti-Virus Updates
3. Automate Reactive Measures
–Validate That PCs Are Current Prior to Connecting to the Network
–Quarantine and Remedy PCs That Are Not Current
4. Start Today With Technology Available Today

Adopting the Policy
Goal State: 1 University, 1 Network
Challenge: Concur on the Policy
Historically
–Networking Began in Academic Units
–Leading Edge Experimentation
Today
–Multiple, Distinct Implementations Across Campus
–Community of Network Managers

Adopting the Security Policy: Authentication
Authentication Became a Key Requirement
Domain Level or Network
Multiple Methods in Place
–LDAP / LDAPS for Most Applications
–Active Directory in Some Colleges
Not Ready to Move to “Single Sign-On”
(Slide graphic: Username / Password prompt)

Adopting the Security Policy: Authentication
Librarians Objected to “No Unauthenticated Access”
“We protect each library user's right to privacy and confidentiality with respect to information sought or received and resources consulted, borrowed, acquired or transmitted.” - Code of Ethics of the American Library Association (June 28, 1995)
Campus Libraries Serve Community Beyond USC
Resolution
–Isolate Public Access Workstations from Remainder of Network
–Obtain Approval from USC Office of General Counsel

Adopting the Security Policy: Network Management
Centralized Team for Network Monitoring
–Manages Intrusion Detection and Firewalls
–Monitors Network Activity and Operations
Distributed Administration
–Most Larger Academic Units Have Dedicated IT People
–Manage Labs and Student/Faculty Access
Adopted:
–Centralized Registration of All Systems on Campus
–Delegation of Network Management & Monitoring Authority
–Centralized Definition of Minimal Security Standards
–Distributed Enforcement

Adopting the Security Policy
Network Access Requires Authentication
All Systems Must Be Registered
–MAC Address, User Name, Userid
All Servers Must Be Registered & Approved
–Students Can Not Run Servers in Dorms
No Personal Machine Can Route Traffic Through USC Network
All Wireless Traffic Must Be Encrypted
All User Systems Must Meet Minimum Security Requirements

Where to Start Implementation
Faculty/Staff Wired Network
Wireless Network
Student Residential Network
Student Labs
RAS Connections
VPN Connections
Start with the Student Residential Network

USC Residential Network Infrastructure
(Slide diagram; components shown: Student, Dorm Switch, Area Switch, Core Router, Firewall, Internet)

Defining the Minimum Security Requirements
Student PC
–Current Anti-Virus Software
–Clean System Report
–Current Operating System Patches
–Personal Firewall
–Use of Strong Passwords
Network
–Elimination of Peer-to-Peer
Assessment labels as marked on the slide: Required, Too Expensive, Required, Future, Too Restrictive

Automating the Proactive Measures: Anti-Virus Software
Provide Anti-Virus Software for All University PCs
–Faculty, Staff, Students
Provide Install Option When Student Registers PC
Set Default Options
–Run Initial Scan at Install
–Run Scan At Least Every Other Week
–Run Updates Daily

Automating the Proactive Measures: OS Patch Management
Microsoft Automatic Updates
–Configured Per Desktop System
–Desktop Polls Microsoft Site for Updates
–Downloads Critical Updates
–Installs at Scheduled Time or Upon User Approval
Diagram steps (desktop to Microsoft site): 1. Poll 2. Applicable Update List 3. Determine What is Already Installed 4. Download New Updates 5. Install Updates

Automating the Proactive Measures: OS Patch Management
Microsoft Software Update Services (SUS)
–Primary SUS Server Configured to Poll Microsoft Site
–Local SUS Servers Pull Patches from Primary Server
–Administrator Can Specify Updates to be Distributed
–Desktop Polls Distribution Server for Updates
Diagram steps (SUS Server, Local SUS Servers, desktops): 1. Poll 2. Download Applicable Update List 3. Determine What to Distribute 4. Poll & Download New Updates 5. Poll & Download New Updates

Automating the Proactive Measures: OS Patch Management
Many Commercial Products
Limiting Factor
–Student Desktops are NOT University Property
–USC Does Not Provide the Desktop OS
Patch Management
–Implement SUS as an Option for Faculty/Staff
–Implement Automatic Updates as an Option for Students

Automating Reactive Measures: Validation of Minimum Security Requirements
Flow shown on the slide:
1. User Opens Internet Browser on Workstation
2. User is Requested to Enter UserID and Password (Authentication)
3. Are Patches & A-V Software Up to Date?
–YES: Complete Connection to Internet. Re-validation will be required on a scheduled basis.
–NO: Network Access Restricted to “Remedial” Sites (Quarantine). User Instructed to Download A-V and/or OS Patches. User Installs Necessary Patches or A-V Updates, then the check is repeated: YES gives Complete Connection to Internet, NO returns to Quarantine.
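The validation flow above, written out as a decision routine. This is an added example, not code from the presentation or from USC; the policy values (14-day definition age, weekly re-validation, the placeholder patch IDs and remediation host names) are assumptions chosen to match the slides.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Policy thresholds: assumptions for this example, not USC's actual settings.
MAX_AV_DEF_AGE = timedelta(days=14)          # A-V definitions older than this fail
REVALIDATION_INTERVAL = timedelta(days=7)    # "force re-validation once a week"
# Patches the policy requires; the IDs are placeholders, not a real patch list.
REQUIRED_PATCHES = {"KB-PLACEHOLDER-1", "KB-PLACEHOLDER-2"}
# Only these "remedial" sites are reachable from quarantine (constructed names).
QUARANTINE_ALLOWLIST = ("registration.example.edu",
                        "av-download.example.edu",
                        "os-patches.example.edu")


@dataclass
class Host:
    mac: str
    authenticated: bool                    # UserID/password step passed
    av_def_date: Optional[date]            # None means no A-V software installed
    installed_patches: set = field(default_factory=set)
    last_validated: Optional[date] = None  # set when the host last passed


def posture_problems(host: Host, today: date) -> list:
    """Return the minimum-requirement failures for a host (empty list if clean)."""
    problems = []
    if host.av_def_date is None:
        problems.append("no anti-virus software")
    elif today - host.av_def_date > MAX_AV_DEF_AGE:
        problems.append("anti-virus definitions out of date")
    missing = REQUIRED_PATCHES - host.installed_patches
    if missing:
        problems.append("missing patches: " + ", ".join(sorted(missing)))
    return problems


def decide_access(host: Host, today: date) -> dict:
    """Authenticate, then validate; quarantine on failure, full access on success."""
    if not host.authenticated:
        # Before login the host can reach only the registration site.
        return {"role": "unauthenticated", "allow": [QUARANTINE_ALLOWLIST[0]],
                "reason": "login required"}
    # A host validated within the interval keeps full access until it expires.
    if host.last_validated and today - host.last_validated < REVALIDATION_INTERVAL:
        return {"role": "student-network", "allow": ["*"],
                "reason": "validation current"}
    problems = posture_problems(host, today)
    if problems:
        # Quarantine: reachable hosts limited to the remediation sites.
        return {"role": "quarantine", "allow": list(QUARANTINE_ALLOWLIST),
                "reason": "; ".join(problems)}
    host.last_validated = today
    return {"role": "student-network", "allow": ["*"], "reason": "validated today"}
```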

Validation Software Requirements
Software Solution
Compatible with NetReg and DHCP
Implement a Remediation Quarantine
Do Not Allow Network Access Unless Validated
Ideally, Isolate PCs from Cross-Infections
Redundancy
No Dependency on Particular Switch Configuration
Central or Tiered Management / Distributed Enforcement
Support for Non-Windows OSs
Automate Exception Process
Flexible Configuration of Validation Tests
Server or Network Based Licensing

Technology Options: Validation Software
Server-Based Scanning
–Nessus Scans
–Effective for Identifying Vulnerabilities
–Benefit: No Modification to Student Desktop
–Risks: Personal Firewalls Can Block Scans; Can Not Validate Security Configuration
Validation Client Software
–Can Be Configured to Validate Configuration
–Benefit: Validate Configuration
–Risks: Forcing Installation of Client on Student Desktop; Frequent False Positives; Difficult to Provide Direct Feedback to Students

Technology Options: Quarantine Implementation
DHCP Re-Direction (NetReg)
–Unauthenticated Access Starts with an IP Address with Limited Access (Registration Site, Remediation Sites)
–Once Validated, IP is Configured for Student Community Network
–Benefits: Easy to Implement
–Risks: Users Who Hard Code IP Addresses Can By-Pass Validation; Limited Validation and No “Forced” Remediation; Typically, No Quarantine for Cross-Infections
Diagram: Remediation IP Address → Authenticate & Validate → Student Network IP Address

Technology Options: Quarantine Implementation
Dynamic VLAN Assignment
–Dynamically Configures the VLAN Assignment Per Port
–Unauthenticated Access Starts in Isolated VLAN
–Once Validated, Port is Configured into Student VLAN
–Benefits: Eliminates Cross-Infection, True Quarantine
–Risks: Requires Network Infrastructure to Support Dynamic VLANs; Switch Reconfiguration Via Software; Shared Ports Can Not Be Supported
Diagram: Switch Port Configured For Isolated VLAN → Authenticate & Validate → Switch Port Configured For Student VLAN

Technology Options: Quarantine Implementation
Private VLANs
–No Communication Among Nodes on the VLAN
–Unauthenticated Access Starts in Private VLAN
–Firewall or ACLs Prevent Communication Between VLANs
–Once Validated, Port Can be Reconfigured for Community VLAN
–Benefits: Eliminates Cross-Infection, True Quarantine
–Risks: Requires Network Infrastructure to Support Private VLANs; Switch Reconfiguration Via Software
Diagram: Switch Port Configured For Private VLAN → Complete Registration → Switch Port Configured For Community VLAN

Technology Options: Quarantine Implementation
Subnet Masks
–Many Subnets, Allowing 1 Machine Per Subnet
–Unauthenticated Access Starts in Masked Subnet
–Non-Validated Role “Quarantined” by Access Control List on Router
–Benefits: Prevents Cross-Infection, No Dynamic Switch Config
–Risks: Managing Lots of Little Subnets; Can be Circumvented by Clever User
Current Plan of Record
Diagram: Access Control List Denies → Authenticate & Validate → Access Control List Allows
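The subnet-mask approach (the plan of record), as an added example that is not part of the presentation: each host gets its own /30, the router ACL permits only remediation networks for quarantined subnets, and a lease-versus-source check flags the hard-coded-address case the slide lists as a risk. The address pool, the .1 host/.2 gateway split and the Cisco-style wildcard ACL rendering are assumptions for illustration.

```python
import ipaddress

# Constructed pool: 256 /30 subnets. USC's real address ranges are not on the slides.
STUDENT_POOL = ipaddress.ip_network("10.20.0.0/22")
# Constructed remediation network reachable from quarantine.
REMEDIATION_NETS = [ipaddress.ip_network("10.99.0.0/24")]


class SubnetQuarantine:
    def __init__(self, pool=STUDENT_POOL, prefix=30):
        self.free = list(pool.subnets(new_prefix=prefix))
        self.leases = {}  # mac -> (subnet, role)

    def lease(self, mac):
        """Hand a newly seen MAC its own subnet; it starts in the quarantined role."""
        if mac in self.leases:
            return self.leases[mac][0]
        subnet = self.free.pop(0)
        self.leases[mac] = (subnet, "quarantined")
        return subnet

    def host_address(self, mac):
        """Assumption: in each /30 the first usable address is the host, the second the gateway."""
        subnet, _ = self.leases[mac]
        return list(subnet.hosts())[0]

    def validate(self, mac):
        """Validation passed: flip the role so the ACL for this subnet allows full access."""
        subnet, _ = self.leases[mac]
        self.leases[mac] = (subnet, "validated")

    def router_acl(self, remediation_nets=REMEDIATION_NETS):
        """Render one ACL entry set per subnet (Cisco-style wildcard masks, for illustration)."""
        lines = []
        for _, (subnet, role) in sorted(self.leases.items(), key=lambda kv: kv[1][0]):
            src = f"{subnet.network_address} {subnet.hostmask}"
            if role == "validated":
                lines.append(f"permit ip {src} any")
                continue
            # Quarantined: remediation networks only, everything else denied.
            for net in remediation_nets:
                lines.append(f"permit ip {src} {net.network_address} {net.hostmask}")
            lines.append(f"deny ip {src} any")
        return lines

    def source_matches_lease(self, mac, src_ip):
        """False when a frame's source IP is outside the subnet leased to its MAC,
        i.e. the host is using a hard-coded address rather than its DHCP lease."""
        subnet, _ = self.leases.get(mac, (None, None))
        return subnet is not None and ipaddress.ip_address(src_ip) in subnet
```

The mismatch check is a detection hook for the "clever user" risk: the ACL alone cannot tell a validated subnet's traffic from a host that configured itself into that subnet by hand.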

Status of the Project
Proactive Measures
–Anti-Virus Software Download
–SUS Implementation for Faculty/Staff In Progress
–Automatic Updates Configuration Download Available to Students
Reactive Measures – Validation
–Computer Services Network as Test
–Plan to Implement Perfigo CleanMachines™
–Pilot in Summer Dorms During July
–Introduce at Move-In Weekend

Expectations of Move-In
Move-In Weekend Support Should Last Two Days!
Limit Cross-Infections of New PCs
Significantly Reduce Overall Infection Incidents
Expect Increased Help Desk Calls
–New Process Will Generate More Calls
–Expect “Do I Have To….” Questions

Key Risks
“Big Brother” Image
Leading Edge Technology
New Virus or Worm Introduced That Weekend
Pre-Infected Machines
Ease of Use of the Process
End User Education

Mitigating the Risks
Focus on End User Education & Support
–“How to Connect” Brochures in Each Dorm Room
–Extensive Help Screens
–Campus Newspaper Articles
–Campus Cable TV Spot
–Support Persons Available in the Dorm
Minimize the Hassle

What We’ve Learned Thus Far
Involve the Legal Team
Minimize Modification to Student Desktops
Communicate Early & Plenty
Make Good Security as Painless as Possible
Emphasize the Benefits
–Network Availability

Next Steps
Implement the Student Network For Fall
–Scan for Vulnerabilities
–Validate Anti-Virus Software and OS Patches
–Force Re-Validation Once a Week
–Monitor Feedback Closely
If Successful,
–Implement for Campus Wireless for Spring
–Then, Begin Deployment to Faculty/Staff Subnets

References & Acknowledgements
Reference Sites