Securing The Campus

January 29, 2004

Network Computing

At a time when most water-cooler talk revolves around 'How many Mydoom-infected e-mails did you delete this morning?', it's interesting to learn how other institutions have been working to prevent such infections. Here, Thomas Danford, associate provost and CIO at the University of Dayton, discusses securing his campus.

Like every institution of higher learning, the University of Dayton needs to provide open network access to students, faculty, and staff. But because Dayton is one of the most wired campuses in the country, that openness makes the college especially vulnerable to attacks that bypass the firewall and permeate the network.

All housing at Dayton offers high-speed Internet access, and there are about 10,500 workstations and 283 servers on campus. Our experience with the Code Red virus demonstrated that just five infected machines could overwhelm the core campus router. Before we implemented a more permanent solution, our only valid strategy was to apply patches before a server or workstation was allowed on the network--obviously a labor-intensive process. We also had no way to assess whether the network was infected or under attack.

Peer-to-peer file sharing--popular with students who like to download music and video files--presents additional legal, security, and bandwidth-abuse issues.

One of the fast-emerging areas in information security is automated intrusion prevention. It was clear our patchwork process for deflecting intrusions wasn't working, so late last year we began planning for an automated security initiative to detect suspicious activity and block it. Further, we wanted to easily manage the process using existing staff and install security capabilities for existing and future threats.

Last December, we installed TippingPoint Technologies Inc.'s UnityOne Intrusion Prevention Appliance, a high-speed device that blocks malicious traffic at gigabit speeds and incorporates peer-to-peer piracy-prevention capabilities. As soon as the device was installed, our staff could immediately see attacks being blocked on the security-management console's attack log. The university now prevents more than a million network threats every month, including worms and viruses, using this technology. With new security filters, we can keep the intrusion-prevention capabilities up-to-date, protecting the network from exploits on the most-recent vulnerabilities. These security filters protected us from the recent Blaster worm--also known as Sobig or LovSan--and its variants.

We also took an automated approach to the drag on network traffic caused by peer-to-peer file sharing. We had the option to block P2P traffic completely or let students retrieve shared files from outside the university network while blocking outsiders from retrieving shared files located within our systems. We chose the latter course. But the point is that we had the tools to manage P2P traffic according to our own policies. We now augment our bandwidth availability by blocking more than 1 million illegitimate, nonuniversity file shares per month. Our peak rate of bandwidth consumption used to be roughly 30 Mbps. But when we blocked one-directional peer-to-peer traffic and installed bandwidth management, the rate fell to 17 Mbps within the first 30 minutes, giving us a 43% increase in bandwidth availability.

This solution has protected our critical systems and core data paths to the Internet through three massive nationwide attacks. Our next steps will be to deploy smaller devices to protect specialty subnets attached to the university network, and to continue to develop forensic capabilities and management features that will protect and benefit our educational environments.
