EDUCAUSE Security 2006 Internet Security@JBU John Brown University

Upload: todd-curtis

Post on 24-Dec-2015

EDUCAUSE Security 2006

Internet Security@JBU

John Brown University

John Brown University

“John Brown University is a private, Christian university with more than 1,900 students from all over the U.S. and around the world. JBU offers more than 50 undergraduate degrees, including cutting-edge programs such as Digital Media Arts, along with liberal arts programs such as English and history.”

Campus Population

• 1200+ undergraduate students
  • 900 on campus
• 200+ graduate students
• 400+ Adult Degree Completion Students
• 350 Faculty and Staff

Campus Network View

Campus Computers & Network

• Computing Infrastructure
  • 300 Computers in Student Labs
    • 3 Open Labs
    • 7 “Specialty” Labs
  • 500 Office Computers
  • 800 Student Computers
• Network
  • 1 Gbit Fiber Backbone
  • 100 Mbit cat 5 to desktops
  • About a dozen WiFi (802.11g) “Hotspots”
  • 9 Mbit Fiber to our ISP

Network Services

• File and Print Servers
• Several Web/FTP Servers
• Exchange Email Server
• LAN-LAN VPN to 4 Remote Sites
• Multiple Database Servers
• AS400 for Administrative Applications

Our Problems

Whatever happens is our fault

Server Farm
• Patch for Vulnerability
• Packet Filtering Firewall

Our Students
• Bring in Infected Machines
• Need to protect us from students
• Need to protect students from each other

JBU Clients
• Patch for Vulnerability
• Host Based Anti-Virus

Fall 2003: “That Semester”

• Nachi and Blaster Worms (July 2003)
• Infection Vectors - Students moving in to the dorms bring in Infected Machines
• Network Impact - Spread like wildfire
• Solution
  • Disconnect Students from the Network
  • JBU Staff went to the dorms to scan and patch computers
  • Not Fun

2004 – Access Control Server

• Automated Scans for vulnerabilities
• Automated Scans for worm activity
• Enforce Patch and AV Requirements
• Reports with Instructions and links to ….
• Web Site with files
  • Patches
  • Virus Scanners
• Students mostly take care of themselves
• Much Nicer!
• 2004 - 2005 - Minimal problems (with Sasser)
• 2005 – 2006 - It’s not over, yet

Internet Security – more to do

• NAT Protects Clients
• Email Protection helps a lot
  • Anti-virus scan
  • Quarantine attachments
• Enforcing Patches helps a lot
• Client anti-virus helps a lot, but …
  • Have to keep up with updates
  • Not perfect
• Need to complement the Host Based Anti-Virus and Access Control Agent
  • Intrusion Detection and Prevention for Zero Day Exploits

Upgrade & Enhancement Dilemma

• We had a “Sniffer” Content Filtering Solution
  • Allows traffic until it categorizes it
  • Potential to miss traffic in high traffic times
• Or - it can be installed as a Proxy
  • Requires Client Configuration
  • Caused problems with some HTTPS sites
• Content Filter is Fairly Expensive
• No budget for Firewall upgrade

Evaluation Process

• Integrated Solution for – Firewall, Content Filtering, AV and IDS/IPS
• Started looking at following solutions
  • SonicWall
  • iPolicy
• Either could be purchased for what we had budgeted for the Web Filter

We Selected iPolicy

• We liked both
• iPolicy
  • Central Management of multiple firewalls (Separate Firewall and Management Hardware)
  • Integrated Content Filter uses the SurfControl database
  • Gartner “Magic Quadrant for Network Firewalls” report was a plus
  • Higher Bandwidth rating for similar cost
  • Liked commitment to add services while maintaining performance
  • Technical people impressed us

Results

• We replaced our Firewall and Web Content Filter with one appliance, for a comparable price.
• Gained IDS/IPS
• We kept our separate Bandwidth Manager

Experience

• Firewall configuration is easy and effective
  • Easy to take care of behavior anomalies like infected client machines generating SMTP traffic
• Performance – we run with our Internet connection pegged much of the time – performance is not a problem
• The Web Content Filter works well
  • Configuration is simple
  • Filtering is as accurate as it was with SurfControl

Experience

• Easy to turn On/Off IDS/IPS signatures
  • Over 2400 signatures
  • Flood Signatures which still need to be tuned
• Incoming and Outgoing IDS/IPS can detect and block …
  • Worm activity
  • Bot activity

IDS/IPS: more than buying a box

• We don’t know all the threats
• We used iPolicy recommended settings
• False positives happen
  • Thresholds for flood/DoS signatures need to be tuned
  • Some of the alerts are for older vulnerabilities

Summary

• We like the iPolicy Product
• We need to learn more to use it well
• We really want IDS to be like AV products today
  • Pretty much install, set and forget
  • I know – AV is an easier problem
• We look forward to Virus Scanning of Internet traffic

Questions

http://Faculty.jbu.edu/RTWest