Universities and college IT departments are walking a tightrope between keeping their network secure and maintaining academic openness. A number of educational establishments in the US are getting tough - with the students themselves.
The recent intrusions on supercomputers at leading US research universities highlight the growing problem of college campuses struggling to maintain academic openness while protecting staff and students from internet-borne viruses and malicious hackers.
Schools are being pinched by a steady stream of worms and viruses, tough privacy regulations and lawsuits targeting student file swappers. In response, colleges are investing in a wide range of security technology and looking at ways to lock down campus networks, all without stifling students and faculty.
With large, heterogeneous networks and a diverse user population of students, faculty and staff, colleges and universities have become rich targets in recent years for malicious hackers, viruses and worms, according to one IT security expert. "Universities are an extreme example of what businesses are facing," said John Bingham, president of security technology company Intrusic.
A security advisory released by Stanford University earlier this month told how attackers hijacked user names and passwords for multiuser Linux and Solaris machines, often by sniffing information when users connected to those machines from other compromised systems. Attackers also took advantage of shared folders, which were loosely secured by the universities to make it easier to manage systems and share data processing tasks between machines.
Many campus networks are designed to serve as internet service providers, facilitating access for users, rather than protecting information assets, like more closed and segmented corporate networks, Bingham said.
That is a problem that IT staff at Boston College are weighing, according to David Escalante, director of computer policy and security at the college.
"Our current network is architected ... to pass information from A to B as quickly and efficiently as possible - from student to student, or faculty to student, to the internet, wherever," he said. Unfortunately, that architecture also amplifies the effects of malicious network activity caused by worms and viruses, he added.
Wayne State University in Detroit faced a similar problem on 11 September last year, when six compromised machines on the campus network launched a co-ordinated denial-of-service (DoS) attack that flooded the campus network with traffic and prevented communication to or from the university, said Patrick Gossman, director for academic technologies at the university.
IT administrators had to shut down entire parts of the campus network and work for more than a week to recover from the attack. IT staff at the university had no idea how the DoS programs got installed on the campus network. And, despite an official investigation from the FBI, university officials still do not know who was responsible for the attack.
Part of the challenge faced by universities comes from a new generation of mobile and tech-savvy students, according to administrators. "You've got people bringing laptop computers that are infected on campus, and it's hard to detect those unless something goes wrong," Gossman said.
Boston College is encouraging students to move to portable laptop computers, which can be carried back home over break and during summer recess, Escalante said. Unfortunately, that mobility also increases the machines' exposure to internet threats, through unprotected connections at home. "Students are leaving and coming back to campus six times a year for a week or more and we don't know what their computers are doing when they're gone," he said.
At the same time, colleges have been reluctant to use network firewalls to block malicious traffic, fearing that such products would also prevent legitimate activities and research by other members of the university community.
"People at research institutions want to be able to do whatever they need to in order to complete their research. There's a historical attitude on the part of higher education and higher ed networking to support that," he said.
To combat malicious activity without squelching other network traffic, IT staff at Boston College are putting tougher demands on students to clean up compromised machines, and have begun using home-grown tools to quarantine infected systems and prevent them from accessing the rest of the campus network.
"We used to say 'You've got a problem with your computer, please do something about it.' Now we're saying 'You've got a problem, do something about it or your computer will stop working'," Escalante said.
Boston College is also considering deploying intrusion prevention systems (IPS), such as those made by Top Layer Networks and Foundry Networks, which can look deep inside network traffic and spot malicious behaviour or DoS attacks, while letting legitimate traffic through. "We're hopeful that [IPS] will block things we know are bad, but not everything else in the world, so people can continue to do research," he said.
A similar balancing act between security and academic freedom has to be struck when dealing with the problem of spam, as well as viruses and worms that often hide in e-mail messages, IT administrators said.
The University of Georgia processes around 900,000 incoming e-mail messages each day, frequently flagging more than 60,000 virus-infected messages from that traffic, said Stan Gatewood, chief information security officer at the university.
A complex system of more than 150 separate e-mail servers on campus complicated the job of protecting the university from those inbound threats, he said. It began using a secure messaging product by Mirapoint in May, 2003, consolidating three departments on Mirapoint's messaging platform, which provides traditional groupware features such as web-based e-mail access, group calendars, address books and to-do lists with integrated antispam, antivirus and content filtering.
Still, the university is treading carefully as it tries to stem the tide of junk mail and viruses. "One person's junk mail is another person's academic freedom," Gatewood said.
Almost every IT administrator interviewed for this story mentioned the need to manage the demands of different interest groups on campus as a major challenge.
"You need to build consensus," said Gatewood. "The adage 'build it and they will come' doesn't work well in higher ed. There are committees on campus that we need to court, legal and internal auditors to ... check for compliance, an executive management team, a security and ethics committee."
Tight budgets for IT administration and a diversity of users also force colleges and universities to put a premium on security products, such as appliances, that are easy to manage, that can consolidate multiple functions in a single box, and that make provisioning different kinds of users simple, said IDC research manager Robert Mahowald.
IT security products for mail and the network perimeter are also helping college campuses address a raft of new privacy laws that affect on-campus activities, as well as persistent legal pressure from the private sector over illegal activity on campus networks, IT administrators said.
"One of my real concerns right now is our ability to keep up with the increasing numbers of state and federal laws that we have to be aware of," said Gossman of Wayne State. "There's a lot you have to do with privacy and confidentiality, and non-compliance carries with it liability."
US colleges and universities have long had to contend with the Family Educational Rights and Privacy Act of 1974. Today, they are also wrestling with the implications of new laws such as the Health Information Privacy and Accountability Act of 1996, which governs student, faculty and employee health information, and the Gramm-Leach-Bliley Act of 1999.
IT staff at Wayne State are addressing those regulatory issues and also fielding around six complaints a week from the Recording Industry Association of America (RIAA) and the Motion Picture Association of America (MPAA) about illegal hosting of copyrighted material on the university's network, Gossman said.
The combination of legal, regulatory and security pressures facing college and university networks is forcing many institutions to turn to many of the same technologies that corporations have long used to protect their network assets.
In recent years, Wayne State has deployed a network firewall by NetScreen Technologies and intrusion detection system (IDS) technology to spot threats in inbound network traffic. IT staff are also scanning within the university network to spot open communications ports on systems that may pose security risks or signal compromise, Gossman said.
"If we didn't have IDS to stop the port scanning and a firewall, we'd have a lot more problems than we have today," he added.
The University of Georgia is also using IDS at the network perimeter and, like BC, is looking at IPS technology. Administrators have also deployed desktop firewalls and antivirus protection, Gatewood said.
To squelch illegal downloads of copyrighted materials and preserve campus network bandwidth, many colleges and universities, including Boston College and Wayne State, use so-called "packet shaping" technologies that cap the amount of bandwidth students can use during certain hours.
To make it easier to control virus and worm outbreaks within the campus networks, many colleges and universities are also segregating student dorms onto "untrusted" residential networks that are distinct from the "trusted" campus network containing critical administrative systems, Escalante said.
Despite the growing pressure on campus networks, most IT administrators interviewed for this article said that there has been a sea change in thinking about IT security in recent years.
"Just the fact that colleges and universities accept IT security is a big deal. I remember a time when it was not accepted or wanted or needed. Now it's received with open arms," Gatewood said.
Paul Roberts writes for IDG News Service
This was first published in April 2004