Sourcefire sensors improve college's network security

A technical resources director at Halesowen College in the West Midlands found a way to get network security on a tight budget.

With 4,000 full-time students and 4,000 more part-timers, as well as a computer population of around 1,700, Halesowen College in the West Midlands is as large as a fair-sized company.

But with scarce resources, the college's network security team has to make the best of limited budgets. For this reason, most of the security tools it uses – like firewall, Web and mail filters – are open source.

Until recently, the college used Snort, the free network intrusion detection system. According to Will Davidson, the college's technical resources director, the IDS worked very well. "The Snort boxes were really good, but they were giving us so much information, and we had a lot of false positives. It was taking a long time to sift through and find out what was happening," he said. "Our network technician, whose job it is to monitor all the security stuff, was spending two-thirds of his time sifting through the Snort logs, which was not all that productive."

Davidson and his team spent around a year looking at possible commercial alternatives that would provide better management facilities, sifting through the logs and focusing on relevant attacks.

Sourcefire Inc, which manages Snort, was an obvious starting point, but he also looked at products from both TippingPoint Technologies Inc. and Cisco Systems Inc. That exercise proved to be a frustrating experience. "We were telling the suppliers what we wanted to do, and it was only Sourcefire (and its reseller, Armana Systems of Berkshire) who really came and talked to us and explained how they could help."

The result is that Davidson now has two Sourcefire 3D sensors, one monitoring his link out to the Internet, and the other watching over the link between the college's growing wireless network and the wired LAN. Due to budget constraints, however, a Snort box still monitors traffic between the academic and staff areas of the network.

Using Sourcefire's RNA (Real-time Network Awareness) technology, in combination with the sensors, Davidson is now able to establish a baseline network inventory and then be alerted whenever anything unexpected occurs, such as a new unrecognised device appearing on the network. Data from the sensors is then fed back to the Defence Centre, which provides a single view of what is happening on the network.

The effect of installing the new systems has been dramatic, and worth the expense, he said. Because the system prioritises any threats detected by the network sensors, identifying genuine problems is now much easier. False positives are down, and the network technician's task of going through the logs is greatly reduced. "The Sourcefire box provides prioritised alerts, and it is a lot more tuneable. The job of checking logs is down to about an hour a day," said Davidson. "It sorts out what you need to know. For instance, if your Web server is running on Apache, then you don't need to know about somebody hitting it with an IIS exploit."

The sensors also help with the deployment of new applications, such as VoIP, he explained. "We are implementing wireless VoIP at the moment, and that means we have to open up some holes in the firewall to allow the VoIP traffic through from the wireless LAN on to the wired LAN to get to the VoIP server. If we just open that up by IP address, it is open to abuse, but RNA allows us to check that devices coming through to the VoIP network are what they should be. We can lock it down to a particular type of device. If someone were to use a fake IP address and a soft client, it will alert us to the fact.

"It gives us much more fine-grained control of the monitoring. It will recognise, say, if something that should be a printer suddenly starts acting like a PC [because someone is using the IP address]. And it would let us know if someone booted up one of our PCs from a live distribution of Linux [from a USB stick or CD] instead of Windows."
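The baseline-and-deviation idea Davidson describes (inventory the network, then alert on unknown devices and on hosts that stop behaving like their recorded role) can be sketched as follows. This is an added illustration, not Sourcefire code: the role profiles, inventory and flow records are constructed, and device fingerprinting is reduced to which ports a host accepts or initiates connections on.

```python
# Baseline-and-deviation check in the spirit of the RNA workflow described above.
# Added example, not Sourcefire code: all profiles, inventory and flows are constructed.

# What a host of each role is expected to do: ports it may accept connections
# on, and whether it should ever initiate connections itself.
ROLE_PROFILE = {
    "printer":    {"listen": {631, 9100}, "originates": False},
    "pc":         {"listen": set(),       "originates": True},
    "voip_phone": {"listen": {5060},      "originates": True},
}

# Constructed baseline inventory: MAC -> (expected IP, role)
BASELINE = {
    "00:11:22:aa:bb:01": ("10.1.5.10", "printer"),
    "00:11:22:aa:bb:02": ("10.1.5.20", "pc"),
    "00:11:22:aa:bb:03": ("10.1.7.30", "voip_phone"),
}

# Constructed flow records: (src MAC, src IP, port, direction), where "out" is a
# connection the host initiated and "in" is one it accepted.
FLOWS = [
    ("00:11:22:aa:bb:01", "10.1.5.10", 9100, "in"),   # printer accepting a print job
    ("00:11:22:aa:bb:01", "10.1.5.10", 445,  "out"),  # "printer" initiating SMB: not printer-like
    ("00:11:22:aa:bb:02", "10.1.5.20", 443,  "out"),  # PC browsing, expected
    ("00:11:22:aa:bb:99", "10.1.7.31", 5060, "out"),  # MAC never seen in the inventory
    ("00:11:22:aa:bb:03", "10.1.7.30", 5060, "out"),  # phone registering, expected
]

def check_inventory(baseline, flows):
    """Return sorted (alert_type, mac, detail) tuples for unknown devices,
    address changes and hosts whose traffic does not fit their baseline role."""
    alerts = set()
    for mac, ip, port, direction in flows:
        if mac not in baseline:
            alerts.add(("unknown-device", mac, ip))
            continue
        expected_ip, role = baseline[mac]
        profile = ROLE_PROFILE[role]
        if ip != expected_ip:
            alerts.add(("address-change", mac, f"{expected_ip} -> {ip}"))
        if direction == "out" and not profile["originates"]:
            alerts.add(("role-deviation", mac, f"{role} initiated a connection to port {port}"))
        elif direction == "in" and profile["listen"] and port not in profile["listen"]:
            alerts.add(("role-deviation", mac, f"{role} accepted a connection on port {port}"))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in check_inventory(BASELINE, FLOWS):
        print(*alert)
```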

Despite the purchase of the Sourcefire systems, though, most aspects of security are still managed using free or open source tools, or in-house code. The only other paid-for software is Sophos Inc.'s Puremessage for email filtering, and Sophos' Anti-virus, which is loaded on all college-owned PCs.

The college's network security is layered. Incoming mail goes through a series of checks, starting with the Anti-Spam SMTP Proxy Server (ASSP, available as a free download from SourceForge), then Gibraltar (an open source firewall based on Debian Linux), SpamAssassin/ClamAV (both open source), and finally Sophos Puremessage.

Provisioning and deprovisioning of student accounts is done with home-grown code. "As soon as the student has an ID on our student records system, we have some scripts that we knocked up in-house that detect a new enrolment and create an Active Directory account," he said.

The process creates a user name and password that are stored on the AD database ready for when the student first logs on. When a student registers via an online form, the system sends him or her an SMS message with the password in it.

The college also runs weekly scripts to compare live accounts with live enrolments. Whenever a script finds a live Active Directory account that does not match up to an enrolment, the account gets disabled.
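The enrolment-driven create-and-disable cycle described in the last three paragraphs reduces to a reconciliation between two lists. The following is an added example, not the college's scripts: the student records export and directory snapshot are constructed, directory writes are replaced by returned action lists, and the refusal threshold is an assumption added so that an empty or broken export cannot disable every live account in one run.

```python
# Enrolment-driven account reconciliation modelled on the weekly check described
# above. Added example, not the college's own scripts: records are constructed and
# directory writes are replaced by returned action lists.
from dataclasses import dataclass

@dataclass
class Account:
    username: str
    student_id: str
    enabled: bool

# Constructed export from the student records system: student_id -> status
ENROLMENTS = {
    "S1001": "enrolled",
    "S1002": "enrolled",
    "S1003": "withdrawn",
    "S1006": "enrolled",
}

# Constructed snapshot of the student OU (staff accounts are out of scope)
DIRECTORY = [
    Account("s1001", "S1001", True),
    Account("s1002", "S1002", True),
    Account("s1003", "S1003", True),   # withdrawn but still live -> disable
    Account("s1004", "S1004", True),   # no enrolment record at all -> disable
    Account("s1005", "S1005", False),  # already disabled, leave alone
]

def reconcile(enrolments, directory, max_disable_fraction=0.5):
    """Return (to_create, to_disable): current enrolments with no account yet, and
    live accounts whose student is not currently enrolled. Refuse to act when too
    large a share of live accounts would go (assumed guard against a broken export)."""
    live_ids = {sid for sid, status in enrolments.items() if status == "enrolled"}
    by_student = {acct.student_id: acct for acct in directory}
    to_create = sorted(live_ids - set(by_student))
    live_accounts = [acct for acct in directory if acct.enabled]
    to_disable = sorted(acct.username for acct in live_accounts
                        if acct.student_id not in live_ids)
    if live_accounts and len(to_disable) / len(live_accounts) > max_disable_fraction:
        raise RuntimeError(f"refusing to disable {len(to_disable)} of "
                           f"{len(live_accounts)} live accounts; check the export")
    return to_create, to_disable

if __name__ == "__main__":
    create, disable = reconcile(ENROLMENTS, DIRECTORY)
    print("create:", create, "disable:", disable)
```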

Before being allowed access to the wireless network, students wanting to bring in their own machines must have them checked for electrical safety and AV protection. "It is a completely untrusted and dirty network where we allow anything on it, but we monitor it and take action against anything bad that happens," said Davidson.

The network can be accessed via a captive portal, running, you guessed it, on another piece of open source software called m0n0wall. The software checks that users have valid Active Directory accounts.

Applications such as Instant Messenger or Skype are banned on the network, and Davidson said a combination of Sophos Puremessage and the Sourcefire RNA is effective in enforcing that policy – by stopping their installation in the first place, and then detecting any such traffic that did manage to reach the network.

Spending money on commercial software is obviously something that an educational establishment such as Halesowen does not do lightly, but Davidson said the payback has been easy to identify. Apart from saving so much time in analysing system logs, the Sourcefire system produces a variety of reports to help Davidson and his team do their jobs.

"At an operational level, it allows you to look at individual flows, and really low-level stuff," he said. "Then at a slightly higher level, you might want to see the top 10 attacks, for instance. Or who are the top attackers, and the top attacked hosts.

"You can also archive attack information to build up a folder on the attack so you can protect yourself better if it occurs again. It's really very flexible and really tells you what you need to know, rather than having to hunt for the needle in the haystack."

And all that information is useful when he has to report monthly on how well they are doing, and how many attacks they have beaten off. "It just cuts down the time we have to spend on analysis, so people can get on with other more productive work."
