After being stung by high-profile cases of data theft, prominent colleges and universities are in the forefront of efforts to introduce effective security to networks, while preserving the openness and unhindered use that have long characterized campus computing environments.
Security is moving to the forefront of campus IT efforts, after decades as an afterthought at schools, according to interviews with campus IT administrators. The techniques that schools are adopting could soon become commonplace on corporate networks, as well, as traditional network perimeters begin to disappear, experts say.
At Colby-Sawyer College in New London, New Hampshire, almost 1,000 students will arrive on campus this week, most with one or more computers in tow. The influx will more than double the number of systems on the campus network, which operates 50 or 60 Windows and Linux servers and around 650 desktops to support administration and other college employees, said Scott Brown, an information security analyst.
“Imagine your population of computers doubles in 24 hours, and they're all filled with spyware,” said Brown.
Administrators at Colby-Sawyer are better prepared for the onslaught this year than in the past. All students are provided with, and required to install, free copies of NOD32, a desktop antivirus software product from ESET Software, and Webroot Software Inc.'s Spy Sweeper antispyware software before they connect to the campus network.
To enforce that policy, Brown and his colleagues are using Campus Manager, a product from Bradford Networks Inc. that tracks student computers using their unique MAC (Media Access Control) address. Students who attempt to connect to the campus network are directed by Campus Manager to a virtual LAN where they can install the ESET and Webroot software. Colby-Sawyer also removes existing antivirus and antispam software from the student computers and connects the system to Microsoft's Web site to obtain the latest Windows operating system patches, Brown said.
Before giving students access to campus resources, Colby-Sawyer also uses a new CAT (client assessment tool) that scans the student computers and verifies that antivirus and spyware definitions, as well as Windows patches, are up to date.
It's a harsh approach, but students who don't wish to go through it are free to use public workstations around campus, Brown said.
The story is similar at Cornell University, in Ithaca, New York, where network administrators used home-grown technology to quarantine systems belonging to about 6,500 students who arrived on campus last week.
Before being granted network access, students must complete a computer-based registration with the university that checks for known security threats, such as administrative accounts with no password and open Windows file sharing folders, and for up-to-date operating system patches, said Steve Schuster, director of information technology security at Cornell.
During the registration process, Cornell found 720 systems that were vulnerable to compromise, and kept those systems quarantined until the problem or problems were corrected, he said.
The new automated registration system was a success. Between 90 and 95 percent of students were able to use the system to fix the problems on their computer without help from the IT department, he said.
While such draconian techniques aren't common in the corporate world, enterprise IT administrators may soon be looking to programs such as those at Cornell and Colby-Sawyer to help deal with the influx of laptop computers and other portable computing devices in their environment, said Chris Novak, a senior security consultant at Cybertrust Inc.
Many colleges and universities are asking about or implementing quarantining systems like those at Cornell and Colby-Sawyer, said Laura Koetzle, an analyst at Forrester Inc.
Campus networks are also becoming more complex, as IT administrators begin isolating sensitive administrative systems, and those governed by regulations like HIPAA and Sarbanes-Oxley, from the chaos of student residential networks, said Novak.
“Before, a lot of universities operated in a flat environment, where everything was connected to one core switch. Now we're seeing internal firewalls and VPN (virtual private network) solutions,” he said.
At Cornell, IT staff is using detailed router access control lists, or ACLs, to segregate critical assets at the University's 11 colleges, Schuster said.
For example, at Cornell's College of Veterinary Medicine, Schuster's staff worked with the College's local networking people to set up ACLs that blocked traffic from student machines and cordoned off key assets, while still allowing College staff to remotely access those systems, an approach Schuster terms “default deny.”
“It lets us block everything except what's explicitly needed,” he said.
At Colby-Sawyer, administrators are using remote access software by Citrix Systems Inc. to allow IT staff to consolidate the college's critical administrative systems.
“It's easier to patch eight computers instead of 300,” Brown said.
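The "default deny" approach described above, sketched as an added example that is not from the article or from Cornell's configuration; the subnets, ports and rule lists are constructed assumptions. It runs the same flows through an allow-list with an implicit deny and through a block-list that only names student machines, and reports what the block-list leaves exposed.

```python
import ipaddress

# Constructed addressing plan: every subnet, host and port here is an
# assumption made for illustration, not a value from the article.
STUDENT_NET = "10.20.0.0/16"   # residential network
STAFF_NET = "10.10.5.0/24"     # college staff workstations
ASSET = "10.50.1.10"           # protected server

# Rule: (action, source network, destination network, port or None for any)
DEFAULT_DENY_ACL = [
    ("permit", STAFF_NET, ASSET + "/32", 443),
    ("permit", STAFF_NET, ASSET + "/32", 22),
    # nothing else listed: evaluate() falls through to the implicit deny
]
BLOCKLIST_ACL = [
    ("deny", STUDENT_NET, ASSET + "/32", None),
    ("permit", "0.0.0.0/0", ASSET + "/32", None),  # everything else allowed
]

def evaluate(acl, src, dst, port):
    """Return the action of the first matching rule, or 'deny' if none match."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net, rule_port in acl:
        if (s in ipaddress.ip_network(src_net)
                and d in ipaddress.ip_network(dst_net)
                and rule_port in (None, port)):
            return action
    return "deny"

def exposure_gap(flows):
    """Flows the block-list lets through that the default-deny list drops."""
    return [f for f in flows
            if evaluate(BLOCKLIST_ACL, *f) == "permit"
            and evaluate(DEFAULT_DENY_ACL, *f) == "deny"]

FLOWS = [  # constructed sample traffic
    ("10.10.5.7", ASSET, 443),     # staff, needed service
    ("10.10.5.7", ASSET, 3389),    # staff, service nobody asked for
    ("10.20.3.4", ASSET, 443),     # student machine
    ("192.168.77.9", ASSET, 445),  # segment no rule mentions
]

if __name__ == "__main__":
    for flow in FLOWS:
        print(flow, evaluate(DEFAULT_DENY_ACL, *flow), evaluate(BLOCKLIST_ACL, *flow))
    print("gap:", exposure_gap(FLOWS))
```

Both lists stop the student machine; only the allow-list also stops the unlisted segment and the unrequested service.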
Still, colleges and universities will always have a different approach to network security than for-profit companies, which must put a premium on network security to protect corporate assets and reputation, experts agree.
“Corporate IT has security paranoia, because they know they have proprietary information … that demands secrecy. But most university students don't have that level of paranoia, and don't see security as a big concern,” Novak said.