Davis State University is a liberal arts school in Pittsburgh, Pennsylvania. Each of the 2300 undergraduate and 400 graduate students is required to have a personal computer. The school employs 500 faculty and staff, has 3 computer labs, and maintains approximately 50 different servers. The students use a T3 Internet connection, and there is a T1 reserved for the faculty and administrators (see Figure 11-7).

Figure 11-7. Initial Davis State Network Configuration

The school is faced with two problems that are proving difficult to solve. The first is that a number of other colleges and universities have recently had very public breaches in their computer security. Specifically, several incidents in the news have reported confidential student data and test scores stolen. The major donors and alumni are pressuring the senior administration to make sure this doesn't happen at Davis State. The second problem is that a T3 Internet connection should be more than sufficient for 2700 students, but it's not proving to be so. The school IT staff found that the T3 is saturated with traffic that has nothing to do with education. So much traffic is generated by peer-to-peer file-sharing applications, Internet game servers, and software file servers that the T3 is almost unusable for legitimate purposes. Furthermore, the IT staff is concerned that the school might be held liable for any copyrighted material the students download using school networks. Davis State's tiny information security team determines that an IPS can mitigate both problems.

Limiting Factors

An IPS might be able to mitigate the two problems, but it has to operate under certain restrictions:
Security Policy Goals

Davis State doesn't have much of a security policy, but it does maintain a list of high-level security guidelines. At the request of the administration, two guidelines were added:
HIPS Implementation

Davis State used the goals and limiting factors to come up with a high-level HIPS deployment plan. The plan defined the following:
Target Hosts

The students and faculty have complete control over their own machines. They can install whatever software they want, change their system configuration at will, and attach new systems to the network. The school IT department has no way to forcibly deploy HIPS to any student or faculty host. Thus, a HIPS at Davis State cannot solve the bandwidth problem. The IT department can, however, deploy agents on the machines they administer. Those machines include the servers that store confidential student information. There are only a few of them, but they all will have agents to help achieve the confidentiality goal.

Management Architecture

The single-server management architecture is more than sufficient for the limited number of agents to manage at Davis State. The team elects to install the management server software on a powerful workstation computer. Davis State has a central IT department, but most of the server administration is decentralized. Departments have their own IT personnel to administer the department's computing resources. Student confidential data is kept on servers administered by a number of different departments. The deployment team decides to create a HIPS administrative account for each department. The accounts are limited so each administrator can configure only agents belonging to his or her department.

Agent Configuration

The agents on the servers are to have a very restrictive configuration. Usually, a restrictive policy requires a great deal of ongoing management. In this case, the servers that store student data run only a few applications, and those applications change very infrequently. The central IT department creates the initial agent configuration. Each application on the servers has its own custom policy. The policy allows the application to perform only the functions it must in order to work correctly. When the agent is deployed and tuned, the central IT department turns administration over to the departmental administrators.
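The following is an added example, not code from the book or from any HIPS product, that models the management design just described: one management server, departmental administrator accounts scoped to their own department's agents, a default-deny per-application policy on each server, and the comparison against the tuned baseline that the central team's periodic check (described next) needs. Host names, departments, account names and policy rules are constructed for the example.

```python
"""Toy model of the Davis State HIPS management design (added example).

Assumptions: hosts, departments, accounts and rules below are constructed;
a real HIPS expresses policy in its own rule language, not as tuples.
"""

from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# A rule grants one application one kind of action on one target.
Rule = Tuple[str, str, str]   # (application, action kind, target)


@dataclass
class AgentPolicy:
    host: str
    department: str
    allowed: Set[Rule] = field(default_factory=set)

    def decide(self, app: str, kind: str, target: str) -> str:
        """Default deny: only actions listed for that application are allowed."""
        return "allow" if (app, kind, target) in self.allowed else "deny"


class ManagementServer:
    CENTRAL = "*"   # scope marker for central IT, which may manage every agent

    def __init__(self) -> None:
        self.agents: Dict[str, AgentPolicy] = {}
        self.admins: Dict[str, str] = {}             # account -> department scope
        self.baselines: Dict[str, Set[Rule]] = {}    # policy as tuned by central IT

    def add_admin(self, account: str, department: str) -> None:
        self.admins[account] = department

    def register(self, policy: AgentPolicy) -> None:
        """Central IT deploys the tuned policy; a copy becomes the baseline."""
        self.agents[policy.host] = policy
        self.baselines[policy.host] = set(policy.allowed)

    def can_manage(self, account: str, host: str) -> bool:
        """Departmental accounts see only their own department's agents."""
        scope = self.admins.get(account)
        if scope is None or host not in self.agents:
            return False
        return scope == self.CENTRAL or scope == self.agents[host].department

    def update_policy(self, account: str, host: str, allowed: Set[Rule]) -> None:
        if not self.can_manage(account, host):
            raise PermissionError(f"{account} may not configure {host}")
        self.agents[host].allowed = set(allowed)

    def policy_drift(self, host: str) -> Dict[str, Set[Rule]]:
        """What the periodic central check reports: rules added or removed since tuning."""
        current = self.agents[host].allowed
        baseline = self.baselines[host]
        return {"added": current - baseline, "removed": baseline - current}


def build_demo() -> ManagementServer:
    """Constructed deployment: two departments, one student-data server each."""
    srv = ManagementServer()
    srv.add_admin("central-it", ManagementServer.CENTRAL)
    srv.add_admin("registrar-admin", "registrar")
    srv.add_admin("chem-admin", "chemistry")
    srv.register(AgentPolicy("records-db", "registrar", {
        ("dbengine", "file_write", "/var/lib/db"),
        ("dbengine", "net_listen", "tcp/5432"),
        ("backup", "file_read", "/var/lib/db"),
    }))
    srv.register(AgentPolicy("chem-grades", "chemistry", {
        ("gradebook", "file_write", "/srv/grades"),
        ("gradebook", "net_listen", "tcp/443"),
    }))
    return srv


if __name__ == "__main__":
    srv = build_demo()
    db = srv.agents["records-db"]
    print(db.decide("dbengine", "net_listen", "tcp/5432"))   # allow
    print(db.decide("dbengine", "process_exec", "/bin/sh"))  # deny
    print(srv.can_manage("registrar-admin", "chem-grades"))  # False
```

The drift report is the piece that makes the hand-over to departmental administrators safe: central IT keeps the tuned baseline, so a later check can list exactly which rules a department added or removed rather than re-reading the whole policy.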
To make sure that the departments don't change the policy too much, the central IT security team periodically checks the status of the policy on each server.

NIPS Implementation

With the open nature of the university network (and lack of control over students' systems), Davis State University decides to focus on a strong NIPS deployment. By regulating traffic at the network level, it can regulate the use of applications (such as peer-to-peer software) without having to directly modify the students' computers.

Sensor Deployment

Davis State University decides to deploy an in-line NIPS sensor at its Internet perimeter (the T3 line). This in-line sensor is configured to drop peer-to-peer traffic using pre-installed signatures. By limiting peer-to-peer traffic, the university hopes to enable everyone to have adequate bandwidth to access the Internet (see Figure 11-8).

Figure 11-8. Final Davis State Network Configuration

The university also decides to deploy in-line IPS sensors to monitor access to the server VLAN and the administrative network. These sensors limit access to the servers and the administrative network, and they log connections to the administrative network. The university also decides to promiscuously monitor other network segments so that it can quickly identify malicious activity on the network. It decides not to use in-line monitoring at these locations because of the open nature of the university.
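The following is an added example, not code from the book or from any IPS product, that models the three sensor roles in the deployment above: an in-line perimeter sensor on the T3 that drops flows matching a peer-to-peer signature, an in-line sensor in front of the server VLAN and administrative network that restricts access and logs every administrative-network connection, and a promiscuous sensor on the open campus segments that can only alert. The address plan, port allow-list, signature labels and sample flows are all constructed; a real sensor would be driven by its signature engine rather than by a label on the flow.

```python
"""Toy model of the Davis State NIPS sensor placement (added example).

Assumptions: the address ranges, allowed ports and signature names are
constructed; the `signature` field stands in for a signature-engine match.
"""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Tuple

# Constructed address plan (not the university's real one).
CAMPUS = ip_network("10.0.0.0/8")
SERVER_VLAN = ip_network("10.20.0.0/24")
ADMIN_NET = ip_network("10.30.0.0/24")

# Stand-ins for the perimeter sensor's pre-installed P2P signatures.
P2P_SIGNATURES = {"bittorrent", "gnutella", "edonkey"}
# Services that general campus hosts may reach on the server VLAN.
SERVER_PORTS_ALLOWED = {80, 443}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    signature: Optional[str] = None   # label the signature engine would attach


def perimeter_sensor(flow: Flow, log: List[str]) -> str:
    """In-line on the T3: drop anything matching a peer-to-peer signature."""
    if flow.signature in P2P_SIGNATURES:
        log.append(f"perimeter DROP {flow.src}->{flow.dst}:{flow.dport} sig={flow.signature}")
        return "drop"
    return "pass"


def server_sensor(flow: Flow, log: List[str]) -> str:
    """In-line in front of the server VLAN and admin network.

    Admin network: every connection is logged and only admin-network sources
    are allowed through.  Server VLAN: only the allow-listed service ports.
    """
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if dst in ADMIN_NET:
        verdict = "pass" if src in ADMIN_NET else "drop"
        log.append(f"admin-net {verdict.upper()} {flow.src}->{flow.dst}:{flow.dport}")
        return verdict
    if flow.dport not in SERVER_PORTS_ALLOWED:
        log.append(f"server-vlan DROP {flow.src}->{flow.dst}:{flow.dport}")
        return "drop"
    return "pass"


def campus_sensor(flow: Flow, log: List[str]) -> str:
    """Promiscuous on open student segments: alert on signature hits, never drop."""
    if flow.signature is not None:
        log.append(f"campus ALERT {flow.src}->{flow.dst}:{flow.dport} sig={flow.signature}")
        return "alert"
    return "pass"


def route(flow: Flow) -> Tuple[str, Callable[[Flow, List[str]], str]]:
    """Pick the sensor that sees this flow, based on where it is headed."""
    dst = ip_address(flow.dst)
    if dst in SERVER_VLAN or dst in ADMIN_NET:
        return "server", server_sensor
    if dst not in CAMPUS:
        return "perimeter", perimeter_sensor
    return "campus", campus_sensor


def process(flows: List[Flow]) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Run each flow through its sensor; return (sensor, verdict) pairs and the log."""
    log: List[str] = []
    verdicts: List[Tuple[str, str]] = []
    for flow in flows:
        name, sensor = route(flow)
        verdicts.append((name, sensor(flow, log)))
    return verdicts, log


# Constructed sample traffic, one flow per case the design has to handle.
SAMPLE_FLOWS = [
    Flow("10.50.1.7", "203.0.113.9", 6881, "bittorrent"),     # student P2P to the Internet
    Flow("10.50.1.7", "203.0.113.10", 443),                    # ordinary HTTPS to the Internet
    Flow("10.50.1.7", "10.20.0.5", 445),                       # student to server VLAN, SMB
    Flow("10.50.1.7", "10.20.0.5", 443),                       # student to server VLAN web app
    Flow("10.50.1.8", "10.30.0.2", 22),                        # student to admin network
    Flow("10.30.0.9", "10.30.0.2", 22),                        # admin workstation to admin net
    Flow("10.50.1.7", "10.50.1.20", 445, "worm-propagation"),  # student-to-student, alert only
]

if __name__ == "__main__":
    verdicts, log = process(SAMPLE_FLOWS)
    for (name, verdict), flow in zip(verdicts, SAMPLE_FLOWS):
        print(f"{name:9s} {verdict:5s} {flow.src}->{flow.dst}:{flow.dport}")
    print("\n".join(log))
```

The last sample flow is the point of the promiscuous placement: on an open student segment the sensor still sees and reports the activity, but because it is not in-line it cannot block it, which is the trade-off the university accepted there.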
NIPS Management

Davis State University decides to configure its NIPS sensors individually because it manages only a few sensors. The current IT staff is responsible for managing and configuring these new security devices on the network.