Medium Educational Institution


Davis State University is a liberal arts school in Pittsburgh, Pennsylvania. Each of the 2300 undergraduate and 400 graduate students is required to have a personal computer. The school employs 500 faculty and staff, has 3 computer labs, and maintains approximately 50 different servers. The students use a T3 Internet connection, and there is a T1 reserved for the faculty and administrators (see Figure 11-7).

Figure 11-7. Initial Davis State Network Configuration


The school is faced with two problems that are proving difficult to solve. The first is that a number of other colleges and universities have recently had very public breaches in their computer security. Specifically, several incidents in the news have reported confidential student data and test scores stolen. The major donors and alumni are pressuring the senior administration to make sure this doesn't happen at Davis State.

The second problem is that a T3 Internet connection should be more than sufficient for 2700 students, but it's not proving to be so. The school IT staff found that the T3 is saturated with traffic that has nothing to do with education. So much traffic is generated by peer-to-peer file-sharing applications, Internet game servers, and software file servers that the T3 is almost unusable for legitimate purposes. Furthermore, the IT staff is concerned that the school might be held liable for any copyrighted material the students download using school networks.

Davis State's tiny information security team determines that an IPS can mitigate both problems.

Limiting Factors

An IPS might be able to mitigate the two problems, but it has to operate under certain restrictions:

  • The school takes a very permissive approach to computer security. The students pay a quarterly fee to use the school computing resources. Davis State administrators feel that if students are paying for a service, they should be able to use it for pretty much whatever legal purpose they want.

  • Educational institutions generally believe in a free exchange of information, and Davis State is no exception. For the most part, computer security should not curtail information exchange.

  • The students and faculty have complete control over their own systems. They can install and use whatever software they want. At the same time, the school has no way to mandate that a particular software package be installed.

Security Policy Goals

Davis State doesn't have much of a security policy, but it does maintain a list of high-level security guidelines. At the request of the administration, two guidelines were added:

  • A best effort must be made to prevent theft of confidential student data.

  • Davis State IT can restrict (not prevent) the use of certain types of applications such as peer-to-peer file sharing, game servers, and software file servers.

HIPS Implementation

Davis State used the goals and limiting factors to come up with a high-level HIPS deployment plan. The plan defined the following:

  • Target hosts

  • Management architecture

  • Agent configuration

Target Hosts

The students and faculty have complete control over their own machines. They can install whatever software they want, change their system configuration at will, and attach new systems to the network. The school IT department has no way to forcibly deploy HIPS to any student or faculty host. Thus, a HIPS at Davis State cannot solve the bandwidth problem.

The IT department can, however, deploy agents on the machines they administer. Those machines include the servers that store confidential student information. There are only a few of them, but they all will have agents to help achieve the confidentiality goal.

Management Architecture

The single-server management architecture is more than sufficient for the limited number of agents to manage at Davis State. The team elects to install the management server software on a powerful workstation computer.

Davis State has a central IT department, but most of the server administration is decentralized. Departments have their own IT personnel to administer the department's computing resources. Student confidential data is kept on servers administered by a number of different departments. The deployment team decides to create a HIPS administrative account for each department. The accounts are limited so that each administrator can configure only the agents belonging to his or her department.

Agent Configuration

The agents on the servers are to have a very restrictive configuration. Usually, a restrictive policy requires a great deal of ongoing management. In this case, the servers that store student data run only a few applications, and those applications change very infrequently.

The central IT department creates the initial agent configuration. Each application on the servers has its own custom policy. The policy allows the application to perform only the functions it must in order to work correctly. When the agent is deployed and tuned, the central IT department turns administration over to the departmental administrators. To make sure that the departments don't change the policy too much, the central IT security team periodically checks the status of the policy on each server.
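The management and agent-configuration decisions above (one management server, department-scoped administrator accounts, a per-application policy that grants only what the application needs, and central IT's periodic check that departments have not loosened the policy) can be modelled in a few dozen lines. The following is an added illustration, not code from the book or from any HIPS product; the hosts, departments, paths, ports and the `ManagementServer` API are all assumptions.

```python
"""Constructed model of the Davis State HIPS plan: per-application
allow-list policies on the student-data servers, department-scoped
administrator accounts, and a periodic policy drift check.
All host names, departments, paths and ports are assumptions."""
from dataclasses import dataclass, field
from copy import deepcopy


@dataclass(frozen=True)
class AppPolicy:
    """'Only what the application needs' policy for one program."""
    name: str
    read_paths: frozenset      # directory prefixes the app may read
    write_paths: frozenset     # directory prefixes the app may write
    listen_ports: frozenset    # TCP ports the app may listen on


def allowed(policy: AppPolicy, action: str, target) -> bool:
    """Decide whether an observed action by the application is permitted.
    Anything the policy does not explicitly grant is denied (default deny)."""
    if action == "read":
        return any(target.startswith(p) for p in policy.read_paths)
    if action == "write":
        return any(target.startswith(p) for p in policy.write_paths)
    if action == "listen":
        return target in policy.listen_ports
    return False


@dataclass
class ManagementServer:
    """Single management server; agents and admin accounts are scoped by department."""
    agents: dict = field(default_factory=dict)    # host -> {"dept", "policies"}
    admins: dict = field(default_factory=dict)    # user -> department
    baseline: dict = field(default_factory=dict)  # host -> policies as tuned by central IT

    def register_agent(self, host, dept, policies):
        self.agents[host] = {"dept": dept, "policies": {p.name: p for p in policies}}
        # Snapshot the tuned policy before handing administration to the department.
        self.baseline[host] = deepcopy(self.agents[host]["policies"])

    def update_policy(self, user, host, policy):
        """Departmental admins may change only their own department's agents."""
        if host not in self.agents:
            raise KeyError(host)
        if self.admins.get(user) != self.agents[host]["dept"]:
            raise PermissionError(f"{user} may not configure {host}")
        self.agents[host]["policies"][policy.name] = policy

    def drift_report(self):
        """Central IT's periodic check: which hosts no longer match the tuned baseline?"""
        drifted = {}
        for host, agent in self.agents.items():
            base = self.baseline[host]
            changed = [n for n, p in agent["policies"].items() if base.get(n) != p]
            changed += [n for n in base if n not in agent["policies"]]
            if changed:
                drifted[host] = sorted(changed)
        return drifted


def demo():
    """Walk through enforcement, account scoping and drift detection."""
    ms = ManagementServer()
    ms.admins.update({"alice": "registrar", "bob": "financial-aid"})  # assumed accounts
    grades_db = AppPolicy("grades-db",
                          frozenset({"/var/lib/grades/"}),
                          frozenset({"/var/lib/grades/", "/var/log/grades/"}),
                          frozenset({5432}))
    ms.register_agent("registrar-db1", "registrar", [grades_db])
    # Enforcement: a read inside the data directory is fine; a write outside it is not.
    ok = allowed(grades_db, "read", "/var/lib/grades/2008/fall.db")
    blocked = allowed(grades_db, "write", "/etc/passwd")
    # Scoping: bob (financial-aid) cannot touch a registrar agent.
    try:
        ms.update_policy("bob", "registrar-db1", grades_db)
        scope_enforced = False
    except PermissionError:
        scope_enforced = True
    # Alice loosens the read allow-list to "/"; the periodic check flags the host.
    loosened = AppPolicy("grades-db", frozenset({"/"}),
                         grades_db.write_paths, grades_db.listen_ports)
    ms.update_policy("alice", "registrar-db1", loosened)
    return ok, blocked, scope_enforced, ms.drift_report()


if __name__ == "__main__":
    print(demo())
```

The drift report is what makes the hand-over to departmental administrators safe in practice: central IT does not need to read every policy, only the list of hosts whose policy differs from the baseline it tuned.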

NIPS Implementation

With the open nature of the university network (and the lack of control over students' systems), Davis State University decides to focus on a strong NIPS deployment. By regulating traffic at the network level, it can regulate the use of applications (such as peer-to-peer software) without having to directly modify the students' computers.

Sensor Deployment

Davis State University decides to deploy an in-line NIPS sensor at their Internet perimeter (the T3 line). This in-line sensor is configured to drop peer-to-peer traffic using pre-installed signatures. By limiting peer-to-peer traffic, the university hopes to enable everyone to have adequate bandwidth to access the Internet (see Figure 11-8).

Figure 11-8. Final Davis State Network Configuration


It also decides to deploy an in-line IPS sensor to monitor access to the server VLAN and the administrative network. These sensors limit access to the servers and administrative network, as well as log connections to the administrative network.

It also decides to promiscuously monitor other network segments so that it can quickly identify malicious activity on the network. It decides not to use in-line monitoring at these locations because of the open nature of the university.

Promiscuous Monitoring

Sensors running in promiscuous mode detect intrusive activity by examining traffic received on one of their monitoring interfaces. Usually, this requires directing a copy of the network traffic being analyzed to the sensor's monitoring interface. Unlike in-line sensors, sensors operating in promiscuous mode can react only after they have analyzed a copy of the traffic, so at least the initial attack packet always reaches the target system.
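The difference between the two placements chosen above (the in-line sensor on the T3 that drops peer-to-peer traffic by signature, and the promiscuous sensors that see only a copy of traffic) shows up clearly in a small simulation. This is an added example, not code from the book or from any sensor product; the packets, hosts and flows are constructed, the reactive block in promiscuous mode is an assumed response, and the one "pre-installed" signature is the publicly documented BitTorrent peer-wire handshake prefix.

```python
"""Constructed simulation of in-line versus promiscuous sensor behaviour.
Traffic, hosts and the reactive block are assumptions for illustration."""
import re

# The BitTorrent peer-wire handshake starts with a 0x13 length byte followed
# by the protocol string. It stands in here for a pre-installed P2P signature.
SIGNATURES = {
    "p2p-bittorrent-handshake": re.compile(rb"^\x13BitTorrent protocol"),
}


def matches(payload: bytes):
    """Return the name of the first matching signature, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(payload):
            return name
    return None


def inline_sensor(packets):
    """In-line: every packet passes through the sensor, so a matching packet,
    and every later packet of the same flow, is dropped before reaching the target."""
    delivered, dropped, blocked_flows = [], [], set()
    for pkt in packets:
        sig = matches(pkt["payload"])
        if sig or pkt["flow"] in blocked_flows:
            blocked_flows.add(pkt["flow"])
            dropped.append((pkt["id"], sig))
        else:
            delivered.append((pkt["id"], sig))
    return delivered, dropped


def promiscuous_sensor(packets):
    """Promiscuous: the sensor analyses a copy after the original has already
    been delivered. It can only react afterwards (raise an alert and, as
    assumed here, ask another device to block the flow), so at least the
    first matching packet always reaches the target."""
    delivered, alerts, blocked_flows = [], [], set()
    for pkt in packets:
        if pkt["flow"] in blocked_flows:
            continue                      # the reactive block is now in place
        delivered.append((pkt["id"], None))  # delivered before analysis
        sig = matches(pkt["payload"])
        if sig:
            alerts.append((pkt["id"], sig))
            blocked_flows.add(pkt["flow"])
    return delivered, alerts


# Constructed traffic: a student web request, a BitTorrent session (handshake
# followed by a piece message on the same flow), then another web request.
SAMPLE = [
    {"id": 1, "flow": ("10.1.5.20", "203.0.113.10", 80),
     "payload": b"GET / HTTP/1.1\r\nHost: example.edu\r\n\r\n"},
    {"id": 2, "flow": ("10.1.5.21", "198.51.100.7", 6881),
     "payload": b"\x13BitTorrent protocol" + b"\x00" * 8 + b"H" * 20},
    {"id": 3, "flow": ("10.1.5.21", "198.51.100.7", 6881),
     "payload": b"\x00\x00\x00\x0d\x07" + b"\x00" * 8},
    {"id": 4, "flow": ("10.1.5.22", "203.0.113.10", 80),
     "payload": b"GET /syllabus.pdf HTTP/1.1\r\n\r\n"},
]


def compare(packets=SAMPLE):
    """Run both sensor models over the same traffic and summarise packet ids."""
    inline_delivered, inline_dropped = inline_sensor(packets)
    prom_delivered, prom_alerts = promiscuous_sensor(packets)
    return {
        "inline_delivered": [i for i, _ in inline_delivered],
        "inline_dropped": [i for i, _ in inline_dropped],
        "promiscuous_delivered": [i for i, _ in prom_delivered],
        "promiscuous_alerts": [i for i, _ in prom_alerts],
    }


if __name__ == "__main__":
    for key, ids in compare().items():
        print(f"{key:22s} {ids}")
```

Packet 2 never reaches the target through the in-line sensor, but it is delivered through the promiscuous one and only the follow-up packet 3 is stopped. That is exactly why the book puts the in-line sensor on the T3 (where dropping is the goal) and accepts the weaker, after-the-fact reaction on the open segments.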


NIPS Management

Davis State University decides to configure its NIPS sensors individually because it manages only a few sensors. The current IT staff is responsible for managing and configuring these new security devices on the network.
