IT Security at the University of Wisconsin Green Bay - PowerPoint PPT Presentation

Slides: 25
Provided by: Kie9

1
IT Security at the University of Wisconsin -
Green Bay
  • David Kieper
  • Manager, Networks and Infrastructure Services
  • IT Security Officer
  • kieperd_at_uwgb.edu

2
University of Wisconsin Green Bay
  • Students 4500 FTE, 5400 head count
  • Faculty/Staff 700
  • Campus is 35 years old
  • 750 acre campus on Bay of Green Bay
  • On campus housing for 2100 students

3
Background on Campus Infrastructure
  • Campus Network
  • 2300 Wired 10/100 mbit ports
  • Minimal wireless (support both encrypted and
    open, Lucent/HP access points)
  • Extreme Blackdiamond Core Switch
  • Extreme Summit 5i and 3Com 4900sx gigabit
    aggregation switches
  • 3Com 3300 and HP 2524 Edge switches
  • Checkpoint SVN-1 for firewall, network
    authentication, VPN, and bandwidth control

4
Background on Campus Infrastructure
  • Student Housing Network (ResNet)
  • 2100 students (one port per pillow)
  • 10/100 megabit service
  • 3Com 3300fx 100FX aggregators
  • 3Com 3300 edge switches
  • No client install (TCP/IP dial tone service)
  • DHCP
  • NAT to Internet

5
Question
  • Where does everyone in Chicago go when there is a
    tornado warning???
  • Soldier Field. There has not been a touchdown
    there in 30 years

6
(No Transcript)
7
Overall Defenses (Desktop)
  • Computing controls all campus workstations and
    does software refreshes and updates
  • Ghost cloning for all core OS/software install
  • Windows XP mandatory policies to lockdown
    desktops and block certain executables
  • Windows Software Update Service (Win XP)
  • Anti-virus software (NAI Viruscan/Virex)
  • Workstation replacement plan ensures no
    workstation is more than four years old
  • Accurate inventory
  • Training for desktop environment developers

8
Overall Defenses (Network)
  • Firewall (Checkpoint SVN-1) between
    campus/residence life/open networks and the
    Internet
  • VLANS to separate/segregate traffic
  • Access lists at core switch to separate housing
    network from campus network
  • Access lists at core switch to stop known attack
    vectors
  • Accurate network records
  • Open access network use is authenticated via the
    firewall (LDAP)
  • Training for network administrators

9
Overall Defenses (Server)
  • Predominately Windows 2003 (some 2000, one Linux)
  • Security policies to lockdown servers
  • Kept up to date on patches
  • Anti-virus software on all systems
  • Firewall only allows specific protocols to/from
    the Internet
  • Training for Windows server administrators
  • eEye Retina for Intrusion Testing

10
Overall Defenses (Housing Network)
  • Residence Life broke up into 38 VLANS
  • Quarantine Network for Infected Computers (new
    for 2004)
  • NAT for Residence Life Network
  • Distribution lists for each of the 25 housing
    buildings
  • Use Residence Assistants (RAs) for distribution

11
Overall Defenses (Other)
  • McAfee Anti-virus software subscription for
    faculty/staff/student personal computers
  • Warning flyer and email to students/staff
  • Keeping campus informed when outbreaks are
    occurring in the wild
  • Policies
  • Acceptable Use
  • No Servers (games or otherwise)
  • Network General Distributed Sniffer

12
Detection Methods
  • Firewall logs
  • Log all sessions to/from campus to Internet
  • Look for large numbers of similar sessions (i.e.,
    SMTP or RPC) from an address to many different
    Internet addresses
  • Attempts by residence life network users to
    address into reserved areas of campus class B
    space
  • Sniffer (high bandwidth users, ARPs to illegal
    addresses)
  • Scan software (eEye, Microsoft)
  • Server event logs for specific attack information
  • McAfee E-Policy Orchestrator provides central
    virus reporting database
  • Network Monitoring (Openview, Servers Alive)
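
Added example (not part of the original slides): the firewall-log checks listed above, run over a constructed session log. The log line format, the address ranges, and the threshold of 20 destinations are assumptions made for this sketch, not values from the presentation.

```python
import ipaddress
from collections import defaultdict

WATCH_PORTS = {25: "SMTP", 135: "RPC"}                 # services named on the slide
HOUSING_NET = ipaddress.ip_network("10.20.0.0/16")     # assumed housing (ResNet) range
RESERVED = [ipaddress.ip_network("172.16.250.0/24")]   # assumed reserved campus block

# Constructed sample log, one session per line: "time src dst proto/dport"
SAMPLE_LOG = "\n".join(
    [f"2004-09-01T02:00:{i:02d} 10.20.3.7 198.51.100.{i} tcp/135" for i in range(1, 41)]
    + ["2004-09-01T02:01:00 10.20.5.9 203.0.113.25 tcp/25",
       "2004-09-01T02:01:05 10.20.5.9 203.0.113.25 tcp/25",
       "2004-09-01T02:02:00 10.20.8.4 172.16.250.10 tcp/445",
       "garbage line"])

def parse_sessions(text):
    """Yield (src, dst, dport) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or "/" not in parts[3]:
            continue
        try:
            src, dst = ipaddress.ip_address(parts[1]), ipaddress.ip_address(parts[2])
            dport = int(parts[3].split("/", 1)[1])
        except ValueError:
            continue
        yield src, dst, dport

def find_fanout(sessions, threshold=20):
    """Return {(src, service): n} for sources reaching >= threshold distinct hosts."""
    seen = defaultdict(set)
    for src, dst, dport in sessions:
        if dport in WATCH_PORTS:
            seen[(str(src), WATCH_PORTS[dport])].add(dst)
    return {k: len(v) for k, v in seen.items() if len(v) >= threshold}

def find_reserved_probes(sessions):
    """Return sorted (src, dst) pairs where a housing host addressed a reserved block."""
    hits = {(str(s), str(d)) for s, d, _ in sessions
            if s in HOUSING_NET and any(d in net for net in RESERVED)}
    return sorted(hits)

SESSIONS = list(parse_sessions(SAMPLE_LOG))

if __name__ == "__main__":
    print("fan-out:", find_fanout(SESSIONS))
    print("reserved-space probes:", find_reserved_probes(SESSIONS))
```

Counting distinct destinations rather than raw sessions keeps a mail client that talks repeatedly to one relay out of the results.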

13
Firewall Features
  • No outside initiated access to desktops for
    campus or housing networks
  • Stateful packet inspection to track negotiated
    sessions (i.e., RPC)
  • Only specific protocols to AND FROM each server
  • Bandwidth limit unknown sessions (100
    kbits/second)
  • Log all sessions (15-20 million/day)

14
Campus Network - The Damage (Aug, 2003)
  • 100 out of 1500 workstations hit by Nachi
  • Viruscan not up to date
  • Not all recloned to Win 2K, SP3
  • Network performance impaired (ARP traffic)
  • Two Sources
  • Laptops at home for the summer came back infected
  • Embedded PC system (solar monitoring kiosk with
    an opening through firewall to vendor whose own
    network became infected)

15
Campus Network - Enhancements
  • Weekly wakeup
  • Wake on LAN on Sunday, 1 am
  • Apply Windows updates (SUS)
  • Shutdown at 6 am
  • Periodic scanning for unpatched/infected
  • More diligent on software updates, patching clone
    images, verifying patch status
  • Review firewall to reduce holes to external
    providers

16
Campus Network - Enhancements
  • Anti-virus DAT updates checked for hourly by
    E-Policy Orchestrator server
  • Workstations/servers check for DAT updates every
    four hours from E-Policy server
  • Servers demand scan when new DAT is received
    (email or file servers)
  • DAT updates can be pushed immediately by support
    staff

17
Campus Network - Future
  • Investigate desktop firewall/intrusion prevention
    software for all clients (McAfee Enterprise 8.0i,
    8/11/2004)
  • More extensive use of VLANs to separate servers,
    faculty/staff, and lab computer networks

18
Housing Network - The Damage (Fall, 2004)
  • 300-400 out of 1400 computers infected
  • Mostly Nachi and Lovesan worms
  • Many other trojan horse/backdoors also
  • Network performance impaired
  • Student workstation stability compromised

19
Housing Network - Ongoing Damage
  • Reality
  • New/rebuilt unprotected systems
  • New viruses/worms/trojans all the time
  • DAT updates are generally updated only daily or
    weekly
  • Many don't do Windows update
  • Many don't have firewall software
  • Result
  • Some attacks get through and computers become
    infected

20
Housing Network - Efforts
  • Block ping traffic at core switch
  • Block port 135 traffic at firewall
  • Block smtp traffic at firewall
  • Housing help desk for first two weeks after move
    in
  • Housing office has CDs with patches, anti-virus
    software, and scanning tools
  • Residence Assistants have these CDs also (later
    addition)
  • Residence Assistants went door to door
  • Lots of emails to students

21
Housing Network - Efforts
  • Ongoing monitoring
  • Following up with emails to persons with infected
    computers, one week to clean up or get network
    service cut off. Give them links to Windows
    update, anti-virus scanner, and anti-virus
    software
  • Very little direct intervention
  • About 75 are cleaned up after first email, 95
    by third email. Three disconnects had to be done.

22
Housing Network - Fall, 2004
  • More information before students move in
  • Move infected computers to Quarantine VLAN and
    notify them
  • More monitoring of logs/traffic during move in
    period
  • Allow access to fixes/patches electronically via
    the network
  • Do not want to distribute fix/patch CDs to all
    students (patches are a moving target and CDs
    become obsolete quickly)
  • Do not want to pre-scan computers
  • Parents/students want everything working within
    hours of move in
  • Too many computers, too few staff and locations
    to do scanning
  • No way to guarantee all patches and anti-virus
    software stay up to date after initial scan
  • Lots of communication (email, flyers)

23
Housing Network - Fall, 2004
  • Quarantine Network
  • Only allow access to campus web server and web
    based email servers
  • Only allow internet access to selected vendor
    sites
  • PC suppliers (Gateway, HP, IBM, Apple, etc.)
  • OS suppliers (Microsoft, Apple, etc.)
  • Anti-virus vendors (McAfee, Symantec, etc.)
  • Firewall vendors (Black Ice, Zone Labs, etc.)
  • Make/force student to want to get their computer
    cleaned up!!

24
Housing Network - Future
  • Considering over-the-network scans to identify
    vulnerable systems with email follow up
  • Commercial/shareware products to automate
    scanning and movement between housing and
    Quarantine VLANS.
  • Will wait to see how 2004/2005 year goes before
    decision is made

25
Campus IT Security - The Near Future
  • Formal procedures for investigating potential
    violations of acceptable use policy have been
    developed
  • Academic freedom issues
  • Privacy issues
  • Legal issues
  • Human Resources/Union issues
  • Warnings going out now
  • Investigations will begin October 1, 2004
  • Password security review

26
(No Transcript)
27
Thank you!!