Balancing the Freedom to Connect With the Mandate to Protect
- By William Lewis
- November 1st, 2005
Computer viruses are becoming ever more dangerous and fast-spreading. Reports of security breaches on campuses abound, including well-publicized incidents at the University of California, Berkeley; Boston College; George Mason University; Northwestern University and California State University at Chico. The impact of network attacks can be enormous, including lost productivity from downtime, repair costs, compromised privacy and lost data.
Network attackers constantly adapt to security defenses by developing new methods to penetrate or infect target machines. The most recent viruses and worms attack using vulnerabilities, such as application security holes, then propagate using another vulnerability, such as e-mail. Attackers are also quite skilled in using e-mail to entice unwitting recipients to open infected attachments.
Students are now setting up wireless base stations and file-sharing networks in their residence halls. These unauthorized networks constitute back-door vulnerabilities in the campus network and help spread viruses and worms. The proliferation of small memory devices, personal digital assistants (PDAs), and music players that plug directly into a PC’s USB port now make it possible to transfer huge amounts of information to an easily concealed gadget.
At Arizona State University (ASU), we have had a very hard time with viruses during the past few academic years. When viruses and worms hit, infected computers rapidly spread the contagion throughout the entire network. We had more than 6,000 security incidents between August 2003 and May 2004, including widespread infections from Blaster, Sasser and Nachi. Spillover from our campus help desk to our central IT help desk consumed hundreds of staff hours.
A Balancing Act
ASU is one of the largest academic and research universities in the nation. With more than 61,000 undergraduate, graduate and professional students on four campuses in metropolitan Phoenix, ASU is an important global center for innovative teaching and research. When students come to ASU, they expect to use the outlets in their residence hall rooms and get electricity. They expect to go to the water fountain and get water. And they expect to connect their computers and get access to the Internet and the campus network.
Is network access a utility that comes free with tuition? Or is it an access privilege that must be earned and safeguarded to protect the rights and privacy of all students and the assets of the university?
This is a delicate balance for every administrator in higher education. We all cherish the principles of academic freedom. Our mission at ASU is to be open, to encourage people to use our resources. We don’t restrict people from walking into our campus library to explore its extraordinary resources. Similarly, we want people to come to ournetwork presence with the same ease and freedom. Yet, we must protect the university’s assets. We must strike a balance between these two conflicting goals.
The approach we have chosen is to focus on protecting the integrity of the network, not on dictating the individual freedom of the user. Rather than attempting to lock down the end-users’ computers or to enforce security policies at the student level, our strategy is to achieve the highest degree of protection with the minimum amount of intrusion into the function the user is trying to perform.
How We Addressed the Balancing Act
Two years ago we put together a Request for Proposal (RFP) with a comprehensive list of criteria that included 18 mandatory requirements and eight desirable requirements. After extensive evaluation, we determined that the best way to serve our students and protect the network in the least intrusive way possible was the Cisco Clean Access solution, enabled by a fully scalable, reliable and secure network architecture, which we deployed initially in residence halls. We have more than 8,500 residents in residence halls, and the dorms are a major source for security incidents introduced into the ASU network.
Here’s what the Cisco Clean Access solution enables us to do.
Evaluate all devices that attempt to access the network for compliance to our internal security policies.
Place noncompliant devices into a quarantine area where they undergo automated repair processes.
Ensure that machines attaching to our network have all the latest operating system patches, are running McAfee antivirus software at the current level and are configured to receive automated updates.
Apply different policies to different groups, such as the library, staff, administrators, students, adjunct faculty and guests at conferences on campus.
Block specific systems by both Mac and IP addresses because IP addresses alone are so easy to spoof.
This is our second year with Cisco Clean Access. Before we put it in, we had more than 6,000 incidents in a year. Last year, we had fewer than 100. And this year, we’ve only had a handful.
Like many academic institutions, ASU has a growing number of unregulated laptops being brought onto the campus by students, faculty and guests. Currently, we require all new users to register when they log on to the network. We scan them with a basic scanning utility, but this is only a one-time precaution and it’s only an external scan. These days, an external scan has limited effectiveness because users turn on firewalls and block such checks.
We are conducting a pilot test of the Cisco Clean Access solution in a wireless environment in the busiest areas of our campus — the Business and Memorial Unions. We have at least 700 people on the wireless network at any one time, about five to 10 percent of whom are guest users. We are evaluating whether to require the installation of Cisco Clean Access clients on every wireless laptop that accesses our network.
We also have ASU facilities located off the Phoenix campuses in downtown Tempe. As part of a public/private partnership with the city, we plan to offer our students high-speed wireless access, for about $15 per month, from anywhere in the city. They can access their courses and class material, check grades and register. We negotiated access to the city’s utility conduits, which eliminates the need to run our own cabling. In return, we agreed to expand our wireless network and offer guest access around our buildings. Once the city completes implementation of a mesh network covering the entire urban area, we will provide free public access to for two hours a day. We also hope to extend this access to the greater Phoenix area. We believe strongly in social embeddedness, and we want the citizens of our community to turn to ASU first for information and educational resources. We are currently evaluating how we will implement security measures when we open the network to community access.
The Importance of Communications
I can’t emphasize strongly enough the importance of having a good communications plan before implementing a new security program. Move-in week is hectic enough without a torrent of help-desk calls complaining about a new login page, raising concerns about privacy or disputing security policies.
We begin communicating before students arrive on campus and continue after they’ve arrived. Here’s an example of a communications checklist.
1. Conduct outreach. Communicate with students about campus security policies at least five times, using various media.
2. Tell users what’s changing and when. Remember that specific dates are important.
3. Explain the change. Cite the costs of virus outbreaks and, especially, the impacts on users.
4. Tell what to expect. Describe the process in sufficient detail so that users are very clear about what they will be experiencing, how and why.
5. Say who’s in charge. Distribute a list of frequently asked questions and dedicate enough resources to fielding questions and concerns.
Communications with students should emphasize that network security benefits everyone. Institutions of higher education, with their large amounts of bandwidth, present an attractive target for hackers. The institution is protecting not just itself with security measures, but everyone connected to the network. If the university network goes down, everyone loses access to services. If a virus or worm gets into the network, it can affect everyone.
We see our security policies at ASU not just as protection, but as a teaching mechanism. The software tells students what’s wrong and how to fix it, so they learn about configuring antivirus software and updating their computer operating systems regularly. When they follow the rules, not only do we all have a safer network, but students generally get machines that perform better — resulting in a richer educational experience.
Dr. William Lewis is chief information officer at Arizona State University. He can be contacted at .