IT Security at the University of Wisconsin - Green Bay David Kieper Manager, Networks and Infrastructure Services IT Security Officer [email protected]


Page 1: IT Security at the University of Wisconsin - Green Bay

David Kieper, Manager, Networks and Infrastructure Services
IT Security Officer, [email protected]

Page 2: University of Wisconsin – Green Bay

- Students: 4500 FTE, 5400 head count
- Faculty/Staff: 700
- Campus is 35 years old
- 750 acre campus on the Bay of Green Bay
- On-campus housing for 2100 students

Page 3: Background on Campus Infrastructure – Campus Network

- 2300 wired 10/100 Mbit ports
- Minimal wireless (support both encrypted and open, Lucent/HP access points)
- Extreme BlackDiamond core switch
- Extreme Summit 5i and 3Com 4900sx gigabit aggregation switches
- 3Com 3300 and HP 2524 edge switches
- Checkpoint SVN-1 for firewall, network authentication, VPN, and bandwidth control

Page 4: Background on Campus Infrastructure – Student Housing Network (“ResNet”)

- 2100 students (one port per pillow)
- 10/100 Mbit service
- 3Com 3300fx 100FX aggregators
- 3Com 3300 edge switches
- No client install (TCP/IP “dial tone” service)
- DHCP
- NAT to Internet

Page 6: Overall Defenses (Desktop)

- Computing controls all campus workstations and does software refreshes and updates
- Ghost cloning for all core OS/software installs
- Windows XP mandatory policies to lock down desktops and block certain executables
- Windows Software Update Service (Win XP)
- Anti-virus software (NAI VirusScan/Virex)
- Workstation replacement plan ensures no workstation is more than four years old
- Accurate inventory
- Training for desktop environment developers

Page 7: Overall Defenses (Network)

- Firewall (Checkpoint SVN-1) between campus/residence life/open networks and the Internet
- VLANs to separate/segregate traffic
- Access lists at core switch to separate housing network from campus network
- Access lists at core switch to stop known attack vectors
- Accurate network records
- Open access network use is authenticated via the firewall (LDAP)
- Training for network administrators

Page 8: Overall Defenses (Server)

- Predominantly Windows 2003 (some 2000, one Linux)
- Security policies to lock down servers
- Kept up to date on patches
- Anti-virus software on all systems
- Firewall only allows specific protocols to/from the Internet
- Training for Windows server administrators
- eEye Retina for intrusion testing

Page 9: Overall Defenses (Housing Network)

- Residence Life broken up into 38 VLANs
- Quarantine network for infected computers (new for 2004)
- NAT for Residence Life network
- Distribution lists for each of the 25 housing buildings
- Use Residence Assistants (RAs) for distribution

Page 10: Overall Defenses (Other)

- McAfee anti-virus software subscription for faculty/staff/student personal computers
- Warning flyer and email to students/staff
- Keeping campus informed when outbreaks are occurring in the wild
- Policies
  - Acceptable Use
  - No servers (games or otherwise)
- Network General Distributed Sniffer

Page 11: Detection Methods

- Firewall logs
  - Log all sessions to/from campus to Internet
  - Look for large numbers of similar sessions (e.g., SMTP or RPC) from an address to many different Internet addresses
  - Attempts by residence life network users to address into reserved areas of campus class B space
- Sniffer (high bandwidth users, ARPs to illegal addresses)
- Scan software (eEye, Microsoft)
- Server event logs for specific attack information
- McAfee ePolicy Orchestrator provides central virus reporting database
- Network monitoring (OpenView, Servers Alive)
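The two firewall-log heuristics on this slide (one source opening SMTP or RPC sessions to many Internet hosts, and housing hosts reaching into reserved campus address space) as an added example run over constructed session-log lines; this is not UWGB's tooling, and the log format, address ranges and fan-out threshold are all assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed address plan (placeholders, not UWGB's real ranges).
HOUSING_NET = ip_network("10.0.0.0/16")          # ResNet hosts, before NAT
CAMPUS_NET = ip_network("172.16.0.0/16")         # campus "class B" space
RESERVED_NETS = [ip_network("172.16.250.0/23")]  # server/management blocks students never need
WATCHED_PORTS = {25: "smtp", 135: "rpc"}         # the services the slide names
FANOUT_THRESHOLD = 20                            # distinct Internet peers per source (assumed)

def parse_line(line):
    """Parse one constructed log line '<date> <time> <action> src=A dst=B proto=P dport=N'."""
    fields = line.split()
    rec = {"action": fields[2]}
    for kv in fields[3:]:
        key, value = kv.split("=", 1)
        rec[key] = value
    rec["src"], rec["dst"] = ip_address(rec["src"]), ip_address(rec["dst"])
    rec["dport"] = int(rec.get("dport", 0))
    return rec

def analyze(lines):
    """Return (fanout_alerts, reserved_alerts): 'src service' -> distinct Internet peers
    at or above the threshold, and housing src -> reserved campus addresses touched."""
    fanout, reserved = defaultdict(set), defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        src, dst, dport = rec["src"], rec["dst"], rec["dport"]
        # Worm-like behaviour: one source, one service, many different Internet hosts.
        if dport in WATCHED_PORTS and dst not in CAMPUS_NET and dst not in HOUSING_NET:
            fanout[(src, dport)].add(dst)
        # Housing host reaching into campus space it has no business in (dropped or not).
        if src in HOUSING_NET and any(dst in net for net in RESERVED_NETS):
            reserved[src].add(dst)
    fanout_alerts = {f"{src} {WATCHED_PORTS[port]}": len(peers)
                     for (src, port), peers in fanout.items() if len(peers) >= FANOUT_THRESHOLD}
    reserved_alerts = {str(src): len(targets) for src, targets in reserved.items()}
    return fanout_alerts, reserved_alerts

# Constructed sample: a housing host fanning out on TCP/135 to 25 Internet hosts,
# a normal web session, and a housing host probing a reserved campus block.
SAMPLE = [f"2003-08-12 01:00:{i:02d} accept src=10.0.5.7 dst=203.0.113.{i} proto=tcp dport=135"
          for i in range(25)]
SAMPLE += ["2003-08-12 01:01:00 accept src=10.0.9.9 dst=198.51.100.4 proto=tcp dport=80",
           "2003-08-12 01:01:05 drop src=10.0.9.9 dst=172.16.250.10 proto=tcp dport=445",
           "2003-08-12 01:01:06 drop src=10.0.9.9 dst=172.16.250.11 proto=tcp dport=445"]

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

At 15 to 20 million sessions a day the batch should be a time window (for example the last 15 minutes) rather than the whole log, and the threshold tuned so that a busy mail relay does not trip the SMTP rule.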

Page 12: Firewall Features

- No outside-initiated access to desktops for campus or housing networks
- Stateful packet inspection to track negotiated sessions (e.g., RPC)
- Only specific protocols to AND FROM each server
- Bandwidth limit unknown sessions (100 kbits/second)
- Log all sessions (15 – 20 million/day)

Page 13: Campus Network – The Damage (Aug, 2003)

- 100 out of 1500 workstations hit by Nachi
  - VirusScan not up to date
  - Not all recloned to Win 2K, SP3
  - Network performance impaired (ARP traffic)
- Two sources
  - Laptops at home for the summer came back infected
  - Embedded PC system (solar monitoring kiosk with an opening through the firewall to a vendor whose own network became infected)

Page 14: Campus Network – Enhancements

- Weekly wakeup
  - Wake on LAN on Sunday, 1 am
  - Apply Windows updates (SUS)
  - Shutdown at 6 am
- Periodic scanning for unpatched/infected
- More diligent on software updates, patching clone images, verifying patch status
- Review firewall to reduce holes to external providers
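The Sunday 1 am wakeup relies on Wake on LAN; the following added example (not UWGB's script) builds and broadcasts the standard magic packet for a workstation MAC address taken from inventory. The MAC address is a constructed placeholder.

```python
import socket

def build_magic_packet(mac):
    """Return the 102-byte Wake-on-LAN magic packet for a MAC given as
    'aa:bb:cc:dd:ee:ff' or 'aa-bb-cc-dd-ee-ff': six 0xFF bytes followed by
    the MAC repeated 16 times, which is what the NIC matches on."""
    digits = mac.replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return b"\xff" * 6 + bytes.fromhex(digits) * 16

def wake(mac, broadcast="255.255.255.255", port=9):
    """Broadcast the magic packet over UDP (port 9, discard, by convention).
    The payload is what matters, so it only has to reach the workstation's
    subnet; across VLANs use that subnet's directed broadcast address instead."""
    packet = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        sock.sendto(packet, (broadcast, port))
    return len(packet)

if __name__ == "__main__":
    # Placeholder MAC; in practice the list comes from the workstation inventory.
    wake("00-11-22-33-44-55")
```

Run it from a scheduled job shortly before the SUS update window so every workstation is up when updates are applied, and pair it with the 6 am shutdown so machines are not left running all week.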

Page 15: Campus Network – Enhancements

- Anti-virus DAT updates checked for hourly by ePolicy Orchestrator server
- Workstations/servers check for DAT updates every four hours from ePolicy server
- Servers demand scan when new DAT is received (email or file servers)
- DAT updates can be pushed immediately by support staff

Page 16: Campus Network – Future

- Investigate desktop firewall/intrusion prevention software for all clients (McAfee Enterprise 8.0i, 8/11/2004)
- More extensive use of VLANs to separate servers, faculty/staff, and lab computer networks

Page 17: Housing Network – The Damage (Fall, 2004)

- 300 – 400 out of 1400 computers infected
- Mostly Nachi and Lovesan worms
- Many other trojan horse/backdoors also
- Network performance impaired
- Student workstation stability compromised

Page 18: Housing Network – Ongoing Damage

Reality:
- New/rebuilt unprotected systems
- New viruses/worms/trojans all the time
- DAT updates are generally updated only daily or weekly
- Many don’t do Windows Update
- Many don’t have firewall software

Result: Some attacks get through and computers become infected

Page 19: Housing Network – Efforts

- Block ping traffic at core switch
- Block port 135 traffic at firewall
- Block SMTP traffic at firewall
- Housing help desk for first two weeks after move in
- Housing office has CDs with patches, anti-virus software, and scanning tools
- Residence Assistants have these CDs also (later addition)
- Residence Assistants went door to door
- Lots of emails to students

Page 20: Housing Network – Efforts

- Ongoing monitoring
- Following up with emails to persons with infected computers: one week to clean up or get network service cut off. Give them links to Windows Update, anti-virus scanner, and anti-virus software
- Very little direct intervention
- About 75% are cleaned up after first email, 95% by third email. Three disconnects had to be done.

Page 21: Housing Network – Fall, 2004

- More information before students move in
- Move infected computers to Quarantine VLAN and notify them
- More monitoring of logs/traffic during move-in period
- Allow access to fixes/patches electronically via the network
- Do not want to distribute fix/patch CDs to all students (patches are a moving target and CDs become obsolete quickly)
- Do not want to pre-scan computers
  - Parents/students want everything working within hours of move in
  - Too many computers, too few staff and locations to do scanning
  - No way to guarantee all patches and anti-virus software stay up to date after initial scan
- Lots of communication (email, flyers)

Page 22: Housing Network – Fall, 2004 Quarantine Network

- Only allow access to campus web server and web-based email servers
- Only allow Internet access to selected vendor sites
  - PC suppliers (Gateway, HP, IBM, Apple, etc.)
  - OS suppliers (Microsoft, Apple, etc.)
  - Anti-virus vendors (McAfee, Symantec, etc.)
  - Firewall vendors (BlackICE, Zone Labs, etc.)
- Make/force students to want to get their computer cleaned up!!

Page 23: Housing Network – Future

- Considering over-the-network scans to identify vulnerable systems with email follow up
- Commercial/shareware products to automate scanning and movement between housing and Quarantine VLANs
- Will wait to see how the 2004/2005 year goes before a decision is made

Page 24: Campus IT Security – The Near Future

- Formal procedures for investigating potential violations of acceptable use policy have been developed
  - Academic freedom issues
  - Privacy issues
  - Legal issues
  - Human Resources/Union issues
- Warnings going out now
- Investigations will begin October 1, 2004
- Password security review