IT Security at the University of Wisconsin - Green Bay

Uploaded on


  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads


Total Views
On Slideshare
From Embeds
Number of Embeds



Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

    No notes for slide


  • 1. IT Security at the University of Wisconsin - Green Bay David Kieper Manager, Networks and Infrastructure Services IT Security Officer [email_address]
  • 2. University of Wisconsin – Green Bay
      • Students: 4500 FTE, 5400 head count
      • Faculty/Staff: 700
      • Campus is 35 years old
      • 750 acre campus on Bay of Green Bay
      • On campus housing for 2100 students
  • 3. Background on Campus Infrastructure
    • Campus Network
      • 2300 Wired 10/100 mbit ports
      • Minimal wireless (support both encrypted and open, Lucent/HP access points)
      • Extreme Blackdiamond Core Switch
      • Extreme Summit 5i and 3Com 4900sx gigabit aggregation switches
      • 3Com 3300 and HP 2524 Edge switches
      • Checkpoint SVN-1 for firewall, network authentication, VPN, and bandwidth control
  • 4. Background on Campus Infrastructure
    • Student Housing Network (“ResNet”)
      • 2100 students (one port per pillow)
      • 10/100 megabit service
      • 3Com 3300fx 100FX aggregators
      • 3Com 3300 edge switches
      • No client install (TCP/IP “dial tone” service)
      • DHCP
      • NAT to Internet
  • 5. Question:
    • Where does everyone in Chicago go when there is a tornado warning???
    • Soldier Field—There has not been a touchdown there in 30 years…
  • 6.  
  • 7. Overall Defenses (Desktop)
    • Computing controls all campus workstations and does software refreshes and updates
    • Ghost cloning for all core OS/software install
    • Windows XP mandatory policies to lockdown desktops and block certain executables
    • Windows Software Update Service (Win XP)
    • Anti-virus software (NAI Viruscan/Virex)
    • Workstation replacement plan ensures no workstation more than fours old
    • Accurate inventory
    • Training for desktop environment developers
  • 8. Overall Defenses (Network)
    • Firewall (Checkpoint SVN-1) between campus/residence life/open networks and the Internet
    • VLANS to separate/segregate traffic
    • Access lists at core switch to separate housing network from campus network
    • Access lists are core switch to stop known attack vectors
    • Accurate network records
    • Open access network use is authenticated via the firewall (LDAP)
    • Training for network administrators
  • 9. Overall Defenses (Server)
    • Predominately Windows 2003 (some 2000, one Linux)
    • Security policies to lockdown servers
    • Kept up to date on patches
    • Anti-virus software on all systems
    • Firewall only allows specific protocols to/from the Internet
    • Training for Windows server administrators
    • Eeye Retina for Intrusion Testing
  • 10. Overall Defenses (Housing Network)
    • Residence Life broke up into 38 VLANS
    • Quarantine Network for Infected Computers (new for 2004)
    • NAT for Residence Life Network
    • Distribution lists for each of the 25 housing buildings
    • Use Residence Assistants (RA’s) for distribution
  • 11. Overall Defenses (Other)
    • Mcafee Anti-virus software subscription for faculty/staff/student personal computers
    • Warning flyer and email to students/staff
    • Keeping campus informed when outbreaks are occurring in the wild
    • Policies
      • Acceptable Use
      • No Servers (games or otherwise)
    • Network General Distributed Sniffer
  • 12. Detection Methods
    • Firewall logs
      • Log all sessions to/from campus to Internet
      • Look for large numbers of similar sessions (i.e., SMTP or RPC) from an address to many different Internet addresses
      • Attempts by residence life network users to address into reserved areas of campus class B space
    • Sniffer (high bandwidth users, ARP’s to illegal addresses)
    • Scan software (Eeye, Microsoft)
    • Server event logs for specific attack information
    • McAfee E-Policy Orchestrator provides central virus reporting database
    • Network Monitoring (Openview, Servers Alive)
  • 13. Firewall Features
    • No outside initiated access to desktops for campus or housing networks
    • Stateful packet inspection to track negotiated sessions (i.e., RPC)
    • Only specific protocols to AND FROM each server
    • Bandwidth limit unknown sessions (100 kbits/second)
    • Log all sessions (15 – 20 million/day)
  • 14. Campus Network – The Damage (Aug, 2003)
    • 100 out of 1500 workstations hit by Nachi
      • Viruscan not up to date
      • Not all recloned to Win 2K, SP3
      • Network performance impaired (ARP traffic)
    • Two Sources
      • Laptops at home for the summer came back infected
      • Imbedded PC system (solar monitoring kiosk with an opening through firewall to vendor who’s own network became infected)
  • 15. Campus Network - Enhancements
    • Weekly wakeup
      • Wake on LAN on Sunday, 1 am
      • Apply Windows updates (SUS)
      • Shutdown at 6 am
    • Periodic scanning for unpatched/infected
    • More diligent on software updates, patching clone images, verifying patch status
    • Review firewall to reduce holes to external providers
  • 16. Campus Network - Enhancements
    • Anti-virus DAT updates checked for hourly by E-Policy Orchestrator server
    • Workstations/servers check for DAT updates every four hours from E-Policy server
    • Servers demand scan when new DAT is received (email or file servers)
    • DAT updates can be pushed immediately by support staff
  • 17. Campus Network – Future
    • Investigate desktop firewall/intrusion prevention software for all clients (Mcafee Enterprise 8.0i, 8/11/2004)
    • More extensive use of VLAN’s to separate servers, faculty/staff, and lab computer networks
  • 18. Housing Network – The Damage (Fall, 2004)
    • 300 – 400 out of 1400 computers infected
    • Mostly nachi and lovesan worms
    • Many other trojan horse/backdoors also
    • Network performance impaired
    • Student workstation stability compromised
  • 19. Housing Network – Ongoing Damage
    • Reality:
      • New/rebuilt unprotected systems
      • New viruses/worms/trojans all the time
      • DAT updates are generally updated only daily or weekly
      • Many don’t do Windows update
      • Many don’t have firewall software
    • Result:
      • Some attacks get through and computers become infected
  • 20. Housing Network – Efforts
    • Block ping traffic at core switch
    • Block port 135 traffic at firewall
    • Block smtp traffic at firewall
    • Housing help desk for first two weeks after move in
    • Housing office has CD’s with patches, anti-virus software, and scanning tools
    • Residence Assistants have these CD’s also (later addition)
    • Residence Assistants went door to door
    • Lots of emails to students
  • 21. Housing Network– Efforts
    • Ongoing monitoring
    • Following up with emails to persons with infected computers, one week to clean up or get network service cut off. Give them links to Windows update, anti-virus scanner, and anti-virus software
    • Very little direct intervention
    • About 75% are cleaned up after first email, 95% by third email. Three disconnects had to be done.
  • 22. Housing Network – Fall, 2004
    • More information before students move in
    • Move infected computers to Quarantine VLAN and notify them
    • More monitoring of logs/traffic during move in period
    • Allow access to fixes/patches electronically via the network
    • Do not want to distribute fix/patch CD’s to all students (patches are a moving target and CD’s become obsolete quickly)
    • Do not want to pre-scan computers
      • Parents/students want everything working within hours of move in
      • Too many computers, too few staff and locations to do scanning
      • No way to guarantee all patches and anti-virus software stay up to date after initial scan
    • Lots of communication (email, flyers)
  • 23. Housing Network – Fall, 2004
    • Quarantine Network
      • Only allow access to campus web server and web based email servers
      • Only allow internet access to selected vendor sites
        • PC suppliers (Gateway, HP, IBM, Apple, etc.)
        • OS suppliers (Microsoft, Apple, etc.)
        • Anti-virus vendors (Mcafee, Symantec, etc.)
        • Firewall vendors (Black Ice, Zone Labs, etc.)
    • Make/force student to want to get their computer cleaned up!!
  • 24. Housing Network - Future
    • Considering over-the-network scans to identify vulnerable systems with email follow up
    • Commercial/shareware products to automate scanning and movement between housing and Quarantine VLANS.
    • Will wait to see how 2004/2005 year goes before decision is made
  • 25. Campus IT Security – The Near Future
    • Formal procedures for investigating potential violations of acceptable use policy have been developed
      • Academic freedom issues
      • Privacy issues
      • Legal issues
      • Human Resources/Union issues
    • Warnings going out now
    • Investigations will begin October 1, 2004
    • Password security review
  • 26.  
  • 27. Thank you!!