Southwest Educause 2003 © Baylor University 2003 Adapting Enterprise Security to a University Environment Bob Hartland Director of IT Servers and Network

Southwest Educause 2003© Baylor University 2003

Adapting Enterprise

Security to a

University Environment

Bob Hartland

Director of IT Servers and

Network Services

Jon Allen

Coordinator ofIT Security

Tommy Roberson

Manager of ServersAnd IT Security


Overview of Presentation

• Baylor University

• IT Security

• Security through technology/hardware

• Security through People

• Putting it all together


Baylor University

• 14,221 Students• 1,750 Full Time

Employees

Waco, Texas


Information Technology Organizational Chart

Dr. Robert Sloan

President

Mr. David Brooks

CFO

Dr. Reagan Ramsower

CIO & Dean of Libraries

Bob Hartland

Director of IT Servers and Networking Services

Data Networks Broadband Video Telephone Network IT Servers and Security

Tommy Roberson

Jon Allen


What is IT Security?• “…the concepts, techniques, technical measures and

administrative measures used to protect information assets from deliberate or inadvertent unauthorized acquisition,

damage, disclosure, manipulation, modification, loss, or use…” [McDaniel - IBM Dictionary of Computing 1994]

• It is more beneficial to focus on good planning then it is to rely solely on fancy technology.


Risks of Poor Security

• Loss of university productivity

• Public Relations problems

• Private Information (SSN, CC numbers, grades, etc.)

• Degradation or loss of client services


Security– As Viewed by Industry

• Security is a priority (proactive)

• The ROI for security has become highly visible in the past 2-3 years.

• Compromise or downtime results in lost profits


Security – As Viewed in an University Environment

• Threat to Academic Freedom • A hindrance to research and education

productivity• Contention for funding


Baylor’s Approach to IT Security

• Our security strategy can be divided into two parts

• Technology

• People


Security through Technology

• Firewalls

• Intrusion Detection Systems

• VPN (encryption technologies)

• Logs

• Server Configuration

• Vulnerability Scanning


Firewalls

• First line of network protection from outside world

• Must be strategically placed to be effective in universities

• One size does not fit all for firewall policies


Firewall Recommendations

• Multiple firewalls are necessary in a university environment

• Firewall policies should be written with port level filtering.


Intrusion Detection Systems

• Deployment must be highly targeted

• Networks and servers must be understood to limit false positives

• Not a substitute for good security practices


Virtual Private Networks

• Ideal for limiting access and securing data transmission

• Great for extending the university network to students and remote campuses


Logs

• Vital to identifying and resolving server and network problems

• Subtle or well planned attacks may only be seen through log evaluation

• Raises questions of academic freedom and big brother


Server Configuration

• Servers should only run daemons/services that are necessary

• Use mailing lists and OS update services to maintain server patches

• Limit the services on servers that contain critical data


Vulnerability Scanning

• Prioritize scans to focus on critical systems first.

• Be aware that false positives are common with scanning tools

• Scanning results can be used to point to weak points in networks and servers before they are abused


Security through People

• Policies

• Procedures

• Education


Policies-Creation

• Important to bring in other departments

• Anticipate problems

• Try to make policies broad enough to cover many issues


Policies-Modification

• Be flexible

• Policies are an ongoing work

• There will always be exceptions to policy


Policies-Enforcement

• Must have administrative backing for policies

• Helpful to explain this to various departments

• Must establish consistent method for dealing with student violations

• Document ALL enforcement actions taken


Procedures

• When done appropriately-procedures can be used to prevent many problems

• These are very time consuming…

• …but can eventually save time and headaches by preventing obvious security lapses.


Education

• End-User education

• Server admin education

• Support Staff education


End-User Education

• Most important thing is educating end-user on sound password practices.

• Users are more likely to follow policies and rules if they understand reasons for them

• Teach users to notice things that don’t seem right


Server Admin Education

• Teach importance of keeping systems up to date

• Encourage sound local account practices

• Try to bring other admins in other schools into the security community


IT Staff Education

• Support Staff are many times ignorant of sound security practices

• Many IT users in general never consider security when doing their jobs.

• We must also try to bring them into the security community


Security is everyone’s job!


On the Horizon

• Proactive and correlative IDS

• Stricter laws forcing security in universities

• Probable increase in security incidents


Summary

• Complete security solutions must address both technology and people

• Technology solutions are only as good as the policies they are enforcing

• Security strategies must depend upon and encourage cooperation from people in the organization


Contributors:

• Bob Hartland

Director for IT Servers and Network Services

[email protected]

Speakers:

• Jon AllenCoordinator of IT [email protected]

• Tommy RobersonManager of Servers and IT [email protected]

mailto:[email protected]




Copyright Bob Hartland, Tommy Roberson, and Jon Allen 2003.This work is the intellectual property of the author. Permission is granted for this

material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and

notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the

author.

Documents

Southwest Educause 2003 © Baylor University 2003 Adapting Enterprise Security to a University Environment Bob Hartland Director of IT Servers and Network