How one university is using security software to make sure that its network protection is based on more than an educated guess.
Norwich University was among the first institutions to receive the National Security Agency’s designation as a Center of Excellence in Information Security Education. With that reputation to uphold, the school pays serious attention to the safety of its computer network, and a recent redesign included vulnerability scanning software that regularly identifies problems.
Norwich University, the first private military college in the United States, has educated students who have become leaders in U.S. business, government, and the military since 1818. The school, located in Vermont’s Green Mountains, was the birthplace of the Reserve Officers’ Training Corps. It currently has a student population of about 2,100 military and civilian undergraduate students.
According to Jeremy Wood, information security analyst at Norwich, all dorms at the school have both wireless and wired connections in each room. The students “have had wired connections for years, but we just implemented the wireless when we redesigned the network about a year and half ago,” he says.
Until last year, when students came to the campus, they plugged whatever computers they brought into the university’s network, creating “a large population of varied machines sitting on a network all connected to each other,” says Wood. That was a breeding ground for viruses and other cyber ills.
Today, students are required to install a Cisco software application at the desktop called Clean Access Agent; it ensures that each computer has sufficient virus protection and system updates installed.
“The agent looks for supported antivirus products as well as Microsoft critical updates,” explains Wood. If none are there, students must remedy that shortcoming.
Wood’s group points students to eight supported antivirus products, some of them available at no cost; students must install one of them. “They also have to have all their Windows updates done. Once they pass those requirements, they are allowed onto the network where they can surf the Internet, get to school resources, receive and send e-mails, and other things,” says Wood.
After installation, the Clean Access Agent runs weekly checks of the students’ computers to make sure that future updates to the antivirus program and Microsoft have been installed. If they have not, and the students do not respond to prompts to do so, their network access is terminated.
Faculty and staff must also go through these same steps to join the university’s network, where they can create sites that contain syllabuses, class materials, and other information for their students as well as access the Microsoft SharePoint portal for university announcements.
Making sure all students have antivirus protection and Microsoft critical updates is only one part of the current network safety program, however. All ports on campus are now dynamic so that no matter what port a student plugs into, it will recognize his or her ID and access level.
With those issues addressed, the university began to review available products that could regularly audit all servers and network equipment for vulnerabilities. “We needed a product that was able to scan a wide number of systems and applications,” Wood explains. “We have Windows systems, Linux systems, SQL systems, Oracle databases, MySQL databases, and we needed to go through all of them.”
IT wanted the solution to be relatively straightforward and easy to use “so that we could have people other than myself look at results and understand what they needed to fix on their servers,” explains Wood.
The solution also “needed to produce solid reports so that we could trend our vulnerabilities over time, and if we needed a quick report on the status of our network, we could get one in short order,” he says.
The product identified as a good candidate was NeXpose by Boston-based Rapid7, vulnerability assessment software that scans Web applications, databases, networks, operating systems, and other software to find threats, assess their risk, and devise a remediation plan.
Before the university made its final decision, Rapid7 demonstrated the product, and then “we had a 30-day in-house trial where we got to test it out on our network to see what it picked up,” says Wood.
The first scans, run in May 2008, revealed 3,000 vulnerabilities. Today, that number is fewer than 500. NeXpose scans the entire network on a weekly basis. Wood reviews the resulting report to classify each vulnerability as acceptable or unacceptable. An example of an acceptable vulnerability is one where certain network ports are open internally to the server network, “but they are behind a firewall between our servers and the rest of the network, so we can say that this port is protected,” Wood states. “An unacceptable vulnerability would be a missing Windows update—it doesn’t matter if it is inside or outside the firewall; it still needs to be patched.”
Wood uses a PC interface to see the details of each vulnerability in context. “I can click on a network category and see risk ratings assigned to each server. I can see how many vulnerabilities each server has, and I can click on the server to see each of the individual vulnerabilities and address them one at a time or hand them off to the person who is responsible for that server,” he explains.
He can also generate reports that include the fixes needed to resolve each issue. “So the report might say, ‘This service is running on your computer, and it shouldn’t be; here’s how you can shut it down,’” he says.
The reports on acceptable vulnerabilities allow for detailed notes on why the exception was allowed. Other types of reports include trends, changes between weekly scans—which might show, for example, exactly when a piece of software was installed on a server—and vulnerabilities fixed over time.
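The triage rule Wood describes (a missing update is never acceptable, an open port can be accepted only when the host sits behind the server firewall, and every exception carries a written reason) together with the week-over-week change report, as an added illustration that is not Norwich’s or Rapid7’s code. The host names, finding identifiers and inventory below are constructed for the example.

```python
"""Added example (not the university's or the vendor's code): apply the
article's acceptable/unacceptable rule to scan findings and diff two weekly
scans. All hosts, ports and finding ids here are constructed sample data."""
from __future__ import annotations
from dataclasses import dataclass

# Hosts on the server segment, behind the firewall that separates the servers
# from the rest of the campus network (constructed inventory).
BEHIND_SERVER_FIREWALL = {"srv-db01", "srv-web01"}

@dataclass(frozen=True)
class Finding:
    host: str
    kind: str    # "missing_patch" or "open_port"
    detail: str  # e.g. a made-up patch id such as "EXAMPLE-KB-1", or "tcp/1433"

def triage(f: Finding) -> tuple[str, str]:
    """Return (verdict, note). The note is the documented reason that the
    article says must accompany every accepted exception."""
    if f.kind == "missing_patch":
        # Inside or outside the firewall, a missing update still gets patched.
        return "unacceptable", "missing update; patch regardless of network position"
    if f.kind == "open_port" and f.host in BEHIND_SERVER_FIREWALL:
        return "acceptable", f"{f.detail} reachable only from the server segment; firewall protects it"
    return "unacceptable", f"{f.detail} exposed to the general network"

def diff_scans(previous: set[Finding], current: set[Finding]) -> dict[str, set[Finding]]:
    """Change between two weekly scans: findings that appeared and findings fixed."""
    return {"new": current - previous, "fixed": previous - current}

def report(previous: set[Finding], current: set[Finding]) -> dict[str, int]:
    """Trend numbers for the weekly summary: fixed, newly seen, and still-open
    findings that are unacceptable under the rule above."""
    change = diff_scans(previous, current)
    return {
        "fixed": len(change["fixed"]),
        "new": len(change["new"]),
        "open_unacceptable": sum(1 for f in current if triage(f)[0] == "unacceptable"),
    }

# Constructed sample: two consecutive weekly scans.
WEEK1 = {Finding("srv-db01", "open_port", "tcp/1433"),
         Finding("srv-web01", "missing_patch", "EXAMPLE-KB-1"),
         Finding("lab-pc17", "open_port", "tcp/445")}
WEEK2 = {Finding("srv-db01", "open_port", "tcp/1433"),
         Finding("lab-pc17", "open_port", "tcp/445"),
         Finding("lab-pc17", "missing_patch", "EXAMPLE-KB-2")}

if __name__ == "__main__":
    for f in sorted(WEEK2, key=lambda x: (x.host, x.detail)):
        print(f.host, f.detail, *triage(f))
    print(report(WEEK1, WEEK2))  # {'fixed': 1, 'new': 1, 'open_unacceptable': 2}
```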
Wood says that the software has performed as promised, and there have been few problems since the solution was installed. “When we started out, there was some confusion over the licenses we’d been granted. I spoke to Rapid7 on the phone. They fixed the licensing issue right away,” he says.
The vendor has also been responsive to suggestions for improvements in the program. It incorporated an enhancement request from Wood into the latest version of the software.