Home » Data Protection » Network Security

Crash Course: Information Security at Universities

How do universities cope each fall when students stream back to campus with infected, unpatched PCs? CISOs say it's (almost) all about the education.

"From the standpoint of the students in the dorms, we're like an ISP, and you wouldn't want your ISP telling you what applications to run," says Christopher Cramer, information technology security officer at Duke University.

Many colleges and universities rely on a two-pronged approach that security officers say delivers surprisingly good results: First, an aggressive education campaign encourages voluntary compliance with stated computing policiesmost often the use of antivirus software, an updated operating system and perhaps a personal firewall. And second, they use network technologies to isolate and quarantine machines that are compromised or otherwise not in compliance.

The 5,500 or so residential students at Duke who enjoy 100-megabit connections to their dorm rooms have access to a wide range of security tools and technologiesincluding a site license for McAfee antivirus software, another for Kerio personal firewall, and links and instructions for automatically updating Microsoft's various operating systems.

On the network, Duke runs an antivirus checker on the e-mail system and occasionally uses access-control lists on the routers to lock problem ports at the border. When students return in the fall, they're automatically directed to a private address space on the network where their machines are scanned for operating system vulnerabilities. Last year, students were given information at that point on how to patch their operating systems. For 2004, Cramer has beefed that up to a requirement: Students won't be allowed onto the university networkand from there onto the Internetwithout a properly patched system. As it stands now, the firewall, the antivirus software and any OS patches after the initial update in the fall are voluntary, Cramer confirmsthough the hope is that autoupdate features will take care of that last point for many students.

To skeptical corporate CISOs accustomed to a higher degree of control, Cramer says the system works just fine. "When Blaster hit, when Slammer hit, Duke survived better than many other corporations I'd heard of. The mixed environment (Macs, Microsoft, Linux, Unix), the collaborative environment, the education all work together to make this a valid approach. If it didn't work, we wouldn't do it."

This "scan and block" policy is common in the college world says John Pescatore, who, as a vice president and research fellow at Gartner, has a roster of clients in academia. "They stop short of saying what you should have on your computer, but they're not stopping short of saying what can run on their networks," Pescatore emphasizes. Universities are some of the biggest buyers of intrusion detection and prevention software, he notes; in the past few years, higher education has jumped up dramatically in its purchase of firewallstraditionally somewhat of a sensitive topic in academia. "When the Internet age started, universities didn't use firewalls. After Blaster and Slammer, now they've got the highest vertical industry growth rate," he says.