2. About Penn College
Williamsport Technical Institute, founded 1941
Williamsport Area Community College, founded 1965
Pennsylvania College of Technology, founded 1989
Special Mission Affiliate of Penn State University
Accredited - Middle States Association of Colleges and Secondary Schools
6,358 headcount - 5,891 FTE
288 FTE faculty, 518 FTE staff
B.S., A.S. and certificate degrees in over 100 majors
Specialize in vocational and technology-based education
Strong focus on small class sizes and hands-on instruction
www.pct.edu
4. IT Infrastructure
2,600 College-owned computers, 1,400 student-owned computers in residential complexes
1,600 computers in 50+ academic computer labs, student to computer ratio of 4:1
Standard computer lab software includes Microsoft Windows XP, Office 2003, NetMail POP3 e-mail system
6. IT Infrastructure (cont’d)
100% Cisco network infrastructure except for Packeteer Packetshaper
Fast Ethernet via CAT5 for all building LANs, Gigabit Ethernet via fiber for backbone
Dual Cisco 6500s for redundant core
Fractional T-3 (30 Mbps) Internet service
Dial-up Internet access provided for employees, not students
About 50% wireless coverage
8. Information Technology Services Organization (50 employees)
Desktop Computing
Academic Computing
Technical Support/Help Desk
Technical Writer/Trainer
Administrative Information Systems
Network Applications
Mail & Document Services
Media Services
Telecommunications
9. Post Y2K IT Security “Problem”
Increasing threats from viruses, trojans, worms, hackers, etc.
Lack of security standards
No coordinated security response
Poor security awareness
Minimal security policy
No security testing
10. The “Challenge”
Limitations
Budget
Staff
Time
Large backlog of post Y2K projects
Balancing security effectiveness with efficient resource management
11. Solution Analysis
Dedicated security staff vs. security team
Advantages of team approach:
Utilizes existing staff and expertise
Spreads/diffuses the importance of security across all functional IT areas
Funded through existing budgets
Disadvantages:
No centralized focus/authority
Long lead time to develop expertise
Staff time directed away from other projects
Not invented here syndrome
12. The “Solution”
IT management recommended forming a campus “security team.”
Each area of the IT department committed one employee and a percentage of its budget.
A senior manager was designated to provide leadership and coordination of this team effort.
The team met weekly over an initial 18 month period, then bi-weekly.
Rotating duty officer/CERT format
13. The Context
Risk vs. investment
Scope and impact for priority
Mitigating risk factors
Administrative data locked up in IBM iSeries (AS/400)
GroupWise e-mail system
Institutional policy requiring data files to be stored on network drives
Centralized IT management and budget culture
15. Layer 1 - Physical
Before
Distributed servers, not physically secured, some actually in staff/faculty offices
Network components not secured
Minimal UPS protection
After
Most non-academic servers moved to secured data center; backup generator
Wiring closets secured
UPS for all servers and network equipment
16. Layer 2 - Internet
Before
Internet router with public IP addresses
No filtering of ports
After
Cisco PIX firewall with PAT translation initially; later acquired additional IPs and changed to NAT (still occasional problems that require clearing the PIX translation table with clear xlate)
Access control list on Internet router (example)
Packeteer - Although purchased for bandwidth control, provides another layer of “protection” and “detection”
17. Internet Router ACL
access-list 115 permit tcp any 0.0.0.0 255.255.255.0 established
access-list 115 deny ip 10.0.0.0 0.255.255.255 any
access-list 115 deny ip 127.0.0.0 0.255.255.255 any
access-list 115 deny ip 172.16.0.0 0.15.255.255 any
access-list 115 deny ip 192.168.0.0 0.0.255.255 any
access-list 115 deny ip 224.0.0.0 15.255.255.255 any
access-list 115 deny ip host 0.0.0.0 any
access-list 115 deny ip 12.23.198.0 0.0.0.255 any
access-list 115 deny ip 12.23.199.0 0.0.0.255 any
access-list 115 deny ip any 0.0.0.255 255.255.255.0
access-list 115 deny tcp any any eq 135
access-list 115 deny udp any any eq 135
access-list 115 deny tcp any any eq 137
access-list 115 deny udp any any eq netbios-ns
access-list 115 deny tcp any any eq 138
access-list 115 deny udp any any eq netbios-dgm
access-list 115 deny tcp any any eq 139
access-list 115 deny udp any any eq netbios-ss
access-list 115 deny tcp any any eq 445
access-list 115 deny udp any any eq 445
access-list 115 deny tcp any any eq 593
access-list 115 deny udp any any eq 593
access-list 115 deny tcp any any eq 3333
access-list 115 deny udp any any eq 3333
access-list 115 deny tcp any any eq 4444
access-list 115 deny udp any any eq 4444
access-list 115 deny tcp any any eq 69
access-list 115 deny udp any any eq tftp
access-list 115 deny tcp any any eq 161
access-list 115 deny udp any any eq snmp
access-list 115 deny tcp any any eq 162
access-list 115 deny udp any any eq snmptrap
access-list 115 deny udp any any eq 1993
access-list 115 deny tcp any any eq 1900
access-list 115 deny udp any any eq 1900
access-list 115 deny tcp any any eq 5000
access-list 115 deny udp any any eq 5000
access-list 115 deny udp any any eq 8998
access-list 115 permit icmp any any echo
access-list 115 permit icmp any any echo-reply
access-list 115 deny ip any any log-input
18. Layer 3 – Network - Before
10.x.x.x organized geographically; each “building complex” has a subnet; 10.1.x.x, 10.2.x.x, 10.3.x.x, etc.
Any to any routing philosophy
Simple telnet to devices
No central security scheme
19. Layer 3 – Network - After
100% VLAN scheme
VLANs based on computer/user role
Internet style ACLs applied on traffic leaving VLANs
Traffic denied entering VLAN if no reason for the traffic
Extended today to separate VLANs for point-of-sale stations, HVAC, wireless, dial-up; each with its own ACL
SSH required to access devices, coordinated userid/password with Cisco ACS server that LDAPs to our NDS
10.1.x.x network equipment
10.2.x.x servers
10.3.x.x printers
10.4.x.x staff
10.100.x.x ResNet
Etc.
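The Internet router ACL on slide 17 and the role-based VLAN ACLs on slide 19 rely on the same mechanics (first match wins, Cisco wildcard masks, the established keyword), so one added example covers both. The Python below is an editor's illustration written for this page, not code from the Penn College presentation. ACL_115 is a subset of the slide's router ACL; the slide shows the first line's destination as 0.0.0.0 255.255.255.0, which would match only addresses ending in .0 and looks like a redaction, so the example assumes the campus public range is 12.23.198.0/23 (the two networks the same ACL denies as spoofed sources). ACL_120 is a hypothetical ResNet ACL in the slide's "Internet style" that uses only the role-to-subnet mapping the slide gives (10.1 network equipment, 10.2 servers, 10.4 staff, 10.100 ResNet); the DNS host 10.2.0.53, the permitted services and the outside address 203.0.113.9 are constructed for the demonstration.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass

# Service names IOS prints in place of numbers in "eq" clauses.
PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139,
              "tftp": 69, "snmp": 161, "snmptrap": 162}

# Subset of the slide's Internet-router ACL 115 (inbound). ASSUMPTION: the slide redacts the
# first line's destination as 0.0.0.0 255.255.255.0; it is taken here to be the campus public
# range 12.23.198.0/23, i.e. the two networks the ACL itself denies as spoofed sources.
ACL_115 = [
    "access-list 115 permit tcp any 12.23.198.0 0.0.1.255 established",
    "access-list 115 deny ip 10.0.0.0 0.255.255.255 any",      # spoofed private / bogon sources
    "access-list 115 deny ip host 0.0.0.0 any",
    "access-list 115 deny ip 12.23.198.0 0.0.0.255 any",       # our own addresses arriving from outside
    "access-list 115 deny ip 12.23.199.0 0.0.0.255 any",
    "access-list 115 deny ip any 0.0.0.255 255.255.255.0",     # directed broadcasts (x.x.x.255)
    "access-list 115 deny tcp any any eq 135",                 # worm ports: RPC, SMB, SNMP
    "access-list 115 deny tcp any any eq 445",
    "access-list 115 deny udp any any eq snmp",
    "access-list 115 permit icmp any any echo",
    "access-list 115 permit icmp any any echo-reply",
    "access-list 115 deny ip any any log-input",
]
# Hypothetical ResNet VLAN ACL in the same style, applied to traffic leaving 10.100.x.x.
# Only the role-to-subnet mapping is from the slide; the DNS host and services are constructed.
ACL_120 = [
    "access-list 120 deny ip any 10.1.0.0 0.0.255.255",        # network equipment: no reason
    "access-list 120 deny ip any 10.4.0.0 0.0.255.255",        # staff VLAN: ResNet can't "see" it
    "access-list 120 deny tcp any any eq 445",                 # version-2 "known bad ports"
    "access-list 120 permit tcp any 10.2.0.0 0.0.255.255 eq 443",  # published server services
    "access-list 120 permit udp any host 10.2.0.53 eq 53",
    "access-list 120 deny ip any 10.0.0.0 0.255.255.255",      # nothing else on campus
    "access-list 120 permit ip any any",                       # the Internet, via the PIX
]

@dataclass
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    ack: bool = False       # ACK or RST set; that flag test is all "established" inspects
    icmp_type: str = ""     # "echo" or "echo-reply"

# src/dst are (address, wildcard) pairs; wildcard bits set to 1 are "don't care".
Ace = namedtuple("Ace", "action proto src dst port established icmp_type")

def _addr(t, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at t[i]; return ((addr, wildcard), next_index)."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (int(ipaddress.IPv4Address(t[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(t[i])), int(ipaddress.IPv4Address(t[i + 1]))), i + 2

def parse_ace(line: str) -> Ace:
    t = line.split()        # access-list N action proto SRC DST [eq P] [established] [echo] [log-input]
    src, i = _addr(t, 4)
    dst, i = _addr(t, i)
    port, established, icmp_type = None, False, ""
    while i < len(t):
        if t[i] == "eq":
            port, i = PORT_NAMES.get(t[i + 1]) or int(t[i + 1]), i + 2
        elif t[i] == "established":
            established, i = True, i + 1
        elif t[i] in ("echo", "echo-reply"):
            icmp_type, i = t[i], i + 1
        elif t[i] == "log-input":   # logging only; does not affect matching
            i += 1
        else:
            raise ValueError(f"unsupported token {t[i]!r} in {line!r}")
    return Ace(t[2], t[3], src, dst, port, established, icmp_type)

def _match(addr: str, rule: tuple) -> bool:
    base, wild = rule
    care = ~wild & 0xFFFFFFFF       # bits the wildcard says must match exactly
    return int(ipaddress.IPv4Address(addr)) & care == base & care

def evaluate(acl: list, pkt: Packet) -> tuple:
    """First match wins: return (action, 1-based entry number); ('deny', 0) is the implicit deny."""
    for n, ace in enumerate(acl, 1):
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not (_match(pkt.src, ace.src) and _match(pkt.dst, ace.dst)):
            continue
        if ace.port is not None and pkt.dport != ace.port:
            continue
        if ace.established and not pkt.ack:
            continue
        if ace.icmp_type and pkt.icmp_type != ace.icmp_type:
            continue
        return ace.action, n
    return "deny", 0

INTERNET_IN = [parse_ace(l) for l in ACL_115]
RESNET_OUT = [parse_ace(l) for l in ACL_120]

if __name__ == "__main__":
    outside, web = "203.0.113.9", "12.23.198.20"   # constructed: TEST-NET-3 host, campus web server
    print(evaluate(INTERNET_IN, Packet("tcp", outside, web, 445)))            # ('deny', 8)
    print(evaluate(INTERNET_IN, Packet("tcp", outside, web, 445, ack=True)))  # ('permit', 1)
    print(evaluate(RESNET_OUT, Packet("tcp", "10.100.5.20", "10.4.1.10", 445)))  # ('deny', 2)
```

Two results deserve a practitioner's attention. First, the established keyword only tests for an ACK or RST flag, so a probe to 12.23.198.20 port 445 with ACK set is permitted by entry 1 before the port-445 deny is consulted, and a spoofed packet claiming a campus source with ACK set bypasses the anti-spoofing entries the same way; the stateful PIX behind the router is what actually stops such traffic, and moving the spoofed-source denies above the established permit closes the router-level gap. Second, taken literally the list ends in deny ip any any, so a plain inbound SYN to a campus web server on port 80 is denied at entry 12; the slide labels the ACL an example, and a production list would need permits for published services ahead of that final deny. The ResNet list shows the slide's inter-VLAN rule in practice: a ResNet host reaches a campus server on 443 and the Internet, but cannot reach the staff or network-equipment VLANs at all.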
20. Layer 4 – ResNet
Before
Normal network subnet
No restrictions
ISP attitude
No scanning
After – version 1
Single VLAN
ACL limited access to other campus VLANs
After – version 2
VLAN per 48 port switch
Internet style ACL “rule set” to block known bad ports such as 445
Routine scanning and quarantining
21. Layer 5 – Servers - Before
Public IP address via firewall conduit
Distributed physically
No port filtering
Inconsistent patch strategy
No virus protection
Inconsistent HTTPS implementation
Many outside of the “network” department
No scanning for vulnerabilities
No disaster recovery plan
22. Layer 5 – Servers - After
Servers in data center or managed by server group
HTTPS required for any sensitive data
Private IP addresses mapped to public via “conduit” in the firewall
Port filtered in the firewall, deny all, allow those required for specific services
Port filtered coming out of ResNet and student computer labs
Managed patch strategy, critical patches applied in 24 hours
Symantec Anti-Virus on servers
NetMail/CA eTrust anti-virus and RBL filtering for e-mail
GWAVA/Symantec Anti-Virus e-mail filtering
GWAVA attachment filtering
Routine Nessus scanning
Comprehensive disaster recovery plan
23. Layer 6 - Employee PCs
Before
Public IP address
No anti-virus
No patch management
No scanning
After
Private IP address via PAT/NAT
Managed Symantec Anti-Virus
“Push” of critical Microsoft security patches via Novell ZenWorks
Nessus scanning
24. Layer 7 - Social
Before
Little or no public awareness
No AUP
Loose user ID and password policies
“It won’t happen here, we know everyone personally”
After
Acceptable Use Policy
Accounts blocked after 3 failed log in attempts
Passwords changed every 180 days
Regular communication via online newspaper
Security education classes
25. What’s on the radar screen?
Spyware
PC firewall
Instant Messaging issues
VPN
Network access control
Two factor authentication
Security as it affects privacy issues
E-mail security
26. Conclusion
Security team was the right approach for us
Effective, no significant down-time except for Blaster/Welchia, fall 2003
Cost-efficient
Diffused security awareness across the department
Developed security skills across ITS
Security Infrastructure
Cisco PIX firewall
Packeteer Packetshaper
Cisco VLANs/ACLs
Symantec Anti-Virus
Novell ZenWorks
GWAVA Anti-virus/attachment filtering
Nessus
As a medium-size (6,000 FTE) 2 and 4 year degree-granting institution, Penn College’s IT resources are always stretched to the limit (not unlike most other higher education IT organizations).
We wanted an IT security solution that could work within our current organizational structure, leverage existing staff expertise, not substantially drain our financial resources, and yet provide an effective level of cyber-threat protection.
IT management recommended the formation of a campus “security team.”
Each area of the IT department committed one employee from part of their normal assignments to be part of the security team.
Each area also “contributed” a percentage of their normal budget to fund the hardware and software.
A senior manager was designated to provide leadership and coordination of this team effort.
The team met regularly over an initial 18 month period to brainstorm, expand their knowledgebase, investigate solutions, recommend strategies, develop plans, and implement the initial layer of security infrastructure.
100% VLAN scheme
VLANs based on computer/user role:
ITS staff, college employees, computer labs, server farm, ResNet, HVAC, security, network equipment
Internet style ACLs applied between VLANs to limit access
Student lab PCs can’t “see” staff VLAN
ResNet PCs can’t “see” staff VLAN
Extended today to separate VLANs for point-of-sale stations, HVAC, wireless, dial-up; each with its own ACL