Strengthening the first line of defense: here's how administrators can combat threats to their networks.
Securing these complex campus and district networks can seem daunting. But just as technology creates opportunities for mischief, so too does it deliver new tools to prevent it. Here's advice on how to keep your network safe.
First, update existing filtering methods, virus software and patches. This can't be stressed enough. Fortres Grand, N2H2, Norton, Power On Software, SurfControl, Symantec and other vendors continually enhance their products and technologies to handle new threats. Indeed, subscription-based services are increasingly popular partly because they eliminate update concerns.
Second, stay informed. Subscribe to security e-newsletters, especially those from hardware and software vendors used by the district. Apply patches and updates quickly. To automate patching tasks, large districts might look at Shavlik Technologies' HFNetChkPro package, which has an impressive ROI.
Third, explore newly developed solutions. For instance, packet-filtering and signature-based blocking both scan data-packet protocols on the fly to block unauthorized P2P activity and more regardless of source. Telemate.net's NetSpective WebFilter network appliance uses signature-based blocking. Palisade Systems' ScreenDoor software will block access by protocol, port or server address.
Wide reach also characterizes Vericept's VIEW Filter. It monitors all TCP/IP traffic--Internet, intranet, email, attachments, chat, IM, P2P and more--for out-of-bounds activity, and it has adaptive URL blocking. SpectorSoft's Spector Pro software similarly tracks e-mails, chat, IM and even keystrokes via "stealth recording," sending an alert when suspicious activities or banned topics are detected.
Security Solutions Get Sneaky
Clearly, to protect networks from both smart programs and the clever people behind them, the newest breed of security solutions employs some deviousness as well.
Decoy servers, for example, simulate active servers with faked data and email traffic to attract any attacker. Once there, all activity is recorded for tracing back to the culprit. These are a class of intrusion detection systems (IDS). Symantec offers a robust Decoy Server. So does Palisade Systems, whose SmokeDetector program can mimic up to 19 server operating systems on one box. Also, IDS and/or filtering are built into some firewalls now, such as those from 3Com or Cisco Systems.
Detours are another approach. WebSense has Web-page requests pass through some control point (firewall, proxy server or caching device), where it checks them against a customizable set of parameters before sending them along. NetSweeper transforms this "detour defense" into a turnkey solution by adding the router/proxy server. Being hardware-based, this system's filters and rules are extremely hard to circumvent.
Dedicated network-security appliances, in fact, have emerged as a trend. Decoy servers are one distinct type; others are more hybrid in nature. Most of this hardware dovetails with optional subscription-based services too, resulting in a comprehensive defense.
Symantec's Firewall/VPN Series, for instance, fits nicely with their filtering and virus software. VPN, for Virtual Private Network, basically creates a "tunnel" within the Internet for remote secure access to LANs. SonicWALL's Education Editions are tailored just for mixed platform K-12 networks. These security appliances include a firewall, VPN capability plus a free year of their content-filtering service that was just enhanced to Version 2.0. Add-ons include virus protection and a management module.
A new and elegant solution to remote-access security is the IVE, Instant Virtual Extranet. Introduced to K-12 schools this spring, security vendor Neoteris describes the network appliance as an "extranet in a box."
The IVE sits between an internal LAN and all outside users, intercepting all requests. After authenticating them, the IVE then spawns a second, separate and encrypted session with the LAN to pass along only copies (proxies) of the request and return results. Remote users never actually connect to the LAN, only to the IVE.
The IVE employs the same Web-based encryption--SSL--as banks and online shops do for transactions. This supplies secure access to e-mail, internal LAN resources, Web resources and more from any remote computer. Plus, for secure messaging, standard Windows programs like Microsoft Outlook and Lotus Notes work fine, eliminating costly VPN client software and all of its hassles.
Uniquely, the IVE controls LAN access at the application layer, enabling highly granular control. One can restrict incoming access to a single server or certain files and applications, for example, or limit outgoing requests to specific domains.
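The kind of application-layer, default-deny decision described above can be expressed as a small policy check. This is an added example, not Neoteris code; the roles, hostnames, paths and allowed outbound domains are constructed for illustration.

```python
import posixpath
from urllib.parse import urlsplit, unquote

# Constructed policy: role -> list of (internal server, path prefix) it may reach.
INBOUND_RULES = {
    "teacher": [("mail.district.example", "/owa/"),
                ("files.district.example", "/staff/")],
    "parent": [("portal.district.example", "/grades/")],
}
# Constructed list of domains that outgoing requests are limited to.
OUTBOUND_DOMAINS = {"cert.org", "ftc.gov"}


def _normalize(path):
    """Decode and collapse the path so '..' segments cannot step
    outside an allowed prefix before the rule is matched."""
    decoded = unquote(path or "/")
    clean = posixpath.normpath(decoded)
    # normpath drops a trailing slash; restore it for prefix matching.
    if decoded.endswith("/") and clean != "/":
        clean += "/"
    return clean


def allow_inbound(role, authenticated, url):
    """Proxy a remote request only if the user is authenticated and a
    rule for their role names this exact server and path prefix."""
    if not authenticated:
        return False
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = _normalize(parts.path)
    return any(host == server and path.startswith(prefix)
               for server, prefix in INBOUND_RULES.get(role, []))


def allow_outbound(url):
    """Permit an outgoing request only to an approved domain or one of
    its subdomains; a look-alike suffix such as 'cert.org.x' fails."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in OUTBOUND_DOMAINS)
```

Anything that matches no rule is refused, so a new server on the LAN stays unreachable from outside until someone writes a rule for it.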
Finally, it's a real plug-and-play appliance. No DNS changes; no additional security configuration; no patches to Microsoft IIS servers. Just plug the IVE into the network for an instant school extranet portal.
"It took me 10 minutes to set up and zero maintenance since," confirms Julio Velasquez, director of information technology for Somerset Area School District in Pennsylvania. Needing to provide secure remote access to the district's Windows network for hundreds of teachers, staff and administrators--with a minimum of administrative headaches--the former CTO turned to Neoteris' IVE.
It was a good decision. "Teachers manage their own computers with it in place," he explains. "They can change their own passwords and more, and the IVE just handles it."
After a successful pilot with district faculty and staff, Velasquez says he'll open the IVE up as a secure portal for students and parents, too. "The beauty is it creates secure access for any remote computer, so it's perfect for our situation with constant student and parent turnover." Neoteris was not the "cheapest solution" at the outset, continues Velasquez, "but when you figure in the personnel costs, man-hours and more it saves, the ROI became pretty compelling."
AdSubtract ad-blocking software www.intermute.com
Bugnosis free bug-spotting software www.bugnosis.org
Carnegie Mellon CERT Center threat updates www.cert.org
Cisco Systems www.ciscosystems.com
Federal Trade Commission Advisory closing open relay on servers www.ftc.gov/openrelay
Fortres Grand www.fortres.com
GuideScope pop-up and ad-blocking www.guidescope.com
Filtering Info www.filteringinfo.org
MAPS Transport Security Initiative securing e-mail servers www.mail-abuse.org/tsi
National Infrastructure Protection Center threat updates & new tools www.nipc.gov
Palisade Systems www.palisadesystems.com
Power On Software www.poweronsoftware.com
Shavlik Technologies www.shavlik.com
RELATED ARTICLE: Help for human habits.
The best network security is easily compromised by everyday human habits. Professionals are after data these days, and they have both online and off-line tricks. School staff, parents and students must understand how their personal safety and privacy are at risk if they are careless with passwords and other access codes.
After awareness comes process. Lock computers when not in use by using password-protected screen savers. Publicize that network usage is being monitored to prevent temptation. Have punitive measures spelled out for breach of acceptable use policies.
Terian Tyre is a contributing editor.
|Title Annotation:||Special focus: security|
|Date:||Nov 1, 2003|