Higher Education - Learning To Deal With Unexpected Network Security Issues

Modern higher education needs technology. IT drives research projects, it powers administrative systems, and it’s on every student’s desk and in every pocket. The result is a complex, almost chaotic network environment that mixes controlled business services with an uncontrolled myriad of different devices of all ages and all capabilities.

There’s no way for higher education to mandate hardware and software; students will always bring their own computers and their own software. Thousands of machines connect to networks every day, using academic resources, connecting to external services such as webmail, playing games, running experiments. If there’s something you can imagine a computer doing, it’s being done on an academic network somewhere.

Funding issues make managing these networks a more complex challenge than in industry. Years of financial privation have meant that in many cases campus networks are being run with equipment that’s decades old, and without significant IT management support. Updating this infrastructure to cope with the demands of a modern, hyper-connected student body is essential, and those demands are only going to increase. Already students and staff are carrying an average of three or four devices, with the number expected to grow over the next few years.


Recent attacks on academic networks have shown the BYOD model encouraged by cash-strapped universities can be a problem – not only for the networks, but also for their users. The 2015 attack on JANET left students unable to connect to academic applications, cut off from notes and other teaching materials, and prevented from delivering essays and other pieces of work.

So why are academic networks at risk?

  1. They’re expensive to run. Network infrastructure is never cheap, and upgrades can also require significant building work. The resulting budgetary pressures make it easier to focus on operating costs rather than any necessary capital expenditure. The result is that modern security tools and services aren’t installed, and organisations rely on integrated solutions that may not have the security stance of more specialised hardware and software.
  2. Networks designed a decade or more ago don’t have the capacity required when working with BYOD at scale. High connection and disconnection rates from devices roaming between wireless access points across a campus result in a heavy load on network services, allowing intrusions to be hidden in the high volume associated with “normal” operations and traffic.
  3. The variable demand on academic networks, between term and research time, makes it hard to plan for normal operations. Designing for one operating scenario risks degrading the other, especially as the overall demand is hard to predict from year to year.

Blocking networks and services may seem to be a quick fix, limiting access in order to control bandwidth and protect network resources. But like many obvious solutions, there’s a significant downside, with a risk of false positives as a result of blanket blocks. After all, there’s no black hat hacker more determined than a student who can’t get to their Gmail account.

So what’s the answer?

The obvious solution is segregating academic and casual traffic, offering separate virtual network segments for administration, for research, for teaching, and for personal use, using access control to switch users from one network type to another, and applying appropriate security controls for each network.

Much of this can be done at a low level, using the internet’s familiar IP address system to identify and segregate devices, using them as part of a set of network access control policies. Automatically delivered to every device that connects to a network, their addresses can be used as a key that opens access to appropriate resources, keeping trusted and untrusted devices separate. Modern IP address management tools can automate much of the process, keeping track of devices and ensuring they’re treated appropriately as soon as they connect to a network. Tying these tools to other security features can help solve other problems, for example quarantining devices that don’t meet security standards in networks that only let them download and install security patches.

Recent advances in networking technology have made managing complex networks a lot easier. Instead of expensive proprietary network hardware, open standards-based x86 systems as used by cloud providers are quick and easy to deploy, using software-defined networking techniques to deliver a network that can be reconfigured on the fly, responding to user demand, and controlling access to protected resources. Technologies developed for the public cloud are now ready for our networks and campuses, bringing the lessons of the Facebooks of this world to academia.

The same developments have improved support for many of the common protocols that underpin our networks. Improved security tooling can do much more than the familiar firewall, protecting resources from denial of service attacks, while pinpointing complex intrusions and data thefts. With new data protection regulations, like GDPR, on the horizon, applying these protections to networks stops being optional and becomes essential.

It’s also now possible to use automation to manage those network services and protocols more effectively, taking lessons from large scale corporate BYOD deployments. Some, like Microsoft, use a simple web form with an email authentication loop to grant access to visitors and to personal devices, while others use device identification techniques to automatically segregate unapproved hardware onto partially managed network segments, using the same network hardware but unable to access corporate resources. It’s a model that could work well in academia, controlling access to resources via approved devices and giving the rest of a user’s fleet of hardware access to the wider internet.
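The segmentation and quarantine policy described above, and the device-based segregation of unapproved hardware, can be sketched as a small access-control decision. This is an added illustration, not code from the article or any vendor product; the segment names, address ranges, device attributes and the patch-server range are all assumptions.

```python
"""Toy network-access-control policy: place each connecting device in a
segment and decide which destinations that segment may reach.
Added illustration only; segments, ranges and roles are assumed."""
import ipaddress
from dataclasses import dataclass

# Assumed segments mirroring the administration / research / teaching /
# personal split, plus a quarantine segment for non-compliant devices.
SEGMENTS = {
    "admin":      ipaddress.ip_network("10.10.0.0/16"),
    "research":   ipaddress.ip_network("10.20.0.0/16"),
    "teaching":   ipaddress.ip_network("10.30.0.0/16"),
    "personal":   ipaddress.ip_network("10.40.0.0/16"),
    "quarantine": ipaddress.ip_network("10.99.0.0/16"),
}
PATCH_SERVERS = ipaddress.ip_network("10.250.1.0/24")  # assumed patch mirror
INTERNET = ipaddress.ip_network("0.0.0.0/0")           # "everything else"

@dataclass
class Device:
    role: str       # assumed roles: "staff", "researcher", "student"
    managed: bool   # institution-owned and centrally managed?
    patched: bool   # meets the minimum patch level?

def assign_segment(dev: Device) -> str:
    """Choose the segment a device lands in when it connects."""
    if not dev.patched:
        return "quarantine"   # only patch downloads until compliant
    if not dev.managed:
        return "personal"     # BYOD: wider internet, no campus resources
    return {"staff": "admin", "researcher": "research"}.get(dev.role, "teaching")

# Assumed policy: destination networks each segment is allowed to reach.
POLICY = {
    "quarantine": [PATCH_SERVERS],
    "personal":   [INTERNET],
    "teaching":   [SEGMENTS["teaching"], INTERNET],
    "research":   [SEGMENTS["research"], SEGMENTS["teaching"], INTERNET],
    "admin":      [SEGMENTS["admin"], SEGMENTS["teaching"], INTERNET],
}

def allowed(segment: str, dst: str) -> bool:
    """True if a device in `segment` may reach IP address `dst`."""
    ip = ipaddress.ip_address(dst)
    rules = POLICY[segment]
    # Campus destinations must be listed explicitly; the INTERNET catch-all
    # never grants access to internal ranges.
    for net in list(SEGMENTS.values()) + [PATCH_SERVERS]:
        if ip in net:
            return net in rules
    return INTERNET in rules
```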

With a wide area campus network, where students and staff share resources, there’s a need to manage costs and reduce risk. It makes sense, then, to consider how a campus network can be both designed and managed, to keep resources safe, and to give as many devices access as possible without increasing costs and risks. Here we can take advantage of modern network hardware and software to deliver a dynamic, responsive, and, above all, secure network – and at a price that doesn’t break the budget.
