universities should be using NetFlow

A hacktivist group calling itself Team GhostShell has claimed responsibility for leaking 120,000 records from more than 100 higher-education networks. Team GhostShell claims the attacks were carried out in an attempt to “bring attention to failing educational standards worldwide.”

From the looks of it they were quite successful. The story has been picked up many times with dozens of articles discussing it.

I don’t want to get into a debate on world-wide educational standards, but I do think there is a serious discussion to be had around higher education network design, policy, and network security methodology.

Too much freedom?

Higher-education institutions (.edus) have long maintained a “freedom is king” mentality that flies directly in the face of securing sensitive data. Look at all the security issues arising from the BYOD movement. Anytime you let users do whatever they want, or give them the impression they can do as they please with the network, major problems arise. It is the duty of university administration to keep their students’ personal information safe, even if it comes at the cost of their own intellectual freedom. Yes, the rules still apply even if you are an academic.

ISP or Higher Education Campus Network?

EDUs have always felt, to me, like small ISPs. Many students view their campus connections no differently than the Internet uplink at their parents’ house. Faculty expect unabated access to anything. In general, the campus network and security staff conduct business in a manner very similar to that of a small Internet Service Provider. This mentality leads to behaviors that have no place in a formal educational setting and that place sensitive student information and valuable research material at risk.

The EDU campus is not an ISP. Too much is at risk to conduct business this way. Consider some of the common practices found within an EDU and relate these to practices found in a modern enterprise network:

  • Assigning public IP addresses to all hosts: Walk onto a university campus and grab a DHCP IP. What do you get? A publicly addressable IP. The large public address space creates a “vacuum effect” that opens the university campus up to backscatter, random scanning, smurf amplifiers, and other attacks that leverage large public space.
  • No proxy servers and/or very little outbound web filtering: Students would hate it, faculty would go nuts, but the fact is that controlled access to Internet destinations provides massive value in terms of securing the campus.
  • Limited firewalling and inbound access control: Campus-wide firewalling is rare. I’ve seen a few small private universities get away with it, but larger colleges and universities rarely have firewalls at the campus gateways. Instead they often rely on transparent filtering technologies (TippingPoint is popular) that won’t be noticed by the students or staff. I’m a big fan of TippingPoint IPS, but traditional filtering and rate-limiting also have their place.
  • Lax Acceptable Use policies: Now when I say “lax” I don’t mean the campus IT staff didn’t try hard to build something that works; I simply mean that the campus administration (professors, alumni, etc.) won’t allow campus IT to tell users what they can and can’t do – at least not the way an enterprise would.
  • Poor segmentation: ResNet is always the dirtiest network found on a college campus. Kids with computers, anonymity, and lots of free time. They could be compared to the guest network within an enterprise or a Starbucks free hotspot. Are they being properly segmented? Not always.
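Two of the practices above (a large public address space attracting scans, and ResNet not being segmented from sensitive systems) are exactly what flow records make visible. The following is an added example, not code from the original post or from any product it mentions; the flow records are constructed and the CIDR ranges are hypothetical placeholders for a campus allocation.

```python
"""Added example: two checks a campus team could run over NetFlow-style
records. The records and address ranges below are constructed."""
import ipaddress
from collections import defaultdict

CAMPUS = ipaddress.ip_network("203.0.113.0/24")     # hypothetical public campus space
RESNET = ipaddress.ip_network("203.0.113.128/25")   # hypothetical residence-hall segment
PROTECTED = ipaddress.ip_network("203.0.113.0/26")  # hypothetical registrar/admin segment

# Constructed flow records: (src_ip, dst_ip, ip_proto, dst_port, packets)
FLOWS = [
    ("198.51.100.7", "203.0.113.10", 6, 22, 1),     # one-packet probes across many hosts
    ("198.51.100.7", "203.0.113.11", 6, 22, 1),
    ("198.51.100.7", "203.0.113.12", 6, 22, 1),
    ("198.51.100.9", "203.0.113.10", 6, 443, 40),   # ordinary web visit to one host
    ("203.0.113.200", "203.0.113.5", 6, 1433, 12),  # ResNet host reaching protected DB port
    ("203.0.113.200", "198.51.100.50", 6, 443, 30), # ResNet host browsing the Internet
    ("203.0.113.20", "203.0.113.5", 6, 1433, 12),   # non-ResNet campus host, allowed
]


def horizontal_scanners(flows, min_targets=3):
    """External sources that touched at least min_targets distinct campus
    hosts on the same protocol/port: the 'vacuum effect' of public space."""
    targets = defaultdict(set)
    for src, dst, proto, dport, _ in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s not in CAMPUS and d in CAMPUS:
            targets[(src, proto, dport)].add(dst)
    return {key: len(hosts) for key, hosts in targets.items()
            if len(hosts) >= min_targets}


def segmentation_violations(flows):
    """ResNet-to-protected-segment flows. Any hit means the ACL between the
    two segments is missing or has a hole; flow data shows it even when
    no firewall exists to log the denial."""
    hits = set()
    for src, dst, _, dport, _ in flows:
        if (ipaddress.ip_address(src) in RESNET
                and ipaddress.ip_address(dst) in PROTECTED):
            hits.add((src, dst, dport))
    return sorted(hits)


if __name__ == "__main__":
    print("scanners:", horizontal_scanners(FLOWS))
    print("segmentation violations:", segmentation_violations(FLOWS))
```

The same two functions work unchanged on exported flow records once the tuple fields are mapped from the collector's schema.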

Departmentalized Network Security Teams

Individual colleges and facets within the university often maintain their own firewalls and security staff. This fractured management leads to inconsistent policies and poor campus security posture across the board. How many (successful) enterprises run their security in such a way? Is data within the campus any less critical than that found in the enterprise? A social security number or credit card has the same value to the attacker regardless of where it originates.

Graduate Culture Shock

One last point to make here is the notion of graduate culture shock. This is what happens when a student transitions from the open, free, ISP-like networks found at the campus to the controlled, regulated, policy-oriented networks found at the enterprise. Interns and new hires have to suddenly learn to behave very differently from what they have experienced during the past 4+ years.

Universities have an obligation to prepare students for the expectations their new employers bring to bear on new employees.

It’s Not IT’s Fault

Having said all that I must say that I’m (personally) happy with the education system in the US. I’ve met a number of top-notch US EDU rockstars such as Joe Yeager and Chris Hovis. So before you condemn me please consider:

  • It’s those that set policy that cause these issues, not the doers. Campus IT staff have long been known to build incredibly effective home-grown solutions simply because they had to, due to the fact that they couldn’t get funding or administration wouldn’t permit a vendor’s involvement in the network.
  • There are plenty of EDUs to which none of what’s written above applies. For those of you that have solved all these problems, my hat’s off.
  • Organizations such as Educause are constantly pressing to tighten up higher-education practices. Hats off to them as well.
  • Finally, commercial solutions such as the TippingPoint IPS, Enterasys Mobile IAM, and our own Network Flow Analysis technology Scrutinizer have grown in acceptance over the years largely because campus IT has demanded better tools to do their jobs – even if it means dropping a packet or recording a faculty member’s flows.

So what are these university admins afraid of? Where is the discussion? What do you think?


Adam Powers

Experienced technology professional specializing in information security. Skilled orator and accomplished public presenter (see webinars, blogs, etc below). Lead advocate for NetFlow and IPFIX technology adoption.