Is HE ready to deal with network security?
Recent attacks on academic networks have shown the BYOD model can be a problem, says Hervé Dhelin, SVP Strategy at EfficientIP
Modern higher education needs technology. IT drives research projects, powers administrative systems, and sits on every student’s desk and in every student’s pocket. The result is a complex, almost chaotic network environment that mixes controlled business services with an uncontrolled myriad of devices of all ages and all capabilities.
There’s no way for higher education organisations to mandate hardware and software: students will always bring their own computers and, on average, three to four mobile devices. Thousands of machines connect to the network every day, using academic resources, reaching external services such as webmail, playing games or running experiments. If there’s something you can imagine a computer doing, it’s being done on an academic network somewhere.
Funding issues make managing these networks an even more complex challenge. Years of financial deprivation mean that in many cases campus networks are run on equipment that is decades old, and without significant IT management support. Updating this infrastructure to cope with the demands of a modern, hyper-connected student body is essential.
BYOD – a challenging trend
Recent attacks on academic networks have shown that the Bring Your Own Device (BYOD) model encouraged by cash-strapped universities can be a problem, not only for the networks but also for their users. The 2015 and 2016 attacks on the UK education network JANET left students unable to connect to academic applications for almost 48 hours. So why are these academic networks at risk?
- Costs – they are expensive to run. Network infrastructure is never cheap, and upgrades can also require significant building work. The resulting budgetary pressure makes it easier to focus on operating costs than on the necessary capital expenditure, so modern security tools and services aren’t installed and organisations rely on solutions that lack the security posture of more specialised hardware and software.
- Capacity constraints – networks designed a decade or more ago don’t have the capacity required for BYOD at scale. High connection and disconnection rates from devices roaming between wireless access points across a campus put a heavy load on network services, and the sheer volume of “normal” events and traffic gives intrusions a place to hide.
- Variable demand – the swing between term time and research time makes it hard to plan for normal operations. Designing for one operating scenario risks degrading the other, especially as overall demand on academic networks is hard to predict from year to year.
Blocking networks and services may seem a quick fix, but like all obvious solutions it has a significant downside: blanket blocks produce false positives, cutting off legitimate teaching and research traffic along with the abuse they were meant to stop.
So where do we go from here? The obvious answer is to segregate academic and casual traffic: offer separate virtual network segments for administration, research, teaching and personal use, use access control to move users from one segment to another, and apply security controls appropriate to each.
Much of this can be done at a low level, using the Internet’s familiar IP address system to identify and segregate devices and making addresses part of a set of network access control policies. Delivered automatically to every device that connects, an address from a given pool can act as a key that opens access to the appropriate resources and keeps trusted and untrusted devices apart. The caveat is that an address is only as trustworthy as the process that issued it: a device can set its own address or borrow another’s, so address-based segregation must rest on authentication at connection time (802.1X at the port or access point, for example) and on switch-level enforcement of the assignment, not on the address alone. Modern DDI (DNS, DHCP, IPAM) tools can automate much of the process, keeping track of devices and ensuring they’re treated appropriately as soon as they connect to a network.
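The following is an added example, not code from the article or from any EfficientIP product, that models the segmentation scheme described in the two paragraphs above: a device is placed in a segment according to a registry entry and its authentication result, leased an address from that segment’s pool, and access to a resource class is then decided from the segment the source address belongs to. The segment plan, resource classes, device registry and the convention that the first host in each pool is the gateway are all assumptions made for illustration; unregistered or unauthenticated devices fall through to the personal segment, and an address that did not come from any pool is denied.

```python
import ipaddress

# Assumed segment plan: segment name -> address pool handed out by DHCP.
SEGMENTS = {
    "admin":    "10.10.0.0/24",
    "research": "10.20.0.0/22",
    "teaching": "10.30.0.0/22",
    "personal": "172.16.0.0/16",   # BYOD / unregistered devices land here
}

# Assumed per-segment policy: resource classes a source in that segment may reach.
POLICY = {
    "admin":    {"student-records", "hr", "lms", "internet"},
    "research": {"hpc", "lms", "internet"},
    "teaching": {"lms", "internet"},
    "personal": {"internet"},
}

# Constructed device registry: MAC -> segment its owner is entitled to.
REGISTRY = {
    "00:11:22:33:44:55": "admin",
    "00:11:22:33:44:66": "research",
    "00:11:22:33:44:77": "teaching",
}


class PoolExhausted(Exception):
    """Raised when a segment has no free address left to lease."""


class Ipam:
    """Minimal DHCP/IPAM model: places a device in a segment, leases it an
    address from that segment's pool, and answers access questions by the
    segment the source address belongs to."""

    def __init__(self, segments=SEGMENTS, policy=POLICY, registry=REGISTRY):
        self.segments = {n: ipaddress.ip_network(c) for n, c in segments.items()}
        self.policy = policy
        self.registry = {m.lower(): s for m, s in registry.items()}
        self.leases = {}                                   # mac -> (segment, ip)
        self.in_use = {n: set() for n in self.segments}    # segment -> leased ips

    def segment_for(self, mac, authenticated):
        # The address is only as trustworthy as the identity check behind it:
        # a device that did not authenticate (e.g. failed 802.1X) never gets a
        # controlled segment, whatever its MAC claims to be.
        if not authenticated:
            return "personal"
        return self.registry.get(mac, "personal")

    def lease(self, mac, authenticated=True):
        mac = mac.lower()
        if mac in self.leases:                 # roaming device keeps its lease
            return self.leases[mac]
        seg = self.segment_for(mac, authenticated)
        net, used = self.segments[seg], self.in_use[seg]
        gateway = net.network_address + 1      # assumption: first host is the router
        for host in net.hosts():
            if host != gateway and host not in used:
                used.add(host)
                self.leases[mac] = (seg, host)
                return seg, host
        raise PoolExhausted(seg)

    def release(self, mac):
        seg, ip = self.leases.pop(mac.lower())
        self.in_use[seg].discard(ip)

    def segment_of(self, ip):
        addr = ipaddress.ip_address(ip)
        return next((n for n, net in self.segments.items() if addr in net), None)

    def allowed(self, src_ip, resource):
        seg = self.segment_of(src_ip)
        if seg is None:                        # not from any pool we issued: deny
            return False
        return resource in self.policy[seg]


if __name__ == "__main__":
    ipam = Ipam()
    for mac, auth in [("00:11:22:33:44:55", True), ("aa:bb:cc:dd:ee:ff", True),
                      ("00:11:22:33:44:66", False)]:
        seg, ip = ipam.lease(mac, auth)
        print(f"{mac} auth={auth} -> {seg} {ip} "
              f"student-records={ipam.allowed(str(ip), 'student-records')}")
```

Note that the access decision in `allowed` is keyed on the address, but the address only reached a controlled pool because `segment_for` insisted on an authenticated, registered device first; a registered MAC that fails authentication is treated exactly like a stranger’s laptop. In a real deployment the same split applies: DHCP and IPAM record and enforce the assignment, but the trust decision belongs to the authentication step that precedes it.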
Recent advances in networking technology have made managing complex networks a lot easier too. Instead of expensive proprietary network hardware, open, standards-based x86 systems of the kind used by cloud providers are quick and easy to deploy, with software-defined networking allowing the network to be reconfigured on the fly in response to user demand while controlling access to protected resources. Technologies developed for the public cloud are now ready for our networks and campuses, bringing the lessons of the Facebooks of this world to academia.
The same developments have improved support for many of the common protocols that underpin our networks. Improved security tooling can do much more than the familiar firewall, protecting resources from denial of service attacks while pinpointing complex intrusions and data theft. With EU legislation such as the General Data Protection Regulation (GDPR) coming into force on 25 May 2018, applying these protections to networks stops being optional and becomes essential.
It’s also now possible to use automation to manage those network services and protocols more effectively, taking lessons from large-scale corporate BYOD deployments.
On a wide-area campus network where students and staff share resources, there’s a need to manage costs and reduce risk. It makes sense, then, to consider how a campus network can be both designed and managed to keep resources safe and to give as many devices access as possible without increasing costs and risks. Here we can take advantage of modern network hardware and software to deliver a dynamic, responsive and, above all, secure infrastructure.