The Challenges of Securing University Computer Networks

26 points by herendin over 9 years ago

7 comments

analog31 over 9 years ago

> Universities are struggling to find balance between academic openness and the need for computer security across their networks.

Let's not forget cheapness. Perhaps a major issue is that most of the "academic have nots" are expected to buy their own computers and software. Disclaimer: My spouse is such a worker. As a result, there's a proliferation of computers on the academic network, with varying levels of security installed, and no incentive to secure them further.

My spouse's attitude is pretty typical: If they want security, they can buy her a computer, otherwise it's her personal property and they're not allowed to touch it. The research labs are off limits to the IT staff because "updates" cause old computers running lab equipment to stop working.
jldugger over 9 years ago

Universities are generally designed such that people following their natural incentives will get security wrong. Universities tend to have both central staff, and departmental IT staff distributed amongst them. It works in the sense that departments with larger needs can fund their own hires, but they're often understaffed, underfunded, and report to (and are hired by) people whose general requirements are that systems operate either long enough to submit a grant proposal, publish a paper, lecture in front of class or submit final grades. Anything security related, like rolling out patches, is likely to interfere. This hypothetical won't fly:

> 'Oh gee, we rolled out the latest version of Firefox and now your lab's instructional Java applet won't run. Sorry we didn't test that before going live. But we patched this week's bug. See you this time next week!'

I figure until cybersecurity causes more outages than security lapses, the departmental system will continue to underinvest in security practices and overproduce botnets.

Because of that division, central IT folks working in security have few levers they can pull or dials they can twist. It's been shown that universities have the most expensive password policies among policies observed. Think about that: you can execute a six figure trade using a password less secure than what you need to download a lecture video in Blackboard.
superuser2 over 9 years ago

My university doesn't really have a concept of "The Network" being privileged or sensitive. It's just a route to the internet, like any other utility ISP. There's 802.1x authentication with your SSO credentials (both wired and wireless with WPA2 enterprise), so your actions are accountable, and if you're doing botnet/spam/blackhat things they can cut you off and come find you. WPA2 enterprise uses a certificate to authenticate the AP to the client, so pirate WiFi isn't a security issue either, just an interference problem.

Services are all exposed to the internet (mostly as webapps) with Shibboleth CAS/SSO authentication. The only thing you need "The Network" for is IP whitelisting for journals. There's a web proxy you can use for that if you're off campus. We also have a separate guest SSID that's routed through non-whitelisted IPs.

We have a distinction between "Managed Computer" and "other," where Managed Computers are required for data that's confidential or subject to regulation. I'm sure there are Managed Computers in finance/payroll/scary labs but your average professor or student doesn't need one.
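The claim above that a rogue access point is only an interference problem holds only when the client actually verifies the RADIUS server's certificate during the 802.1X/EAP exchange. As an added example (not part of the thread, and not from any university's tooling), here is a small Python checker that audits wpa_supplicant network blocks for that verification. The SSIDs, paths and credentials in the embedded sample config are constructed for the example; the option names it looks for (ca_cert, domain_suffix_match, domain_match, altsubject_match, subject_match) are real wpa_supplicant options.

```python
"""Audit wpa_supplicant network blocks for WPA2-Enterprise server verification.

Added example: flags EAP networks whose supplicant would accept any RADIUS
server certificate (no ca_cert), or any certificate chaining to the trusted
CA (ca_cert without a server-name constraint). The sample config below is
constructed for this example and is not a real campus configuration.
"""
import re

# Constructed sample: one pinned network, one that trusts any server, one open guest SSID.
SAMPLE_CONF = """
ctrl_interface=/run/wpa_supplicant

network={
    ssid="CampusSecure"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="student@example.edu"
    password="hunter2"
    ca_cert="/etc/ssl/certs/campus-ca.pem"
    domain_suffix_match="radius.example.edu"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="CampusLegacy"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="student@example.edu"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="CampusGuest"
    key_mgmt=NONE
}
"""

# One network={...} block at a time; blocks are not nested in this format.
BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.DOTALL)
# key=value or key="value" lines inside a block.
KV_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\n]*)"?\s*$', re.MULTILINE)

# Any of these binds the trusted CA to an expected server identity.
NAME_KEYS = ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")
# key_mgmt values that mean EAP is in use (wireless WPA-EAP, wired IEEE8021X).
EAP_KEY_MGMT = ("WPA-EAP", "IEEE8021X")


def parse_networks(conf):
    """Return a list of dicts, one per network={...} block, in file order."""
    return [dict(KV_RE.findall(body)) for body in BLOCK_RE.findall(conf)]


def audit_network(net):
    """Return a list of findings for one block (empty means acceptable)."""
    findings = []
    if net.get("key_mgmt") not in EAP_KEY_MGMT:
        return findings  # PSK or open network: no server certificate to verify
    if "ca_cert" not in net:
        findings.append("no ca_cert: supplicant accepts any RADIUS server certificate")
    elif not any(k in net for k in NAME_KEYS):
        findings.append("ca_cert set but no server-name match: any cert chaining to that CA is accepted")
    return findings


def audit_conf(conf):
    """Map each SSID in the config to its list of findings."""
    return {net.get("ssid", "?"): audit_network(net) for net in parse_networks(conf)}


if __name__ == "__main__":
    for ssid, findings in audit_conf(SAMPLE_CONF).items():
        print(f"{ssid}: {'ok' if not findings else '; '.join(findings)}")
```

Run it directly to get one line per SSID. The CampusLegacy block is the weak setting: with no ca_cert, the supplicant completes PEAP against whatever server answers for that SSID, so an impersonating AP becomes a credential-exposure risk rather than mere interference. The CampusSecure block pins a CA and a server-name suffix, which is the condition under which the comment's claim is true.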
windowsworkstoo over 9 years ago

Having spent a lot of time in this domain, you have to (and most seem to be coming to the same conclusion) just assume that everything that connects to your network is untrusted and likely owned and work inwards from there for your threat modelling.

You have to really forget about trying to secure the client (and this includes campus supplied gear) and up your monitoring game.

ISTR that Google has also taken a similar approach with its employees' access to their LAN.
omnibrain over 9 years ago

That's similar to the issues the IT administration of the German Bundestag faced when parts of their network got owned.

I think not seeing it as "one network" but instead seeing it as an internet in which some instances offer services for other instances helps. The "one" network is prone to fail because in such an environment you can't fit all parties under one hat. (And perimeter security is dead, anyway.)
bro-stick over 9 years ago

BTDTBTTS. I was forced to "resign" a sysadmin 4P3 FTE job at Stanford because I refused to sign off a vendor's rushed and unreviewed demand to likely weaken the security of a well-planned credit-card processing private network. That's after we successfully lobbied the university to have departmental firewalls of networks, especially those connecting admin staff computers, which were previously directly on the internet with routable IPs and very little filtering... often found to be serving malware and dumpsites. There was even a gal from Shmoo brought in to make change, but was unable to due to institutional resistance. Later on, a laptop went "missing" with all staff social security numbers because of the failed ITS mantra of "security is everyone's responsibility [and therefore no one's, because it's allowed to become a preventable Tragedy of the Commons]." There were next to no concrete, practical standards (apart from ostensible and vague policies) for securing Windows, Linux, etc. and every pocket of IT did their own thing, without any sort of minimum standard of rigor.

Let's not also bring up how vendors were allowed to supervise and set vague plans for themselves, waste millions of dollars on many projects, at numerous levels, and not have any material results to show for it. They had these vendors sitting on-site coding away for a couple years on some zombie project, still getting paid to do almost nothing, because it would be too embarrassing to admit it was mismanaged and a total failure.

Students had no clue how I had access to all of their personal data, including the VIP pseudonym database and the housing draw, which was running on a Linux minitower which sat behind me. As a joke, a coworker and I ran Nessus against it and found all sorts of unpatched vulnerabilities which could be used to gain root access to it... it was a cluster-fuck that the admin didn't want to deal with and pretended was fine.

Running academic computing networks is balancing openness and freedom with the routine tasks and security costs of cleaning up owned computers... we observed unpatched machines owned anywhere in as little as 17 to 30 seconds, with a mean average of about 25 but no longer than about 2 minutes. The most important thing for campus IT: it needs to be kept to high standards of professionalism, without being run like either a profit-centric corporation# or a small-town school district.

Note: the housing and dining dept (R&DE), is part of Budgets and Auxiliaries, which is code for one of the largest profit-center, cash-cows of the whole university... to the tune of a quarter of a billion dollars. So if you ever wondered why drinks were so expensive in Tresidder or why the dining hall food used such cheap ingredients, it's because it's a business, not a center for learning.
thinkmoore over 9 years ago

Surprised there was no mention of eduroam: https://www.eduroam.us