Network Security – Are universities ready to deal with unexpected issues?

Modern higher education needs technology. IT drives research projects, it powers administrative systems, and it’s on every student’s desk and pocket. The result is a complex, almost chaotic network environment that mixes controlled business services with an uncontrolled myriad of different devices of all ages and all capabilities.

There’s no way for higher education organizations to mandate hardware and software; students will always bring their own computers and on average three to four mobile devices. Thousands of machines connect to networks every day, using academic resources, connecting to external services such as webmail, playing games or running experiments. If there’s something you can imagine a computer doing, it’s being done on an academic network somewhere.

Funding issues make managing these networks a more complex challenge. Years of financial deprivation have meant that in many cases campus networks are being run with equipment that’s decades old, and without significant IT management support. Updating this infrastructure to cope with the demands of a modern, hyper-connected, student body is essential.

In this blog, we look at why higher education organizations are being challenged by the Bring Your Own Device (BYOD) model and what modern technology can help them better design and manage their networks.

BYOD – challenging trend

Recent attacks on academic networks have shown the BYOD model encouraged by cash-strapped universities can be a problem – not only for the networks, but also for their users. The 2015 and 2016 attacks on the UK education network JANET left students unable to connect to academic applications for almost 48 hours.

Networks are also vulnerable to be taken down by students accidentally, or otherwise, in the UK alone there is an increasing number of highly skilled IT students any of whom could potentially decide to use their skills ‘mischievously’. Here are the key reasons academic networks are at greater risk of future downtime than their commercial counterparts:

1. Costs – they are expensive to run. Network infrastructure is never cheap, and upgrades can also require significant building work. The resulting budgetary pressures make it easier to focus on operating costs rather than any necessary capital expenditure. The result is that modern security tools and services aren’t installed, and organisations rely on solutions that may not have the security stance of more specialised hardware and software.
2. Capacity constraint – most technologies used, including WiFi, were not originally created for such heavy usage. Networks designed a decade or more ago don’t have the capacity required when working with BYOD at scale with thousands of students access academic services online from different countries at the same time. High connection and disconnection rates from devices roaming between wireless access points across a campus results in a heavy load on network services, allowing intrusions to be hidden in the high volume associated with “normal” operations and traffic.
3. Variable demand – between term and research time, variable demand for online access from students and professors makes it hard to plan for ‘normal’ operations. Designing for one operating scenario risks degrading the other, and this is where network monitoring is required. Students do not conform to a 9 to 5 schedule that IT departments work with. The IT network need to be ready for all-nighters.
4. Different requirements – the power, bandwidth and security requirements for world-class astrophysics research or highly confidential fee-earning research are clearly different from those needed for browsing the web or social. The flexibility to assign the correct security measures appropriate for each makes academic DDI management much more challenging.

Automated benefits

Blocking client devices, networks and services may seem to be a quick fix solution but like all obvious ones, there’s a significant downside, with a risk of false positives because of blanket blocks.

So where do we go from there? The obvious answer is segregating academic and casual traffic, offering separate virtual network segments for administration, research, teaching, and personal use, using access control to switch users from one network type to another, and applying appropriate security controls for each.

Much of this can be done at a low level, using the Internet’s familiar IP address system to identify and segregate devices, using them as part of a set of network access control policies. Automatically delivered to every device that connects to a network, their addresses can be used as a key that opens access to appropriate resources, keeping trusted and untrusted devices separate.

Network access control is necessary but not sufficient. Using IP configuration is the basis for modern network security. Modern DDI solution (DNS, DHCP, IPAM) tools maintains central repository of IP address related information. They can automate much of the process, centrally keeping track of devices and IP addresses and ensuring they’re treated appropriately as soon as they connect to a network.

Going forward

Recent advances in networking technology have made managing complex networks a lot easier too. Instead of expensive proprietary network hardware, open standards-based x86 systems as used by cloud providers are quick and easy to deploy, using software-defined networking techniques to deliver a network services that can be reconfigured on the fly, responding to user demand, and controlling access to protected resources. Technologies developed for the public cloud are now ready for our networks and campuses, bringing the lessons of the Facebooks of this world to academia.

The same developments have improved support for many of the common protocols that underpin our networks. Improved security tooling can do much more than the familiar firewall, protecting resources from denial of service attacks, while pinpointing complex intrusions and data thefts. With EU legislation like the General Data Protection Regulation (GDPR), coming into force the 25th May 2018, applying these protections to networks stops being optional and becomes essential.

It’s also now possible to use automation to manage those network services and protocols more effectively, taking lessons from large scale corporate BYOD deployments.

With a wide area campus network, where students and staff share resources, there’s a need to manage costs and reduce risk. It makes sense, then, to consider how a campus network can be both designed and managed, to keep resources safe, and to give as many devices access as possible without increasing costs and risks. Here we can take advantage of modern network hardware and software to deliver a dynamic, responsive, and, above all, secure infrastructure.