EDUCAUSE & Internet2 Security Professionals Conference
The Challenge: Securing a Large Multicampus Network
Kirk Kelly – Pima Community College
Scott Ferguson – Pima Community College
April 11, 2006
2:45pm – 3:45pm
Denver Ballroom 2
http://www.pima.edu/admin/presentations
Outline
• Who is Pima Community College (PCC)
• PCC technology infrastructure
• Specific incident
• Lessons learned
• New security devices
• New network architecture
• Questions
Pima Community College
Located in Tucson, AZ
• 8 campuses
• 9 centers
Enrollment
• 61,769 – Credit
• 13,639 – Noncredit
• 75,408 – Combined
Student Profile
• Average age: 27
• 41% ethnic minorities
• 56% female
• 69% part-time
• 68% daytime
• 25% evening
• 7% weekends
Current Data & Phone Network
• 15,000 data network connections across the college
• 7,000 devices connected to the network at 100/1000 Mbit/s
• Campuses, DO, and MS connected at 1 Gigabit speed via City I-Net Fiber ring
• Wireless at all locations
• 2,500+ phone lines across the college
• Over 70 (IDF/MDF) rooms
[Network diagram: PCC Locations, Routers, Firewalls, and WAN Transports (KRK 11/19/04)]
Sites shown: Downtown Campus, Community Campus, District Support Services Center, East Campus, West Campus, Desert Vista Campus, NW Campus (note 1), NE Ctr, SE Ctr, Davis-Monthan Ctr, Green Valley Ctr, Aviation Training Facility, PCAE Eastside, PCAE Lindsey, PCAE El Rio, PCAE El Pueblo
Components shown: Internet, Internet Router, PCC Resource Network, Nokia FW, PIX, Hitachi, IPS (note 2), Network Core Layer, DMZ Resource Network, DO Resources, Routers or Layer 3 Switches
Link types: T1 Point to Point, T1 Frame Relay, 100/1000 Mbit Ethernet, Data over Gigabit Ethernet (City of Tucson INET)
Note 1: 10 Mbit Ethernet
Note 2: IPS (Intrusion Prevention System) is attached in-line on connections indicated by arrows
Wiring Closets, Before and After
W32/Blaster Announced
• August 2003
• Blaster, Nachi, Welchia
• Blocked port 135, etc. at the edge
• Thought antivirus updates were in place
• No problems first day while others across the Internet are having major problems
• Day two an infected laptop plugs in
• Infection spreads quickly and network is shut down
The Awakening
• All services stopped
• All IT meeting with the Chancellor at 6:00pm
• 35+ employees worked all night
• All core systems back online by 1:00pm the following day
• Some remote sites offline for 2-3 days
What Did We Learn?
• Antivirus updates handled differently at every campus
• MS patches were way behind
• Firewalls & routers were underpowered and overtasked (new firewalls installed two months earlier)
• No way to control or secure campus links
• Network not segmented
• Poor communication between command center and staff
• No HVAC
• No keys
Desktop Antivirus and Updates
• All computers centralized into two domains
• McAfee ePolicy Orchestrator
• WSUS for MS security updates
Intrusion Detection?
• Demo of an Intrusion Detection System (IDS)
• Visited U of A
• Discovered an IDS needs constant babysitting
• Demo of an Intrusion Prevention System (IPS)
• No more staff on the horizon
• No central data security position or team
Purchase an IPS
• Decision to purchase IPS
  • Updates
  • Threat Management Center
• Inline on Internet connection
• Inline to all WAN links
• “Wire Speed” packet inspection at gigabit speeds
Firewall
• Needed more horsepower
• Needed firewall ports to support all WAN links
• Needed more DMZs
• Needed more advanced features
• Purchased new firewalls
  • 24 gig ports
  • Virtual firewalls
  • Redundant boxes for redundant links
  • Processor management
Changes to Network
• Needed multiple DMZs to support a centralized server approach
• Created a Frame Relay T1 Failover Network
• Switch to gigabit
• Network segmentation
• Redundant Internet connection (BGP with City)
• Created public access network
• Wireless rides on public network
Additional changes
• Established a disaster recovery site
  • Payroll and native Banner only
  • Redundant Internet link
• Re-architected college DNS/DHCP
  • From 10 distributed servers to 4 centralized
  • Chose an appliance solution
  • HA pair for internal, 1 at disaster recovery site, 1 for external DNS
Future
• Clean access type things…
  • Patch, spyware and antivirus checking
  • Quarantine
  • Goal to provide students access and maintain security
• Portal, students in LDAP
• VoIP pilot and phased installation
• Wireless security
• Wireless with U of A and City of Tucson
  • Inet tie in