EDUCAUSE & Internet2 Security Professionals Conference The Challenge: Securing a Large Multicampus...

EDUCAUSE & Internet2 Security Professionals Conference The Challenge: Securing a Large Multicampus Network Kirk Kelly – Pima Community College Scott Ferguson – Pima Community College April 11, 2006 2:45pm – 3:45pm Denver Ballroom 2 http://www.pima.edu/admin/presentations


EDUCAUSE & Internet2 Security Professionals Conference

The Challenge: Securing a Large Multicampus Network

Kirk Kelly – Pima Community College

Scott Ferguson – Pima Community College

April 11, 2006

2:45pm – 3:45pm

Denver Ballroom 2

http://www.pima.edu/admin/presentations

Outline

• Who is Pima Community College (PCC)

• PCC technology infrastructure

• Specific incident

• Lessons learned

• New security devices

• New network architecture

• Questions


Pima Community College

Located in Tucson, AZ

• 8 campuses

• 9 centers

Enrollment

• 61,769 – Credit

• 13,639 – Noncredit

• 75,408 – Combined


Student Profile

• Average age: 27

• 41% ethnic minorities

• 56% female

• 69% part-time

• 68% daytime

• 25% evening

• 7% weekends

Current Data & Phone Network

• 15,000 data network connections across the college

• 7,000 devices connected to the network at 100/1000 Mbit/s

• Campuses, DO, and MS connected at 1 Gigabit speed via City I-Net Fiber ring

• Wireless at all locations

• 2,500+ phone lines across the college

• Over 70 (IDF/MDF) rooms

[Network diagram: PCC Locations, Routers, Firewalls, and WAN Transports (KRK 11/19/04). Elements shown: Internet, Internet Router, Nokia FW, PIX, Hitachi, IPS, Network Core Layer, PCC Resource Network, DMZ Resource Network, DO Resources, and routers or Layer 3 switches at each site. Sites shown: Downtown Campus, Community Campus, District Support Services Center, East Campus, West Campus, Desert Vista Campus, NW Campus, NE Ctr, SE Ctr, Davis-Monthan Ctr, Green Valley Ctr, Aviation Training Facility, PCAE Eastside, PCAE Lindsey, PCAE El Rio, PCAE El Pueblo. Link types in the legend: T1 Point to Point, T1 Frame Relay, 100/1000 Mbit Ethernet, Data over Gigabit Ethernet (City of Tucson INET). Notes: (1) 10 Mbit Ethernet, marked on NW Campus; (2) the Intrusion Prevention System (IPS) is attached in-line on connections indicated by arrows.]

Wiring Closets, Before and After


W32/Blaster Announced

• August 2003

• Blaster, Nachi, Welchia

• Blocked port 135, etc. at the edge

• Thought antivirus updates were in place

• No problems first day while others across the Internet are having major problems

• Day two an infected laptop plugs in

• Infection spreads quickly and network is shut down


The Awakening

• All services stopped

• All IT meeting with the Chancellor at 6:00pm

• 35+ employees worked all night

• All core systems back online by 1:00pm the following day

• Some remote sites offline for 2-3 days


What Did We Learn?

• Antivirus updates handled differently at every campus

• MS patches were way behind

• Firewalls & routers were underpowered and overtasked (new firewalls installed two months earlier)

• No way to control or secure campus links

• Network not segmented

• Poor communication between command center and staff

• No HVAC

• No keys

Desktop Antivirus and Updates

• All computers centralized into two domains

• McAfee ePolicy Orchestrator

• WSUS for MS security updates


Intrusion Detection?

• Demo of an Intrusion Detection System (IDS)

• Visited U of A

• Discovered an IDS needs constant babysitting

• Demo of an Intrusion Prevention System (IPS)

• No more staff on the horizon

• No central data security position or team


Purchase an IPS

• Decision to purchase IPS

  • Updates

  • Threat Management Center

• Inline on Internet connection

• Inline to all WAN links

• “Wire Speed” packet inspection at gigabit speeds


Firewall

• Needed more horsepower

• Needed firewall ports to support all WAN links

• Needed more DMZs

• Needed more advanced features

• Purchased new firewalls

  • 24 gig ports

  • Virtual firewalls

  • Redundant boxes for redundant links

  • Processor management

Changes to Network

• Needed multiple DMZs to support a centralized server approach

• Created a Frame Relay T1 Failover Network

• Switch to gigabit

• Network segmentation

• Redundant Internet connection (BGP with City)

• Created public access network

• Wireless rides on public network


Additional changes

• Established a disaster recovery site

  • Payroll and native Banner only

  • Redundant Internet link

• Re-architected college DNS/DHCP

  • From 10 distributed servers to 4 centralized

  • Chose an appliance solution

  • HA pair for internal, 1 at disaster recovery site, 1 for external DNS

Future

• Clean access type things…

  • Patch, spyware and antivirus checking

  • Quarantine

  • Goal to provide students access and maintain security

• Portal, students in LDAP

• VoIP pilot and phased installation

• Wireless security

• Wireless with U of A and City of Tucson

  • Inet tie in