
NETWORK SECURITY AND INFORMATION

MANAGEMENT

Project:

Specific Issues on Information Security in


Educational Institutions

Topic:

Real Time Network Protection for


Educational Institutions

By:

ROSIADI BIN TAJUDIN


SHAYNE VADYA MUYAU
LIP YE VUN

SCHOOL OF INFORMATICS SCIENCE


UNIVERSITY MALAYSIA SABAH
LABUAN INTERNATIONAL CAMPUS

CHAPTER 1

INTRODUCTION

As information technology has grown to what it is today, the internet has become one of the most important places to obtain information and data. When we talk about real time protection, we are referring to the condition in which data or information is requested and, at the same time, protection is provided so that there is no attack on, or threat to, the systems.

As real time communication grows, information and network security becomes an essential part of protecting the information and data of an organization. Educational institutions are among the organizations that face the most challenging task in protecting their data. All valuable data, such as student records, results, staff records, financial records and other confidential data, need to be secured from attacks, threats or intrusions, which may come from inside or outside the organization.

Nowadays, network threats have changed from identity-based threats to content-based ones. This puts pressure on network security assets to adapt. The growth of "real time" communication and access to information has forced these network security assets to work faster, to find malicious content before it can do harm.

In this study, the four important topics discussed are: the changing demands on education networks, the changing nature of network threats, the challenges and issues specific to higher education institutions, the conventional solutions to educational network security, and the ways to secure educational networks. All of these topics are elaborated briefly, with some current issues that have happened not only in the Malaysian education system but around the world.

Conventional network security systems, which are mostly software-based point solutions, have not been able to keep up with the need for "real time" protection. Thus, in this study the researchers also try to suggest some solutions for the network security needed by educational institutions.

CHAPTER 2

THE CHANGING DEMANDS ON EDUCATION NETWORKS

The internet began as a research network funded by the Advanced Research Projects Agency (ARPA) of the U.S. Defense Department. Since that time, internet technology has developed tremendously, from connecting a small number of computers to worldwide connectivity. By the mid-1990s, the internet connected more than 60 countries and more than 2 million host computers, with more than 15 million users worldwide. Today, the internet covers most countries in the world and can be accessed anywhere and at any time, as needed.

The rapid development of the internet has changed the way many industries perform. One of the most affected fields is education. Although the internet has brought many advantages to education, securing an educational institution's networks has become one of the most challenging tasks. This is because, with online technology, most systems were developed to be online, which leaves the contents of some systems open to interference by outsiders. This is the main reason why real time network protection is needed to secure such systems from intrusion by other parties.

The Internet has increased students' exposure to many valuable and useful sources of information. It is undeniable that most students use the internet to obtain information and to learn about the research currently being conducted. However, it has also made it easy to access inappropriate or illegal content and to use campus networks for non-educational pursuits. The issues that may arise include:

• Access to inappropriate content by young students
• Intrusions into academic record and exam stores
• Introduction of viruses and worms into campus networks
• Utilization of campus networks for illegal content sharing

These issues have placed an enormous strain on all resources associated with the health, maintenance or support of campus computing systems and networks. While numerous products are available today that can filter inappropriate content, eliminate viruses and worms, detect network intrusions and prevent access to critical computing assets, the cost of procuring and managing these systems stretches the personnel and budget limitations of the vast majority of educational institutions. What is needed is a new, architecturally different approach to network protection for distributed and diverse educational network and computing environments that is effective, inexpensive, easy to install and maintain, and consistent with applicable government requirements.

CHAPTER 3

THE CHANGING NATURE OF NETWORK THREATS

For much of the last two decades, the primary threats to networked computing systems were attacks launched by remote hackers who established connections from outside of the private or trusted network to resources within the private network, and used those connections to compromise private data and programs.
The response to these so-called "connection-oriented" attacks was to install network firewalls at the junctures between the private local area network (LAN) and the public wide area network (WAN), most commonly the Internet. The primary functions of the firewall are to hide the internal structure of the private network from those outside and to validate that traffic traversing the LAN/WAN boundary is from legitimate senders for legitimate purposes. This is a process based primarily on determining that the remote party is trusted and that the nature of the connection is for something allowed, like Web browsing or email, rather than something disallowed, such as remote control.
More recently, the most damaging and costly attacks do not require sustained
connections from outside to inside the private network; rather, so-called "content-based"
attacks, such as viruses, worms and Trojans, deploy active agents within the private
network that act autonomously and rapidly. Detecting content-based attacks is much
more challenging than connection-based attacks, because the contents of the
communication, rather than simply the source and the nature of the application, must be
thoroughly analyzed to determine if it contains malicious code. Indeed, most content-
based attacks are delivered by ostensibly "trusted" sources such as email messages and
Web pages, the two types of traffic that are always allowed by firewalls.
To make matters worse, at the same time that threats are becoming more
sophisticated and difficult to analyze and detect, our need to access information and our
patience with network performance are now categorized in one of two ways: "real time"
or "unacceptably slow." Whereas just a few years ago email seemed lightning fast
compared to "snail mail", email itself is often too slow now compared to instant Web
downloads or instant messaging.
There are several needs, threats and challenges that are (in varying degrees) common to the full spectrum of educational institutions, from primary and secondary schools through higher and adult education. These include protection from viruses and worms, secure connectivity between remote locations and the network, protection from inappropriate content and compliance with regulatory norms, maximization of bandwidth and other network resources, protection of administrative resources and students from hackers, ease of maintenance and updating, maximization of performance, and capital and expense budgets. Each is analyzed separately below.

• Protection from viruses and worms.
• Secure connectivity between remote locations and the network.
• Threats by intruders.
• Maximization of network resources.
• Protection from hackers, and
• Ease of maintenance and updating.

3.1 Protection from Viruses and Worms

The number of reported incidents of virus and worm attacks has increased dramatically
over the past several years, as has the cost of dealing with these attacks. According to
one study, the average number of attacks per company increased by 79% from July 1,
2001 to December, 2001 (Source: Riptech, 2002). The cost of recovering from attacks is
skyrocketing also. Following the much-publicized Nimda attacks, many major
corporations cut off Internet connectivity for periods ranging from several days to several
weeks.

Figure 3.1: Worldwide damage from malicious attacks in 2001

It would be tempting to interpret the data regarding the damage done by recent
attacks as an indication of lack of investment by organizations in their antivirus defenses.
However, penetration of antivirus technology is actually quite high, reaching over 90% in
some market segments. This fact focuses attention on other causes for the problem,
namely the nature of the evolving virus threat, and the limitations of current solutions.
The much-studied Nimda and Code Red attacks are examples of the increasingly sophisticated and disabling attacks commonly known as blended threats. Blended threats spread through networks with unprecedented speed by exploiting known vulnerabilities in widely deployed software applications. Even those organizations that maintain host-based antivirus software are successfully attacked, because the infection propagates to their PCs and servers faster than they can update their antivirus software. In addition, new vulnerabilities are exposed by the practice of allowing employees to access their personal, Web-based email accounts while at work, effectively bypassing most companies' server and desktop AV defenses.
In the wake of these costly threats, organizations have been searching for
solutions that can respond more effectively to fast-spreading attacks. Some
organizations have resigned themselves to the fact that Internet connectivity poses risks,
and simply prepare for the next inevitable outbreak. Other organizations are
implementing means to automatically or manually cut off Internet access each time they
learn of a major attack until they can verify that all of their hosts have updated antivirus
software. Both of these approaches come at cost, and point to the need for alternative
measures that can mitigate the weaknesses of host-based antivirus measures.

3.2 Secure Connectivity Between Remote Locations and The Network

School districts and universities alike can now be found with tens to thousands of users
spread out over numerous locations, many of whom utilize virtual private network (VPN)
technology to provide fast, secure access to information stored on the network. VPNs
use encryption and authentication techniques to ensure the privacy and integrity of data
as it traverses the public network. While generally very effective for providing ubiquitous
remote access, VPNs have some significant limitations and shortcomings. Most importantly, conventional VPN hardware and software do not scan the content carried within their "secure" tunnels, and as a result VPNs can provide yet another means by which viruses, worms and other attacks can penetrate the firewall and reach the private network. Without real time scanning of VPN traffic before it enters the network, VPNs can actually represent a threat rather than an enhancement to network security.
Unlike private corporate networks, which, by their nature, are designed to be
“walled gardens” of information, campus networks – due to the need to facilitate
collaboration and provide access to information – generally are designed to be more
open, and therefore more vulnerable to misuse.
Not only can an educational institution's computer systems be the target of unauthorized access from outside the institution, but individuals with access to those powerful systems can use them to launch unauthorized attacks on other computer systems and networks. Public access terminals located in college and university libraries, now a nearly universal phenomenon, are particularly vulnerable, both as a means to obtain access to institutional networks and to harass others anonymously. As a result of these trends, college and university administrators, IT professionals and legal counsel should become familiar with the federal and state computer theft and privacy laws that may give rise to criminal prosecution or civil claims against the institution as well as its personnel and students.

3.3 Maximization of Network Resources

Some institutions have reported that peer to peer file-swapping, as popularized by Napster and continued by its progeny Morpheus, Kazaa and Grokster, represents the largest consumer of bandwidth on their networks. While the legality of file swapping can be debated, the tremendous bandwidth it utilizes cannot. A typical MP3 file is about 300 to 400 kilobits, and DVD movies can run into gigabytes. Downloads of these files consume enormous amounts of bandwidth, and it doesn't take many such users to bring the entire network to a crawl. Firewall applications can effectively prohibit this sort of activity by preventing students from downloading certain types of files like MP3s, or by blocking the file swapping protocols. Alternatively, traffic management technology can be used to limit the amount of bandwidth that is allocated to these types of applications.

3.4 Intruders: The Biggest Threat to Network Security

Companies find it convenient to single out employees as the main threat to internal network security so they can put a face on the problem. But unwanted intruders, not employees, pose the greatest risk to organizations. An intruder can be a malicious hacker, a former employee or one of the thousands of third party connections that organizations have opened to help further business goals.
Solutions exist to protect against employee abuse. The most common is access control: locking down file servers, desktops and applications. Recently, vendors have tried to protect content on the networks. This approach only fortifies against the casual employee who is bored or looking to get a head start with the sales list before heading to the next job. These solutions cannot protect against sophisticated intruders who employ state-of-the-art tools and technologies to cause damage to companies.

Today, hackers circumvent network security by disguising themselves as legitimate users. With one legitimate access account, intruders can infiltrate systems, not by breaking down gates but by accessing each system with legitimate credentials they gather along the way. They steal these credentials in a variety of ways: compromising a home user's computer, tricking employees into divulging passwords or user names, or sniffing an ISP. Scarier still, most companies don't have a way to detect these compromises. Compromises are usually discovered while operating or rebuilding a server or, more likely, when a CEO wakes up to find his proprietary data publicly available. Criminals use an arsenal of techniques to access valuable data: reverse HTTP tunnels, Internet Control Message Protocol backdoors, sniffers, Trojans, even steganography embedding data in images. And with the proliferation of sources to download these tools on the Web, users need less sophistication than they did even six months ago. That's why companies should worry about sophisticated hackers and not employees who blindly access networks.
A new technology, compromise detection, exists to combat the risk malicious hackers pose. Unlike both access controls and content filters, compromise detection was built specifically to defend against the stealthy and sophisticated attacks that intruders use now and will use in the future. Compromise detection exposes hackers as they enter and move through the network. This approach independently audits and tracks internal traffic, looking for specific telltale signs pointing to the footprints intruders leave behind. To identify these covert actions on internal networks, a product must have a deep understanding of how internal networks fundamentally behave. The fact is, companies assume the risk of a compromise any time they grant access to their networks. Employees happen to be the easiest risk factor to guard against. It is imperative for organizations to realize that employees are not the main problem. Thinking so leaves networks consistently and dangerously exposed.

3.5 Protection from Hackers

Whether it involves the classic scenario of a student trying to access their records to change a grade, or a "hacktivist" attempting to express their opinion in a very noticeable (and illegal) way, hacking can cause significant damage to a school's network and can consume an overwhelming amount of network resources to prevent, identify and remedy. Unfortunately, because access can be granted, even deliberately, to the wrong people through VPNs, old usernames/passwords, stolen identities or other back doors, firewalls alone are not enough.
A comprehensive Intrusion Detection and Prevention System (IDP) can help
identify hackers and stop them in their tracks. IDP technology effectively operates as a
network's "sleuth", constantly watching the network for suspicious activity that indicates
an attempt to exploit or overwhelm specific servers and/or applications and allows the
network administrator to take immediate action to protect the network. An effective IDP
system will set off an alarm when network activity fits a known "attack profile" either
automatically as part of a security policy or manually. Just as importantly, a truly effective
IDP system can be configured to block threats from entering the network in either an
automated or manual fashion.
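The detection idea running through sections 3.4 and 3.5, looking for telltale signs in internal traffic and raising an alarm when activity fits a known attack profile, can be shown in a few lines of code. The following is an added example, not code from this paper or from any IDP product; the log format, the rule thresholds (five failures within sixty seconds, business hours 07:00 to 19:59) and the log lines themselves are constructed for illustration and would be tuned to a real site's baseline.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not captured from any real system).
SAMPLE_LOG = """\
2024-03-01T08:00:01 auth src=10.20.1.15 user=alice result=OK
2024-03-01T09:15:00 auth src=10.20.3.9 user=bob result=OK
2024-03-01T22:10:00 auth src=203.0.113.7 user=registrar result=FAIL
2024-03-01T22:10:02 auth src=203.0.113.7 user=registrar result=FAIL
2024-03-01T22:10:04 auth src=203.0.113.7 user=registrar result=FAIL
2024-03-01T22:10:06 auth src=203.0.113.7 user=registrar result=FAIL
2024-03-01T22:10:08 auth src=203.0.113.7 user=registrar result=FAIL
2024-03-01T22:10:11 auth src=203.0.113.7 user=registrar result=OK
2024-03-02T08:02:30 auth src=10.20.1.15 user=alice result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Detection parameters (assumed values; tune them to the site's observed baseline).
FAIL_THRESHOLD = 5              # failures within WINDOW that define the brute-force profile
WINDOW = timedelta(seconds=60)
BUSINESS_HOURS = range(7, 20)   # hours considered normal for interactive logins


def parse_line(line):
    """Return (timestamp, src, user, result), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["user"], m["result"])


def detect(lines):
    """Run three attack-profile rules over log lines and return alerts in order."""
    alerts = []
    failures = defaultdict(deque)      # src -> timestamps of failures inside the window
    brute_flagged = set()              # sources already reported, to avoid repeat alarms
    known_sources = defaultdict(set)   # user -> sources this user has logged in from

    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, user, result = parsed

        # Drop failures that have fallen outside the sliding window.
        recent = failures[src]
        while recent and ts - recent[0] > WINDOW:
            recent.popleft()

        if result == "FAIL":
            recent.append(ts)
            # Rule 1: brute-force profile, many failures from one source in a short window.
            if len(recent) >= FAIL_THRESHOLD and src not in brute_flagged:
                brute_flagged.add(src)
                alerts.append(("brute_force", user, src, ts))
            continue

        # Rule 2: a success right after failures from the same source fits the
        # "guessed or stolen credentials" profile the text describes.
        if recent:
            alerts.append(("success_after_failures", user, src, ts))

        # Rule 3: first success for this user from a never-seen source, outside
        # business hours, is a telltale sign worth a look even without failures.
        if src not in known_sources[user] and ts.hour not in BUSINESS_HOURS:
            alerts.append(("new_source_off_hours", user, src, ts))
        known_sources[user].add(src)

    return alerts


if __name__ == "__main__":
    for rule, user, src, ts in detect(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} ALERT {rule}: user={user} src={src}")
```

Run as a script it prints one line per alert. The rule worth noticing is the second one, which fires on a successful login rather than on the failures, because a compromise using guessed or stolen credentials looks like an ordinary session once the intruder is in. In a real deployment the alerts would feed the administrator's workflow or an automated block, as the text describes, and the thresholds would be set from observed traffic to keep false alarms down.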

3.6 Ease of Maintenance and Updating

An often overlooked but critically important aspect of any educational network security solution is its ease of use, maintenance and updating. Most educational institutions, regardless of size, have limited budgets for their system/network administration staff. Network protection solutions that require 3, 4, 5 or more distinct applications, each from a different manufacturer with different interfaces, policies and capabilities, result in a daunting and expensive management task that can require extensive staffing.

CHAPTER 4

THE CHALLENGES AND ISSUES SPECIFIC TO EDUCATIONAL INSTITUTIONS

There are a few issues and challenges of information and network security faced by higher education. They involve addressing the unintended and unwanted by-products of the freedoms these networks provide. For example, students can and occasionally will use the school's network for inappropriate or illegal purposes. In this sub topic, the discussion will focus on three common issues:

• File swapping,
• Malicious constituent activity, and
• Security and identity management.

4.1 File Swapping

Academics continue to strongly oppose downloading: more than eight in ten (85%) report it is not OK to swap or download files without paying. Students are more varied in their opinions. One quarter are unsure of their position, but the percentage of students who have no problem with swapping and who think it is okay for low value items has decreased since 2003. Additionally, one-third (32%) of students report it is not okay to swap or download without paying (up from one quarter in 2003). Those most opposed to file swapping include students who report they would never download music or movies (72%), and those who would never P2P commercial software (54%).
Downloading music is a gateway to downloading software. Students who download pirated music are much more likely to download unlicensed software and to feel it is OK to download or swap files. Students are taking advantage of high-speed connections on campus: students who use their school's network to access the internet are more likely to download games, movies and commercial software using P2P programs. Students who download commercial software from college and university networks are significantly less likely to ever pay for the software they download.
These students are also more likely to report that they download commercial software from P2P programs more often. Two thirds (65%) of students reported downloading music using P2P programs. Students' ethical positions on downloading are ambivalent: half (48%) say their likelihood of downloading commercial software using P2P depends on the circumstances. Currently, 61% of the students who download commercial software rarely or never pay for it. Half of students say their likelihood of downloading commercial software from a P2P program depends on the circumstances. Half of students believe that even in the workplace, it is fine to download and swap files no matter what the value.
The graphs below show the frequency of file swapping among students and academics using university networks.

Figure 3.2: The rate of file swapping among students and academics

Figure 3.3: Internet access behaviors among students and academics

Figure 3.4: The frequency of P2P use among students and academics

Figure 3.5: The purposes of internet use in the university

Figure 3.6: Music downloading behaviors among students

Example: Music Swapping

Music swapping, such as on Napster and Kazaa, is a perfect example of an application that can have a very negative impact on a higher education network. University networks are commonly used as laboratories for new threats, and can also be used to launch attacks on administrative systems. The recording industry has stepped up its campaign against music swapping at higher education establishments, filing suit against four students who operated file-search services on colleges' internal networks. University students have been widely viewed as the core of the various file-swapping networks ever since the appearance of Napster on the digital scene in late 1999.
Universities have seen half or more of their network bandwidth used by people uploading and downloading songs, software and movies over the past few years. Colleges have attempted to crack down on the practice of file swapping in various ways, ranging from blocking network traffic associated with Napster or Kazaa to confiscating computers used to trade files.
In a recent congressional hearing, some lawmakers called for criminal prosecutions for campus file-swappers. Kazaa or Napster has built a large international business by encouraging and authorizing the illegal copying of music by users of its network. It authorizes this copying without seeking the license or permission of the owners and creators of the music, nor does it pay any royalties to either the owners or creators of the music.
Direct Connect resembles Napster most closely, allowing users to connect to a
central server, search one another's hard drives and download files from one another.
Flatlan, by contrast, lets a student set up a search engine often on an ordinary dorm
room PC that scours all computers connected to a campus network that have Windows
file-sharing turned on. Unlike Napster or Kazaa, which helped create a network of
computers that would not have existed otherwise, Flatlan searches a network that
already exists. Phynd is a generic search engine technology that lets users configure it to
search whatever they want, including FTP sites, websites or local files such as those
found on a college network.

4.2 Malicious Constituent Activity

One alarming trend is the growth of viruses and worms originating from within Higher
Education networks. "Smart hackers don't like to launch attacks from their own systems.
They prefer to take over easily compromised systems at other locations, like universities
and poorly defended companies, and use those systems to launch attacks."

4.3 Security and Identity Management

Institutions face a tenuous balance between the need to expand information access and
the requirements to protect information assets from unauthorized and inappropriate use.
The increased use of electronic information at higher education institutions has resulted
in an expanding number of accounts, passwords, and other mechanisms to permit and
limit access to these resources.
Managing access to this expanding set of resources has itself created overhead
and increased the likelihood that access to some of these resources may not be
appropriate. At the same time, institutions are witnessing an expanding threat matrix
including viruses, spyware, phishing, rootkits, and deliberate electronic break-ins and
data theft along with intense media scrutiny of security breaches amid an evolving legal
and regulatory landscape. Antivirus and other security software will always play an
important role in security, but there is no such thing as software that can make an
institution secure.
In response to these demands, colleges and universities must establish and
maintain comprehensive security policies and procedures and enforce these with
technologies that support the efficient authentication, authorization, and auditing of
information access.

CHAPTER 5

THE CONVENTIONAL SOLUTIONS TO EDUCATIONAL NETWORK SECURITY

Just a few years ago the total number of educational network users and therefore
potential threats could be counted in the thousands, now the potentially harmful pieces of
content number in the billions per minute per network. In other words, the threat has
increased by many orders of magnitude from what it was just a few years ago.
Network security has tried to keep up with this changing threat by rolling out many different "point solutions", each of which seeks to address a particular component of the whole network security picture. While this approach is certainly better than doing nothing, it has many holes that leave educational networks exposed. Among the many problems with this approach is the fact that these solutions were never designed to work together, and therefore do a poor job of interacting and cooperating, leaving the network administrator to figure out how to weave everything into a comprehensive and cohesive network security system.
Besides this, there are a few factors that contribute to the failure of the conventional solutions. Some of them are:

• Lack of complete protection
• Lack of real time protection
• High price and total cost of ownership
• Difficult to implement and manage
• Introduction to antivirus solutions

5.1 Lack of Complete Protection

Nowadays, few organizations and educational institutions enjoy the funding required to support the procurement and ongoing management of a complete network protection system that addresses the full range of threats to their computing systems' security and integrity. As a result, most educational institutions are under-protected and exposed to serious risks.
Systems and networks are subject to electronic attacks. The increasingly frequent attacks on internet-visible systems are attempts to breach the information security requirements for the protection of data. Vulnerability-assessment tools check systems and networks for system problems and configuration errors that represent security vulnerabilities.
Intrusion-detection systems collect information from a variety of vantage points within computer systems and networks and analyze this information for symptoms of security breaches. Both intrusion-detection and vulnerability-assessment technologies allow organizations to protect themselves from losses associated with network security problems.

5.2 Lack of Real Time Protection

Conventional solutions usually use "host-based antivirus" (HAV) technology, which is provided by a software application that is loaded onto a user's desktop computer or a server. HAV technology is useful for protecting systems against threats introduced by physical contact with a computer, such as via floppy or CD drives or USB ports, but is not as effective in dealing with attacks that enter via the network. For example, most HAV software scans email messages as they arrive, but does not scan Web traffic, because the decrease in Web page download speed would be too severe. The same is true for HAV software deployed on "gateway" servers at the network edge, in conjunction with the firewall: they too scan email traffic, but do not scan Web traffic.
Without the ability to scan real-time traffic for content-based attacks, educational
organizations place themselves at great risk, despite their investments in host-based
antivirus software.

5.3 High Price and Total Cost of Ownership

Cobbling together best-of-breed point solutions into an ad hoc security system is a costly endeavor. A complete system that includes firewall, VPN, antivirus, intrusion detection, content filtering and traffic shaping can cost $20,000 for a relatively modest network, and well over $100,000 for large networks. On top of this are maintenance fees and annual subscriptions for antivirus, intrusion detection and content filtering updates. In addition, annual costs for skilled networking and security personnel can equal or exceed the initial capital expenses, presuming one can attract and retain these highly sought-after people. Sometimes the cost of network security is higher than that of other departments, for the sake of safety.

5.4 Difficult To Implement and Manage

Diverse and complex systems made by different manufacturers will by their very nature tend to be difficult to manage. It also takes time, and is hard, to train people to manage such systems. Policies of one application won't manage those of another. Some systems, such as antivirus, content filtering and IDS, will need to be updated regularly while others will not. Different personnel will need to handle questions and problems with their systems; no one or two individuals are likely to understand the entirety of the solution. Finally, management of numerous remote deployments can make things even more challenging.
Many startups are working feverishly to develop one comprehensive management tool that will allow administrators to control the entire solution from one interface. So far no one has succeeded, but the search continues.

5.5 Introduction to Antivirus Solutions

This section describes the variety of virus scanning techniques used by most antivirus vendors, and compares host-based antivirus (HAV) systems with network-based antivirus (NAV) systems. The limitations of HAV systems demonstrate the need for a properly implemented NAV system that allows network administrators to deploy comprehensive antivirus protection faster, guarding against the rise of blended threats that endanger networks today.
In this paper, the term "virus" is used loosely to include security threats of all kinds, including:

• Viruses that replicate and perform malicious operations
• Worms that replicate and spread automatically via email, Web, or other protocols
• Trojans that hibernate on a host until awakened by a certain trigger

Most of the AV products in the market address all of these different kinds of threats.

Common Virus-Detection Techniques

Viruses are executable programs, always embedded within otherwise ‘legitimate’ files.
The challenge of antivirus science is to ensure that all infected files are stopped (100%
detection rate) without creating “false positives”; that is, without mistakenly marking a
clean file as being infected. Several methods are used to detect viruses.
The most common approach to virus detection is the “signature-based” approach.
Signatures are telltale patterns of bytes that are unique to a particular virus. Signature-
based AV products are composed of two key elements: a database that contains the
signatures for known viruses, and a scanning engine that compares files under
investigation with the signatures in the database to detect a match indicating the
presence of a virus.

The simplest signatures are streams of bytes that are known to occur in a
particular sequence within the code of a virus. Signatures can be made more complex by
incorporating “wildcard” characters to account for known virus variations. In general,
larger signature databases and longer, more complex signatures require more time for
an AV system to scan a file.
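The database-plus-engine structure and the wildcard signatures described above, as an added example that is not from the report or any AV vendor; the signature names, patterns and sample files are constructed for the demo.

```python
"""Added example, not from the report or any AV vendor: a minimal
signature-based scanner built from the two elements named in 5.5, a
signature database and a scanning engine. Signatures, files and names are
constructed for the demo; None in a pattern is a "wildcard" byte."""
from typing import Dict, List, Optional

Pattern = List[Optional[int]]

# Constructed signature database: name -> byte pattern.
SIGNATURE_DB: Dict[str, Pattern] = {
    # the simplest signature: an exact stream of bytes
    "DEMO.Exact": [0xEB, 0x10, 0x5E, 0x31, 0xC9, 0xB1, 0x20],
    # two wildcard bytes absorb known variations of one virus family
    "DEMO.Variant": [0x60, 0xE8, None, None, 0x00, 0x00, 0x5D, 0x81, 0xED],
}


def match_at(data: bytes, offset: int, pattern: Pattern) -> bool:
    """True if `pattern` matches `data` at `offset`; wildcards match any byte."""
    if offset + len(pattern) > len(data):
        return False
    return all(p is None or data[offset + i] == p for i, p in enumerate(pattern))


def scan(data: bytes, db: Dict[str, Pattern] = SIGNATURE_DB) -> List[str]:
    """Scanning engine: test every signature at every offset of the file.
    Cost grows with database size and signature length, as the text notes."""
    return [name for name, pattern in db.items()
            if any(match_at(data, off, pattern) for off in range(len(data)))]


# Constructed sample files (not real malware): a clean file, one carrying the
# exact signature, and two variants that differ only in the wildcard bytes.
CLEAN = bytes(range(0x40, 0x60)) * 4
INFECTED_EXACT = b"MZ" + b"\x90" * 16 + bytes(SIGNATURE_DB["DEMO.Exact"]) + b"\x00" * 8
VARIANT_A = b"MZ" + bytes([0x60, 0xE8, 0x12, 0x34, 0x00, 0x00, 0x5D, 0x81, 0xED]) + b"\x00" * 8
VARIANT_B = b"MZ" + bytes([0x60, 0xE8, 0xAB, 0xCD, 0x00, 0x00, 0x5D, 0x81, 0xED]) + b"\x00" * 8

if __name__ == "__main__":
    for label, blob in [("clean", CLEAN), ("exact", INFECTED_EXACT),
                        ("variant A", VARIANT_A), ("variant B", VARIANT_B)]:
        print(f"{label:10} -> {scan(blob) or 'no match'}")
```

Both variants hit the same wildcard signature, while an exact-byte signature would have needed one entry per variant.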
Virus writers have taken a number of steps to further complicate life for AV
vendors. For example, they often encrypt the bulk of the virus code, which randomizes
the code and makes it much harder to develop a signature. Virus writers have also
developed so-called “polymorphic” viruses, which actually modify themselves slightly at
each replication, further complicating, and in some cases defeating, the ability of AV
vendors to develop signatures.
In the continuing AV arms race, AV vendors have also taken counter-measures
by developing so-called “heuristic” scanning that looks for patterns of “known bad
behavior” rather than for a specific virus signature. For example, some viruses
read and write certain files or execute certain operations in a way that would never
be found in legitimate programs. The sequences of operations that constitute these
behaviors can also be used to develop so-called heuristic signatures, which enable AV
engines to detect some viruses without an explicit signature.
For many companies, the “holy grail” of antivirus technology would be a
signature-less system that can detect and stop inappropriate behavior as programs
execute on host computers. While appealing in concept, such systems are not
commercially viable. A key problem is that the definition of appropriate vs. inappropriate
behavior changes fairly rapidly in today’s computing environment. The rules that
define acceptable behavior change with new releases of operating systems and
application programs. Like virus signatures, the rules that govern “anomaly-based” virus
prevention must be frequently updated to avoid an unacceptable number of false positive
detections. So even so-called signature-less systems are not so different in practice from
their signature-based counterparts.
Despite their known weaknesses and limitations, signature-based AV systems are
still by far the most effective and widely used method of virus detection. Thus, the most
practical approach at present to improving the performance of AV systems is to
determine how to make signature-based systems more effective against today’s
increasingly complicated and quickly spreading blended threats.

An obvious weakness of signature-based AV systems is that they can only detect
known viruses. As a result, signature-based AV systems are generally ineffective against
new attacks until the signature database is updated with the signature of a new virus or
type of virus behavior. After a virus is released and begins to spread and infect users,
several steps are necessary to update signature databases:
1. A new virus threat is recognized.
2. Antivirus companies gather suspected infected files and search for the virus
code.
3. The virus is identified and a signature is developed that will uniquely identify it,
without causing “false positives”.
4. The new signature is added to the AV vendor’s signature database.
5. Systems are “inoculated” against the new virus by propagating the new
signature database to every device that runs the scanning engine.
Organizations are most vulnerable to new infections during the period between
detection and inoculation, and any delays in the process increase the “window of
vulnerability.” For large organizations especially, the biggest portion of the vulnerability
window is the time required to update every PC, laptop, and server in their network with
a new signature database.
Reducing the window of vulnerability maximizes the performance of signature-
based systems. Network administrators can achieve this by deploying AV protection at
the network edge, using network-based AV as opposed to relying solely on AV protection
deployed on each computer and server in the network.

CHAPTER 6

WAYS TO SECURE EDUCATIONAL NETWORK SECURITY

Since the conventional solutions never work as expected, there are some ways to
make educational networks and information more secure and less exposed to threats and
attacks. Some of the solutions that can be taken are:
• Limit access to information and data in educational institutions according to
the level of the people who access it.
• Use a powerful firewall to protect the educational institution network (Example:
Fortigate Antivirus Firewall).
• Implement strict laws on educational system intrusions.
• Implement physical security and desktop security levels to prevent
misuse of university computer laboratories.

6.1 Limit Access to Information and Data in Educational Institutions According to the Level of the People Who Access It

Access levels can be assigned to maximize public usage without risking disclosure of personally
identifiable information.

Level 1: Allows authorized staff to read and write to all records and fields in
the database. This access level is permitted only to a minimum number of
authorized staff members who operate or manage the data system or
are responsible for maintaining its accuracy and security in the
performance of their duties.

Level 2: Allows researchers, education groups, and other parties who express
legitimate educational interests to read all records and fields in the
database, to further the understanding of educational practices, methods,
or theory as would be expected through acceptable research practice.

Level 3: Allows personally identifiable information plus only those data that are
considered directory information.

Level 4: Allows individual records without personally identifiable information.

Level 5: Allows summaries of data only. The university will block any aggregate
results when fewer than six students or educational personnel might be
disclosed.
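The five access levels enforced on constructed student records, as an added example that is not part of the report; the field names, the records and the grouping by programme are assumptions made for the demo.

```python
"""Added example, not from the report: enforcing the five access levels of
section 6.1 on constructed student records. Field names, the records and
the programme grouping are assumptions made for the demo."""
from collections import Counter
from statistics import mean

PII = {"name", "student_id"}          # personally identifiable information
DIRECTORY = {"programme", "campus"}   # directory information
MIN_GROUP = 6                         # level 5 suppresses smaller aggregates

# Constructed records: seven Informatics students and two Business students.
RECORDS = [
    {"name": f"Student {i}", "student_id": f"S{i:03d}",
     "programme": "Informatics" if i <= 7 else "Business",
     "campus": "Labuan", "gpa": 2.5 + i / 10, "fees_due": 0}
    for i in range(1, 10)
]


def summarise(records):
    """Level 5 view: per-programme summaries, blocked below MIN_GROUP members."""
    out = {}
    for prog, n in Counter(r["programme"] for r in records).items():
        if n < MIN_GROUP:
            out[prog] = "suppressed"     # fewer than six people could be disclosed
        else:
            gpas = [r["gpa"] for r in records if r["programme"] == prog]
            out[prog] = {"count": n, "mean_gpa": round(mean(gpas), 2)}
    return out


def read(records, level):
    """Return the view of `records` that the given access level permits."""
    if level in (1, 2):                  # all records and fields
        return [dict(r) for r in records]
    if level == 3:                       # identity plus directory information only
        return [{k: v for k, v in r.items() if k in PII | DIRECTORY} for r in records]
    if level == 4:                       # individual records, de-identified
        return [{k: v for k, v in r.items() if k not in PII} for r in records]
    if level == 5:
        return summarise(records)
    raise PermissionError(f"unknown access level {level}")


def write(records, level, student_id, field, value):
    """Only level 1 may modify records; every other level is read-only."""
    if level != 1:
        raise PermissionError("write requires access level 1")
    for r in records:
        if r["student_id"] == student_id:
            r[field] = value
            return True
    return False
```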

6.2 Using a Powerful Firewall to Protect the Educational Institution Network (Example: Fortigate Antivirus Firewall)

A firewall can be used to inspect and control traffic to and from internal network locations
through VLANs. However, the primary purpose of a VLAN is not security, but
managing the broadcast domain and permitting placement of a departmental system at
nearly any physical location on campus while still being associated with a specific logical
network segment.
VLANs can be used for security purposes, generally at the cost of additional
network configuration and management. Unique VLAN solutions for each
department introduce additional network management complexity, and network complexity
is often correlated with information security risk. Co-location of academic and administrative
traffic on a single department VLAN may limit the ability to implement aggressive security
policies that restrict VLAN traffic. Similarly to a border firewall, a network firewall
placed on a VLAN may provide limited security benefit but imposes additional
acquisition, maintenance and support costs.
Security policies determine whether to permit or deny network traffic. The
characteristics of acceptable and unacceptable network traffic are based on packet criteria at
the IP level and above. Network traffic that indicates hostile intrusion attempts, denial of
service attacks and/or unauthorized attempts to read, modify or delete information is
proactively denied by the firewall. A network firewall’s capability to inspect and control
network traffic also permits it to logically separate a network into public and
private segments as well as a semi-private segment (often referred to as a demilitarized zone,
DMZ) between the public and private network areas. A network firewall provides detailed
logs describing permitted and denied network traffic. Many firewalls are able to hide selected
internal network segments from external networks by providing network address
translation (NAT) services.
While the capabilities of a network firewall seem quite powerful, it should be
noted that a network firewall does have functional limitations. A network firewall cannot
protect against hostile traffic it cannot observe or is not configured to block. For example,
internal network traffic behind an external border firewall will not be inspected or controlled
by the perimeter firewall. A network firewall does not identify and control malicious code
such as viruses. It is unable to defend against a severe distributed denial of service attack
and could, under such an attack, itself become a point of failure. The limitations of a
network firewall need to be considered when developing an effective information security
program.
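The public, DMZ and private separation with default deny and permit/deny logging, as an added example that is not from the report or from any firewall vendor; the addresses, rules and packets are constructed for the demo, and the example also shows the limitation above: traffic that stays inside one segment never reaches the border firewall.

```python
"""Added example, not from the report or from any firewall vendor: a
first-match packet filter that separates public, DMZ and private segments
as section 6.2 describes, with default deny and a permit/deny log.
Addresses, rules and packets are constructed for the demo."""
from ipaddress import ip_address, ip_network

SEGMENTS = {                                   # constructed campus addressing
    "private": ip_network("10.10.0.0/16"),     # records and staff systems
    "dmz": ip_network("192.0.2.0/24"),         # semi-private: public web server
}

# (source segment, destination segment, protocol, destination port or None, action)
RULES = [
    ("public", "dmz", "tcp", 443, "permit"),       # Internet to campus web site
    ("dmz", "private", "tcp", 5432, "permit"),     # web tier to database port only
    ("private", "dmz", "tcp", None, "permit"),     # staff manage the DMZ hosts
    ("private", "public", "tcp", None, "permit"),  # outbound browsing
]                                                  # anything else: default deny

LOG = []  # detailed log of permitted and denied traffic


def segment(ip: str) -> str:
    """Map an address to its segment; anything outside campus is public."""
    addr = ip_address(ip)
    return next((n for n, net in SEGMENTS.items() if addr in net), "public")


def evaluate(packet: dict) -> str:
    """Return 'permit', 'deny' or 'not-inspected' for one packet and log it.
    Traffic that stays inside a single segment never crosses the border
    firewall, which is the limitation the text points out."""
    src, dst = segment(packet["src"]), segment(packet["dst"])
    if src == dst:
        return "not-inspected"
    action = "deny"                                # default when no rule matches
    for r_src, r_dst, proto, port, r_action in RULES:
        if (r_src, r_dst, proto) == (src, dst, packet["proto"]) and port in (None, packet["dport"]):
            action = r_action
            break
    LOG.append(f"{action.upper():6} {src}->{dst} {packet['proto']}/{packet['dport']} "
               f"{packet['src']} -> {packet['dst']}")
    return action
```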

6.3 Implement Strict Law on Educational System Intrusions

Responding to unlawful conduct involving use of the Internet means implementing
aggressive efforts to educate and empower the public to minimize the risks associated with
the Internet and to use the Internet responsibly, through technological and non-
technological tools. Although both types of tools can be extremely useful when used
appropriately, "one size does not fit all." One must weigh the advantages and
disadvantages in determining which set of tools will work best for an individual’s
particular situation.

This part of the report therefore discusses existing and potential new tools and
resources that can be used to educate lecturers and others to prevent or minimize the
risks from unlawful conduct involving use of the Internet. It reviews the technological
and non-technological tools that are available for lecturers and staff to use to help ensure
that students have a safe and rewarding experience online. Consumers can educate
themselves in order to avoid fraudulent and deceptive practices on the Internet. Part of
the section highlights how several federal agencies are using technology to educate
consumers and how they are working with the private sector to develop effective
consumer protection practices; many other agencies are undertaking similar efforts.

Technology provides tools that may assist in preventing students from accessing
inappropriate materials on the Internet or divulging personal information about
themselves or their families online. The most common technological tools are
"blocking" and "filtering" software.

(a) Blocking Software

"Blocking" software uses a "bad site" list and prevents access to those sites. The
vendor of the software identifies specified categories of words or phrases that are
deemed inappropriate and configures the blocking software to block sites on which the
prohibited language appears. Although such software can be a useful tool for restricting
access to inappropriate websites in certain circumstances, it can also create a false
sense of security, because it cannot restrict access to all inappropriate sites for
students.

Another potential drawback is that most blocking software does not differentiate
between the ages of the users. What may be inappropriate for an eight-year-old may be
appropriate for a teenager. However, because most software has only one user setting to
determine what should be blocked, either the teenager will be denied access to sites that
are beneficial or the eight-year-old will be given access to sites that are inappropriate.

(b) Filtering Software

"Filtering" software blocks sites containing keywords, alone or in context with
other keywords. Filtering software may also be used to block sites that have a particular
label or rating. The content provider or a labeling service classifies the site in a particular
category (e.g., "romance: no sex" or "explicit sexual activity") and the filtering software is
programmed to deny access to sites with particular ratings.
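The bad-site list, keyword and rating checks of (a) and (b) combined into one filter, as an added example that is not from the report or any vendor; it keeps a profile per class of user rather than the single setting criticised above, and the sites, lists, ratings and profiles are constructed for the demo.

```python
"""Added example, not from the report or any vendor: a content filter that
combines the "bad site" list of blocking software with the keyword and
rating filters of filtering software, and keeps a per-user profile instead
of the single setting the text criticises. Sites, lists, ratings and
profiles are constructed for the demo."""
BAD_SITES = {"bad.example", "worse.example"}             # vendor's "bad site" list

RATINGS = {                                               # labels from a labeling service
    "romance.example": "romance: no sex",
    "adult.example": "explicit sexual activity",
    "news.example": "general",
}

# Profiles: what each class of user may not see. A single setting would force
# one of these on every user regardless of age.
PROFILES = {
    "child": {"denied_ratings": {"romance: no sex", "explicit sexual activity"},
              "keywords": {"gambling", "dating"}},
    "teen": {"denied_ratings": {"explicit sexual activity"},
             "keywords": {"gambling"}},
}


def keyword_hits(page_text: str, keywords: set) -> set:
    """Keywords from the profile that occur as whole words in the page text."""
    words = {w.strip(".,;:!?\"'()").lower() for w in page_text.split()}
    return words & keywords


def check(host: str, page_text: str, profile_name: str):
    """Return ('blocked', reason) or ('allowed', None) for one request."""
    prof = PROFILES[profile_name]
    if host in BAD_SITES:                                  # blocking: bad-site list
        return "blocked", "bad-site list"
    rating = RATINGS.get(host)                             # filtering: label/rating
    if rating in prof["denied_ratings"]:
        return "blocked", f"rating {rating!r}"
    hits = keyword_hits(page_text, prof["keywords"])       # filtering: keywords
    if hits:
        return "blocked", f"keyword {sorted(hits)[0]!r}"
    # An unlisted, unrated, keyword-free site passes: this is the gap behind
    # the "false sense of security" the text warns about.
    return "allowed", None
```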

6.4 Implement Physical Security and Desktop Security Levels to Prevent Misuse of University Computer Laboratories

Access to centrally administered computer facilities: only persons designated by the
Coordinator of Information Resources, President of the College or
Director of Security shall have physical access to centrally administered computer
facilities. Keys to these facilities will not be issued to any individual without the
permission of the Coordinator of Information Resources.
Access to other computer facilities, labs, and equipment: physical access
to departmentally administered computer facilities, labs and equipment is granted and/or
revoked by the administrative head charged with responsibility for the facility and/or
equipment. Keys to these facilities should not be issued to any individual without the
express permission of the responsible administrative head.
Work with agents, managers, technical staff, internal audit, and the ISF in
identifying and selecting appropriate and cost-effective security controls and procedures
to protect the information assets in their custody. Assist managers and agents in
implementing the appropriate security requirements for user access to automated
information files and databases for which the function has custodianship responsibility.
Grant, revoke, and periodically review the access privileges of individuals as necessary
to assure the utility and security of the information assets in their custody. Ensure that
valid user lists are current and auditable. Oversee procedures for College password
control.
