Computer networks in education institutions present unique challenges. An open environment is essential to the free flow of information. Therefore, professors, students and researchers need a flexible and open environment to work, study and explore new ideas. They also expect that their work will not be compromised by computer viruses or cyber-vandals who might harm or compromise their data. School administrators expect that the information in registration, grants, student records, personnel, finance and payroll systems will not be exposed to attack through compromised student computers.
Today, student computers are much more likely to be infected with unwanted harmful programs, such as worms and trojans, or to run music and file-sharing programs and other high-risk applications. The proliferation of Internet-connected personal computers has become commonplace, but there have not been comparable advances in automated or preconfigured security software to adequately lock down these devices. Attackers see poorly secured computers as low-hanging fruit, and target them and their users through trojans and worms delivered by e-mail or over the web. When these unsecured endpoint devices connect to a school's network, they spread any worms and trojans they may have, become zombies under the control of malicious programs, or become infected for the first time.
A multi-pronged solution
Most education institutions use a three-pronged approach to tackle student computer security. The first part entails registering every computer a student will be using before the student accesses the network. Many network administrators use open-source software, such as netreg, to collect the MAC address (a unique identifier for each computer's network card) of each computer and then tie the MAC address to the computer owner in a registration database. One of the first steps in any outbreak or security incidence-management process is to find the source of the attack and then contain it or shut it down. Knowing whose device is attacking the network and the location of that device allows the networking staff to disable or contain an attack.
The second part of the approach is to ensure that computers have at least some basic security software. While it won't prevent every attack, anti-virus software still is essential on every computer. Many organizations purchase anti-virus software for all students through technology fees assessed at registration. This doesn't mean that everyone will continue to run the software and keep the virus definitions current, but at least network administrators can ensure students have the software installed.
The third part concerns using security “best practices.” Improving endpoint computer security with anti-virus software is a good first step, but most organizations don't have the resources or capabilities to enforce other computer security measures. Network administrators would like automated enforcement of these best practices. For example, best practices should include:
Making sure that all devices have the most recent security patches or service packs installed.
Using Windows automatic updates to install patches without user intervention.
Requiring personal firewalls (now a part of Windows XP Service Pack 2 software).
Verifying that anti-virus software is installed and running, and has the latest virus definitions.
Also, restricting the use of questionable and sometimes malicious peer-to-peer (P2P) software would reduce the risk of attacks and help reduce the liability of education organizations from music-sharing lawsuits.
A new breed of security solutions, called endpoint compliance or endpoint security, recently has entered the market. Endpoint security solutions typically quarantine new devices, test them for compliance with security policies, and allow them on the network only after they have proven to be safe. Endpoint security products vary in what they can enforce and how this enforcement is performed. Most test for the basic security requirements: the use of up-to-date anti-virus software and operating system security patches, hotfixes and service packs. Other products can test for personal firewalls, peer-to-peer software, operating systems, and web browser and application security settings. A few also offer extensibility, the ability to create custom tests for any software, services, programs and registry settings.
For education institutions evaluating or rolling out endpoint security solutions, two important considerations:
- The impact or user experience of student users.
- The IT resources required to deploy and manage endpoint security solutions.
Each product addresses these issues differently. A common practice is to install special agent software on each endpoint device and manage that agent software from a central management console. The agent monitors the device configuration and the software that is installed, and enforces requirements for patches and anti-virus protection. Some agents also act as a personal firewall and allow firewall rules to be pushed out to each endpoint device from the central management console by the system administrator.
Although agent-based solutions are capable of enforcing some security best practices, they do come with a downside. Installing and supporting new software agents on each student's computer is a burden on the IT staff. The security, technical and help-desk staff must be prepared to handle any issues that arise, such as installation problems, software compatibility and potential software crashes.
A new age
A more recent development is agent-less, also called client-less, endpoint security solutions. These are network-based and do not require the download or installation of any additional software on the endpoint device. Agent-less solutions offer significant advantages over the agent-centric approach. Because no software runs on the endpoint, agent-less options do not lead to the deployment problems or the increased administration of client-based solutions. Software compatibility issues, upgrade deployment and support issues, and increased helpdesk calls are avoided. By reducing the IT resources required to enforce endpoint security, agent-less solutions can offer significant relief to resource-strapped education organizations.
What to look for in an endpoint security solution
It's more difficult to secure a campus IT network than a corporate network. The largest business might have hundreds, possibly a few thousand remote workers and visitors connecting suspect endpoint computers to the network; in contrast, education institutions face the challenge of managing tens, even hundreds of thousands of unknown endpoint devices. Any one device could wreak havoc across the network or operate unauthorized applications that put everyone at risk.
Campus networks also must support a range of computer configurations and software, including older operating systems such as Windows 98, while corporate environments can standardize or mandate specific software and configuration settings. In addition to enforcing computer security requirements, education institutions are faced with potential lawsuits when students illegally share music MP3 files, or use the campus network as their own playground for attacking other students' computers.
Along with checks for patches and anti-virus software, any endpoint security-enforcement program should include checks for personal firewall, peer-to-peer software, Windows update settings, web browser and application security settings, services, registry settings, and required and restricted software. In addition, endpoint security solutions should proactively check endpoint devices to determine if they have been compromised by any worms, trojans or spyware — which ultimately is what endpoint security is all about.
To truly ensure that endpoints are secure, any endpoint security solution must include:
Ashley, CTO of StillSecure, Louisville, Colo., has more than 20 years of industry experience in data networking, network security and software product service development.
- Agent-less implementation
Endpoint security solutions can provide many benefits, but the cost of deploying and managing them can be high as well. Agent-less solutions can provide the same benefits, but at a much lower overall cost.
- A full suite of testing capabilities
Most endpoint security solutions check endpoints for the latest software patches and for the presence of up-to-date anti-virus signatures, but much more is required to truly ensure that endpoints are secure.
- Verification that harmful software does not reside on the device
Endpoint security solutions should proactively check endpoint devices to determine if they have been compromised by any worms, trojans or spyware.