Network Security: The Next Generation

Not long ago at Texas A & M University in College Station, Texas, a network security application called Q-Radar detected a massive spike in the flow of data from the Forest Science Department. Developed by Q1 Labs, Inc. of Waltham, Mass., Q-Radar notified the network administrator that something was afoot. Fearing an attack, the IT staff investigated. "It wasn't worm traffic; it was streaming video," says Willis Marti, associate director for networking with Texas A & M University at College Station.

Had it been a worm, the early warning sent out by Q-Radar would have enabled the network administrator to shut down affected computers and resolve the problem before too much damage occurred. As it was, the streaming video discovery indicated a problem on the network. The Forest Science Department had set up a distance education program to support the state's Forest Service. The first courses were already sending streaming video to locations across the state, an activity that used valuable network bandwidth. Marti assigned his engineering staff to work out a way to run the courses without adversely affecting the network at large.

As with many college and university network administrators, Marti's goal isn't to search out and destroy viruses and worms that find a way into the network. Instead, he aims to ensure that network traffic flows freely. When a worm or virus threatens the system's traffic flow, it gets stepped on. And when departments come up with new ways to do their work -- like developing streaming video courses for distance education -- they get help.

The University of New Brunswick in Fredericton, New Brunswick, Canada, pursues a similar network security goal. "We work to balance network security with the needs of students and researchers," says Peter Jacobs, manager, communications and network services, integrated technology services for New Brunswick.

The Challenge Of Academic Network Security

Securing an academic computer network poses greater challenges than securing a corporate or business network, continues Jacobs. In a business environment, IT administrators dictate versions of operating systems to be used, control updates and ensure that security patches - software that plugs holes in various applications - are made as soon as vendors make them available.

University IT administrators cannot exercise that level of control. At New Brunswick, and other universities for that matter, departments and students connect all sorts of different computers with different operating systems to the university network. In addition, the IT department can only encourage departments and students to update security programs and patches in their personal computers. "We have strong suggestive powers in relation to university-owned computers," Jacobs says. "Even then, we don't have full control. Worse, every September, upwards of 2,000 student computers will arrive on campus that haven't been updated for network use. These machines connect to the network and can initiate messy problems from viruses and worms."

New Brunswick provides a Web page where department users and students can download the latest security patches and anti-virus software, but must rely on powers of persuasion to get people to use the site.

Q-Radar has proven particularly useful for academic networks like New Brunswick's. "We use it every day," says Jacobs. "It sits on three screens in our network administration office and watches traffic sort of like a city traffic engineer. When we see something unusual, we check with the user to see what program is running. If the user doesn't know that his or her computer is acting up, we suggest updating their patches and anti-virus programs, as well as running a program that will scan and clean the machine."

Texas A & M faces the same problems as New Brunswick - but even more so. During the regular semester, nearly 45,000 students connect to the university network, including 11,000 or so students that live on campus. "Of those 11,000 students, probably 10,000 have computers," Marti says. "Then, of those, probably 9,999 have at least one worm or virus."

In addition to scanning for unusual activity with Q-Radar, Marti's group has developed a program called NetSquid that automatically quarantines known worms. NetSquid installs on servers at exits from various networks across campus. By programming NetSquid to search for commands used by known worms, it is possible to ferret out the worms before, instead of after, they have carried out too much of their destructive activity.

"When the program detects worm traffic, it turns on the firewall at the computer sending out the worm and prevents traffic from moving outside," Marti says. At the same time, NetSquid directs that computer to a Web page that says: "Hey, you're an idiot. You're infected. Fix it." The Web page leads users to a set of instructions for repairing the problem.

The system times each detection. After five minutes of no worm traffic, it automatically unblocks the system. "It is possible with this system to detect an infection, block the computer, send instructions to the user on what to do, and to unblock a repaired system, all without any staff time," Marti says. "No one but the individual user has to be involved."

Three Generations of IT Security

At least three generations of security software have tried to protect academic as well as private IT networks over the past decade. The first generation employed firewalls and anti-virus software. These are considered reactive measures. When an unauthorized user or hacker drills through a firewall and gets into a system, administrators can evaluate the trespass and strengthen the firewall against another similar attack. When a virus makes its way into the computers on a network, antiviral patches can prevent that virus from entering again. But hacker attacks using different tactics and new viruses will always get around firewalls and anti-viral software. Neither can protect against new viruses or worms.

The well-publicized worm attacks of the past two years illustrate the problem. Following the initial attacks, network administrators applied patches to firewall and anti-viral software to prevent future attacks. Hackers then altered a few lines of code in these works and sent them back out to mount new attacks. Because the new worms were slightly different from the older worms, they often made it through.

A second generation of security software has helped to improve the suppression of worm attacks. Developed several years ago, intrusion prevention software was designed to detect intrusion attempts and then prevent them. Such programs alert administrators to assaults on system firewalls and enable them to react before extensive damage is done.

Q-Radar is yet another generation of security software. Its concept is to watch and evaluate data flows within a network, to look for and report anomalies and unusual network activity. Industry observers liken Q-Radar to a security officer watching the concourses in a busy airport. While everyone inside a concourse has supposedly been checked, it isn't inconceivable that a terrorist might get through. The security officers job is to look for and investigate anomalies - an abandoned bag perhaps or a person running through the concourse.

"Q-Radar is a smart idea," says Steve Surfaro, a member of the security council of ASIS International, a highly regarded worldwide association of security professionals. "It detects behavior associated with embedded worms, mal-ware or peer-to-peer software. Most of the time, firewalls will detect threats at an incoming level, but won't necessarily be able to detect the actual activity of a new threat. If a new worm has launched itself inside a network and anti-virus definitions have not been updated, there is no sensing that threat, except for with a program like this."