Keeping the Gateway Open and Secure
Protecting the network often means limiting access to the Internet;
but at colleges and universities, the Internet is a key component
of education.
Doug McKeown, Systems and Networks Administrator, Saint Mary’s
College, Notre Dame, Ind.
6 • Network Security
On campuses nationwide the concern over increasingly more virulent
computer viruses continues to grow. At Saint Mary’s College in Notre
Dame, Ind., the need for higher-speed Internet access and more
functionality also meant boosting security measures at the gateway
and on e-mail servers.
Enter WatchGuard’s Firebox unified threat management
(UTM) appliance and McAfee virus software to completely
overhaul the school’s approach to network security. At Saint
Mary’s, the IT team is aiming to offer unlimited open access to
information for its students while keeping the gateway secure.
Doug McKeown is the systems and networks administrator at
Saint Mary’s College. For the last three years he has managed the
servers, platforms and networks at the college, which has 1,506
students and approximately 500 faculty and staff.
“We have a gigabit backbone, network fiber and 100Mb to the
edge of the network,” says McKeown. Saint Mary’s College has
a wireless on-campus network, four T1 lines and is now looking
at a DS3 upgrade on all equipment on the WAN. “We have many
peer-to-peer applications that speed things up, and we needed to
bring in more functionality for the satellite programs in Rome
and Ireland,” he says. DS3 is a dedicated phone connection
that supports data rates of about 43Mbps. Also referred to as
a T3 line, it consists of 672 individual channels, each of which
supports 64Kbps.
But all that speed and added connectivity makes the network
vulnerable, thus the need for increased security at the gateway.
For enhanced network protection, McKeown decided to bring
in WatchGuard’s Firebox X8000 firewall with multiple gigabit
interfaces on the perimeter. Since the current setup was at least
five years old and its capacity was about to be exceeded with the
addition of the DS3 connection, McKeown and his team needed
something more robust.
“We looked at several firewall options, including Juniper
Networks, SonicWall and WatchGuard,” McKeown says. He
weighed several criteria before purchasing: transaction throughput
and connectivity to the firewall, including how many separate
network connections the box could carry.
“We have a student network, Internet connections, the DMZ
[demilitarized zone] where servers live that are open to the world
and a number of backup networks, so we need five or six physical
connections,” he says. “When we looked at all the models and
compared price and performance, we chose WatchGuard mainly
because [that product] gave us everything we wanted — and the
ability to grow.”
WatchGuard’s Firebox series is a high-performance line of UTM
appliances that provide out-of-the-box security at the gateway.
The Firebox series is capable of gigabit-per-second throughput
and integrates a stateful packet firewall, VPN, zero-day attack
prevention, antispyware, spam blocking and URL filtering into
a single appliance, reducing the time and cost of managing
multiple point solutions.
The good news is that while McKeown is still in the testing
stage of the implementation, he’s already seen security improve by
approximately 20 percent over the current firewall setup, mainly
in the area of denial-of-service blocks and antivirus scanning.
“Security reporting is about 99 percent better,” McKeown
says. “I have a much clearer and more concise picture of what is
happening across the wires.”
Understanding Higher Ed
The structure of higher education requires that students have
unlimited network and online access. Understanding the delicate
balance between security and access that’s required in higher
education gave CDW•G’s network engineers a distinctive edge in
McKeown’s eyes. “They understand higher education,” he says.
“I had six phone calls with the CDW•G engineers determining
which product to choose. It’s not just getting the best price
— CDW•G has experts on staff in our area of expertise. It’s
different from commercial business in that in most businesses
you’ll have complete control over the network,” he says.
In most businesses, security means telling users they can have
access to only certain sites. In private business, you can control
the desktop, but in higher education, students come from all over
the world and bring in various kinds of computers that they own.
And while the school will likely have a basic set of requirements,
not everyone will have the same make, model or brand.
“You have to be a lot more flexible in higher education,” says
McKeown. “You have to allow the educational process to take
place with the Internet as a resource because there’s so much out
there [that] we don’t censor.”
Within reason, the students can look at anything they like
online. “We do control peer-to-peer applications and file
sharing,” he says. “We don’t block them, we just made them very
slow. We’re not going to spend $50,000 a year for file sharing.”
Keith Fowlkes, CIO at Saint Mary’s College, agrees. But the
bigger security picture involves many of the same strategies that
most businesses use, including layered security on the network
and on e-mail servers.
“We’re in the process of creating a classic approach to security
on the network, which includes a trusted network, an outside
connection [an untrusted network] and a DMZ,” Fowlkes says.
The DMZ is a network segment that outsiders can reach and use to
a degree, while a firewall separates it from the trusted internal
network. “We’re
using a tiered strategy where we put several different layers of
security on the network — not only the firewall — but also
everything from core-router access controls to filters to different
types of encryption methods.”
The e-mail setup gets the same layered treatment. Saint Mary’s
is using the Sun Microsystems Java Enterprise solution. “We’re
primarily a Sun Solaris shop, but we’ve implemented both
calendaring and e-mail,” Fowlkes says. E-mail security likewise
layers spam and virus filtering outside the mail machine with
internal virus- and spam-scanning software on all the servers.
Saint Mary’s IT staff of 20 has installed a variety of different
virus protection software including Barracuda Networks and
McAfee on the servers in addition to some homegrown systems
that the team has developed internally. However, the IT team is
moving toward the antivirus e-mail gateway for the WatchGuard
appliance, along with a site license for McAfee virus detection
software on the desktop.
Getting Online on Campus
When Saint Mary’s students first arrive to attend classes, one of
the first steps is getting set up on the network. The best way for
Saint Mary’s IT staff to keep the network safe for all is to use a
proprietary sign-on system.
“Students come to school and when they try to plug into the
network the computer is not recognized by the network and
therefore has no access,” McKeown says. The students instead
get a registration page — which is an in-house application —
and there they will find all the antivirus and software updates
to download. Once they install the updates and reboot the
computer, they can access the network. “There’s a port for every
pillow — every student has a full Internet connection,” he says.
The Hewlett-Packard network switches allow McKeown and
his team to detect virus behavior before it becomes a problem.
“If we notice a computer on the network starting to send a lot of
virus-like activity, we can shut the connection down,” he says.
“If a student gets a virus and the port gets shut down, they do not
get to turn it back on until they contact Resnet.”
Resnet is the residence hall network that provides support to
students living on campus. There’s one support person for up
to 20 students. If a student has a problem with their network
connection, they contact their Resnet consultant who will
troubleshoot, diagnose, repair the problem and get them back
on the network.
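As an added illustration (not Saint Mary’s or HP’s code), the following Python models the policy just described: a port whose host starts sweeping many distinct hosts in a short window is shut down and stays down until a Resnet consultant clears it. The flow records, the threshold and the window length are constructed values, not data from the college’s network.

```python
"""Simulated switch-port quarantine (added example, not Saint Mary's or HP code).
A host that contacts many distinct destinations in a short window (worm-style
scanning) gets its switch port shut down; the port stays down until a Resnet
consultant clears it, so re-plugging the cable alone does not restore access."""
from collections import defaultdict

# Constructed sample flows: (timestamp_s, switch_port, dst_ip, dst_tcp_port).
# Port A3 sweeps 30 hosts on 445 within 3 s; port B7 only talks to one web server.
FLOWS = [(t // 10, "A3", f"10.1.2.{t + 1}", 445) for t in range(30)] + \
        [(t, "B7", "10.1.5.1", 80) for t in range(30)]
SCAN_THRESHOLD = 10  # distinct destination hosts per window (assumed value)
WINDOW_S = 10        # sliding window length in seconds (assumed value)

class PortGuard:
    def __init__(self, threshold=SCAN_THRESHOLD, window=WINDOW_S):
        self.threshold, self.window = threshold, window
        self.disabled = {}  # switch_port -> reason it was shut down
        self.audit = []     # (port, consultant) for every re-enable

    def detect(self, flows):
        """Return {port: distinct_hosts} for ports over the threshold in any window."""
        by_port = defaultdict(list)
        for ts, port, dst, _ in flows:
            by_port[port].append((ts, dst))
        flagged = {}
        for port, events in by_port.items():
            events.sort()
            for i, (t0, _) in enumerate(events):
                hosts = {d for t, d in events[i:] if t - t0 <= self.window}
                if len(hosts) > self.threshold:
                    flagged[port] = len(hosts)
                    break
        return flagged

    def enforce(self, flows):
        """Shut down every flagged port; returns the current disabled set."""
        for port, n in self.detect(flows).items():
            self.disabled[port] = f"{n} distinct hosts in {self.window}s"
        return dict(self.disabled)

    def link_up(self, port):
        """A disabled port stays down even if the student re-plugs the cable."""
        return port not in self.disabled

    def resnet_clear(self, port, consultant):
        """Only a Resnet consultant re-enables a port after the machine is cleaned."""
        if port not in self.disabled:
            return False
        del self.disabled[port]
        self.audit.append((port, consultant))
        return True
```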
But McKeown acknowledges that it’s almost impossible to
have complete control of the student desktop. “With multiple
computing taking place, we can’t control what type of machine
is outside our firewall. Therefore it’s hard to create a VPN-type
solution because we don’t see the computer the VPN may be
installed on,” he says. “We have to come up with alternative
authentication to allow students to get in from their apartment
in town and not have their computer on the network and open
to anyone.”
In his first few months at Saint Mary’s, McKeown recalls that
the entire network went dead because there was a virus running
rampant. That hasn’t happened since because the network was
replaced with HP servers over the last few years and students are
encouraged to keep their antivirus software and patches up to date
so they won’t become vulnerable to attack.
In addition, McKeown is preparing to centralize authentication,
boost password management, and develop an LDAP (Lightweight
Directory Access Protocol) repository on a Sun/Java server,
with McAfee virus scanning. Centralized authentication will
mean that all passwords and password management (expiring
of passwords and strength of passwords) will be contained and
controlled in one repository.
“The only time we get a virus on the network is one that comes
in from the outside,” McKeown says. “When students go home
and plug into their DSL connection without all the network
protection we provide here, they become vulnerable to attack,”
he says. “When they return, they walk the virus in the door.”
Security continues to be the utmost concern, and password
control is key. McKeown recommends that students change their
passwords often. Higher education sites are a favorite for hackers
to attack, he says. It’s a constant concern. While WatchGuard
will prevent many of these attacks, it can’t account for human
error. One student’s password given out will allow someone to
gain access to the network and at that point, he says, it’s about
minimizing the damage internally.
A Delicate Balance
Although many higher education sites and networks can be
vulnerable, it’s important that the open nature of these networks
remains. Understanding that balance between openness and
safety is important to working with IT in higher education.
That’s one of the main advantages of Saint Mary’s relationship
with the team at CDW•G.
“The education group [at CDW•G] seems to know what
colleges need in terms of service,” McKeown says. “We need
quotes from them for $50 purchases — up to $50,000. They are
super at meeting our needs no matter how small the purchase,
and they approach it with the same attention and enthusiasm as
they would a larger purchase.”
But it’s not all about price. McKeown and Fowlkes rely on
the CDW•G team for advice on how to bring in new equipment
that will work well with the system setup already in place.
“The CDW•G person I spoke with about WatchGuard knew
WatchGuard and HP equipment well enough to know how the
two would interact, and that was invaluable to me,” McKeown
says. He uses the CDW•G team as a resource. “It hasn’t failed
me yet.”
According to Fowlkes, Saint Mary’s expects a lot of growth over
the next five years. “We’ll be looking to CDW•G for many things,
including software licenses, hardware purchases and peripherals.
We’ll rely on CDW•G for many of those purchases.”