Hub/Repeater/Wireless Security Concerns
Audience:
All members of the Northwestern Community and users of the University network.
Definition:
The term "security" means not only control over malicious access, but includes the effort and cost of (a) detecting intrusions, (b) recovering from compromised data, (c) diverting local staff/faculty resources, and (d) committing central resources to investigate, remedy, and recover a compromised network or segment. It also must anticipate future security requirements to permit or deny application access based on the person's identity and entitlements.
Policy Statement:
See "Policy Restatement and Enforcement Plan for Unapproved Campus Network Extensions"
Background Issues:
As a hublet user (or repeater, private wireless access point, etc.), what does this change do for me?
Today, if one of the computers on your hublet were to become infected, then NUIT would likely disconnect the hublet from the campus network. All of the computers on the hublet would then lose network access. The infection would continue to operate on the hublet segment and would likely spread to other computers in that segment. So, the results would be loss of connection and possible multiplication of infections on the unmonitored segment.
With this policy change, you must replace your hublet with standard network connections. This is a necessary one-time cost to reach a one-port-per-computer architecture. Wired connections give the best performance - up to 100Mbps per computer. Using an NUIT wireless access point in your space could save money on installation costs, but it is a shared Ethernet bus running at 11Mbps today and likely moving up to 50+Mbps in a two to three years. Wireless is best suited for mobile computers or flexible spaces with moderate transmission speed requirements.
Once the one-port-per-computer infrastructure in place, NUIT will begin deploying port-level services designed to improve security and reduce the effect of attacks. This will greatly improve protection of your computers from intrusions or infections. Under current plans, you will register each computer on its port with the owner's NetID. The computer will be scanned for vulnerabilities before it is given an IP address, eliminating most possible exploits. Then the individual user will log into the network itself using his or her NetID and password. Each NetID (that for registering the computer or that identifying the current user) will have service attributes that can control security systems to dynamically block or permit communication methods on that single port. For example, the computer may be identified to the network with a NetID that calls for blocking of all "ftp" or "smtp" or other specific traffic types.
All of these improvements will reduce the chances for infections or intrusions, making your computers more secure, and reducing the side-effects of a single compromised computer. None of these security measures is possible on a port that has a hublet attaching multiple devices. This is why NUIT is moving the infrastructure in this direction.
More Discussion
Hub/repeater segments are unmonitored concentrations of computers, all of which could be compromised before action by NUIT to isolate the segment from the campus network. This compounds the effect of an intrusion in that segment (by a contaminated laptop, drive-by wireless device, etc.). Local maintenance staff would have to visit every computer on the segment to determine if there was a compromise or infection and determine what information, passwords, or resources were compromised. Unfortunately, in those venues where hub/repeater segments have been installed instead of standard infrastructure, local maintenance may be slim to non-existent due to lack of funds. This extends the outage and further compounds the problem of recovery.
When NUIT isolates a port from the network, and that port connects a hub/repeater segment, then all of the computers on that network are isolated from the campus network. Experience has shown that this is a serious problem for persons in the vicinity of the segment because (a) no one has monitored/documented which computers are attached to the segment and which have standard connections, (b) the impetus to connect to the hub is high as it is viewed as "free" so that many computers are affected, and (c) lack of local support puts individual users out of commission for hours or days until compromised systems are isolated and cleaned. These scenarios are seen by NUIT on a regular basis, and the persons affected are not sympathetic to NUIT's mandate to protect the network from the compromised segment. These situations become increasingly difficult when a departmental/research server is on the isolated segment, potentially affecting research, instruction or administration. This is why NUIT cannot adopt an approach that hub/repeater segments could be "registered" and the operators thereof would be understanding of NUIT's disconnection policy. Customer behavior cannot support any theory that such arrangements would be successful.
Wireless segments are especially vulnerable since they can be accessed from lobbies and outside buildings. Once again, the combination of perceived low cost to deploy, within an environment that does not have funding for standard infrastructure, creates a high possibility that security will be compromised. Misconfiguration of wireless segments is common - omitting the most basic security measures - thus leaving the University network vulnerable to intrusion/compromise/infection from drive-by agents. Maintenance of such segments is also a low priority, as is any authentication in concert with the balance of the University network.
The future security model is based upon per-port security. This enables two levels of security: (a) equipment validation and (b) user validation. When a computer is attached to the network port, authentication will be necessary to obtain a network address - during which time the computer can be checked for vulnerabilities, viruses, etc., from a central service. After passing that validation, the computer user will identify himself or herself to the network, and receive access as granted by services across the network. In this way, only appropriate persons will have network connectivity to sensitive or costly resources. The cost-savings effectiveness of equipment validation proved itself during the return of students to the dormitories over the weekend of 19-21 September 2003. Because NUIT had equipment validation deployed in the dormitories, it was able to detect and automatically patch vulnerable Windows computers as well as isolate infected computers without visiting 5,500 desktops. By comparison, a large state university, which has a shared port architecture in the dormitories, was forced to turn off all ports and manually inspect every one of 9,000 computers before allowing them individually onto the network. This equipment/user validation on the administrative and research networks at Northwestern will allow greater security up to limiting who may attach a computer to each subnet by NetID. This is a practical concern as student laptop computers "borrow" department network connections and potentially infect local systems.
Important Dates
Review Date- December 2016
- October 2005