Computer and Network Security Strategic Plan (IDS & Firewall Elements)

Any security plan must address "defense in depth". In other words, no single security measure can be counted upon to be totally effective against the types of sophisticated, network-based attacks that are now commonplace. No one protection mechanism is capable of defeating all standard attack scenarios. Accordingly, the Computer and Network Security Strategic Plan called for an integrated combination of intrusion detection, filtering support, training and personal desktop security tools. Training and personal desktop support have thus far been largely funded outside the context of the overall plan. Therefore, progress in those areas is not addressed below. What is addressed is the progress and planning related to overall intrusion detection system (IDS) and firewall support.

Intrusion Detection System (IDS)

Intrusion detection systems are essentially "burglar alarms". Penn State is seldom attacked by a brand new method that has never been seen before or which exploits a totally new system vulnerability. Far more often, the University's systems are attacked through previously documented vulnerabilities using scripted attack tools that are easily downloaded from the Internet. The common attack tools behave in predictable patterns. They search for a particular vulnerability or set of vulnerabilities and then use a known sequence of commands to actually exploit the vulnerability and take over the system or account. Because both the probing activity and the attempted exploitation methods are predictable, they can be detected. Intrusion detection tools compare the signature (or characteristics) of such known attacks against incoming traffic from the network and, if an attack is detected, an alarm is triggered. Generally the level of the alarm or response can be configured and can range from automatically shutting down the attack, to logging for later analysis, to immediate notification of a human analyst.

During the period August to November 2001, Penn State pursued a contractual arrangement with Verisign to examine options and alternatives for enhancing the University's network security posture, particularly with regard to the firewall/filtering and intrusion detection space. The Verisign contract is complete, though individuals frequently refer to the results of their recommendations (including ongoing initiatives) as the "Verisign effort". What Verisign recommended as the most cost-effective solution for wide-ranging support was a combination of freeware products: SNORT to handle the intrusion detection task and Hogwash to handle the filtering/firewalling. Their initial recommendation addressed implementation at the core level but allowed for local deployment as well, subject to availability of funds. While other alternatives were explored (such as multi-layered conventional firewall support), these options were not recommended due to cost and to the desire for an integrated interchange or reaction between the IDS and filtering implementations, such as SNORT/Hogwash can provide. It was recognized that in certain locations, conventional firewall capabilities or implementations may be essential due to regulatory requirements (e.g., HIPAA) or a desire for tighter security than the default solution can afford.

Since the completion of the Verisign study, preliminary investigation and analysis of SNORT/Hogwash capabilities has been underway, with early emphasis on the SNORT component. Primary considerations are determination of performance impacts for two possible modes of operation (in-line and mirrored), the integration and evaluation of existing (commercial and open source) tools and/or development of software to facilitate centralized management and monitoring, the number of staff required to monitor SNORT/Hogwash output effectively, the number of false positives or, conversely, "missed" signatures, and the ease/difficulty of configuration. It is anticipated that the SNORT/Hogwash deployment will grow incrementally. At the present time the plan is to pursue a limited deployment of approximately 6 to 10 networks by Fall Semester 2002 at the unit level (vs. core). These may not all be introduced simultaneously. Thus, there may be some systems considered part of the "Fall" deployment that are actually implemented during spring/summer. These implementations may include a mix of SNORT only, SNORT/Hogwash and Hogwash only. This will enable us to gain valuable experience with the tools and to develop better centralized management and data reduction monitoring tools and strategies prior to any implementation at the core level. From this experience, the number of devices that can be effectively managed with the staff resources available and, as a result, the most effective deployment strategy can also be determined. Unit testing will also help determine whether SNORT alone, SNORT with Hogwash, or Hogwash alone will be pursued, and whether commercial firewalls will be used in conjunction with a SNORT IDS or SNORT/Hogwash solution (and if so, how many).

Growing from the research into IDS capabilities, another element in the IDS solution path for the University has taken shape. There are outsourced commercial vendors who provide IDS implementations with 24/7 monitoring. While it would not be cost-effective to pursue total outsourcing or "managed security services" for the entire University, there are a number of advantages to a limited outsourcing arrangement that cannot be achieved by an in-house IDS implementation (e.g., SNORT) alone. The first is the 24/7 monitoring capability mentioned above. In a managed services arrangement, security experts at a Security Operations Center (SOC) are analyzing input twenty-four hours a day and reacting according to the site's direction. The second advantage is that the SOC receives incident data from clients all over the world. With a limited outsourcing arrangement, Penn State will receive immediate notification if a client of the managed services vendor is attacked anywhere in the world in a manner that may impact upon Penn State. Therefore, the very few managed IDS sensor systems that could be incorporated in the architecture will serve an important "early warning" function. Additionally, in some managed services arrangements, the service provider can monitor many of the computer "underground" sites to determine if hacking involving Penn State systems is being discussed or sensitive data related to Penn State systems is being traded in these forums. A 30-day evaluation of a typical managed services solution was initiated in early April 2002. Three "Network Intrusion Detection Systems" (NIDS) are being evaluated in actual College and administrative network settings to evaluate the efficacy of limited managed services.

Filtering/Firewalls

As noted above, the Verisign study recommended Hogwash as a filtering/firewall mechanism. In its original design, Hogwash is configured to implement a reaction to a given signature reported to it via the SNORT engine it is built upon (e.g., log and, when running in in-line mode, drop "bad" packets). Hogwash should also be capable of configuration as a more conventional firewall (blocking ports, services or network addresses selectively). Hogwash is currently under evaluation, and will be included in the unit-level implementation analyses planned for fall semester. At that time the viability/utility of Hogwash in both roles (responding to a signature match from SNORT and acting as a conventional firewall) will be evaluated.
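The signature-matching and configurable-response model described in the IDS section, together with the log-or-drop reaction and the in-line versus mirrored distinction discussed above, as an added illustration that is not part of the original plan nor code from SNORT or Hogwash: a small Python matcher over a constructed, simplified subset of Snort's rule syntax, run against constructed packets using documentation address ranges. It assumes packets are plain dicts and that a sensor on a mirror port can only observe, so a "drop" rule there degrades to an alert.

```python
import re
from collections import namedtuple

# Constructed, simplified subset of Snort's rule syntax (no port ranges, negation or |hex| content):
#   <action> <proto> <src> <sport> -> <dst> <dport> (msg:"..."; content:"...";)
RULE_RE = re.compile(
    r'^(alert|log|drop)\s+(\w+)\s+(\S+)\s+(\S+)\s*->\s*(\S+)\s+(\S+)\s*\((.*)\)\s*$')
Rule = namedtuple("Rule", "action proto src sport dst dport msg content")

def parse_rule(text):
    m = RULE_RE.match(text)
    if not m:
        raise ValueError("unparsable rule: " + text)
    opts = dict(re.findall(r'(\w+):"([^"]*)"', m.group(7)))
    return Rule(*m.groups()[:6], opts.get("msg", ""), opts["content"].encode())

def field_matches(pattern, value):
    return pattern == "any" or pattern == str(value)

def evaluate(rules, pkt, inline):
    """Return (verdict, msg) for one packet: 'pass', 'alert', 'log' or 'drop'.
    First matching rule wins. A sensor fed from a mirror port/tap only sees a
    copy of the traffic and cannot drop it, so 'drop' degrades to 'alert'."""
    for r in rules:
        if (r.proto == pkt["proto"] and field_matches(r.src, pkt["src"])
                and field_matches(r.sport, pkt["sport"])
                and field_matches(r.dst, pkt["dst"])
                and field_matches(r.dport, pkt["dport"])
                and r.content in pkt["payload"]):
            return ("alert" if r.action == "drop" and not inline else r.action), r.msg
    return "pass", ""

def run(rules, packets, inline):
    return [evaluate(rules, p, inline)[0] for p in packets]

# Constructed sample rules and packets (documentation address ranges, not real hosts).
RULES = [parse_rule(r) for r in (
    'drop tcp any any -> any 80 (msg:"request for a /cgi-bin/ path"; content:"/cgi-bin/";)',
    'log tcp any any -> any 21 (msg:"FTP SITE command"; content:"SITE ";)',
)]
def pkt(dport, payload):
    return {"proto": "tcp", "src": "198.51.100.7", "sport": 40001,
            "dst": "192.0.2.10", "dport": dport, "payload": payload}
PACKETS = [pkt(80, b"GET /cgi-bin/test HTTP/1.0\r\n"),
           pkt(80, b"GET /index.html HTTP/1.0\r\n"),
           pkt(21, b"SITE CHMOD 600 x\r\n")]

if __name__ == "__main__":
    print("in-line :", run(RULES, PACKETS, inline=True))   # ['drop', 'pass', 'log']
    print("mirrored:", run(RULES, PACKETS, inline=False))  # ['alert', 'pass', 'log']
```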

Overall guidance/coordination for these efforts is under the auspices of Security Operations and Services within Information Technology Services (ITS). There is an advisory committee structure within ITS and discussions are underway with regard to how to best involve the distributed community at the non-University Park campuses in the evolution of solutions in this space.

The Pennsylvania State University ©2003. All rights reserved.
This site maintained by Consulting & Support Services, a unit of Information Technology Services.
Last revised: Thursday, July 17, 2003.