EDUCAUSE & Internet2 Security Professionals Conference
The Challenge: Securing a Large Multicampus Network
Kirk Kelly – Pima Community College
Scott Ferguson – Pima Community College
April 11, 2006, 2:45pm – 3:45pm, Denver Ballroom 2
http://www.pima.edu/admin/presentations

Outline
• Who is Pima Community College (PCC)
• PCC technology infrastructure
• Specific incident
• Lessons learned
• New security devices
• New network architecture
• Questions

Pima Community College
Located in Tucson, AZ
• 8 campuses
• 9 centers
Enrollment
• 61,769 – Credit
• 13,639 – Noncredit
• 75,408 – Combined

Student Profile
• Average age: 27
• 41% ethnic minorities
• 56% female
• 69% part-time
• 68% daytime
• 25% evening
• 7% weekends

Current Data & Phone Network
• 15,000 data network connections across the college
• 7,000 devices connected to the network at 100/1000 Mbit/s
• Campuses, DO, and MS connected at 1 Gigabit speed via City I-Net Fiber ring
• Wireless at all locations
• 2,500+ phone lines across the college
• Over 70 (IDF/MDF) rooms

W32/Blaster Announced
• August 2003
• Blaster, Nachi, Welchia
• Blocked port 135, etc. at the edge
• Thought antivirus updates were in place
• No problems first day while others across the Internet are having major problems
• Day two an infected laptop plugs in
• Infection spreads quickly and network is shut down

The Awakening
• All services stopped
• All IT meeting with the Chancellor at 6:00pm
• 35+ employees worked all night
• All core systems back online by 1:00pm the following day
• Some remote sites offline for 2-3 days

What Did We Learn?
• Antivirus updates handled differently at every campus
• MS patches were way behind
• Firewalls & routers were underpowered and overtasked (new firewalls installed two months earlier)
• No way to control or secure campus links
• Network not segmented
• Poor communication between command center and staff
• No HVAC
• No keys

Desktop Antivirus and Updates
• All computers centralized into two domains
• McAfee ePolicy Orchestrator
• WSUS for MS security updates

Intrusion Detection?
• Demo of an Intrusion Detection System (IDS)
• Visited U of A
• Discovered an IDS needs constant babysitting
• Demo of an Intrusion Prevention System (IPS)
• No more staff on the horizon
• No central data security position or team

Purchase an IPS
• Decision to purchase IPS
• Updates
• Threat Management Center
• Inline on Internet connection
• Inline to all WAN links
• “Wire Speed” packet inspection at gigabit speeds

Firewall
• Needed more horsepower
• Needed firewall ports to support all WAN links
• Needed more DMZs
• Needed more advanced features
• Purchased new firewalls
• 24 gig ports
• Virtual firewalls
• Redundant boxes for redundant links
• Processor management

Changes to Network
• Needed multiple DMZs to support a centralized server approach
• Created a Frame Relay T1 Failover Network
• Switch to gigabit
• Network segmentation
• Redundant Internet connection (BGP with City)
• Created public access network
• Wireless rides on public network

Additional changes
• Established a disaster recovery site
• Payroll and native Banner only
• Redundant Internet link
• Re-architected college DNS/DHCP
• From 10 distributed servers to 4 centralized
• Chose an appliance solution
• HA pair for internal, 1 at disaster recovery site, 1 for external DNS

Future
• Clean access type things…
• Patch, spyware and antivirus checking
• Quarantine
• Goal to provide students access and maintain security
• Portal, students in LDAP
• VoIP pilot and phased installation
• Wireless security
• Wireless with U of A and City of Tucson
• Inet tie in

Questions?
kkelly@pima.edu
sferguson@pima.edu