Network Security Infrastructure
Nowadays every one of us regards the computer network as an indispensable
campus IT infrastructure service. It is a bread-and-butter utility that
provides access to our intranets and the global Internet. On the one hand our
campus network brings information-at-your-fingertips convenience; on the other
hand it also exposes us to security risks. It is therefore vital to institute
an appropriate level of network security while keeping the network highly
available.
Briefly, ITSC employs a 3-pronged approach to mitigate network security
threats in our environment:
-
Preventive security measures
-
Proactive network management
-
Reactive security responses
Preventive Security Measures
Prevention is always better than cure. The following are some notable
preventive measures incorporated in the design and development of our campus
network:
-
The HKUST network is principally a switched environment, which makes network
eavesdropping difficult: a switch forwards a frame only to the port that owns
the destination address, so a passive sniffer on a neighbouring port sees
little (although an attacker on the same segment can still attempt ARP
spoofing, so this raises the bar rather than removing the risk).
-
A set of load-balanced network firewall systems is operated in
high-availability (HA) mode to protect our campus from the global Internet:
-
network filtering of commonly abused and vulnerable protocols, following the
good security practice recommended by authoritative security advisory sites
such as SANS and CERT; e.g. the NetBIOS protocols (TCP/UDP ports 137 to 139)
are filtered at the network border
-
filtering of unwanted traffic associated with well-known network worms and
attacks such as Code Red and Nimda
-
Flexible control is made possible through additional distributed security
control at our border and backbone routers, as well as at some intelligent
switches, by specifying access control lists (ACLs) that restrict network
access
-
Managed network devices are deployed as our standard to ease remote network
management and hence provide a timely response in the event of a network
incident. For instance, it is not uncommon for us to spot a compromised
computer generating a high level of traffic that interferes with our network
and affects other users. By tracing the traffic source with the help of our
network database, we can promptly disable the network port concerned from a
remote location and contain the problem.
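The border filtering and router ACLs described above share one mechanism: an ordered, first-match access list with an implicit deny at the end. The following is an added illustration of how such a list is evaluated and how a misordered list silently fails; it is not ITSC's actual ruleset, the 10.0.0.0/8 campus range and the 10.1.1.10 web server are assumed for the example, and the port set covers NetBIOS (137-139) together with the Windows RPC endpoint mapper (135) and direct-hosted SMB (445).

```python
"""Border ACL evaluator.

Added illustration, not ITSC's actual ruleset: models a stateless, first-match
access list applied inbound on a border router. Rules are tried in order, the
first match decides, and a packet matching no rule is dropped (implicit deny).
Address ranges below are assumed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = "0.0.0.0/0"
CAMPUS = "10.0.0.0/8"        # assumed campus address range (not HKUST's real one)
WEB_SERVER = "10.1.1.10/32"  # hypothetical public web server inside campus


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                               # "permit" or "deny"
    proto: str                                # "tcp", "udp", "icmp" or "ip" (any)
    src: str                                  # source CIDR
    dst: str                                  # destination CIDR
    dports: Optional[Tuple[int, int]] = None  # inclusive port range; None = any

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dports is not None:
            lo, hi = self.dports
            if not (lo <= pkt.dport <= hi):
                return False
        return True


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """Return the action of the first matching rule; deny if nothing matches."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet that `inner` would match is also matched by `outer`."""
    if outer.proto != "ip" and outer.proto != inner.proto:
        return False
    if not ip_network(inner.src).subnet_of(ip_network(outer.src)):
        return False
    if not ip_network(inner.dst).subnet_of(ip_network(outer.dst)):
        return False
    if outer.dports is None:
        return True
    if inner.dports is None:
        return False
    return outer.dports[0] <= inner.dports[0] and inner.dports[1] <= outer.dports[1]


def shadowed_rules(acl: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire because an earlier rule covers them."""
    return [i for i, r in enumerate(acl) if any(covers(e, r) for e in acl[:i])]


# NetBIOS over TCP/IP (137-139), the Windows RPC endpoint mapper (135) and
# direct-hosted SMB (445): the ports Internet hosts should never reach.
WINDOWS_SHARING_PORTS = [(135, 135), (137, 139), (445, 445)]


def netbios_block_rules() -> List[Rule]:
    return [Rule("deny", proto, ANY, CAMPUS, span)
            for span in WINDOWS_SHARING_PORTS for proto in ("tcp", "udp")]


# Correct ordering: specific denies first, then the services that are meant to
# be reachable from the Internet, then (implicitly) deny everything else.
INBOUND_ACL: List[Rule] = netbios_block_rules() + [
    Rule("permit", "tcp", ANY, WEB_SERVER, (80, 80)),
    Rule("permit", "tcp", ANY, WEB_SERVER, (443, 443)),
    # A stateless ACL must explicitly admit replies to connections that campus
    # hosts opened; a stateful firewall tracks those connections instead.
    Rule("permit", "tcp", ANY, CAMPUS, (1024, 65535)),
]

# The same rules with a blanket permit placed first: the denies are shadowed
# and never fire, so the border is open to file-sharing traffic.
MISORDERED_ACL: List[Rule] = [Rule("permit", "ip", ANY, CAMPUS)] + netbios_block_rules()


if __name__ == "__main__":
    smb = Packet("tcp", "203.0.113.9", "10.1.2.3", 445)
    print("SMB inbound, correct ACL:   ", evaluate(INBOUND_ACL, smb))
    print("SMB inbound, misordered ACL:", evaluate(MISORDERED_ACL, smb))
    print("shadowed rules in misordered ACL:", shadowed_rules(MISORDERED_ACL))
```

The `shadowed_rules` check is the one worth running whenever an ACL is edited: a rule that is fully covered by an earlier permit is dead, and a border filter whose NetBIOS denies are dead looks correct while protecting nothing. Note also that port filtering of this kind does not stop worms such as Code Red or Nimda, which spread over HTTP to servers that are meant to be reachable; that traffic has to be matched on content rather than on port.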
Proactive Network Management
Proactive efforts are also made to identify possible malicious network
activity through ongoing network monitoring:
-
Attackers commonly conduct port scans before launching an attack, with the
intention of locating vulnerable service ports on servers and desktops. We
monitor such scanning activity through automated hourly, daily and weekly
port-scan reports. For malicious incoming scans from the Internet, we report
the incident by automated mail to the remote ISP or network domain
administrator for further follow-up. For scans initiated from within the
campus, we contact the user or technical support staff concerned. From past
experience, this really helps us identify, in a timely manner, stations that
have been compromised without their owners being aware of it.
-
Network-based intrusion detection systems (NIDS) are deployed to give early
warning of suspected intrusion activity. By constantly updating the signature
database to keep track of the latest attacks, we can determine in advance when
our security settings need adjusting, before an attack takes hold in our
environment. Reports from these systems also let us easily identify
compromised systems within the campus that are launching network attacks under
the remote control of attackers.
-
By correlating network graphs and reports based on our comprehensive network
statistics, we can spot security-related anomalies, e.g. an abnormally high
connection rate or an atypical level of network flooding. Automated threshold
alarms are also set up to signal anomalies in the events we are concerned
about, so that we can respond in time and minimize the impact.
-
Our IT staff also keep a close tab on the latest security alerts from
authoritative security sites, assess their impact on us, and take appropriate
measures to safeguard our environment. For instance, on receiving the security
alert about the Linux Slapper worm in September 2002, our engineers instituted
additional protection at our network firewalls. With this proactive measure,
our campus was subsequently hit much less by the worm than some other UGC
sister institutions.
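The port-scan reports and the threshold alarms described in the first and third items above both reduce to the same computation over exported flow records: group flows by source and time window, then count distinct ports, distinct hosts and total flows. The following is an added example of that logic run over constructed flow records; it is not ITSC's own reporting code, the record layout (`ts src dst proto dport`, one flow per line), the 10.0.0.0/8 campus range and the thresholds are all assumed for the illustration.

```python
"""Port-scan and threshold detection over flow records.

Added illustration, not ITSC's own reporting code. The records and their field
layout ('ts src dst proto dport', one flow per line) are constructed for the
example and the thresholds are assumed. Flows are grouped into fixed windows of
`window` seconds; a source is a scanner when it touches many distinct ports on
one host (vertical scan) or one port on many hosts (horizontal scan) within a
window, and a threshold alarm fires when a source opens `threshold` or more
flows in a window.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List

CAMPUS = ip_network("10.0.0.0/8")   # assumed campus address range


@dataclass(frozen=True)
class Flow:
    ts: int      # seconds since epoch
    src: str
    dst: str
    proto: str
    dport: int


def parse_flows(lines: Iterable[str]) -> List[Flow]:
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, dport = line.split()
        flows.append(Flow(int(ts), src, dst, proto, int(dport)))
    return flows


def detect_port_scans(flows: List[Flow], window: int = 60,
                      min_ports: int = 10, min_hosts: int = 10) -> Dict[str, str]:
    """Map each scanning source to 'vertical' or 'horizontal'."""
    # (src, window index) -> {dst -> set of destination ports seen}
    buckets = defaultdict(lambda: defaultdict(set))
    for f in flows:
        buckets[(f.src, f.ts // window)][f.dst].add(f.dport)
    findings: Dict[str, str] = {}
    for (src, _), per_host in buckets.items():
        if any(len(ports) >= min_ports for ports in per_host.values()):
            findings[src] = "vertical"
            continue
        hosts_by_port = defaultdict(set)
        for dst, ports in per_host.items():
            for p in ports:
                hosts_by_port[p].add(dst)
        if any(len(hosts) >= min_hosts for hosts in hosts_by_port.values()):
            findings[src] = "horizontal"
    return findings


def connection_rate_alarms(flows: List[Flow], window: int = 60,
                           threshold: int = 200) -> Dict[str, int]:
    """Map each source whose flows per window reach `threshold` to its peak count."""
    counts = defaultdict(int)
    for f in flows:
        counts[(f.src, f.ts // window)] += 1
    alarms: Dict[str, int] = {}
    for (src, _), n in counts.items():
        if n >= threshold:
            alarms[src] = max(n, alarms.get(src, 0))
    return alarms


def triage(sources: Iterable[str]) -> Dict[str, List[str]]:
    """Split flagged sources by where the follow-up goes: campus hosts to the
    user or support staff, Internet hosts to the remote ISP or domain admin."""
    out: Dict[str, List[str]] = {"internal": [], "external": []}
    for src in sorted(sources):
        out["internal" if ip_address(src) in CAMPUS else "external"].append(src)
    return out


def sample_flows() -> List[str]:
    """Constructed sample: benign web traffic, an Internet host probing 16 ports
    on one campus server, a campus host sweeping port 445 across 30 hosts, and
    a campus host sending 300 flows in one minute to a single target."""
    lines = ["# ts src dst proto dport"]
    for i in range(20):
        lines.append(f"{1000 + 3 * i} 10.2.3.{i + 1} 198.51.100.7 tcp 443")
    probe = [21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443, 445, 1433, 3306, 3389]
    for i, port in enumerate(probe):
        lines.append(f"{1080 + 2 * i} 203.0.113.9 10.1.1.10 tcp {port}")
    for i in range(30):
        lines.append(f"{1200 + i} 10.5.6.7 10.9.0.{i + 1} tcp 445")
    for i in range(300):
        lines.append(f"{1320 + i // 5} 10.7.7.7 192.0.2.50 udp 53")
    return lines


if __name__ == "__main__":
    flows = parse_flows(sample_flows())
    scans = detect_port_scans(flows)
    alarms = connection_rate_alarms(flows)
    print("scanners:", scans)
    print("rate alarms:", alarms)
    print("follow-up routing:", triage(set(scans) | set(alarms)))
```

Fixed windows keep the code short; a production report would use a sliding window so that a scan straddling a window boundary is not split into two halves that each fall below the threshold. The `triage` split is the routing rule from the report process above: internal sources go to the user or support staff, external ones to the remote ISP or domain administrator.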
Reactive Security Responses
Understandably, we cannot catch or avoid each and every network security
problem in advance, so we need to complement the above with reactive security
responses, of which the following are typical:
-
There are times when a network worm spreads so rapidly that the authoritative
security sites have not yet released alerts or incident reports when it first
appears. In that case our engineers have to conduct a detailed investigation
themselves with the help of low-level traffic analyzers, and apply an interim
fix to contain the problem until more information is available from the
security community.
-
Occasionally our network may also come under a distributed denial-of-service
(DDoS) attack from the Internet that floods our network paths. In that case
we need to identify the attack sources quickly and coordinate with our
upstream ISP to set up corresponding network filters, until the attacking
hosts can be isolated from the network.
-
From time to time we also receive reports from users of suspected network
security breaches on their machines. Based on the symptoms and our engineers'
subsequent findings, we may assist in the following ways:
-
impose interim security filters to stop further hacking or intrusion
activity, while following up with the related network administrators on
remedial actions
-
provide advice or recommendations to affected users on remedial actions, e.g.
applying patches to harden their systems, or removing non-essential but
vulnerable system components
The Road Ahead
It is our ongoing aim to provide a more secure campus network environment,
though we are well aware that the above 3-pronged approach is no panacea for
emerging security problems. Inevitably there will still be security incidents
to which we can only react when they happen, as in the SQL Slammer case.
Nonetheless, ITSC will continue to explore better ways to enhance network
security along the following directions:
-
Introduction of more intelligent network gear to provide finer and more
effective distributed security control, e.g. confining the scope of impact of
a distributed denial-of-service (DDoS) attack to a smaller region
-
Installation of additional firewall systems at suitable enforcement
points within campus
-
Exploring when emerging intrusion prevention systems (IPS) are mature enough
to deploy alongside the existing intrusion detection systems (IDS)