Security
Arkansas Research and Education Optical Network (ARE-ON)
Briefing on Security
The global higher education community has taken a major step forward, philosophically and technologically, as optical networking has replaced the older transport methodologies. Therefore, the security needs of such a dynamic data transmission environment must change accordingly. Typically, higher education networks secure the network at the applications level and monitor the transport level. This model offers a more diverse set of options to a very diverse set of end-user communities. Unlike a typical utility computing environment, higher education networks transport an ever-changing variety of applications to an ever-increasing population on a global scale. The applications encourage collaboration and shared resources, and are focused on creating new technologies, tools, and knowledge in multiple content areas.
ARE-ON has three distinct layers of security. First, and rather uniquely, ARE-ON is working with the FBI to create a training model for system administrators, so that these extremely valuable staff are aware of, and attuned to, the cyber-terrorism threats that grow more dangerous daily. All ARE-ON staff are encouraged to become active InfraGard members in order to stay current on threats from all potential sectors of the information economy.
Second, the ARE-ON backbone is principally a transport network, serving as a
data transport for Layer 1 waves, Layer 2 frames, and Layer 3 packets. As
such, ARE-ON is positioned to serve its membership by providing reliable
access to such services as national research and education networks, the
Internet, inter-member communications, IP and non-IP based communications,
and other services that meet the networking and communications needs of its
members. In addition, ARE-ON is able to provide secure point-to-point data
connections over its backbone for its members using Layer 1 waves, Layer 2
VLANs, and Layer 3 tunnels.
Therefore, the ARE-ON backbone will be constantly monitored per well-established protocols practiced by production quality networks for many years. Such services are quite common and inexpensive due to the purchasing power of the collective higher education community. Much of ARE-ON’s focus on security is in protection of the backbone network and central network resources upon which all of our members depend (cyber assets per the RAMCAP definition). These take place in four strategic areas:
Physical
- ARE-ON facilities will all be in restricted access areas protected by door locks and/or swipe card systems as appropriate.
- ARE-ON equipment will be housed in locked cabinets and/or cages as appropriate.
- Dry contact alarms will be monitored at each location for the appropriate threat, which could be as diverse as a door being opened, a temperature or humidity out-of-range alert, a power loss alert, or motion-detected alarms.
- Environmental monitoring will be deployed at all locations.
- Video camera surveillance will be deployed at all appropriate locations, especially those where ARE-ON owns the facility and manages the security.
- All facilities are to be protected by battery backup for short-term power loss and a generator for longer-term power loss.
- ARE-ON will be a member of Arkansas OneCall to ensure that its underground cables are protected from accidental damage when digging is done in their vicinity.
Logical
- ARE-ON will maintain a separate out-of-band management network that is accessible only through secure authenticated means, such as a VPN. This limits the ability of attackers to get into the management infrastructure to cause a denial of service or other attack.
- Network devices and servers at all core sites will have alternate remote access capabilities that will enable ARE-ON technicians to access the devices in the event of a physical network outage or an ongoing network attack.
- Authentication to ARE-ON devices will be via RADIUS servers, which provide authentication, authorization, and accounting functions for tracking who accessed any particular device in the network.
- All ARE-ON devices capable of doing so will log all syslog messages to dual, geographically diverse syslog servers.
- All ARE-ON network devices will have automated configuration backups stored at off-site locations.
- ARE-ON plans to deploy network monitoring using netflow data, syslog entries, and SNMP traps with a correlation function that will enable specific automated alerts in the event of unusual network events, especially high-profile denial of service attacks.
- ARE-ON uses network management software that monitors availability and tracks utilization of its network devices and communications links, with alerts in the event unusual conditions or outages occur.
- ARE-ON will use best practice standards, such as BCP38, in the configuration of its network devices to eliminate vulnerability to some common threats on the Internet such as packets from spoofed IP addresses.
- ARE-ON will periodically conduct security audits of its own network using security penetration techniques to probe for vulnerabilities.
- ARE-ON will maintain a disaster recovery plan that will enable relocation of its network operations center and key personnel in the event of a disaster.
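The "correlation function" over netflow data and syslog entries described in the Logical controls above, shown as an added example that is not ARE-ON's own tooling: a destination is flagged only when the flow data shows many distinct sources at high packet volume AND a device syslog message within the same window corroborates it. The record layouts, thresholds, device names and IP addresses are all constructed assumptions, not real ARE-ON values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample netflow-style records in an assumed, simplified layout
# (not a real exporter format): (timestamp, source IP, destination IP, packets).
NETFLOW = [
    ("2024-03-01T10:00:01", "198.51.100.1", "192.0.2.10", 4000),
    ("2024-03-01T10:00:02", "198.51.100.2", "192.0.2.10", 3900),
    ("2024-03-01T10:00:02", "198.51.100.3", "192.0.2.10", 4100),
    ("2024-03-01T10:00:03", "198.51.100.4", "192.0.2.10", 3800),
    ("2024-03-01T10:00:03", "203.0.113.9", "192.0.2.20", 40),
]
# Constructed syslog lines: "<timestamp> <device> <message>" (assumed layout).
SYSLOG = [
    "2024-03-01T10:00:04 core-rtr1 interface ge-0/0/1 input utilization 98 percent",
    "2024-03-01T09:30:00 core-rtr2 configuration saved by operator",
]

def correlate(flows, syslog, window=timedelta(seconds=60),
              min_sources=3, min_packets=10000):
    """Raise an alert for each destination that is hit by many distinct sources
    with high packet volume AND has a corroborating device syslog message
    (here: an interface utilization warning) within `window` of the first flow.
    Flows are assumed to come from one short export batch."""
    per_dst = defaultdict(lambda: {"sources": set(), "packets": 0, "first": None})
    for ts, src, dst, packets in flows:
        t = datetime.fromisoformat(ts)
        entry = per_dst[dst]
        entry["sources"].add(src)
        entry["packets"] += packets
        entry["first"] = t if entry["first"] is None else min(entry["first"], t)

    alerts = []
    for dst, entry in per_dst.items():
        if len(entry["sources"]) < min_sources or entry["packets"] < min_packets:
            continue  # single-source or low-volume traffic is not an alert on its own
        evidence = [
            line for line in syslog
            if "utilization" in line
            and abs(datetime.fromisoformat(line.split(" ", 1)[0]) - entry["first"]) <= window
        ]
        if evidence:  # both signals agree: flow anomaly plus device-side symptom
            alerts.append({"dst": dst, "sources": len(entry["sources"]),
                           "packets": entry["packets"], "evidence": evidence})
    return alerts

if __name__ == "__main__":
    for alert in correlate(NETFLOW, SYSLOG):
        print(alert)
```

Requiring both signals keeps a single busy backup job or a lone misbehaving host from paging staff, while a flood from many sources that also degrades a core interface is raised immediately.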
Leadership
- ARE-ON’s CTO and network engineers will all be members of InfraGard.
- ARE-ON will apply for membership within the REN-ISAC.
- Mike Abbiatti, ARE-ON’s Executive Director, has been invited by the ASME ITI to chair its Higher Education Standards Committee. Mr. Abbiatti has been a strong advocate of RAMCAP Plus.
- ARE-ON will provide leadership, training, and resources to enable disaster planning and disaster preparedness on all of its member campuses. The training will be offered through the ARE-ON Institute.
- ARE-ON will undertake an effort to establish a federation of its member campuses to provide trust relationships and common standards between the campuses, so that each campus maintains its own identity management system and process, but the campuses tie together to enable cross-campus authentication and authorization for select applications (for example, via Shibboleth).
Policy
- ARE-ON will participate in all state efforts for defining security policy, procedures, and standards as they apply to higher education and its members.
- ARE-ON’s Membership Memorandum of Understanding states that member institutions must create and manage their own security policies, ensuring that they are in compliance with appropriate state and ARE-ON security policies. It also states that ARE-ON shall act in good faith and make every effort to cooperate with a member institution to avoid or minimize the level of disruption or suspension of service in the event of attacks or breaches of the network, but that it may take the steps necessary to protect the network and its members if attacks occur that require strong measures.
- ARE-ON will comply with all applicable state and federal guidelines, such as CALEA, HIPAA, and FERPA.
- ARE-ON will respond as appropriate to all state and federal subpoenas or other legal instruments, including National Security Letters.
Third, securing university networks is a task that is best done at the university level. Each institution has an active Security Committee. Individual ARE-ON member campuses will deploy their own layered threat protection, including firewalls, VPNs and encryption, intrusion detection and prevention, authentication and authorization, data backup and disaster recovery, and physical security, which includes everything from door locks to automated emergency notification systems to be activated in the event of a local emergency. ARE-ON serves in a support role for the campuses, but will not be actively involved in the day-to-day security management of an individual campus member.