“Last fall we purchased TippingPoint’s UnityOne Enhances … · 2006-09-15 · University of...



University of Colorado at Denver

Enhances Security at the Point of Intrusion

“Last fall we purchased TippingPoint’s UnityOne Intrusion Prevention Systems (IPS), which we single-sourced through Dell. It has really saved us when it comes to screening out worms and viruses.”

Frank Edlin, University of Colorado at Denver, Assistant Vice Chancellor for Computing, Information and Networking Services

FIVE TIPS: PROTECTING YOUR CAMPUS NETWORK

As today’s campus networks grow increasingly complex, it is critical to offer internal and external protection from cyber threats. Because data can be compromised either from within or outside your school, IT managers must deploy defense-in-depth, multi-faceted security solutions. In addition to physical and user security configuration solutions, Dell offers various network solutions that allow you to enhance system-level protection. These integrated applications address the demands of your network at many levels to help you create the ultimate defensible position. Following are five critical areas that enable protection and constant vigilance across the network.

Best-of-Breed Intrusion Prevention Systems

Intrusion Prevention Systems are able to inspect all traffic at very deep levels (through Layer 7) and block malicious traffic at gigabit speeds. The technology that enables these capabilities has only recently been available with the creation of high-speed processors and custom ASIC chips. IPS can be placed on internal or perimeter segments to block cyber threats such as worms, viruses, Denial of Service attacks and Trojans. They are also remotely updated with virtual patches that shield newly announced vulnerabilities. Because of its ability to deeply analyze and classify traffic at the network level, the IPS is also a network cleansing tool that eliminates malformed packets or controls non-mission critical applications, such as peer-to-peer file sharing, to protect bandwidth. Dell partners with TippingPoint for its award-winning IPS solution, which won the NSS Gold Award in the first-ever multi-vendor, intrusion-prevention evaluation, www.nss.co.uk/ips.

Anti-Virus and Client-Protection Software

The increased frequency of malicious worms, viruses and other threats requires added security on the client system itself. Perimeter security in the form of firewalls and intrusion-detection systems cannot provide sufficient protection. Dell provides best-of-breed client protection.

Integrated System Protection

LegacySelect Control Capability – a standard feature on Dell OptiPlex desktops – helps your school quickly transition away from insecure legacy technologies while retaining some level of legacy support for others. LegacySelect also gives you the ability to lock down any system’s drives, slots and ports to help protect its integrity.

Configuration-Change Alerts

Provides notification to IT administrators that a system’s configuration has been altered.

Firewall and VPN Perimeter Protection

Firewalls are devices that allow you to filter content, manage Virtual Private Networks (VPNs), monitor network resource requests, and share Internet access. Most commonly, a firewall selectively separates an internal network from the Internet (or other external network). A firewall can also be used to prevent access to specific computers on the Internet. We recommend that every network connected to the Internet include a firewall.

Easy as

Click www.dell.com/hied/univbiz or call 1-866-486-4477


Dell and TippingPoint Team Up to Block Viruses

When the University of Colorado at Denver was attacked last fall with a flurry of software viruses, the immediate result was an all-hands-on-deck emergency. “We were overwhelmed,” recalls Frank Edlin, Assistant Vice Chancellor for Computing, Information and Networking Services. “We put six people on full-time just trying to identify infected machines, isolate them and shut them down, one by one. We figured that there were about 300 unique users who were vulnerable, so we dispatched staffers to go out and apply patches. And we didn’t have the staff to do this on an ongoing basis. Each time a worm came out, we had to do this all over again. We needed a solution that stopped infections at the point of intrusion, not after the fact.”

He’s not alone. A long-standing irresistible target to hackers, university systems are growing increasingly vulnerable to attack. A university’s requirement to provide open network access for students often leaves them wide open to cyber threats. In addition, the number of vulnerabilities and incidents reported each year is dramatically increasing. Another security barrier for universities is that they do not physically control all of the hosts on their network, such as notebooks in dormitories. As a result, IT administrators are implementing a series of diverse and sophisticated checks throughout networks to ensure that security is not compromised.

“We catch the viruses faster because the inspection vector is narrower.”

Matthias Johnson, University of Colorado at Denver, Principal Systems Administrator

The UnityOne Performance Protection capability helps limit or prevent a student’s ability to consume or distribute copyrighted materials.

Universities must consider security threats from all directions, both internal and external. University research environments invest large amounts of money and time into scientific projects that are vulnerable to potential threats, creating the need for strategic information assurance planning. In addition, many campuses now have wireless initiatives, and the trend is quickly becoming mainstream. Freshmen are often issued notebooks at orientation, and protecting this investment is more important than ever with the expansion of online curriculum. Finally, the cost of remediation to cleanse an infected machine or infected network is exorbitant, not to mention the cost of downtime and reduced bandwidth availability when the network is being hit with worms or viruses.

If such words as Blaster, SoBig, Slammer, and Mydoom – just to name a few – send a chill up your spine, you are a likely candidate for high-speed intrusion-prevention products. Intrusion-prevention systems are remotely updated to shield newly announced vulnerabilities, providing immediate protection prior to scheduled patching. Because intrusion-prevention systems inspect traffic more deeply than a firewall, universities can block malicious traffic while maintaining open access.

“Last fall we purchased TippingPoint’s UnityOne Intrusion Prevention System (IPS), which we single-sourced through Dell,” says CU-Denver’s Edlin. “It has really saved us when it comes to screening out worms and viruses. It’s like a traffic cop that watches the cars come and go without slowing down the innocent drivers, but prevents a car with a hidden missile launcher from entering the system.”

Edlin and his colleague, Matthias Johnson, Principal Systems Administrator, state that TippingPoint’s Intrusion Prevention System is nearly 100 percent effective and stops new worms that try to exploit holes that have not been patched, as well as stopping derivative worms. “We now have virus protection [we push out] to users,” says Johnson. “We catch the viruses faster because the infection vector is narrower. When we discover a worm today, it’s more often a result of someone taking a computer off campus and bringing it back infected.”

The University of Colorado at Denver contract was completed through Dell, which distributes TippingPoint’s products through its software and peripherals business. “Dell has provided excellent support for the third-party products, as well as the Dell servers and workstations that we have purchased from them,” adds Edlin.

GETTING P2P UNDER CONTROL

Reclaiming Your Bandwidth

The downloading of copyrighted materials – from music to software programs to videos to documents – creates problems of almost infinite variations: What are the legal ramifications? Will the entertainment industry hold the institution liable rather than the individual? What is the cost to the university? Some studies show that the vast majority of the available bandwidth on university networks is consumed by illegal peer-to-peer (P2P) traffic. What are the security implications? Hundreds of millions of P2P clients have been installed. These applications are potential conduits for a worm or virus that could incapacitate the network. How much more effective would the educational mission be if this traffic was limited or stopped altogether?

Firewalls have proven less effective for P2P challenges. When one firewall port closes, the P2P programs find another. Switches and routers can be reconfigured to stop specific sessions, but the peer-to-peer applications merely “change channels” when faced with a roadblock.

Protection and Traffic Control

UnityOne Intrusion Prevention Systems from TippingPoint give you high-level control of peer-to-peer traffic. The UnityOne Performance Protection capability helps limit or prevent a student’s ability to consume or distribute copyrighted materials. UnityOne throttles or blocks over a dozen known peer-to-peer applications, so you can instantly reclaim significant amounts of valuable bandwidth.

THE REQUIREMENTS FOR INTRUSION PREVENTION

Sophisticated intrusion-prevention systems, like TippingPoint’s UnityOne, are growing in importance. According to Gartner, Inc., an intrusion-prevention system (IPS) must meet specific criteria: Firewalls and gateway antivirus systems are examples of first-generation, network-based IPS. However, firewalls primarily operate at the network protocol level, and antivirus systems largely implement simple, reactive (that is, non-real-time), signature-based detection and blocking. A true network-based IPS must:

• Operate as an in-line network device that runs at wire speeds.

• Perform packet normalization, assembly and inspection.

• Apply rules based on several methodologies to packet streams, including (at a minimum) protocol anomaly analysis, signature analysis and behavior analysis.

• Drop malicious sessions – don’t simply reset connections.

To do all this, network-based intrusion prevention must perform deep-packet inspection of all traffic, and generally must use special-purpose hardware to achieve gigabit throughput. Software-based approaches that run on general-purpose servers may be sufficient for small enterprise use, and blade-based approaches may scale up to some large enterprises. However, for complex networks running at gigabit rates, Gartner believes that application-specific integrated circuits and dedicated security processors will be required to perform deep-packet inspection, and to support blocking at wire speeds.
