In-Depth

Case Study: SUNY-Buffalo Health Science Schools Aim for Network-Admission Controls

The challenge: securing an infrastructure you don’t control

• By Mathew Schwartz
• 07/25/2006

How do you secure an infrastructure you don’t control?

That was the dilemma faced by Brian Murphy, director of health science IT for the University at Buffalo Health Science schools (part of the State University of New York).

To find virus outbreaks and other threats to Health Science computers, Murphy wanted to catalog which PCs were running in his environment, the applications they contained, and monitor for any vulnerabilities.

Complicating his approach, however, is the University of Buffalo’s decentralized IT environment—not unusual for a university—which makes centralized enforcement difficult. “There is no central control that reaches across campus, anywhere,” he says. “There’s a central Active Directory, some unit-level Active Directories, but they all control their own [PC] images. There really is nothing that controls the desktop and enables us to implement a solution.”

Last year, however, he began testing software from Elemental Security Inc., which can enforce PC-level security policies on the fly. Initially he opted to not implement the software and kept looking. When Elemental released version 2.0, however, its new features and the addition of support for Macintosh OS X—plus Windows; Unix versions of IBM (AIX) and Hewlett-Packard (HP-UX); Red Hat Enterprise Linux; and Sun Solaris—he purchased a 4,000-unit license and began rolling it out for University of Buffalo Health Science faculty and staff.

Enforcing Policies in a Decentralized Environment

Murphy says Elemental’s basic paradigm involves groups of PCs with an Elemental software agent running on them. “You define the scenario you want a machine to meet, and you call that a group. The agent will automatically populate these groups, then you can apply policies to that group,” he notes.

Groups are maintained on the fly. For example, when the Elemental server, which enforces policies, detects a PC with a virus, it shunts the PC into the virus group and notifies an administrator. “We go out and remediate that machine. When the Elemental server repopulates, it will see that machine is no longer in the virus group,” he says.

Cataloging PCs and Applications

Murphy was initially drawn to Elemental just as a way to gather information on the PCs in his network. “It gathers all information about hardware on a machine, the running processes, and the software installed—pretty much anything you want to know about the machine itself. It has packet filters that monitor the incoming and outgoing traffic, who’s talking to you, [and] who you are talking to; then there are port filters.”

Those packet filters have come in handy to help SUNY corral users with poor e-mail server habits. “We can make people use the central e-mail server, and that solves a problem the university has historically had of people running their own mail processes.” This has led to outsiders spoofing the addresses or finding open e-mail relays, which sometimes further led to the university e-mail addresses getting blacklisted. “With an Elemental agent, we can see who’s contacting e-mail servers—besides the official ones.”

Implementation Surprises

Murphy runs Elemental on Solaris, backed by an Oracle database, and he says getting it up and running was a relatively straightforward process. “You can pick a set of policies—it comes preconfigured with polices—then see where you are relative to those policies.”

There have been some implementation issues. “I don’t want to oversell this thing,” he admits. For example, “it only works with corporate editions of the antivirus stuff. So I, for example, had a personal edition of the Symantec stuff because I figure I want to be different than everyone else, but it didn’t recognize that.” Also, for assessing patch levels, he says rules must reference the exact patch or signature number, as opposed to being able to say “check that the antivirus signature is less than one month old.” Even so, “My understanding is they’re having discussions with some patch folks, and trying to make it nicer.”

Adapting Elemental to the university’s infrastructure also took time. “For example, when you VPN in—via a split-tunnel VPN—your machine has two IP addresses, and one of the base Elemental groups is, if you’re on-network or off, and we said, ‘they’re both,’” he says. That required some rule tweaking. “We really wanted the perimeter to be the university campus,” and not have Elemental at work when someone was using their PC away from campus.

One implementation surprise, however, was positive. “When we applied the baseline security policies that the things come with, we were actually more compliant than we expected. We were 75-78 percent compliant, and given our whacky environment, I was expecting that to be down around 10 or 20 percent. So it was a small sigh of relief.”

Using the software, however, has meant being willing to work with some bugs, he says. “Elemental is a growing company, and they’re growing very fast, and I think they’re growing almost too fast. Some of the software is not as clean as I’d expect it to be.” For example, he says, the server will sometimes crash, which Elemental has blamed on Solaris 10, but he doesn’t agree. There were also some minor secure-shell problems, since resolved. Regardless, “I think they’re a small group with a great idea, and it’s far enough along that I’m willing to use it.”

Moving From Passive to Active Mode

While Elemental offers automated enforcement capabilities, and can regulate network access, Murphy so far has only used it in passive mode, though he does plan to begin active enforcement. “For the future, what I really want to do is come to a common-sense set of security polices, and actually deploy and enforce those security polices.” For the moment, however, he’s waiting and watching. “My guess is it will be at least a year-long process, and all the while we’ll just collect information,” he says. “My anticipation is we’ll learn more about what’s out there, and make more intelligent decisions about how to proceed.”

Related Articles:

• Best Practices for Effective URL Filtering and Monitoring
• Regulations Spur Adoption of Network Access Control