Q1 2012 Special Report: Campus Infrastructure
The 2012 Q1 Special Report delves into 9 key areas of infrastructure and shows you why they are critical to your campus’ successful future.
Building on the Bring Your Own Device Revolution
Huge numbers of attackers assault the network of the State University of New York Old Westbury.
They come from China, Eastern Europe, compromised cyber cafes around the world and most cable and DSL systems in North America, said CIO Marc Seybold. He's even seen compromised machines probing the network from Afghanistan and Uzbekistan.
These attackers test their power and search for vulnerabilities. He suspects that they're compromising personal machines and building a chain of computers several layers deep to cover their tracks. If the attackers started trying to compromise companies like Google or banks first, the FBI would find out quickly.
"But the schools are subject to such widespread attacks from so many directions that it almost looks like we're the practice runs," Seybold said.
About 2,000 of the college's 4,200 full-time-equivalent students come to campus each day, bringing hundreds of smartphones, tablets and laptops between them. Many leave Wi-Fi enabled even when they are not using the network, and that leaves those devices exposed.
The college has taken a number of steps to defend against these attacks.
It established a layered perimeter around the network: intrusion detection and prevention devices, firewalls and antivirus appliances.
SUNY Old Westbury started tracking user IDs to traffic flows with Riverbed's network performance management solution. That way, it doesn't have to wade through millions of IP packets and run a statistical analysis on them to find out what machines are compromised.
"If you can do the analysis by binding the actual flows with users, you've got an enormous leg up," Seybold said.
For example, one person on campus consistently has traffic flowing to and from Afghanistan. But if another person's machine, which had never exchanged traffic with that country, suddenly starts doing so today, that raises a red flag for the IT team.
Someone calls the user to ask whether they sent, or were expecting, messages from that location. If they did not, technicians reimage the machine to take care of the problem.
While Afghanistan tends to stand out, the college hasn't had many attacks from that country.
He recommends that other universities restructure their environment so that it is hard for anyone without a user ID to get onto the network at all, and then analyze behavior by binding user IDs to application flows.
Because far more traffic typically comes in than goes out, analyzing the outbound traffic by user makes problems stand out immediately, instead of getting lost in the background noise of inbound traffic.
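The approach described above, binding flows to user IDs and then baselining each user's outbound traffic, can be sketched in a few dozen lines. The following is an added illustration, not code from SUNY Old Westbury or from Riverbed's product. It assumes a hypothetical authentication log that records which user held which client IP at what time, a hypothetical outbound flow log, and a constructed prefix-to-country table; all sample records are made up. It flags three things: a user talking to a destination country they have never talked to before, a user whose outbound volume for the day far exceeds their usual level, and any flow from an address with no user bound to it at all.

```python
"""User-bound outbound flow analysis (added example; assumptions are hypothetical)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed prefix -> country table (documentation ranges, not real allocations).
GEO_TABLE = [
    (ip_network("203.0.113.0/24"), "AF"),
    (ip_network("198.51.100.0/24"), "US"),
    (ip_network("192.0.2.0/24"), "CN"),
]


def country_of(ip):
    """Look up the country code for a destination address ('??' if unknown)."""
    addr = ip_address(ip)
    for net, cc in GEO_TABLE:
        if addr in net:
            return cc
    return "??"


# Constructed auth/DHCP-style log: (timestamp, client_ip, user_id).
# Note that 10.1.5.20 is handed from jdoe to bkim at noon, so the same IP
# must resolve to different users depending on the flow's timestamp.
AUTH_LOG = [
    ("2012-03-01T08:00:00", "10.1.5.20", "jdoe"),
    ("2012-03-01T08:05:00", "10.1.5.21", "asmith"),
    ("2012-03-01T12:00:00", "10.1.5.20", "bkim"),
]

# Constructed outbound flow log: (timestamp, src_ip, dst_ip, bytes_out).
FLOW_LOG = [
    ("2012-03-01T09:00:00", "10.1.5.20", "203.0.113.5", 1_000_000),
    ("2012-03-01T09:30:00", "10.1.5.21", "203.0.113.9", 500_000),
    ("2012-03-01T10:00:00", "10.1.5.21", "198.51.100.7", 2_000_000),
    ("2012-03-01T13:00:00", "10.1.5.20", "192.0.2.8", 40_000_000),
    ("2012-03-01T14:00:00", "10.1.5.99", "198.51.100.7", 3_000),  # never authenticated
]

# Constructed per-user baseline from earlier days: countries normally contacted
# and typical daily outbound volume in bytes.
BASELINE = {
    "jdoe": {"countries": {"US", "AF"}, "daily_bytes": 50_000_000},
    "asmith": {"countries": {"US"}, "daily_bytes": 20_000_000},
    "bkim": {"countries": {"US"}, "daily_bytes": 10_000_000},
}


def bind_flows(auth_log, flow_log):
    """Attach a user ID to each flow: the most recent auth event for the source IP
    at or before the flow's timestamp. Flows from IPs with no auth record stay
    unbound, which is exactly what requiring a user ID to join the network avoids."""
    by_ip = defaultdict(list)
    for ts, ip, user in sorted(auth_log):
        by_ip[ip].append((ts, user))
    bound = []
    for ts, src, dst, nbytes in flow_log:
        user = None
        for auth_ts, u in by_ip.get(src, []):
            if auth_ts <= ts:  # ISO-8601 strings of equal format compare in time order
                user = u
        bound.append({"ts": ts, "user": user, "src": src, "dst": dst,
                      "bytes": nbytes, "cc": country_of(dst)})
    return bound


def find_anomalies(bound_flows, baseline, volume_factor=3):
    """Return alerts as tuples: ('new_country', user, cc), ('outbound_volume', user, bytes)
    and ('unbound_flow', src_ip, dst_ip). Each (user, country) pair is reported once."""
    alerts = []
    bytes_by_user = defaultdict(int)
    reported = set()
    for f in bound_flows:
        if f["user"] is None:
            alerts.append(("unbound_flow", f["src"], f["dst"]))
            continue
        bytes_by_user[f["user"]] += f["bytes"]
        known = baseline.get(f["user"], {}).get("countries", set())
        if f["cc"] not in known and (f["user"], f["cc"]) not in reported:
            reported.add((f["user"], f["cc"]))
            alerts.append(("new_country", f["user"], f["cc"]))
    # Volume check is per user, not per IP, so a reassigned address cannot
    # smear one user's traffic onto another.
    for user, total in bytes_by_user.items():
        typical = baseline.get(user, {}).get("daily_bytes", 0)
        if typical and total > volume_factor * typical:
            alerts.append(("outbound_volume", user, total))
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(bind_flows(AUTH_LOG, FLOW_LOG), BASELINE):
        print(alert)
```

With the constructed data, jdoe's Afghanistan traffic produces no alert because it is in that user's baseline, while asmith's first contact with the same country does; bkim inherits jdoe's old IP address but is correctly flagged on their own baseline for both a new country and an outbound volume spike; and the flow from the never-authenticated 10.1.5.99 is reported as unbound. In practice the baseline would be built from weeks of bound flows rather than typed in by hand.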
In one building a few years ago, the network performed poorly for two weeks. Technicians could not find the cause, and employees were not happy.
The college started a 30-day trial of the Riverbed product. Within 15 minutes, it isolated six or seven machines in that building that were infected with malware.
The IT team used network consoles to shut down ports those machines were connected to. And the entire building went back online. At the end of 30 days, Seybold was so impressed with the things it found that he actually purchased the unit. And that's pretty rare, he said.
By analyzing behavior, binding user IDs to app flows, and looking at outbound traffic, SUNY Old Westbury is defeating network attackers one by one.
You may use or reference this story with attribution and a link to
http://www.convergemag.com/infrastructure/SUNY-Old-Westbury-Fends-off-External-Network-Attacks.html