
Channel

March 2003, Issue No.38

What's inside ...

● Campus I.T. Security

❍ Network Security Infrastructure

● HKUST Card

● Mobile Network Development Updates

● New Internet Printing Service

● Lecture Theaters and Classroom teaching facilities enhancements

● Computer Barns updates

● EZproxy - Off-Campus Access to Library databases


Campus I.T. Security

Globally speaking, the number of computer and network security incidents has been increasing remarkably in the past few years. This worldwide phenomenon is having various impacts on our campus I.T. infrastructure, ranging from so-called Denial-Of-Service (DoS) attacks to virus infection of end-users' desktop / notebook computers. In order to maintain a stable and secure computing environment, it is advisable that every one of us, including computer system administrators, software developers, advanced users and normal end users, takes appropriate precautions against the various possible forms of cyber attack.

In general, the scope of Campus I.T. Security comprises the following 3 tiers:

Network

Mainly related to network infrastructure including the design of topology, the networking device deployed and their configurations, etc.

Service Provider Side

Includes servers managed by ITSC, individual units or even users' desktop machines that are providing services to others (examples of such servers include Linux machines for scientific computation or research purposes, Microsoft servers for file sharing, Unix or Microsoft web servers for various dedicated purposes, etc.)

Owners of these "servers" will usually keep their machines free of security loopholes / backdoors by configuring system and software parameters properly, installing security patches periodically, defining appropriate access control, etc.

End-User Side

Includes users' personal machines like desktop or notebook computers. Users will usually protect their machines by installing anti-virus software, disabling unnecessary features and software, etc.

Facing such a diversified scope of security problems, ITSC has been taking 2 different types of measures to maintain the Campus I.T. Security:

1. Preventive Measures

The primary purpose of preventive measures is to minimize the possibility of security problems on our campus I.T. infrastructure. It is obviously better to prevent a problem from happening at all than to remedy the damage after it occurs. To this end, ITSC has been taking an active role in proactive and preventive measures like defining the campus border router and firewall configuration, implementing an Intrusion Detection System, securing ITSC's server operating systems and applications, installing anti-virus software on our email servers, providing anti-virus software to end users, etc.

We also perform risk assessment, keep users informed of virus information and high-risk virus alerts via news announcements / the mailing list to departmental support staff, and provide briefings / training to Computer First-Aid Officers and ITSC Student Consultants. Some details on our approaches and examples can be found below:

● Approaches taken to Install Security patches for ITSC's servers

● Anti-virus for Email System

● Virus Prevention for File Server and End User

By the use of Intrusion Detection technology, potential security problems can be discovered earlier, hopefully before the real attack. Usually, once network intrusion or security problems are detected, reactive measures will need to be taken, as described below.

2. Reactive Measures

In principle, security incidents can never be totally eliminated because there are always malicious people in the world. The existence of bugs or design loopholes in hardware or software also compounds the problem in a fast-advancing IT industry. Taking anti-virus technology as an example, it should be obvious that any virus-preventing capability can only come after a particular virus has first been identified somewhere. It may take only a few days for anti-virus technology to be able to deal with a new breed of virus, but in that window the threat cannot be totally eliminated.

ITSC has been the central focal point on campus whenever a computer or network security incident is noted. We respond to different security-related cases and coordinate with departments accordingly, providing consultation and professional advice to users on remedial actions. We also investigate cases where a potential security loophole or vulnerability is observed.

The following shows some typical reactive measures that ITSC has taken in the past:


the default ports employed by the SQL Slammer.

● Reacting to abuse complaints such as machines being exploited to send SPAM messages, and coordinating with related parties to close the loopholes / backdoors.

● Investigating hacking cases and providing recommendations for securing the involved machines.

Details on our approaches can be found here:

● Approaches taken for Case Investigation

Apart from all the security measures taken by ITSC, users' security awareness and participation also play an important role in securing our I.T. environment. The following lists some security practices that are highly recommended for all types of users:

● Apply security fixes timely and regularly, including critical security patches for operating systems such as Windows, Linux, etc., and security patches for applications such as Microsoft Office, Internet Explorer, Netscape, RealPlayer, etc.

● Have a good understanding of installed software and be familiar with its required configuration.

● Disable unnecessary services and software.

● Enforce proper access control when file sharing is required.

● Disable unused accounts.

● Apply strong password policy.

● Install Anti-Virus Software and perform periodic update of virus signature database.

In any case, users are advised to consult their departmental support staff or seek recommendations from ITSC at [email protected] should they have any queries or problems related to computer and network security. A stable and secure I.T. environment can surely be achieved with the efforts of every one of us.

Approaches taken to Install Security patches for ITSC's servers

Installing security patches into a server operating system or software application is not a simple task and requires extensive knowledge in the area. Sometimes a patch may introduce other software bugs into the server operating system, or the new security patch may not be compatible with the existing applications running on the server.

In general, we study the seriousness of the vulnerability, assess its impact and relevance, test its compatibility with the existing setup, back up the affected system and arrange a suitable time to install the patches.


Anti-Virus for Email System

The spread of computer viruses via email is getting very common nowadays. This kind of virus is usually disguised as an email attachment containing malicious code that gets executed when a user opens it. Worse still, such virus-containing emails do not only come from unknown or suspicious sources, but also apparently from friends or colleagues, mainly because their machines have already been infected.

To protect our users from receiving virus-containing emails, minimize the chance of virus infection and stop known virus propagation, ITSC has implemented an anti-virus mechanism on our Email System since 2001. So far, on average, around 1% of the email messages handled daily by our email system, including both incoming and outgoing emails, are found to contain viruses and are rejected by our email servers to prevent further spreading to our end users.

● Incoming Mail

With virus detection on the email server, incoming messages found to carry known viruses are rejected automatically and the sender is notified (receives a bounce-back message). It is expected that the risk from those notorious email viruses will be significantly reduced.

● Outgoing Mail

There may be cases where users are not aware that their documents are infected (e.g. the user's machine is not equipped with up-to-date anti-virus tools) and send them to others as mail attachments. With the virus detection feature, such outgoing mail is not delivered and the user receives an undelivered bounce-back message, e.g. virus "name of the virus" found. In this way, users become aware that their machines may be infected and should take action to clean up as soon as possible.

Most known viruses should be detected by the anti-virus software on our email server; however, there is always a risk of new viruses going undetected. Hence, users should also be very careful in handling email attachments, update the virus definition database on their computers regularly, etc. For details, please refer to our web site on Anti-Virus in Campus.

Virus Prevention for File Server and End User

Basically, anti-virus needs to be implemented on both the server side and the client side.

File Servers

Apart from installing anti-virus software on the email server, ITSC has evaluated different anti-virus software for Windows servers and coordinated with departments on the purchase of a cost-effective solution. Administrators are advised to define appropriate access control, as viruses can easily spread through file shares without any access control. Besides, Windows XP users are advised to disable the simple file sharing feature.

End Users

Installing anti-virus software on users' machines is essential, as typical virus cases are introduced because an end user has opened or executed a viral attachment, file, screensaver, etc. Sometimes a viral attachment may arrive on a user's machine when they access a mailbox offered by another Internet Service Provider, which our email server does not scan.

New viruses appear almost every day, so keeping the anti-virus software updated is equally important. ITSC has performed an in-depth study of automatic updating mechanisms and advises our users to enable automatic virus definition database updates.

Approaches taken for Case Investigation

From time to time, ITSC receives complaints from system administrators of external bodies, or is asked for help by departments or end users.

External Bodies

Usually, these are complaints about machines within HKUST being used / involved in a cyber attack, or being used to send spam emails to others. We work with these system administrators to locate the machines involved and isolate them from our network if the attack is vigorous.

In general, we contact the related end user to fix the issue and provide professional advice to them. If the machine is in an open area such as a departmental laboratory, we also seek help from the departmental support staff.

If we fail to rectify the problem or handle the spamming complaints in time, the affected server (or at worst the whole HKUST mail domain) may be blocked / blacklisted at the related parties' mail servers.

Departments

Occasionally, a departmental server may be hacked by an outside hacker through known system loopholes / backdoors if the related security patches have not been applied. In these cases, ITSC provides professional advice to the department involved, such as locating the origin of the problem and the procedures required to close the vulnerability.

End Users

End users may receive virus hoaxes that look like virus warnings and seek advice from us, or they may observe strange behaviour on their desktops, like slow performance, unknown files appearing, etc., and seek help from us.

Sometimes, users may receive rejected mails that they never sent. In fact, these rejected mails are often caused by a common virus sending spam messages to invalid accounts using any entries found in the address book of an infected machine, with the user's address forged as the sender. In these cases, we help the user to identify the originating site and advise them to file a complaint with it.


Network Security Infrastructure

The computer network is nowadays regarded by every one of us as an indispensable campus IT infrastructural service. It is a bread-and-butter utility service that provides access to our intranets and the global Internet. On the one hand our campus network brings information-at-your-fingertips convenience to us, but on the other hand it also introduces possible security risk exposures. It is therefore vital for us to institute an appropriate level of network security while ensuring its high availability.

Briefly speaking, ITSC has employed a 3-pronged approach to mitigate network security threats in our environment:

● Preventive security measures

● Proactive network management

● Reactive security responses

Preventive Security Measures

Prevention is always better than cure. The following are some notable preventive measures that are incorporated in the design and development of our campus network:

● HKUST network is principally a switched network environment, which makes network eavesdropping difficult.

● A set of load-balancing network firewall systems is operated in a high-availability (HA) mode to protect our campus from the global Internet:

❍ adopt network filtering of commonly exploited traffic protocols, following the good security practice recommended by authoritative security advisory sites like SANS and CERT; e.g. NetBIOS protocols are filtered at the network border

❍ apply filtering of unwanted traffic associated with well-known network worms or attacks like Code Red and Nimda

● Flexible control is made feasible through additional distributed security control at our border and backbone routers, as well as some intelligent switches, by specifying access control lists for restricted network access

● Deployed managed network devices as our standard to ease remote network


instance, it is not uncommon we spot a compromised computer generating high level of traffic which interferes our network environment and affects other users. By tracing the traffic source with the help of our network database, we are able to promptly disable the concerned network port from remote and contain the problem.

Proactive Network Management

Proactive efforts are also spent to identify possible malicious network activities through ongoing network monitoring:

● Hackers commonly conduct network port-scanning activities prior to launching an attack, with the intention of locating vulnerable service ports on servers and desktops. Such scanning activities are monitored by us through automated hourly, daily and weekly port-scan reports. For malicious incoming port scanning from the Internet, we report the incident via automated mail to the remote ISP or network domain administrator for further follow-up. For scanning activities initiated from within the campus, we contact the related user or technical support staff. From our past experience, this really helps in identifying, in a timely manner, stations that have been compromised by hackers without the owner's prior awareness.

● Network-based intrusion detection systems (NIDS) are deployed to provide early warning of suspected intrusion activities. By constantly updating the signature database to keep track of the latest attacks, we are able to determine when there is a need to adjust our security settings in advance, before an attack prevails in our environment. Reports from these systems also enable us to easily identify compromised systems within campus that are launching network attacks under remote control by hackers.

● By correlating network graphs and reports based on our comprehensive network statistics, we are able to spot security-related anomalies, e.g. an abnormally high connection rate, or an atypical level of network flooding. Automated threshold alarms are also set up to signal anomalies for the events we are concerned about, so that we can respond in time to minimize the impact.

● Our IT staff also keep close tabs on the latest security alerts from authoritative security sites, assess their impact on us, and take appropriate measures to safeguard our environment. For instance, on receiving the security alert for the Linux Slapper worm back in Sep 2002, our engineers proceeded to institute additional protection at our network firewalls. With such proactive measures, our campus was subsequently hit much less by this worm than some other UGC sister institutions.

Reactive Security Responses


advance, and under such circumstances, we need to complement the above by reactive security response activities like the typical ones below:

● There are times when a network worm spreads so rapidly that security alerts or incident reports have not yet been released by authoritative security sites at the very beginning. In that case our engineers have to conduct a detailed investigation ourselves with the help of low-level traffic analyzers, and apply an interim remedial fix to contain the problem before more information is available from the security community.

● Occasionally our network may also come under distributed denial-of-service (DDoS) attack from the Internet, flooding our network pathways. In that case we need to find out the attack sources quickly and coordinate with our upstream ISP to set up corresponding network filters until the culprits are subsequently isolated from the network.

● From time to time we also receive reports from our users on suspected network security breaches on their machines. Based on the symptoms and the subsequent findings of our engineers, we may assist in the following ways:

❍ impose interim security filters to stop further hacking or intrusion activities, while at the same time following up with the related network administrators for remedial actions

❍ provide advice or recommendations to affected users on possible remedial actions, e.g. applying patches to harden their system, or removing non-essential but vulnerable system components, etc.

The Road Ahead

It is our ongoing aim to provide a more secure campus network environment, though we are well aware that the above 3-pronged approach is no panacea for emerging security problems. Inevitably there will still be some security incidents to which we can only react when they happen, like the SQL Slammer case. Nonetheless, ITSC will continue to explore better ways of enhancing network security along the following directions:

● Introduction of more intelligent network gear to provide finer and more effective distributed security control, e.g. confining the scope of impact during a distributed denial-of-service (DDoS) attack to a smaller region

● Installation of additional firewall systems at suitable enforcement points within campus

● Explore when it is mature to deploy emerging intrusion prevention systems (IPS) in


WWW & Server Technology

HKUST Card in Campus Computing Environment

HKUST Card has been issued to all students through Admissions, Registration & Records Office in Feb 2003. It is a smartcard stored with user's information such as student ID, name, department, etc. Students can use this card as their personal identification for access to University resources and services.

To further enhance our computing environment, ITSC has designed a new type of digital certificate, namely the Personal (Smartcard) e-Cert, specifically for the HKUST Card. Students can apply for their digital certificates and store them on the HKUST Card. Within the first 3 weeks after the HKUST Card was issued, more than 2,000 students had applied for their Personal (Smartcard) e-Cert certificates. It is expected that more and more HKUST members will obtain a Personal (Smartcard) e-Cert for electronic transactions on both the Intranet and the Internet once the HKUST Card is issued to faculty and staff members in the coming future. We believe this smartcard, together with the Personal (Smartcard) e-Cert, will play an important role in our campus IT infrastructure in various aspects like

● Efficient Proof of Identity

● Secure Authentication

● Improved Access Control

● Reduced Administration Overheads

● Faster Electronic Transaction, etc.

With the HKUST Card, you can enjoy a number of services in a different way now and in future.

For more information, you may refer to our web page at http://www.ust.hk/itsc/hkustcard/

We look forward to the day when, with more and more applications developed by us and other departments, this smartcard brings us a secure and efficient computing environment and leads us into a new digital era.

Network Systems Team

MobileNet Development Updates

ITSC has recently installed additional wireless access points in the past two months to extend the wireless MobileNet coverage to the following locations:

● All 14 IT Classrooms - in addition to the 7 larger IT classrooms, the remaining 7 smaller IT classrooms will be covered. Hence afterwards, all 14 such classrooms will be covered: Rm.1402, 1403, 1505, 2302, 2303, 2306, 2405, 2407, 2464, 2465, 2503, 3006, 4333 & 4334

● All 10 Compact Classrooms - Rm.1401, 1504, 1511, 2304, 2404, 2406, 2502, 3301, 3401 & 3412

● 5 Student Hall G/F "Common Rooms" - the 5 "common rooms" each located on the ground floor of UG Hall 1-4 and PG Hall 2

● 4/F Students' Union Area Between Lift 2 & Lift 3 - this covers the meeting rooms (Rm.4017-4020) and the corridor areas between the two lifts

You are welcome to send in your suggestions on other locations where we should provide this service. For further details of our MobileNet service including its overall coverage, please refer to its home page at:

Mr. Steve Yau, [email protected]

New Internet Printing Service

Introduction

During Jan 2003, ITSC upgraded all our existing print servers to Windows 2000 platform. Other than retaining existing capabilities, the new printing environment also provides Internet Printing mechanism via Internet Printing Protocol (IPP).

Internet Printing Protocol (IPP) is a mechanism for printing documents over the Internet. It provides an emerging standard for network printing and so allows much greater printing flexibility.

Next Generation of Network Printing Solution

Internet Printing Protocol is designed to become a universal standard for printing. By adopting IPP, ITSC has laid a state-of-the-art infrastructure that can leverage the next generation of network printing.

What IPP can ultimately help with is integrating the printing implementations of different operating environments, like Unix, Linux, Mac, Windows, etc. Features like remote administration, security support (secure communication, authentication and authorization) and print accounting service have been put on the wish list for IPP's future development (see RFC 2567).

Our current implementation is based on Microsoft Windows 2000's Internet Printing feature, which adopts IPP standard v1.0 with Microsoft's own extensions. IPP standard version 1.1 has been released, and more features on the wish list are anticipated to be released in future.

ITSC will keep a close eye on this trend and extend this service to a broader community of users should the new technology become available.

Immediate Benefits to Campus Users

Previously, notebook Windows 2000/XP users found it difficult to access network printers, since their machines cannot be joined to our Windows 2000 domain.


Now, with IPP, they can readily connect to campus printers and print documents at any access points.

The new service is now ready. Installation procedures and further detailed information for IPP can be found via

Mr. David Shiu, [email protected]

Lecture Theaters and I.T. Classrooms Enhancements

ITSC has recently made a few enhancements in Lecture Theaters and I.T. classrooms. We have recently purchased two brand new video projectors for Lecture Theaters to replace the old ones, which have already served us for more than three years. The new BARCO video projector is brighter (4,300 ANSI lumens) and has higher resolution.

We are in the process of upgrading our Presentation Computers. To enable our teaching colleagues to present with modern multi-media presentations, we are now upgrading the PCs in LTs and I.T. Classrooms. The new machines are P4 at 2.66GHz, equipped with 512M memory, which should be capable of handling the most sophisticated presentation needs. The upgrade is scheduled to be completed in March. At the same time, ITSC has taken this opportunity to re-install the PCs of all LTs and I.T. Classrooms. This includes installing new programs and dropping old and unused ones. After this clean-up, the computers show better startup and shutdown performance.

At the same time, we are introducing support for driverless USB memory keys. A USB memory key appears as a disk drive when plugged into the USB port of a Windows 2000/XP computer, and there is no need for users to install any device drivers, as the installation is fully automatic. We have installed USB ports on the front panel of the PCs in LTs and I.T. Classrooms. This enables our users to insert / remove their USB memory keys easily without much trouble.

Last of all, Library has released an Online Catalogue System which is compatible with Windows 2000 and XP. We have now installed this new version in all LTs and I.T. Classrooms.

Miss Theresa Lo, [email protected]

Forthcoming Enhancements in the Computer Barns

1. Replacement of LaserJet 8100 Black & White Laser Printers with LaserJet 8150 models

With the heavy usage of the Black &White laser printers in the Computer Barns, a number of the 8100 model Laser Printers have been worn out, causing frequent break downs and paper jams. These 8100 models were purchased almost three years ago, during the summer of the year 2000. These printers will be traded-in to the vendors to obtain an attractive price for the new replacement 8150 model (the same model that is already deployed in various Computer Barns). The procurement is now in progress and the new 8150 printers are anticipated to be in service in May.

2. New AV Facilities in Computer Barns Teaching Areas

The teaching areas of Computer Barns A & C are busy venues booked for IT-based teaching. To enhance the presentation facilities in these teaching areas, some of the existing instructional facilities will be upgraded and integrated into a centralized control system. Since most instructors are already familiar with the audio/visual teaching environment in the University IT-Classrooms, the design of the control system will follow that of the IT-Classrooms.

The new instructional facilities include:

● S-VHS multi-system, Hi-Fi, Nicam VCR

● DVD/VCD/CD player

● AV Mixer Stereo Amplifier

● Enhanced VHF Wireless Clip Mic System

● Sockets for notebook connection

These facilities are targeted to be made available after the Easter Holidays and through this exercise, we hope to bring convenience and ease of operation of the Audio/Visual Equipment to the users, enhancing the teaching and learning environment in the Computer Barns.

WWW & Server Technology

EZproxy - Off-Campus Access to Library databases

The use of broadband internet connection has become more and more popular, especially with the affordable cost due to keen market competition in the telecommunication sector. While users can enjoy fast connection to the Internet as well as to the campus network from home, new problems are exposed.

One such problem experienced by many users is access to on-line Library resources from home over a broadband connection. The commercial providers of those on-line Library resources usually implement licensing control by limiting access to a known range of network addresses (i.e. IP addresses). However, users with broadband connections are assigned network addresses by their service providers, which are different from the campus ones. As a result, these users were not able to access the on-line resources of the Library from home.

Last Fall, the Library explored with ITSC the idea of implementing a gateway for these users to access the on-line resources. After reviewing a few possible solutions, it was decided to adopt a technology called EZproxy that is commonly used among academic libraries worldwide. Namely, users connecting from home can now be "proxied" by a central server on campus when using the on-line Library resources, after a simple authentication step using their ITSC Network Password. It is hoped that such a facility will greatly facilitate access to valuable academic and research knowledge from anywhere, anytime.

More details can be found in the following web page of Library:

Mr. Charles Choy, [email protected]

HKUST Now Connected to Internet2

Internet2® is a consortium being led by 200 worldwide universities working in partnership with industry and government to develop and deploy advanced network applications and technologies, accelerating the creation of tomorrow's Internet. Internet2 is recreating the partnership among academia, industry and government that fostered today's Internet in its infancy. The primary goals of Internet2 are to:

● Create a leading edge network capability for the research community

● Enable revolutionary Internet applications

● Ensure the rapid transfer of new network services and applications to the broader Internet community

ITSC has been working with the JUCC (Joint Universities Computer Centre) to establish a 45 Mbps Internet2 connection through HARNET (Hong Kong Academic and Research Network) to the United States. This Internet2 link is shared by all the 8 JUCC member institutions. After thorough testing, the connection was finally established in late Oct 2002.

In the past few months, academics and researchers from the tertiary institutions in Hong Kong have started many Internet2 collaborative research activities with their overseas peers. Examples include

● Atmospheric research

● Distance learning projects using videoconferencing technology

● Bioinformatics databases

● Grid Computing

● Telemedicine

In addition, the HARNET Internet2 connection has been enhanced to support advanced networking features. For example, the next generation network protocol, IPv6, is currently supported together with IPv4. HARNET has also been enhanced to support IP multicast, which allows effective point-to-multipoint network communications.

More information on Internet2 can be found at:

http://www.jucc.edu.hk/Internet2


Choy (e-mail: [email protected]).
