
Network bouncers

Late at night and on the weekends, when most members of the University staff are resting or sleeping, CIT networking manager Peter Olenick sits at his home computer, standing guard.

As head of the University's ad hoc network security team, one of Olenick's duties is to watch the network traffic graphs for irregularities that might indicate a network attack.


While he was monitoring the graphs earlier this month, Olenick noticed a sudden spike in network traffic, a common indicator that a denial of service (DoS) attack was under way. Attacks of the same kind made news last February by shutting down popular Websites such as Yahoo and Amazon.com.

DoS attacks usually involve flooding the victim computer with packets — the small chunks of data that are used to transmit information over the Internet — until that computer becomes so busy processing the bogus packets that it can no longer respond to legitimate users.

The packets are sent by programs planted on compromised computers; the owners of such machines usually have no idea that their systems are being used as part of a DoS attack.
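The kind of irregularity Olenick was watching for can be checked automatically. The following is an added example, not code from the article or from Princeton's CIT: it runs a robust spike detector over a constructed series of per-minute packet counts. The baseline uses the median and median absolute deviation (MAD) of a trailing window rather than the mean and standard deviation, so the flood itself does not inflate the threshold, and intervals already flagged are kept out of later windows so a sustained flood does not become the new normal. The counts, window size and threshold factor are assumptions chosen for illustration.

```python
"""Flag sudden traffic spikes in a per-interval packet-count series.

Added example, not tooling from the article or from CIT. The sample counts
are constructed, not real measurements from any campus network.
"""
from statistics import median

# Constructed per-minute packet counts. Normal late-night load sits around
# 900 with noise; a flood begins at index 14 and stops at index 19.
SAMPLE_COUNTS = [
    910, 880, 940, 905, 870, 960, 920, 890, 935, 915, 900, 945, 880, 925,
    2500, 7800, 8100, 7950, 8200, 800, 790,
]

# Scales MAD to a standard-deviation equivalent for roughly Gaussian noise.
MAD_TO_SIGMA = 1.4826


def robust_baseline(window):
    """Return (median, MAD) for a window of counts; MAD is floored at 1.0
    so a perfectly flat window does not produce a zero-width threshold."""
    med = median(window)
    mad = median(abs(x - med) for x in window)
    return med, max(mad, 1.0)


def detect_spikes(counts, window=10, k=8.0):
    """Return the indices whose count exceeds
    median + k * MAD_TO_SIGMA * MAD of the trailing window of unflagged counts.

    The first `window` intervals only build the baseline and are never flagged.
    """
    flagged = []
    clean = []  # trailing history of counts judged normal
    for i, x in enumerate(counts):
        if len(clean) >= window:
            med, mad = robust_baseline(clean[-window:])
            if x > med + k * MAD_TO_SIGMA * mad:
                flagged.append(i)
                continue  # do not let the flood pull the baseline up
        clean.append(x)
    return flagged


def spike_windows(counts, window=10, k=8.0):
    """Group flagged indices into contiguous (start, end) ranges, inclusive."""
    ranges = []
    for i in detect_spikes(counts, window, k):
        if ranges and ranges[-1][1] == i - 1:
            ranges[-1] = (ranges[-1][0], i)
        else:
            ranges.append((i, i))
    return ranges


if __name__ == "__main__":
    for start, end in spike_windows(SAMPLE_COUNTS):
        print(f"suspected flood from interval {start} to {end}: "
              f"{SAMPLE_COUNTS[start:end + 1]}")
```

On the constructed series the detector reports one contiguous flood covering intervals 14 to 18 and stays quiet once the counts fall back to the pre-attack level.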

The attack Olenick observed, however, was thwarted within a few hours. He and his colleagues were able to isolate from the University network the system sending the packets and notify the computer's owner that the machine had been compromised. "We closed it down as soon as we detected it," he said.

Olenick and many of his coworkers at CIT form an unofficial team to manage the security of the University's network. While other universities like Stanford have formed specialized groups to deal with this issue, Princeton has no such organization.

"What we've attempted to do is to use the expertise of all people involved and try to make it a group effort," Olenick said.


Ira Fuchs, technology adviser to the president and former University vice-president for CIT, said financial considerations played into the University's decision not to staff a formal security team.

"I think part of the reason was we didn't feel at the time that we could afford to dedicate a full [full-time employee] to only worry about network security," he explained.

Irwin Tillman, a network specialist at CIT, added that "probably everyone that's involved in security is doing that in addition to other responsibilities."

Yet the University's current staff members already have their hands full trying to keep up with the number of attacks on the campus network. "More people are poking at the machines than you could possibly follow up on," Tillman said. "There's always something you're not going to catch."


Protecting the University's network remains a monumental task no matter who is responsible for it. The very nature of college computing makes Princeton's network a tempting target for hackers: the demands of an academic environment, such as person-to-person file transfers and data exchange between researchers, require a degree of openness that would be unnecessary, and unacceptable, on a corporate network.

The first line of defense for Princeton's network is its two border routers, MAINGate and VGate1, which control access between the University and the rest of the world.

In a corporate network, a firewall at this point would take a default-deny stance, blocking every kind of packet except the few the business needs, for example the HTTP packets used to transmit Webpages.

But because University network users may need to do a lot more through the network than just surf the Web, the University takes the opposite, default-allow approach: all packets may enter except a few types known to be used by hackers, according to Olenick. Anything new or unanticipated is therefore admitted until someone adds it to the list.
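The difference between the two postures is easiest to see in the access-list logic a border router applies. The following is an added example and not the configuration of MAINGate, VGate1 or any real firewall: it models a first-match access list with an explicit default action, then evaluates the same constructed inbound packets under a default-allow blocklist and under a default-deny allowlist. The rules, ports and packets are assumptions chosen for illustration; the "known hacker" ports in the blocklist are a constructed set, not the University's.

```python
"""Default-allow blocklist versus default-deny allowlist at a border router.

Added example, not configuration from Princeton's routers. Rules are
evaluated top to bottom and the first match wins, as on a router ACL; if no
rule matches, the list's default action applies.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str   # "permit" or "deny"
    proto: str    # "tcp", "udp" or "any"
    ports: range  # destination ports this rule matches
    note: str = ""


def matches(rule, proto, port):
    """True if the packet's protocol and destination port fall under the rule."""
    return (rule.proto == "any" or rule.proto == proto) and port in rule.ports


def evaluate(acl, default, proto, port):
    """Return 'permit' or 'deny' for one packet under a first-match ACL."""
    for rule in acl:
        if matches(rule, proto, port):
            return rule.action
    return default


def admitted(acl, default, packets):
    """Return the descriptions of the packets the ACL lets through."""
    return [desc for proto, port, desc in packets
            if evaluate(acl, default, proto, port) == "permit"]


# Default-allow posture: drop a few ports known to be abused, let the rest in.
# (Constructed blocklist: 135-139 Windows/NetBIOS, 1433 MS SQL, 31337 a
# classic backdoor listener.)
BLOCKLIST_ACL = [
    Rule("deny", "any", range(135, 140), "Windows/NetBIOS"),
    Rule("deny", "tcp", range(1433, 1434), "MS SQL"),
    Rule("deny", "tcp", range(31337, 31338), "backdoor listener"),
]
BLOCKLIST_DEFAULT = "permit"

# Default-deny posture: admit only the services the site chooses to offer.
ALLOWLIST_ACL = [
    Rule("permit", "tcp", range(80, 81), "http"),
    Rule("permit", "tcp", range(443, 444), "https"),
    Rule("permit", "udp", range(53, 54), "dns"),
    Rule("permit", "tcp", range(22, 23), "ssh"),
]
ALLOWLIST_DEFAULT = "deny"

# Constructed inbound packets: (protocol, destination port, description).
INBOUND = [
    ("tcp", 80, "web request"),
    ("tcp", 22, "ssh login"),
    ("tcp", 21, "ftp transfer from a research partner"),
    ("tcp", 139, "NetBIOS share probe"),
    ("tcp", 6000, "X11 display probe"),
    ("tcp", 5555, "unlisted service (constructed port)"),
]


if __name__ == "__main__":
    print("default-allow admits:", admitted(BLOCKLIST_ACL, BLOCKLIST_DEFAULT, INBOUND))
    print("default-deny admits: ", admitted(ALLOWLIST_ACL, ALLOWLIST_DEFAULT, INBOUND))
```

The blocklist stops the one probe it knows about and waves through the X11 probe and the unlisted service along with the legitimate FTP transfer; the allowlist stops every probe but also refuses the research partner's FTP session, which is exactly the openness trade-off the article describes.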

Once past the central routers, the University's network branches out through various switches and hubs until it reaches individual computers. At this level, few security measures exist to restrict internal activities. "The campus is relatively open once you're inside," Olenick said.

For example, many passwords are transmitted through the Princeton network "in the clear," meaning that they are not encrypted, and theoretically could be read by someone who is "sniffing" packets on the University network. Sniffing occurs when a computer on the network is used to passively eavesdrop on data traveling to other computers on the same network segment; the legitimate sender and receiver see nothing unusual.
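What a sniffer recovers from such traffic is a matter of pattern matching, not cryptanalysis. The following is an added example, not a tool used by CIT or described in the article: it scans a constructed capture of client-to-server lines in the POP3, FTP and IMAP command dialogues, all of which carry the username and password as plain text commands, and harvests the credentials. The capture, hosts and credentials are constructed; the addresses are from the RFC 5737 documentation ranges. A TLS-protected session is included to show that the same scan yields nothing once the payload is encrypted.

```python
"""Harvest cleartext credentials from a constructed packet capture.

Added example, not tooling from the article or from CIT. Each capture entry
is (source, destination, payload line) as a sniffer might log them after
TCP stream reassembly; all of it is constructed for illustration.
"""
import re

# Well-known server ports whose login dialogue is plain text.
CLEARTEXT_PORTS = {110: "pop3", 21: "ftp", 143: "imap"}

# IMAP authenticates with "<tag> LOGIN <user> <password>" in one line.
IMAP_LOGIN = re.compile(r"^\S+\s+LOGIN\s+(\S+)\s+(\S+)", re.IGNORECASE)

CAPTURE = [
    # POP3: USER then PASS, each acknowledged by the server.
    ("198.51.100.5:110", "192.0.2.10:1034", "+OK POP3 server ready"),
    ("192.0.2.10:1034", "198.51.100.5:110", "USER jdoe"),
    ("198.51.100.5:110", "192.0.2.10:1034", "+OK"),
    ("192.0.2.10:1034", "198.51.100.5:110", "PASS tiger1999"),
    ("198.51.100.5:110", "192.0.2.10:1034", "+OK Mailbox locked"),
    # FTP: same USER/PASS pattern, lower-case commands are still valid.
    ("192.0.2.22:2001", "198.51.100.9:21", "user anonymous"),
    ("198.51.100.9:21", "192.0.2.22:2001", "331 Please specify the password."),
    ("192.0.2.22:2001", "198.51.100.9:21", "pass guest@example.org"),
    ("192.0.2.22:2001", "198.51.100.9:21", "LIST"),
    # IMAP: tagged LOGIN command.
    ("192.0.2.31:1500", "198.51.100.5:143", "a001 LOGIN msmith s3cret"),
    # POP3 over TLS (port 995): the sniffer sees only ciphertext.
    ("192.0.2.40:1600", "198.51.100.5:995", "\x16\x03\x01\x00\x8a\x01\x00\x00"),
]


def dest_port(endpoint):
    """Extract the port from an 'address:port' string."""
    return int(endpoint.rsplit(":", 1)[1])


def harvest_credentials(capture):
    """Return (protocol, server, username, password) for every completed login.

    A USER command is remembered per flow until the matching PASS arrives, so
    interleaved sessions and unmatched commands do not produce false pairs.
    Server-to-client lines and unwatched ports are skipped.
    """
    pending = {}  # flow (src, dst) -> username awaiting its PASS
    found = []
    for src, dst, line in capture:
        proto = CLEARTEXT_PORTS.get(dest_port(dst))
        if proto is None:
            continue
        if proto == "imap":
            m = IMAP_LOGIN.match(line)
            if m:
                found.append(("imap", dst, m.group(1), m.group(2)))
            continue
        cmd, _, arg = line.strip().partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            pending[(src, dst)] = arg
        elif cmd == "PASS" and (src, dst) in pending:
            found.append((proto, dst, pending.pop((src, dst)), arg))
    return found


if __name__ == "__main__":
    for proto, server, user, password in harvest_credentials(CAPTURE):
        print(f"{proto:5} {server:20} {user} / {password}")
```

Three credential pairs fall out of the constructed capture; the TLS session on port 995 contributes nothing, which is the whole argument for moving mail and shell logins onto encrypted protocols.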

Other than pranks, however, the University has been generally free of attacks from inside its network. "I can honestly say that I have not found on campus any malicious use of computing facilities," Olenick said.

The sheer number of computers connected to the University's network — about 15,000 devices, according to Olenick — presents another major security issue.

From PCs running Linux, Windows and Mac operating systems to Unix and Silicon Graphics workstations, the configurations and ages of these machines vary greatly — making it difficult for the University to scan its own network. Scanning, a commonly used security measure, would allow CIT to identify exploitable weaknesses in network computers.

"Some pilot efforts were made," CIT spokeswoman Rita Saltz wrote in an e-mail, "but because of the wide variety and age of the network-connected devices, it became obvious that considerable tuning would be needed to conduct such scans without interrupting service in some departments."

Even if the University does not scan its network for weaknesses, others certainly will.

"[The most frequent attacks] I see are those probing for vulnerabilities — and, if successful, the resulting attacks on other sites from the captured Princeton host," Saltz said.

The second-most-frequent form of attack involves University computers that are compromised and used as "drop boxes" to store pirated software, music or movies.

The most dangerous attacks, however, are the ones that are never discovered — "the successful unauthorized entries in which the hacker has put the computer or account 'in reserve' for use at a later time," Saltz said.

Dealing with an attack after it has been detected is also a tough task. CIT can do little more than identify the computer from which the attack originated.

CIT typically can only contact the Internet service provider for the attacking computer and ask it to help track down the problem. Thus, the University is rarely able to take legal action against the attacker. Saltz said she could recall only one case a few years ago where charges were brought against hackers.

However, "The financial magnitude of the crime . . . did not warrant further pursuit of the matter," Saltz said.

The University is making a number of efforts to improve network security. For example, Saltz said future training for Residential Computing Consultants will cover security-related topics. Also, the University is in the process of upgrading dorm networks to prevent the "sniffing" of packets on the local network.

However, in the end, security still depends on the owners of individual computers. When asked about the most serious network security issues facing the University, Saltz said, "The most serious is a tendency for people to assume that network security is CIT's job. It is everyone's job."