The Current Sitaution:
In METU campus there are 30,000 users, approximatley 5,000 IPs defined, B-class IP block, UNIX central server systems which are administered by Computer Center, servers of the departments which are administered by departmental coordinators, ATM backbone network, local Ethernet networks that are connected to the backbone network via ATM uplink Ethernet connection. .
A closer look at METU anti-virus solutions policy will manifest two main strategic actions that should be undertaken: the activities to be undertaken proactively before the virus have serious effects within the campus and the activities to be undertaken after the virus infects campus computers.
1. Activities to be undertaken before the virus affects the campus
i. Anti-virus filter: A set of two software under GPL licenses, namely Trophie and Virge, comprise the anti-virus filter. These software run together with such open-source software as SendMail and ProcMail; and they are located on central servers.
ii. Executable attached files on electronic lists: After a virus emerges, an anti-virus software update file, which includes the definition files of the virus, is announced within approximately 6-10 hours. However, during this lapse of time, it is essential to prevent the spreading of the virus by channelling the attention to vulnerable parts of the system. Such vulnerabilities involve the executable attached files on electronic lists. To prevent the spreading of virus through these attached files, the list manager program is adjusted so that it eliminates the attachement files that most of the viruses exploit (such files are exe, .pif, .scr etc.).
iii. Port restrictions: To prevent the viruses that spread over the network, the access over certain ports inbetween the units, etither from within or from from outside the campus is blocked (135/tcp, 135/udp, 139/tcp, 139/udp, 445/tcp (NetBIOS portları), 1434/UDP (win32/Slammer), 4156/UDP (Linux/Slapper)).
iv. Testing Vulnerability: The computers within the campus are being regularly tested with vulnerability testing programs against the security vulnerabilities (Nessus, Retina etc.).
v. Anti-virus Software: Anti-virus software are being provided for desktop computers, and, update files, which include the up-to-date virus definitions are distributed over local ftp site.
vi. Virus-specific cleaning programs: The small-sized cleaning programs (fixsobig.exe, fixbugbear.exe etc.), which are exclusively created by anti-virus software companies for specific viruses, are distributed over the ftp site that is reserved for common use.
These precautionary activities may not work well and yield the desired results, especially with the viruses which are products of social engineering designs. (W32/Mimail etc). Therefore, we earnestly need to join forces with other mechanisms as well to overcome the shortcomings that may arise due to the human factor.
vii. Education: Seminars are being held and trainings are provided to users and the computer coordinators in order to instruct both of the groups about how to update their anti-virus software and operating systems; and how to simply take measures to prevent certain vulnerabilites.
viii. Notification: The users can get information about newly emerging viruses through the e-mail notifications sent to the computer coordinators and through our antivirus web site. (http://antivirus.metu.edu.tr).
ix. Sending Feedback: To provide feedback about incidences and instigate taking action against viruses, the users can send the e-mails containing viruses to certain metu addresses (email@example.com, firstname.lastname@example.org, email@example.com).
2. Activities to be undertaken after the virus affects the campus
It is regrettably a true fact that the virus may well infect the systems on the local network before anti-virus companies are even able to release the update files. In addition to this, from time to time viruses succesfully spread throughout the campus only due to the presence of operating systems that are still not updated and uninformed people that execute the infected e-mail attachments. To diminish the harmful effects of the virus on the local network, the following actions are primarily taken,
i. The IP of the infected computer within the campus is detected through the help of virus filter which runs on the e-mail server or through the network traffic control activites. Then the responsible computer coordinator is notified of this IP information.
ii. The IP access of the infected computer is restricted in the emergency cases.
Though the preemptive measures may seem energy and time-consuming to many people, one should remember the fact that without these preemptive measures, more time, energy and important data will be lost to restore the system should a virus infects ones computer. For this very reason, preemptive measures must necessarily be taken.
Despite these preacutionary activities are vitally important for the well being of the systems, sometimes these preemptive measures do not suffice to stop viruses which are designs of social engineering. To render these precautionary measures effective, the awareness of the computer users must be raised and the good habits should be promoted. The users should be aware of the fact that they can prevent the spreading of a virus by simply avoiding a bad habit and they should be instructed about protecting their systems against security risks. Therefore, education of users become as vital an issue as the preemptive measures that must be taken.
Anti-virus solutions are not confined within the boundaries of anti-virus companies services and software packets. Since METU is committed to doing research and because of the fact that METU is always striving to weaken monopolization of companies to liberate itself from the dependent relationships, METU tries to adopt the policy of preferring open-source software rather than implementing proprietary in solving such security matters of central server systems.