UW Information Technology

May 28, 2021

UW-IT bolsters security for research and education


By Gretchen Konrady

It’s called spoofing, but it’s not just something for laughs on YouTube. It’s when malicious entities slither around on networks that connect to the internet, pretending they’re from a known, trusted source while they try to steal data or otherwise wreak havoc.

Now, the routing infrastructure of the UW-IT-operated Pacific Northwest Gigapop (PNWGP) service features reinforced defenses against these attempts to spoof legitimate network traffic — new protections that comply with the Mutually Agreed Norms for Routing Security (MANRS) initiative. PNWGP is a nonprofit corporation serving research and education organizations throughout the Pacific Rim.

MANRS is a global initiative that advocates for crucial fixes to reduce the most common routing threats that aim to get at systems and data. Supporting MANRS is the Internet Society, whose mission is to work for an open, globally connected, secure, and trustworthy Internet for everyone.

The routing security best practices urged by MANRS have been implemented by IT Infrastructure for the first time, a project that began with PNWGP, a nonprofit that serves research and education organizations with cost-effective, robust, reliable, high-bandwidth and high-capacity. The voluntary effort is bolstering security for the research and education organizations that connect to the PNWGP network and, in turn, the internet.

“Basically we are saying to customers of the network, ‘We want to ensure you don’t send along source IP addresses on the internet that are not yours,’” said David Sinn, a UW-IT senior network engineer.

Dave O’Meara, IT infrastructure services assistant director, had been looking to update UW-IT-run networks so that routing security policies and technologies could comply with MANRS. Of the networks UW-IT operates, Dave knew PNWGP was the ideal candidate to start with. One reason was that the network got a core upgrade in 2014 that offered a ready infrastructure.

Dave also knew that David — lured back last year to the University from Amazon — was the right engineer to lead the effort.

“We completed the work for PNWGP first, given the simpler and more easily understood and controlled factors involved in its design and use by customers,” David said.

The ITI Regional Networks team envisions additional types of MANRS compliance for PNWGP beyond anti-spoofing, as well as implementing MANRS certification for the other networks the team supports. The Washington State K-20 Education Network is expected to be next, with a bit more challenge involved, explained Noah Pitzer, UW-IT’s regional networks assistant director. He said K-20 is more complex, with many more connections than PNWGP, and with other internet service companies providing backup connectivity for some educational institutions.

Noah said he’s pleased that the first part of the MANRS compliance effort has been completed, and that the UW can attest to doing this additional work.

“PNWGP and UW-IT were already following multiple best practices to prevent spoofing by users of the network, but there was more that could be done. The MANRS initiative is a great opportunity to implement an additional level of due diligence,” Noah said.

“MANRS is a way for us to secure our customers and ourselves from spoofed traffic pretending to be the UW,” David said. “It’s as if we were preventing someone from forging the President’s signature — they could do a lot with that.”