IT secures Polar server

November 7, 2008

In response to a security breach last year, Bowdoin's Information Technology (IT) department has tightened access to the Polar server The server is used to host student and campus organization Web pages and other data.

In April, personal student information including Social Security numbers and health insurance records were discovered unsecured on a different Bowdoin server, available to anyone with a Bowdoin e-mail account.

IT Security Officer & Systems Consultant Steve Blanc said that after the breach, "we made several immediate changes to how we protect our systems. We started a security assessment with Forrester Research, and we are working with their recommendations to remove any sensitive data from the system."

In an e-mail to students, Blanc wrote that "first steps are being made to increase the security of Polar," one of the items Forrester identified as insecure. He listed three changes, the first being that "anonymous File Transfer Protocol (FTP) access is being turned off."

"Previously, anyone from the internet could log onto the server with anonymous credentials," Blanc said. Now, those seeking to gain FTP access to Polar must input their Bowdoin username and password in order to be logged on.

According to Blanc, the second change "was to disconnect file systems that weren't being used," specifically the scratch and department drives. Though these locations will no longer be accessible from Polar, they will be available through other servers.

The third security change Blanc described limits access to the network from the Internet, so that access off-campus must come through Bowdoin's Virtual Private Network (VPN). He said that previously, "anywhere from the internet, you could access Polar. There was a provision in our firewall to allow that."

Blanc said the change would be beneficial, "since VPN encrypts all the information."

"The server itself is not heavily used," he added. "We identified everyone who had used the server in the last 30 days...and notified approximately 30 accounts of the changes."

"We are actually going to be replacing Polar soon, which is a Unix shell server, with a Linux shell server," he added. "The server is at least 10 years old...and it's difficult to maintain patch updates."

Comments are permanently closed.