Detjen Jones says the Art Center Design College deployed a pair of UTM appliances because the IT team wanted “a more formal, fully featured approach” to client security.
Jul 15 2010

The Art of Protection

Colleges and universities take a network-based approach to client security
August 2010 E-newsletter

The Art of Protection

Improving Security One User at a Time

Trend Micro Enterprise Security Suite

Client-Side Virtualization

College students are, by nature, a curious bunch. They tend to be constantly (or almost constantly) connected in their personal lives, but to complete their studies, they also need campuswide access to a staggering array of hardware, software and websites.

Curiosity certainly is something colleges and universities want to encourage. And yet, such inquisitiveness presents unique, ongoing challenges for IT departments, which must walk a fine line between allowing students to explore the Internet's seemingly infinite information resources and keeping institutional data and networks safe.

The Art Center Design College relies primarily on hardware to secure PCs and thin clients at both its Tucson, Ariz., and Albuquerque, N.M., campuses. Detjen Jones, head of information technology, attributes the choice to this simple reality: With software, he and his staff can somewhat control the security of classroom and student PCs, but they have much less control over the personal devices students use to tap into the college's network.

After several years of cobbling together a client security approach using network switches, Jones' team last year decided to install two SonicWALL NSA 4500 unified threat management firewalls, which connect the two campuses via a virtual private network tunnel. Plus, says Jones, the appliances give IT staff access to advanced security features, such as tracking, monitoring, scheduling, packet filtering and automatic shutdown.

“We needed a more formal, fully featured approach” to client security, Jones says. “With the SonicWALL appliances, we can easily monitor client connections and outgoing and incoming information, blocking intrusions, viruses and threats long before they have a chance to enter our internal network.”

By creating security layers, the IT team can increase the protection it affords students accessing the college's data infrastructure, while also insulating data from tampering, Jones adds.

Campus computers at both locations also run McAfee antivirus software and Faronics Deep Freeze, which restore computers to their original starting point after each user session.

Protecting clients via both software and network-based tools is smart, says Eric Ogren, founder and principal analyst of the Ogren Group. "Higher education is about the only vertical where network access control has some traction, to make sure student computers have active client security before [they are allowed to connect] to the network."

Soft Sell

The University of Arizona could be viewed as the Art Center Design College's polar opposite in terms of student enrollment (nearly 40,000 versus 600, respectively), but the two share many of the same client security issues. UA's IT department maintains a segregated network for students' personal devices, but staff also must manage university-owned PCs and systems used by administrators, researchers, staff and students.

A recent campuswide IT risk assessment found that although most computers were running the university-mandated suite of Sophos client security tools – which includes antivirus, spyware and firewall protection – some lacked disk encryption capabilities.

“We have a lot of data that has to remain secure, and we need to find additional ways to protect it,” says Cathy Bates, the university's information security officer. “We think the best way to do that is through encryption.”

Bates' team is planning to upgrade to Sophos' latest Endpoint Security and Data Protection suite, which offers device control, network access control, encryption and real-time access to the SophosLabs database of compromised sites to avoid, as well as antivirus and malware protection. The university hasn't yet decided which elements of the suite they'll use, however.

The IT staff also are researching standalone full and partial disk encryption tools.

Regardless of the path UA chooses, Bates believes products are just one component of the overall client security equation. Old-fashioned education is equally important, she says.

“We have more than 250 independent security liaisons who work with academic and administrative units to get the word out about security,” Bates says. “That includes monthly security newsletters and coordinated risk assessments, as well as other methods of campuswide security education.”

Together – Forever

A comprehensive approach to client security uses both software on the client side and tools on the network side. Here's what to look for:

  • A software-based endpoint security suite that comprises data and threat protection (antimalware and antispyware, for example), unified threat management and administration, and content and policy-based assessment and controls (manufacturers include Symantec, McAfee, Sophos and Trend Micro)
  • Software-based hard disk encryption (GuardianEdge Technologies and PGP)
  • Network access control (available from every network vendor)
  • Network security appliances (Fortinet, SonicWALL and WatchGuard Technologies)
  • Firewall (a multitude of software and hardware options available)
Steve Craft