Oct 12 2006

Schools Implement A New Generation Of Comprehensive Firewalls

As good as today’s firewalls and VPN technologies are, the traditional rule still holds true: “Trust, but verify.”

The cute second-grader taking digital pictures on the school playground doesn’t look like a security risk, but Kevin Schwartz and Tracy Sherrod know better.

“It’s not unusual to have elementary school students roaming around with cameras and shooting photos to post on a classroom Web site,” says Schwartz, wide area network (WAN) coordinator for the Eanes Independent School District in Austin, Texas. “Kids can use the network from home or use our Web-based e-mail to send homework to their teacher or ask questions.”

Both Schwartz and Sherrod, district director of information systems, know that more frequent network usage—no matter how innocent—results in more security risks and worries. As teachers integrate technology tools such as digital cameras and handhelds into the curriculum, school IT departments must put stronger countermeasures in place to prevent viruses, spam and unauthorized access from penetrating the network.

Security: Fall 2004

For many school IT professionals, the fall 2004 assignment remains the same as in years past: Balance network and Internet security with relatively hassle-free access for users. However, this year, the exam includes challenges brought by heavier network traffic and an even faster-growing flood of potential security risks.

Firewalls and virtual private networks (VPNs) remain the first line of network defense for today’s computing systems. According to Palo Alto, Calif.-based research firm Frost & Sullivan, total annual revenues for both types of products will reach nearly $6 billion by 2007.

Just as fall brings a new crop of students, so, too, does it bring a new crop of firewall and VPN tools. One trend this year is the use of multifunction security appliances, with integrated intrusion prevention, VPNs, antispam and antivirus capabilities, and centralized security management. Some antivirus makers offer suites that include instant messaging security and spam-killer functions.

Many new-generation technologies are already running at pioneering schools.

“Security has always been a key requirement for the district, which means defending from every direction, whether it’s viruses, spam attacks or hackers,” says Eanes’ Schwartz. “It’s a never-ending concern.”

That concern increased when the district installed an Internet Protocol (IP) communications fiber-optic network that connects nine schools and administrative headquarters to the Internet and to each other. To protect the voice and data network, Schwartz’s team chose security appliances with stateful inspection firewalls, which examine not only the address and application of each packet, but also the content of the packet. Stateful inspection tracks each connection traversing all interfaces of the firewall and makes sure it is valid. If a packet does not belong to a valid connection, it is dropped.
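The connection-tracking part of stateful inspection can be sketched in a few lines. This is an added illustration, not code from the article or from any vendor's appliance; the class and field names are hypothetical, the addresses are constructed from documentation ranges, and it assumes TCP only, with new connections allowed only from the inside network.

```python
from collections import namedtuple

# flags: set of TCP flags on the segment; inside: True if seen on the LAN interface
Packet = namedtuple("Packet", "src sport dst dport flags inside")

class StatefulFirewall:
    def __init__(self, allowed_out_ports):
        self.allowed_out_ports = set(allowed_out_ports)
        self.conns = {}  # (inside endpoint, outside endpoint) -> state

    @staticmethod
    def _key(p):
        # Both directions of a flow map to the same table entry.
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if p.inside else (b, a)

    def filter(self, p):
        key = self._key(p)
        state = self.conns.get(key)
        if state is None:
            # A new flow needs a bare SYN from inside to a permitted port.
            if p.inside and p.flags == {"SYN"} and p.dport in self.allowed_out_ports:
                self.conns[key] = "SYN_SENT"
                return "ACCEPT"
            return "DROP"
        if "RST" in p.flags:
            del self.conns[key]  # a reset tears the tracked connection down
            return "ACCEPT"
        if state == "SYN_SENT":
            # Only the server's SYN/ACK is valid at this point.
            if not p.inside and p.flags == {"SYN", "ACK"}:
                self.conns[key] = "ESTABLISHED"
                return "ACCEPT"
            return "DROP"
        # ESTABLISHED: data, ACK and FIN segments pass; a fresh SYN does not.
        return "DROP" if "SYN" in p.flags else "ACCEPT"

def demo():
    fw = StatefulFirewall(allowed_out_ports={80, 443})
    pc, web, stranger = "10.1.2.3", "203.0.113.10", "198.51.100.7"  # constructed
    return [fw.filter(p) for p in [
        Packet(stranger, 4444, pc, 3389, {"SYN"}, False),    # unsolicited inbound
        Packet(pc, 50000, web, 443, {"SYN"}, True),          # outbound open
        Packet(web, 443, pc, 50000, {"SYN", "ACK"}, False),  # reply on tracked flow
        Packet(pc, 50000, web, 443, {"ACK"}, True),          # handshake completes
        Packet(web, 443, pc, 50001, {"ACK"}, False),         # no such connection
        Packet(pc, 50000, web, 443, {"RST"}, True),          # teardown
        Packet(web, 443, pc, 50000, {"ACK"}, False),         # arrives after teardown
    ]]
```

The two inbound packets that match no table entry, and the one that arrives after the reset, are the ones dropped; an address-and-port filter without state would have had to either allow or block all return traffic from port 443.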

Schwartz gives the multifunction tools high marks for performance and scalability. With support for up to 10 Gigabit Ethernet interfaces, the appliances should easily meet the school district’s growing network demands, he says.

Central Administration

Troy School District required central control of network security when upgrading to a new fiber-optic WAN. Traffic on the Troy, Mich.-based district’s network had grown rapidly as a result of rising demands for data, voice and video services from the district’s 12,000 students. Four years ago, the Troy School District significantly upgraded its communications service from a T1 line, with 1.5-megabits-per-second transmission capability, to a burstable T3, with 45Mbps.

From the start, Troy District Director of Technology Steve Shotwell and his team believed that centrally managed network security offered the best way to prevent any unauthorized access and avoid inadvertently creating a back door. The group already managed a network of 90 file servers and 4,116 computers in classrooms, labs and offices.

The technology team then added a firewall security suite to control remote access for outside users, as well as access to the district’s intranet. On a typical day, between 400 and 500 of the district’s desktop PCs and wireless notebook PCs can simultaneously connect to the Internet from 19 schools and four county facilities without a hitch, Shotwell reports.

“To me, reliability means no downtime or help desk calls,” he says. “We’ve had the firewall for four years now, and we’ve never had a failure.”

In Colorado, the Pikes Peak Board of Cooperative Educational Services (BOCES) faced a different challenge: how to provide low-cost security to 10 local school districts using five different kinds of local area networks and experiencing heavy unsupervised Internet access traffic.

To complicate matters, the third-party Internet service that BOCES supplies to schools from its Colorado Springs headquarters included both a 7Mbps digital subscriber line and a T1 line, says Brian Bylund, technology coordinator.

Some schools don’t limit what can be downloaded, so unwanted traffic was consuming bandwidth. Due to a tight budget, the new firewall needed to handle Web content filtering, spam and e-mail blocking, virus protection and bandwidth management. BOCES implemented a firewall that centrally manages Internet access for servers at each school. This lets IT monitor logs in real time to quickly spot attacks anywhere on the network.

Outsourcing Protection

Outsourcing firewalls and intrusion-detection operations and maintenance to outside providers represents another trend that’s gaining traction. Some organizations favor this approach because it frees IT staff to handle other projects and eliminates the need for specific expertise in some technology areas.

That motivation led the technology group at Lausanne Collegiate School, a private school in Memphis, Tenn., to outsource network security, as well as content and e-mail filtering, to local service providers.

“We don’t have the security knowledge and expertise they do,” says Technology Director Stewart Crais, who believes it’s smarter to focus limited IT resources on the K-12 school’s 410 notebook-toting students and teachers. “We try to save our time for customer service,” he explains.

Lausanne contracted with an Internet service provider to handle T1 Internet connectivity, firewall, VPN management and Web content filtering. The ISP also provides offsite e-mail filtering using a spam firewall. “I really like the spam service because it doesn’t route the junk e-mails to us,” Crais says.

When outsourcing network security, however, carefully check the provider’s financial profile, select a trustworthy partner and develop basic security expertise in-house, in case things go wrong with the relationship or the systems.

As good as today’s firewall and VPN technologies are, the traditional rule still holds: “Trust, but verify.”

Joseph E. Maglitta is a Cambridge, Mass.-based technology writer.

Security Perceptions

A recent nationwide survey by Irvine, Calif.-based NetDay, a nonprofit supporter of educational technology in schools, found that teachers consider security—firewalls and filters—a major obstacle to more effective Internet use.

For the 11,132 teachers who answered the survey, only “lack of time” ranked higher as an obstacle. A companion survey in 2003 of 210,000 K-12 students reported largely the same results.

Source: NetDay 2004 Teacher Survey, 2003 Student Survey
