Layered Security Lockdown
September 2010 E-newsletter
Security Lockdown
The first sign that the multilayered security solution deployed within Washington's Lynden School District was working effectively? A whole lot of grumbling.
“We were hearing it from the students,” Technology Director Jeff Leischner recalls with a laugh. “They weren't able to get through the content and web filtering anymore.”
That was a welcome – and dramatic – change from the district's previous security solution, which had been considerably less than reliable at preventing students from accessing forbidden domains such as Facebook, MySpace and online gaming sites.
“They would get through before using anonymous proxy sites,” explains Leischner, who subsequently logged countless hours investigating the security breaches and reporting names to principals at each of the district's five schools. “It was a very time-consuming process.”
Indeed, the hodgepodge of technologies from a variety of manufacturers was creating a host of challenges for the 2,600-student district, which includes three elementary schools, one middle school and one high school.
“They weren't playing well together,” Leischner says of the former devices. “I had four different things to manage, and that was taking up a lot of my time.”
Even more, the system lacked the reliability Leischner desired. With only 85 percent of spam being blocked, staff members had to sort through up to 150 junk messages each day. In addition, teachers were routinely thwarted from accessing educational websites. Yet another pitfall was the plethora of maintenance fees associated with each product.
The district opted for a layered security solution from Fortinet centered around a pair of FortiGate-111C appliances, also referred to as unified threat management (UTM). “It really blew my socks off,” says Leischner.
A Refined Solution
The FortiGate-111C appliances provide a full suite of security services from one hardened platform, including antivirus/antispyware/antimalware, intrusion prevention, web filtering, firewall and traffic shaping, and IPSec/SSL VPN.
“Schools face the challenge that they have to protect against the latest and greatest threats and cannot always access the endpoint if they are owned by the students,” explains Robert Ayoub, global program director for network security research at Frost & Sullivan. “A UTM device is network-focused and allows schools to turn services on as they are needed.”
Furthermore, UTMs boast an attractive price point, as well as easy manageability. “UTMs provide a single platform and, typically, will be much more cost effective compared to deploying a number of products from different manufacturers,” says Ayoub.
The district also deployed the FortiAnalyzer 100B network monitoring device, which provides a comprehensive view of network usage and security information, minimizing the effort required to monitor and maintain acceptable-use policies, while also identifying attack patterns and prosecuting attackers. And the solution is rounded out with the FortiMail-100 appliance.
Tight integration between Fortinet security components benefits the Lynden School District. “With it all consolidated into one system, it saves a lot of time and management hassles,” Leischner says.
The district's coffers are also reaping the rewards of the new solution, which has shaved off nearly $7,000 per year in annual support and maintenance upgrades. “For a district our size, that is a very significant savings,” he says.
Even more impressive is the level of reliability the new solution delivers. “One of the biggest security improvements overall,” says Leischner, “is that after I monitored it for a while, I was confident enough to know that I didn't have to be looking at it all the time.”
As a result, the technology director can now focus his attention on more pressing IT matters, as opposed to policing firewall breaches. “Students know that [unauthorized access] will not be tolerated, and if you try it, you won't get anywhere anyway,” says Leischner.
“Security in the area of technology is a high priority for our district,” acknowledges Superintendent Jim Frey. “We want to ensure that we use technology to enhance student learning in a safe and responsible manner.”
The school district's spam problem has been dramatically reduced, Leischner notes.
Terry Bugas, a computer specialist and technology coach with the district, says, “The layered security solution has benefited our staff by saving time wading through excessive amounts of junk/spam e-mail on a daily basis.”
Students may have initially voiced their displeasure with the district's bolstered network security, but teachers and administrators have little to say – and that's a positive thing.
“The staff doesn't really see what's going on with the firewall. They see what affects their daily life,” Leischner explains. “The fact that I don't hear people complaining about it lets me know it's the right solution, and I know that it's working. It's very streamlined now.”
Bugas concurs. “The staff has more confidence that inappropriate websites will be blocked by the system when students and staff are doing research or viewing information on the Internet,” she says. “And now we have the flexibility to unblock websites when they are appropriate for school use, but have been captured due to wording.”
Forward-Moving Tech
While Leischner is impressed with everything the UTM solution is accomplishing, he's equally enthusiastic about the future possibilities. “There's a lot more I can do with it that I haven't even taken advantage of yet,” he says.
For starters, the technology director has yet to activate the firewall's full VPN capabilities, but plans to facilitate remote access for staff soon.
In addition, because the Fortinet solution has a comprehensive packet shaper built in, Leischner can circumvent potential bandwidth issues.
“I can assign a particular amount of bandwidth to a specific application or web page,” he explains, adding that on a busy school day, as many as 70 percent of the network's 1,200 workstations may be operating at the same time.
Leischner also plans to take advantage of the firewall's load-balancing feature, which will prevent user overload while providing redundant failover capabilities.
