Lynden School District adopts a defense-in-depth strategy to protect its most valued asset: its students.
A whole lot of grumbling within Lynden School District's 2,775-strong student body was Jeff Leischner's first clue that the multilayered security solution he'd chosen was doing its job.
"We were hearing it from the students," the district technology coordinator recalls with a laugh. "They weren't able to get through the content and web filtering anymore."
That was a welcome – and dramatic – change from the northern Washington district's previous security solution: an assortment of technologies from a variety of manufacturers that were less than reliable in preventing students from accessing off-limits domains such as Facebook, MySpace and online gaming sites.
"Before, they would get through [to forbidden web pages] using anonymous proxy sites," explains Leischner, who logged countless hours investigating security breaches and reporting offending students' names to principals at each of Lynden's six schools. What's more, he continues, the components of the old system "weren't playing well together. I had four different things to manage, and that was taking up a lot of my time."
Reliability and cost concerns magnified Leischner's frustrations. With only 85 percent of spam being blocked, staff members sorted through up to 150 junk messages each day. Teachers routinely were thwarted from accessing educational websites. And then there was the plethora of maintenance fees associated with each product, which were beginning to add up.
"It wasn't a viable solution I could use for the long term," Leischner acknowledges. "Not only was it not financially sound, it wasn't robust enough to accomplish everything I wanted. I had too many manufacturers trying to accomplish one primary goal of security with the capability for granular accessibility."
Eager to avoid replacing one hodgepodge of products and manufacturers with another, Leischner began looking for an integrated security infrastructure that was both "recognized and innovative," he says. He researched, reviewed and tested a variety of options before deploying a multilayered solution from Fortinet in July.
Two FortiGate-111C appliances deliver a complete suite of security services (including antivirus/antispyware/antimalware, intrusion prevention, web filtering, firewall and traffic shaping, and IPsec/SSL VPN) from one hardened platform. The district also deployed a FortiAnalyzer 100B network-monitoring device, which provides a comprehensive view of network usage and security information, in turn minimizing the effort required to monitor and maintain acceptable-use policies. (The product also identifies attack patterns and prosecutes attackers.) A FortiMail-100 appliance for comprehensive messaging security completes the system.
Fortinet's unified threat management (UTM) approach "really blew my socks off," Leischner says. "I hadn't heard of many all-in-one products that do it all well, but it's really been a great solution."
One of the prime advantages of UTMs is that they effectively address an increasingly common issue plaguing many schools: how to enable students to connect with a variety of electronic devices – often privately owned, personal notebooks or tablets – while safeguarding school networks.
"Schools [are challenged] to protect against the latest and greatest threats and can't always access the endpoints if they're owned by the students," explains Robert Ayoub, global program director for network security research at Frost & Sullivan. "A UTM device is network-focused and allows schools to turn services on as they're needed."
Plus, UTMs boast an attractive price point and easy manageability. "Schools usually have limited budgets and expertise compared to the enterprise, and UTMs address those challenges directly," Ayoub continues. "UTMs provide a single platform, which is easier to maintain, easier to learn and cheaper to deploy."
Security on All Fronts
Leischner confirms that Fortinet's tightly integrated security components have benefitted the Lynden School District in several ways. "With [everything] consolidated into one system, [we've saved] a lot of time and management hassles," he says.
The district's coffers also are reaping the rewards. So far, the Fortinet solution has saved nearly $7,000 in annual support and maintenance upgrades. "For a district our size, that's a very significant savings," Leischner says.
Even more impressive is the level of reliability the new solution delivers. "One of the biggest security improvements overall is that after I monitored it for a while, I was confident enough to know that I didn't have to be looking at it all the time," Leischner says. Now he can focus on more pressing IT matters, rather than policing firewall breaches. "Students know that [unauthorized access] will not be tolerated, and if you try it, you won't get anywhere."
IT security "is a high priority for our district," says Superintendent Jim Frey. "We want to ensure that we use technology to enhance student learning in a safe and responsible manner. Having that infrastructure enables staff to focus on teaching and learning without having to worry about the problems that can occur when our security systems don't function adequately."
The district's dramatically reduced spam count bears this out. "The layered security solution benefits our staff by saving us time [that was previously spent] wading through excessive amounts of junk on a daily basis," says Terry Bugas, a computer specialist and technology coach for Fisher Elementary School, one of three elementary schools in Lynden.
Students may have initially voiced displeasure with the district's bolstered network security, but teachers and administrators have little to say – and that's a positive thing.
On a busy school day, as many as 70% of the 1,200 workstations on the Lynden School District's network may be operating at the same time.
"The staff don't see what's going on with the firewall. They see what affects their daily lives," Leischner explains. "The fact that I don't hear people complaining about it lets me know it's the right solution – and that it's working. It's very streamlined now."
Bugas agrees. "The staff have more confidence that inappropriate websites will be blocked by the system when [they and] students are doing research or viewing information on the Internet," she says. "And now we have the flexibility to unblock websites when they are appropriate for school use but have been captured due to wording."
Leischner is impressed with everything Fortinet's UTM solution has accomplished, but he's equally enthusiastic about opportunities not yet captured. "There's a lot more I can do with it that I haven't yet taken advantage of," he says.
He hasn't activated the firewall's full VPN capabilities, for starters, but he plans to facilitate remote access for staff soon. In addition, because the Fortinet solution has a comprehensive packet shaper built in, Leischner can circumvent potential bandwidth issues. "I can assign a particular amount of bandwidth to a specific application or web page," he explains.
Leischner also plans to take advantage of the firewall's load-balancing feature, which will prevent user overload while providing redundant failover capabilities.