Bobbi Novell, technology director for the Warren County R-III School District in Missouri, is a firm believer in the layered security approach.
Jun 09 2011

Mitigate Risk with Layered Security

A full-fledged security approach keeps online learning safe at Warren County R-III School District in Missouri.

July 2011 E-newsletter

Mitigate Risk with Layered Security

Play It Safe with DLP

Understanding Endpoint DLP

M86 Secure Web Gateway

The layered look is definitely “in” within the Warren County R-III School District ― and it has nothing to do with ever-changing trends in student fashion. Rather, by implementing a layered approach to network security, the Warrenton, Mo., district has opened a new chapter in enhanced learning opportunities.

“Technology is as native to today's students as electricity is to a light switch,” says Bobbi Novell, technology director for the 3,000-student district. “It has to be there ― and be reliable and safe. It's a challenge!”

That challenge has been significantly mitigated by the district's new security solution, which includes a firewall, web and e-mail filtering, and antivirus software. Deployed in 2010, the combination is earning high marks when it comes to safeguarding data and facilitating online access at Warren County's high school, middle school and three elementary schools.

“The biggest benefit is how it affects the classroom experience by supporting education and helping students to become productive, successful 21st century learners,” reveals Novell. “That's our goal ― to help every student achieve their highest potential possible. That's what technology is there for.”

Growing Trend

With the increasing popularity of online resources and Internet-based instruction, Warren County isn't alone in its quest to bolster network safety. In fact, there is a growing trend among K–12 school districts nationwide to shore up protection, according to Robert Ayoub, global program director for network security at research group Frost & Sullivan.

“In the past, many districts did very little to address security,” Ayoub acknowledges. “Districts are now taking it much more seriously.”

Yet doing so can present a unique set of challenges. “Compared to a traditional business where you may be more worried about keeping attackers out, school districts have to balance that with protecting students and faculty,” Ayoub says. “Students are notorious for pushing the limits and exploring sites that they shouldn't be. Yet there's a lot of private information that school administrators need access to, such as medical records, addresses and social security numbers.”

Toward that end, many educational institutions are investing in the layered approach, a security system that relies on several tools and policies to safeguard multiple areas of the network. By defending against a plethora of threats ― including worms, theft, unauthorized access, insider attacks and other security considerations ― a layered solution prevents a single point of failure and helps cast a wide net to offer pervasive protection.

“Security works best when it's in layers,” Ayoub emphasizes. “The more controls that can be deployed, the better. But by having firewall, antivirus and filtering at a minimum, districts can address a large percentage of the problems.”

The approach has certainly been a success at Warren County R-III School District. “If any one of our layers is ever compromised, then another layer will protect us until the problem can be fixed,” Novell confirms.

Yet that wasn't always the case. A number of struggles plagued the district prior to the implementation of its new layered solution, beginning with issues stemming from an aging firewall.

“The biggest problem with our previous firewall was that it was old,” explains Steven Schaefer, district technician. “While the rest of the network infrastructure had been updated, the firewall had not.”

As a result, the model was no longer supported by the manufacturer as it reached its end of life. More important, it could not accommodate Virtual Private Networks (VPNs), which the district desired to allow its 450 employees to access information from outside the multiple campuses. “The educational day is no longer limited to 8 a.m. to 3 p.m.,” Novell points out. “It has to be anywhere, anytime.”

Enter the SonicWALL Network Security Appliance (NSA) 4500, ideal for midsize organizations and distributed environments requiring high performance. The NSA 4500 integrates multicore hardware with deep-packet firewall inspection, including gateway antivirus, antispyware and intrusion prevention, an application firewall for perimeter and internal protection, plus an extensive array of advanced security and networking features. 

Even more, the firewall enables high-performance VPNs, which can easily scale to thousands of endpoints and branch offices.  “With this product, we can take computing outside of the walls and outside of the school day,” Schaefer says.

While supplying students with web access is a top priority, the district must also protect against the students surfing harmful or inappropriate sites. Furthermore, ensuring that the network remains free of potential contaminants is a critical concern. “Internet safety is very important,” Novell emphasizes. “It doesn't do any good to provide access if we are constantly fighting viruses and intrusions.”

Those potential problems have been alleviated with the addition of iPrism Web Filter from EdgeWave (formerly St. Bernard Software), an award-winning filtering solution that secures organizations from Internet-based threats such as malware, spyware, IM, P2P, and inappropriate content at the perimeter. By integrating managed service scalability with proven appliance-based control, the solution helps organizations mitigate the risks of legal liability, prevent security breaches, and prevent productivity loss while optimizing network performance. The appliances are also simple to configure and administer, with minimal maintenance requirements.

“We needed a product that was easy to customize and could keep up with the hundreds of thousands of new sites that come on the market each day,” reports Schaefer, acknowledging that the district's previous filter posed several problems, including incompatibility with its thin client computing environment and frequent  testing by users trying to block or circumvent the software.

“With our previous system, we couldn't do any live monitoring as it was happening,” he adds. “The new solution allows us to watch Internet access in real time, and that can be very helpful.”

The technician also values the product's flexible reporting capabilities, which let the district quickly gather information at several levels, as well as easily identify patterns. “We can definitely be more proactive,” Novell says.

The user-friendly filter also delivers the customization options the district was seeking. “We can recategorize sites on the fly to give users access as they need it,” Schaefer points out.

For instance, a teacher wishing to visit a specific site during class simply clicks to request the URL be unblocked. “It's very easy if a site is blocked for the user to request it be opened up,” Schaefer says.

Another major boon for the district is the filter's compatibility with thin client computing. “The new solution doesn't care if it's a stand-alone computer or a virtual desktop or what the hardware is,” explains Schaefer. “Plus, it's much less work for the team, and we are able to troubleshoot much more quickly. It's just a much more sophisticated system and allows a lot of customization on our end.”

Automated Protection

Also contributing to a sparkling-clean network is Kaspersky Anti-Virus software, which offers real-time automated protection from a range of IT threats. Tim Harman, the district technician responsible for this area of network security, reports that the biggest challenge with the previous solution was that, much like the filter, it also conflicted with the thin client environment.

“They couldn't run together,” he says. “And as a result, a lot of malware was getting past, and we were seeing a lot more infected machines and viruses getting through.”

Harman says the Kaspersky product operates in harmony with thin client computing, and the software downloads update more frequently. “We have a much better edge on malware now,” Harman reveals. “Plus, the smaller footprint really helps, and the product requires fewer resources.”

“We've been very happy with this product,” Novell agrees. 

The district is equally pleased with its new Websense e-mail security solution, which blocks some 70 percent of incoming e-mail, according to technician Ron Greer.

“Only about 30 percent of what we receive is actually legitimate e-mail,” reveals Greer, noting that more than 60,000 e-mails per week attempt to infiltrate the district's mailboxes. Some 40,000 of those are blocked by Websense blacklists, while another 6,000 or so are thwarted by the product's secure digital fingerprints and word scores. In the end, only about 14,000 are actually delivered to the end user, Greer reports.

Another way that Websense keeps potential intruders at bay is by updating every hour. “We very rarely get an e-mail that shouldn't be there,” says Greer.

“There have been no complaints of spam e-mails,” adds Novell. “It's virtually eliminated it. I think that's incredible.”

Indeed, the various components of the district's layered-security solution have met all of the district's objectives ― and then some.

“Our goal is to educate students to become functioning citizens in a digital 21st century society,” Novell says. “We want them to be able to seamlessly step right into college or the workforce, and this solution helps us to do that.

“We have the freedom to go to sites and search engines because we can enforce safe searching,” Novell continues. “Now we have a viable functioning platform for students to get out on the Internet. They can collaborate, they can share. A teacher can teach outside the normal classroom.”

The district's security upgrades certainly haven't gone unnoticed by instructors. Aaron Wokurka, who teaches seventh-grade science at Black Hawk Middle School, reports that the overall network is now much easier to use. “All the computers work because the security is excellent,” he says. “A public computer usually is infected with viruses, spyware, key loggers and so on. However, in our lab all our computers function properly.”

Wokurka also has a newfound confidence that his students will not inadvertently surf into harm's way. “Through website filtering and firewall protection, I know that whatever content they are viewing at school will be both safe and appropriate,” he says.

Lock Up Your Data

With the number of security threats on the rise, a layered network security approach has become an essential part of maintaining both privacy and integrity. These are the typical critical layers of protection:

Protection Against External Threats

  • Intrusion prevention safeguards a network inside and out from lethal worm invasions and other malicious attacks.
  • Firewall and virtual private networks secure Internet access points and guards network privacy.
  • Antivirus protection guards computers by automatically eliminating viruses, worms and Trojan horses. 
  • Vulnerability scanning scans a network to identify – and dramatically reduce – the number of vulnerabilities.

Protection Against Internal Threats

  • Web and e-mail filtering enhances productivity while eliminating network and legal threats.
  • Event management monitors the security event logs of all Windows NT/2000/XP servers and workstations, alerting IT managers to internal intrusions or attacks in real time.
Paul Howell