Next-Gen Firewalls Give Schools Traffic-Shaping Abilities

Textbooks, notebooks and chalkboards used to be the main means for young scholars to master the fundamentals of reading, writing and arithmetic. But as children increasingly pursue their studies online — and arrive at school with mobile devices that are gateways to online education and entertainment — K–12 IT leaders now find themselves more focused on protecting their ­networks, controlling applications and optimizing bandwidth.

Next-generation firewalls (NGFWs) play a role in achieving those ends, featuring what has long been expected in a firewall, such as stateful protocol inspection, while also offering more advanced capabilities, such as deep packet inspection to target traffic anomalies or known malware. Integrated intrusion detection and prevention capabilities ensure that traffic doesn't have to pass through separate security layers and performance doesn't suffer.

"With increases in hardware ­performance, next-generation firewalls are very efficient at monitoring and properly protecting an organization's network," says Dr. Eric Cole, a faculty fellow at the SANS Institute.

Application awareness that ­identifies and controls traffic and ­enforces security policy at the ­application layer also means the IT department can apply rules to specific applications concerning ­access — when or by whom, or not at all — and prioritize bandwidth or maximize consumption. It's ­important to restrain students' use of school networks for fun, for example, so that teachers' and ­administrators' use of the ­network for ­academic functions isn't compromised.

The Region 9 Education Service Center, which provides consulting services to 37 districts and one ­charter school in north central Texas, recently introduced NGFWs into 30 of its schools in the form of Cisco Meraki MX80, MX90 and MX400 devices. As a result, the center now can access visualizations of and control network traffic flow. The signature, protocol and anomaly-based inspection methods in the Meraki devices' integrated intrusion detection engine, for example, enable IT to isolate any application that ­performs suspicious activity, says Darren Francis, deputy director of ­administrative support services.

Traffic shaping — for which the center or a district allocates bandwidth and priority access based on application type — is an increasingly critical function of the Meraki NGFW technology, helping to ensure key ­services don't suffer from slowdowns or other performance issues. The center is able to give ­priority status to educational videos streamed to district schools as part of an H.323 video service it hosts, or to community college class lectures streamed to high school students via its video network, says Technical Specialist and Technology/Network Database Administrator Clint Close.

The center also supports other streaming media efforts, including online art instruction. The ability to prioritize such traffic, especially for rural schools with more limited bandwidth options, is a "big deal for us," Close says. "A lot of streaming video may be on YouTube, and there might be great educational content, but it doesn't need to get there first."

NGFWs Provide Flexibility and Safety

The investment in NGFWs means the center's users can go ­beyond allowing or blocking ­traffic: "This lets us be more granular in the way we control what we give access to, or even which groups have access to something," Francis explains.

Teachers, for instance, can access a resource online to use as part of their lessons, without opening the site up for general use by students. The technology also helps schools master the challenge of providing open access to information, while preventing students from accessing restricted content. IT can prevent ­students from diving into web mail applications or social media, for ­example, while still affording Internet access for research.

"An older firewall provides little to no help in accomplishing that," says Jason Wood, senior security ­analyst at the consultancy Secure Ideas. "Next-gen firewalls are ­designed to address that issue."

With content filtering support, NGFWs also can help schools achieve compliance with the Children's Internet Protection Act, which mandates that students be blocked from ­inappropriate Internet content. That was a top ­priority for Jonathan Ferrara, information technology manager for Revere (Mass.) Public Schools, where about 7,000 students enjoy access to computers. Additionally, a notebook computer program is ­being piloted for Revere's fifth-grade students, while 1,600 high school students rely on tablets as their primary learning tool.

"In order to protect kids according to the CIPA guidelines, we needed a next-generation firewall," Ferrara says.

More Functionality, Lower Costs

By collapsing multiple functions — intrusion detection/prevention, anti-virus, anti-spam and web content ­restrictions — into a single device, a next-gen firewall provides another important benefit to K–12 IT leaders trying to juggle multiple requests and issues with limited staff.

"The idea of having functions such as bandwidth restrictions and content filtering controlled within a single device can reduce some of the demands on network administrators," Wood says. "Now, they don't have to deal with keeping their firewalls, IDS/IPS, web proxy and spam filtering systems working in harmony."

Simplifying management of the environment also offers the potential for financial savings, Wood says. As schools leverage such devices to reduce recurring network capacity upgrades, for example, additional savings may result.

Ferrara, meanwhile, believes that next-gen firewalls are as necessary today as any other basic infrastructure. "You need heat, so you have to pay for that," he says. "If you want to have security and optimize bandwidth, you have to push to the next level."