Clint Close and Darren Francis deployed Meraki next-generation firewalls to help Region 9 Education Service Center’s schools better manage and secure network traffic flow.

Jan 02 2014

Next-Gen Firewalls Give Schools Traffic-Shaping Abilities

The latest firewall technology helps schools optimize their networks and boost security.

Textbooks, notebooks and chalkboards used to be the main means for young scholars to master the fundamentals of reading, writing and arithmetic. But as children increasingly pursue their studies online — and arrive at school with mobile devices that are gateways to online education and entertainment — K–12 IT leaders now find themselves more focused on protecting their ­networks, controlling applications and optimizing bandwidth.

Next-generation firewalls (NGFWs) play a role in achieving those ends, featuring what has long been expected in a firewall, such as stateful protocol inspection, while also offering more advanced capabilities, such as deep packet inspection to target traffic anomalies or known malware. Integrated intrusion detection and prevention capabilities ensure that traffic doesn't have to pass through separate security layers and performance doesn't suffer.

"With increases in hardware ­performance, next-generation firewalls are very efficient at monitoring and properly protecting an organization's network," says Dr. Eric Cole, a faculty fellow at the SANS Institute.

Application awareness that ­identifies and controls traffic and ­enforces security policy at the ­application layer also means the IT department can apply rules to specific applications concerning ­access — when or by whom, or not at all — and prioritize bandwidth or maximize consumption. It's ­important to restrain students' use of school networks for fun, for example, so that teachers' and ­administrators' use of the ­network for ­academic functions isn't compromised.

The Region 9 Education Service Center, which provides consulting services to 37 districts and one ­charter school in north central Texas, recently introduced NGFWs into 30 of its schools in the form of Cisco Meraki MX80, MX90 and MX400 devices. As a result, the center now can access visualizations of and control network traffic flow. The signature, protocol and anomaly-based inspection methods in the Meraki devices' integrated intrusion detection engine, for example, enable IT to isolate any application that ­performs suspicious activity, says Darren Francis, deputy director of ­administrative support services.

Traffic shaping — for which the center or a district allocates bandwidth and priority access based on application type — is an increasingly critical function of the Meraki NGFW technology, helping to ensure key ­services don't suffer from slowdowns or other performance issues. The center is able to give ­priority status to educational videos streamed to district schools as part of an H.323 video service it hosts, or to community college class lectures streamed to high school students via its video network, says Technical Specialist and Technology/Network Database Administrator Clint Close.

The center also supports other streaming media efforts, including online art instruction. The ability to prioritize such traffic, especially for rural schools with more limited bandwidth options, is a "big deal for us," Close says. "A lot of streaming video may be on YouTube, and there might be great educational content, but it doesn't need to get there first."

NGFWs Provide Flexibility and Safety

The investment in NGFWs means the center's users can go ­beyond allowing or blocking ­traffic: "This lets us be more granular in the way we control what we give access to, or even which groups have access to something," Francis explains.

Teachers, for instance, can access a resource online to use as part of their lessons, without opening the site up for general use by students. The technology also helps schools master the challenge of providing open access to information, while preventing students from accessing restricted content. IT can prevent ­students from diving into web mail applications or social media, for ­example, while still affording Internet access for research.

16.6% Estimated compound annual growth rate of the next-gen firewall market

SOURCE: "Global NGFW Market 2011–2015" (TechNavio, November 2012)

"An older firewall provides little to no help in accomplishing that," says Jason Wood, senior security ­analyst at the consultancy Secure Ideas. "Next-gen firewalls are ­designed to address that issue."

With content filtering support, NGFWs also can help schools achieve compliance with the Children's Internet Protection Act, which mandates that students be blocked from ­inappropriate Internet content. That was a top ­priority for Jonathan Ferrara, information technology manager for Revere (Mass.) Public Schools, where about 7,000 students enjoy access to computers. Additionally, a notebook computer program is ­being piloted for Revere's fifth-grade students, while 1,600 high school students rely on tablets as their primary learning tool.

"In order to protect kids according to the CIPA guidelines, we needed a next-generation firewall," Ferrara says.

More Functionality, Lower Costs

By collapsing multiple functions — intrusion detection/prevention, anti-virus, anti-spam and web content ­restrictions — into a single device, a next-gen firewall provides another important benefit to K–12 IT leaders trying to juggle multiple requests and issues with limited staff.

"The idea of having functions such as bandwidth restrictions and content filtering controlled within a single device can reduce some of the demands on network administrators," Wood says. "Now, they don't have to deal with keeping their firewalls, IDS/IPS, web proxy and spam filtering systems working in harmony."

Simplifying management of the environment also offers the potential for financial savings, Wood says. As schools leverage such devices to reduce recurring network capacity upgrades, for example, additional savings may result.

Ferrara, meanwhile, believes that next-gen firewalls are as necessary today as any other basic infrastructure. "You need heat, so you have to pay for that," he says. "If you want to have security and optimize bandwidth, you have to push to the next level."

Putting the Brakes on Bandwidth Demands

The ability to apportion bandwidth limits and mandate priority access at the application level, or even exclude services, can help schools avoid endless upgrades to network capacity in the face of unchecked demand.

At Revere Public Schools, a 7,000-student district north of Boston, Information Technology Manager Jonathan Ferrara was able to use next-generation firewall technology to ­eliminate student access to a streaming music service. IT logs showed the app was the second most used by ­students, but never for academic purposes.

"It's amazing how that freed up so much more bandwidth for other things we needed," Ferrara says. "You don't want to have to spend your budget on [capacity] upgrades. You want to make better use of what you have."

Similarly, Cisco Meraki next-gen firewall devices enable the Region 9 Education Service Center in Wichita Falls, Texas, to see exactly what devices are connected on its ­network. One of its district schools recently complained about slow Internet performance, and the center was able to determine that tablets were consuming most of the ­network traffic — about 82 percent.

Clint Close, Region 9's technical specialist and ­technology/network database administrator, says most of those tablets belonged to students.

"We can either add more bandwidth or shape the traffic — that is, take the whole group of student tablets and give them 20 of the school's 50 megabytes," Close explains. "Once they hit that, they slow down, but no other devices are affected. That way, student tablets can't consume all of the bandwidth the school purchased."

<p>Dan Bryant</p>