Harry Doctor Jr., center, the IT technology manager at West Windsor-Plainsboro School District, and his staff built out the district’s security infrastructure to support its one-to-one and BYOD programs.

Mar 31 2016

Security at K–12 Schools Ramps Up as More Devices Roll In

K–12 districts increase security measures as more students bring their own devices to school.

When West Windsor-Plainsboro Regional School District in New Jersey launched a one-to-one computing initiative to go with an existing bring-your-own-device (BYOD) program, IT Infrastructure Manager Harry Doctor Jr. faced two challenges: He needed to ensure that every classroom had ample bandwidth and had to address security risks from the influx of mobile devices.

Doctor and his IT team resolved both issues last summer by investing in a state-of-the-art, high-speed network that fortified security. The IT department installed a new Palo Alto Networks next-generation firewall and new F5 Networks load-balancing appliances that also protected the network against denial-of-service (DoS) attacks.

“We use multiple levels of security because one appliance can’t do it all,” Doctor says.

As school districts embark on one-to-one computing and BYOD initiatives, they must architect their networks with security in mind. That includes deploying network security appliances, such as next-generation firewalls and network access control (NAC) devices, and segmenting their networks into separate virtual LANs (VLANs) to bolster security.

Next-generation firewalls, for example, provide multiple security features, such as stateful packet inspection, intrusion prevention, malware protection and web filtering.

“It’s the Swiss Army knife of network security,” says Eric Parizo, senior analyst for enterprise security at Current Analysis.

Some districts use NAC appliances to ensure that mobile devices meet security requirements, such as having the latest anti-virus software or patches installed. If devices need remediation, users are sent to download anti-virus software or update their software before they can connect to the network.

As for network segmentation, a district can split its network into separate VLANs, so students on a Wi-Fi network can’t access critical servers and applications. Furthermore, if a student introduces a virus or malware, it can’t propagate through the rest of the network.

“They can put intrusion prevention devices between the virtual networks to make sure nothing bad escapes from one low-security network to a high-security network,” Parizo says.

Implementing Layered Security at Schools

West Windsor-Plainsboro Regional School District, which implemented BYOD about five years ago, launched its one-to-one initiative in 2014. Since then, the district has issued Chromebooks to fifth-, sixth- and seventh-grade students and will expand the program to eighth graders next year and into high school in future years.

To prepare for a full one-to-one rollout of Chromebooks, the district last summer upgraded the network with Cisco Nexus 9500 Series switches, providing redundant 10-gigabit-per- second speeds at the network core. The IT department also installed 120 more access points throughout its 10 schools to improve wireless coverage.

The two new network devices — the F5 Big-IP 4000 Series load balancer and a Palo Alto Networks PA-5050 firewall — augment existing Cisco Web Security Appliances (WSAs) that the district uses for web content filtering, which blocks students from inappropriate or malicious websites.

When students connect devices to the district’s open Wi-Fi network, the network traffic first travels to the F5 device, which can stop 65 types of DOS attacks, Doctor says. The network traffic then passes through a cluster of Cisco WSA devices, and then the Palo Alto Networks firewall.

“If the Cisco WSA content filter misses something and a malicious URL gets through, we have the Palo Alto [Networks] firewall to catch it,” he says.

The next-generation firewall does more to defend the network than the district’s previous traditional firewall, Doctor says. Besides serving as the district’s secondary web filter, the Palo Alto Networks device can block threats with built-in intrusion prevention, malware and spyware protection and application filtering, which prevents students from accessing unapproved applications.

The district subscribes to Palo Alto Networks’ WildFire service, which monitors the web for the latest outbreaks and updates the firewall every 15 minutes with the latest threat protection, such as new anti-malware and anti-spyware rules and new malicious websites that must be blocked.

“It’s critical to have good protection on the network edge, and the Palo Alto Networks firewall keeps our kids safe,” he says.

How VLANs Boost Security

The San Lorenzo Unified School District, which has 16 schools in San Francisco’s East Bay, is in the midst of a one-to-one deployment. The goal is to provide Chromebooks to students in grades two through 12, and tablets to kindergarten and first-grade students. So far, 124 of the district’s nearly 500 classroom teachers have devices, says Sam Sakai-Miller, director of technology integration services.

To support the one-to-one program, the district installed a new Ruckus Wireless Wi-Fi network during the summer of 2014. The IT department configured the network to support WPA-2 encryption and 802.1X authentication standards and created several service set identifiers for the network. The additional SSIDs are hidden from view, but if the existing SSID becomes compromised, the district can shut it down and use one of the other SSIDs, says Frank Ng, the district’s network systems analyst.

The Alameda County Office of Education serves as San Lorenzo Unified’s Internet service provider. The district uses the county’s Palo Alto Networks next-generation firewall to protect its internal network. Most security threats are blocked by the firewall, but to improve network security, the IT department also segments its internal network into different VLANs for staff, students, servers and multiple wireless networks.

“We use access control lists on the internal network to prevent students from accessing our different VLANs and machines,” Ng says. “Students have limited access to things internally.”

The Best Security System Has Room to Adapt

IT administrators at Seminole County Public Schools in Florida view network security as a continuous work in progress.

The district, which has 66,000 students in 67 schools, is adopting a digital learning curriculum, and to support the effort, the district allows BYOD and currently owns enough desktop computers, notebooks and tablets to provide a 3-to-1 student-to-device ratio.

Seminole County Public Schools standardized on the Dell SonicWall SuperMassive 9600 next-generation firewall and uses its additional security features, including intrusion prevention, malware and virus protection and virtual private network technology, says Tom Condo, supervisor of information services operations.

The IT department recently deployed mobile device management software to secure school-owned mobile devices. The software prevents users from installing inappropriate or potentially insecure applications, Condo says. But the IT department can’t manage BYOD devices the same way.

To improve BYOD security, the IT staff this year will explore purchasing NAC software to ensure devices meet minimum security requirements.

“You can’t prevent students and staff from installing apps on their own devices,” Condo says. “The NAC would allow us to sandbox their devices to make sure they have the latest recommended security patches before they get on the network.”

Jesse Dittmar

aaa 1