Next-Generation Firewalls Do More than Block Traffic
Students are tech-savvy. So are the people who want to exploit them and the schools they attend. Those are just two of the many reasons why school districts are increasingly upgrading their firewalls to next-generation platforms that do more than just block unauthorized traffic.
Case in point: In August 2015, Winona Area Public Schools wanted to consolidate multiple services onto a single platform, including web content filtering, encryption, VPN, application control, QoS, IPS and directory services integration. It did that by replacing an Astaro ASG 625 and the Sophos Enduser Protection Suite with Fortinet’s FortiGate 1000D.
“It is great having content filtering working within the same appliance,” says Kevin Flies, Winona’s information systems director. “It is much easier to determine why a particular site may or may not be working.”
Cutting Back on Complexity
Consolidation also reduced complexity that was a byproduct of having the server and firewall in separate buildings. For example, although both could be managed remotely, IT staff had to log in to multiple applications every time they made updates and other changes.
“With Fortinet, we can manage all of these resources from a single interface,” Flies says. “I think the simplest way to sum that up was ‘one OS, one interface, one system, one location.’ ”
Some districts upgrade to next-generation firewalls (NGFWs) around the time they start providing students with notebooks and tablets. That was the case at suburban Seattle’s Lake Washington School District, which deployed a Palo Alto Networks PA-5020 to enable deep packet inspection for identifying and thwarting file sharing.
“This rapid expansion of the devices on our network mandated more capacity at all levels and the ability to better deal with modern cybersecurity threats,” says Sally Askman, director of technology. “Furthermore, we were looking to minimize the number of devices (a separate firewall, URL filter and deep packet inspection device) while bringing high availability to our network core.”
Getting More Processing Power
By February 2015, Lake Washington needed even more core processing power to support skyrocketing sessions, so it upgraded to a pair of PA-5060s configured in active-passive mode for redundancy.
“This change allowed us to remove our Internet aggregation device, URL filter appliance and firewall, and consolidate them all into a single NGFW,” Askman says. Earlier this year, Lake Washington added Microsoft DirectAccess, enabling the district to tunnel traffic from student devices back to its network, where it is URL-filtered by the PA-5060. That allowed the district to retire its external filtering agents and appliance.
“Our students can get on any Internet connection, and we know that they have a barrier of protection with the NGFW for malware and inappropriate websites,” Askman says. “We now have excellent visibility in the traffic traversing our firewall through a single pane.”
Cyberthreats Averted
Districts that have upgraded to NGFWs say they provide insights and protections that traditional firewalls can’t deliver. But when comparing different vendors’ NGFWs, it’s important to scrutinize how user-friendly all of those capabilities are. If they’re not, they’re less likely to be used, undermining security.
“Application control is a feature we did not use in our previous firewall, as it was cumbersome and convoluted,” Flies says. “Fortinet easily allows you to set priority levels on application categories.”
File sharing such as BitTorrent and firewall-bypass software are two common vulnerabilities that NGFWs help stop via techniques such as deep packet inspection. They also can thwart malware that communicates with servers by blocking that traffic. “This could really help to narrow down the location of a malware breakout quickly if it were to occur, and mitigate the damage, as the malware is not able to send back to the hacker server,” Askman says.
Flexibility and Future Proofing
Because they’re software-defined and signature-based, NGFWs also give districts more flexibility and future proofing. For example, instead of just blocking ports, NGFWs can block specific application signatures, which change over time. That’s one major benefit that Hillsborough County Public Schools got when it deployed FortiGate. The Tampa, Fla., district also became better able to address changes in traffic types, such as those involving tablets, which have apps that aren’t running typical HTTP.
“Most of the traffic, even Google images, have started using secure connections — HTTPS — and we had a tough time getting that addressed because of the way Google handles it,” says Rick Laneau, executive officer for IT compliance. “With the new firewall, we started doing man in the middle.
“That blocked a lot more. If somebody has a generic firewall that isn’t doing decryption, you’re letting anything go through unfiltered.”
Hillsborough also got deep visibility into what’s traversing each port. That turned up a few surprises.
“We actually block more than we originally thought we were blocking,” says Scott Gafner, IT manager for infrastructure and shared services. “Our traffic utilization went down because once we started blocking, we think the kids started dropping off and going to their own cellphones’ data plans.”
This visibility also enables districts to prove that a device wasn’t connected to its network when it accessed explicit content — key for ensuring compliance with the Children’s Internet Protection Act. That was the case recently when a parent called to complain about a student sharing offensive images on a cellphone, and the NGFW determined that the pictures were downloaded over cellular.
“It gets blamed on the school network, but we know it didn’t come from that,” Laneau says.