The Layered Approach to Network Security

"Technology is as native to today's students as electricity is to a modern society," says Bobbi Novell, technology director for the 3,000-student district. "It has to be there – and be reliable and safe. It's a challenge!"

That challenge has been significantly mitigated by the district's new security solution, which includes a firewall, web and e-mail filtering, and antivirus software. Deployed in 2010, the combination is earning high marks at Warren County's high school, middle school and three elementary schools.

"The biggest benefit is how it affects the classroom experience by supporting education and helping students to become productive, successful 21st century learners," Novell reveals. "That's our goal. That's what technology is there for."

With the increasing popularity of online resources and Internet-based instruction, Warren County isn't alone in its quest to bolster network safety. According to Robert Ayoub, global program director for network security at research group Frost & Sullivan, districts nationwide are working to shore up protection.

"In the past, many districts did very little to address security," Ayoub says. "Districts are now taking it much more seriously."

Yet doing so can present a unique set of challenges. "Students are notorious for pushing the limits and exploring sites that they shouldn't be," Ayoub explains. "Yet there's a lot of private information that school administrators need access to, such as medical records, addresses and Social Security numbers."

To that end, many schools are investing in the layered approach: a security system that relies on several tools and policies to safeguard multiple areas of the network. By defending against worms, theft, unauthorized access, insider attacks and other security considerations, a layered solution prevents a single point of failure and helps cast a wide net to offer pervasive protection.

"Security works best when it's in layers," Ayoub emphasizes.

"The more controls that can be deployed, the better. By having a firewall, antivirus and filtering, at a minimum, districts can address a large percentage of the problems."

Layer by Layer

The approach certainly has worked for Warren County. "If any one of our layers is ever compromised, then another layer will protect us until the problem can be fixed," Novell says.

Yet that wasn't always the case. A number of struggles plagued the district prior to its implementation of a layered solution, beginning with an aging firewall. "The biggest problem was that it was old," says district technician Steven Schaefer. "While the rest of the network infrastructure had been updated, the firewall had not."

Consequently, the manufacturer was no longer supporting the model when it reached its end of life. More important, the old firewall couldn't accommodate virtual private networks (VPNs), which the district wanted so its 450 employees could access network data from off campus.

Enter the SonicWall Network Security Appliance 4500, which integrates multi-core hardware with deep-packet firewall inspection, including gateway antivirus, antispyware and intrusion prevention; an application firewall for perimeter and internal protection; and an extensive array of advanced security and networking features. The robust firewall also enables high-performance VPNs, which can scale to thousands of endpoints and district sites. "With this product, we can take computing outside of the walls and outside of the school day," Schaefer says.

While supplying students with web access is a top priority, the district also must prevent them from surfing harmful or inappropriate sites and ensure that the network remains free of potential contaminants. "It doesn't do any good to provide access if we're constantly fighting viruses and intrusions," Novell points out.

Those potential problems have been alleviated with the addition of EdgeWave's (formerly St. Bernard Software's) iPrism Web Filter. By integrating managed service scalability with proven appliance-based control, the solution helps districts mitigate the risks of legal liability, prevent security breaches and prevent productivity loss while optimizing network performance.

"We needed a product that was easy to customize and could keep up with the hundreds of thousands of new sites that come on the market each day," reports Schaefer, noting that the district's previous filter was incompatible with its thin client computing environment and was frequently tested by users trying to block or circumvent the software. "With our previous system, we couldn't do any live monitoring as it was happening," he says. "The new solution allows us to watch Internet access in real time, and that can be very helpful."

Schaefer also values the product's flexible reporting capabilities, which let the district quickly gather information at several levels and easily identify patterns. Its user-friendly filter, meanwhile, provides the customization options district officials wanted. "We can recategorize sites on the fly to give users access as they need it," he notes. For instance, a teacher wishing to visit a specific site during class simply clicks to request the URL be unblocked.

The filter's compatibility with thin client computing is equally beneficial. "The new solution doesn't care if it's a stand-alone computer or a virtual desktop," Schaefer explains. "Plus it's much less work for the team, and we're able to troubleshoot much more quickly. It's a sophisticated system that allows a lot of customization on our end."

Also contributing to a sparkling-clean network is Kaspersky Anti-Virus software, which offers real-time automated protection from a range of IT threats. Tim Harman, the district technician responsible for this area of network security, says the biggest challenge with the previous solution was that it also conflicted with the thin client environment. "They couldn't run together," he explains. "A lot of malware was getting past, and we were seeing a lot more infected machines."

Thanks to Kaspersky, "we have a much better edge on malware now," Harman continues. "The smaller footprint really helps, and the product requires fewer resources."

The district is equally pleased with its new Websense e-mail security solution. "Only about 30 percent of what we receive is legitimate e-mail," says technician Ron Greer, noting that more than 60,000 e-mail messages per week attempt to infiltrate the district's mailboxes. Some 40,000 of those are blocked by Websense blacklists, while another 6,000 or so are thwarted by the product's secure digital fingerprints and word scores. In the end, only 14,000 are actually delivered to the end user. Another way that Websense keeps potential intruders at bay is by updating every hour. "We very rarely get an e-mail that shouldn't be there," Greer says.

"There have been very few complaints of spam e-mails," Novell adds. "It's virtually eliminated it. I think that's incredible."

Lessons Learned

Indeed, the various components of the district's layered-security solution have met all of its objectives – and then some.

"We want [students] to be able to seamlessly step right into college or the workforce," Novell says, "and this solution helps us do that. We can enforce safe searching. Now we have a viable functioning platform for students to get out on the Internet. They can collaborate and share. A teacher can teach outside the normal classroom."

The district's security upgrades haven't gone unnoticed by instructors. According to Aaron Wokurka, a seventh-grade science teacher at Black Hawk Middle School, the overall network is now much easier to use. "All the computers work because the security is excellent," he says. "A public computer usually is infected with viruses, spyware, key loggers and so on. However, in our lab all our computers function properly."

Wokurka also has a newfound confidence that his students won't inadvertently surf into harm's way.

"I know that whatever content they are viewing at school will be both safe and appropriate," he says.