There's a good reason school networks are so hard to protect. They are remarkably diverse. A typical K-12 network could easily include laptops, desktops, a lab, Apple and Intel platforms, wireless and wired components, and on-site and remote access. Throw in a large number of users and an unavoidably high turnover rate, and it becomes hard to see how these networks are ever safe.
Securing these complex campus and district networks can seem daunting. But just as technology creates opportunities for mischief, so too does it deliver new tools to prevent it. Here's advice on how to keep your network safe.
First, update existing filtering methods, virus software and patches. This can't be stressed enough. Fortres Grand, N2H2, Norton, Power On Software, SurfControl, Symantec and other vendors continually enhance their products and technologies to handle new threats. Indeed, subscription-based services are increasingly popular partly because they eliminate update concerns.
Second, stay informed. Subscribe to security e-newsletters, especially those from hardware and software vendors used by the district. Apply patches and updates quickly. To automate patching tasks, large districts might look at Shavlik Technologies' HFNetChkPro package, which has an impressive ROI.
Third, explore newly developed solutions. For instance, packet-filtering and signature-based blocking both scan data-packet protocols on the fly to block unauthorized P2P activity and more regardless of source. Telemate.net's NetSpective WebFilter network appliance uses signature-based blocking. Palisade Systems' ScreenDoor software will block access by protocol, port or server address.
Wide reach also characterizes Vericept's VIEW Filter. It monitors all TCP/IP traffic--Internet, intranet, e-mail, attachments, chat, IM, P2P and more--for out-of-bounds activity plus it has adaptive URL blocking. SpectorSoft's Spector Pro software similarly tracks e-mails, chat, IM and even keystrokes via "stealth recording," sending an alert when suspicious activities or banned topics are detected.
Security Solutions Get Sneaky
Clearly, to protect networks from both smart programs and the clever people behind them, the newest breed of security solutions employ some deviousness as well.
Decoy servers, for example, simulate active servers with faked data and email traffic to attract any attacker. Once there, all activity is recorded for tracing back to the culprit. These are a class of intrusion detection systems (IDS). Symantec offers a robust Decoy Server. So does Palisade Systems, whose SmokeDetector program can mimic up to 19 server operating systems on one box. Also, IDS and/or filtering are built into some firewalls now, such as those from 3Com or Cisco Systems.
Detours are another approach. WebSense has Web-page requests pass through some control point (firewall, proxy server or caching device), where it checks them against a customizable set of parameters before sending along. NetSweeper transforms this "detour defense" into a turnkey solution by adding the router/proxy server. Being hardware-based, this system's filters and rules are extremely hard to circumvent.
Dedicated network-security appliances, in fact, have emerged as a trend. Decoy servers are one distinct type; others are more hybrid in nature. Most of this hardware dovetails with optional subscription-based services too, resulting in a comprehensive defense.
Symantec's Firewall/VPN Series, for instance, fits nicely with their filtering and virus software. VPN, for Virtual Private Network, basically creates a "tunnel" within the Internet for remote secure access to LANs. SonicWALL's Education Editions are tailored just for mixed platform K-12 networks. These security appliances include a firewall, VPN capability plus a free year of their content-filtering service that was just enhanced to Version 2.0. Add-ons include virus protection and a management module.
A new and elegant solution to remote-access security is the IVE, Instant Virtual Extranet. Introduced to K-12 schools this spring, security vendor Neoteris describes the network appliance as an "extranet in a box."
The IVE sits between an internal LAN and all outside users, intercepting all requests. After authenticating them, the IVE then spawns a second, separate and encrypted session with the LAN to pass along only copies (proxies) of the request and return results. Remote users never actually connect to the LAN, only to the IVE.
The IVE employs the same Web-based encryption--SSL--as banks and online shops do for transactions. This supplies secure access to e-mail, internal LAN resources, Web resources and more from any remote computer. Plus, for secure messaging, standard Windows programs like Microsoft Outlook and Lotus Notes work fine, eliminating costly VPN client software and all of its hassles.
Uniquely, the IVE controls LAN access at the application layer, enabling highly granular control. One can restrict incoming access to a single server or certain files and applications, for example, or limit outgoing requests to specific domains.
Finally, it's a real plug-and-play appliance. No DNS changes; no additional security configuration; no patches to Microsoft IIS servers. Just plug the IVE into the network for an instant school extranet portal.
"It took me 10 minutes to set up and zero maintenance since," confirms Julio Velasquez, director of information technology for Somerset Area School District in Pennsylvania. Needing to provide secure remote access to the district's Windows network for hundreds of teachers, staff and administrators--with a minimum of administrative headaches--the former CTO turned to Neoteris' IVE.
It was a good decision. "Teachers manage their own computers with it in place," he explains. "They can change their own passwords and more, and the IVE just handles it."
After a successful pilot with district faculty and staff, Velasquez says he'll open the IVE up as a secure portal for students and parents, too. "The beauty is it creates secure access for any remote computer, so it's perfect for our situation with constant student and parent turnover." Neoteris was not the "cheapest solution" at the outset, continues Velasquez, "but when you figure in the personnel costs, man-hours and more it saves, the ROI became pretty compelling."
Terian Tyre is a contributing editor.