The Mount Pleasant, Texas, Independent School District faces security challenges common to many K-12 school systems: a diverse and changing--sometimes precocious--user base, a relatively open environment, and few financial resources.
"One of the biggest problems we have is that a lot of students like to experiment," says Noe Arzate, systems administrator and security guru for the district. In particular, students like to prove to each other that they can access off-limits systems and web sites, Arzate notes. With 5,000 students and roughly 900 employees spread across eight sites, there's reason for concern.
The district's schools are equipped with computer labs, and typically one account supports multiple users. If a high school student wanted to access resources at a middle school, for example, or tried to access the grading, finance, or other sensitive computer systems, Arzate had no way to detect the unauthorized activity, let alone stop it. In addition, vendors--such as professionals hired to provide staff training--often are on site. These visitors could "plug in their laptop, and they're ready to connect to pretty much every system in our network," he says.
Mount Pleasant's facilities were protected at the perimeter by an intrusion protection system (IPS) and anti-virus software. However, "we didn't have a way to protect the internal network," Arzate says. "We didn't really know what users were doing." He wanted a way to control who gets onto the network and to monitor and control how network resources are used. "We could create policies in Active Directory, but it gets complicated," he explains.
Arzate also wanted a way to contain malware. "Anybody can come from home with a floppy and spread a virus. But to deploy an IPS unit on all the different segments would be very expensive," he notes.
For three years, Arzate searched for an easy-to-use, affordable LAN security solution that would allow him to track and control traffic within the district's network. His search ultimately led him to ConSentry Networks and its LANShield access control platforms.
ConSentry provides a full set of LAN security services, including network admission control to restrict who gains access to the network; visibility into all traffic; identity-based control to limit resources to specific user groups or roles; and malware control. A Layer 2-7 "aware" device, ConSentry's LANShield Controller operates in line between wiring closet switches and core switches or routers, which gives it complete visibility into LAN traffic. Using deep-packet inspection, the LANShield Controller tracks all user activity and all traffic flows on the network, tying users to flows and enforcing policies. This type of detailed visibility into user activity allows Arzate to define a range of access-control policies, including those based on MAC and IP addresses; applications and content at Layer 7 and above; users and roles; network destinations or zones; location; and time. Controls can be very granular, because the LANShield Controller reportedly has visibility into all user activity, including login/logout time, applications run, resources reached, and transactions performed.
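To make the identity-based, zone-based and time-based controls described above concrete, here is an added example: a small Python policy evaluator written for this page, not ConSentry's code or the district's configuration. It assumes that the controller has already tied each flow to an authenticated user and role and classified its application, and it uses constructed zone addresses, role names, rule names and sample flows. It demonstrates the general pattern (first matching allow rule wins, everything else is denied and surfaced for review) rather than the specific policy language of any product.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed address plan for the example (not the district's real addressing).
ZONES = {
    "highschool-lab": ip_network("10.1.0.0/16"),
    "middleschool-lab": ip_network("10.2.0.0/16"),
    "admin-systems": ip_network("10.9.0.0/24"),  # grading, finance and similar servers
}


def zone_of(ip: str) -> str:
    """Map an address to its network zone; anything unlisted is 'unknown'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


@dataclass(frozen=True)
class Flow:
    """One traffic flow after it has been tied to an authenticated identity."""
    user: str
    role: str          # from authentication; "guest" if the host never authenticated
    src_ip: str
    dst_ip: str
    app: str           # Layer 7 application as classified by deep-packet inspection
    when: time


@dataclass(frozen=True)
class Rule:
    """An allow rule; every field except roles/dst_zones is optional (None = any)."""
    name: str
    roles: frozenset
    dst_zones: frozenset
    src_zones: Optional[frozenset] = None
    apps: Optional[frozenset] = None
    hours: Optional[tuple] = None  # (start, end) inclusive time-of-day window

    def matches(self, flow: Flow) -> bool:
        if flow.role not in self.roles:
            return False
        if zone_of(flow.dst_ip) not in self.dst_zones:
            return False
        if self.src_zones is not None and zone_of(flow.src_ip) not in self.src_zones:
            return False
        if self.apps is not None and flow.app not in self.apps:
            return False
        if self.hours is not None and not (self.hours[0] <= flow.when <= self.hours[1]):
            return False
        return True


# Constructed allow-list. Staff reach the admin systems over HTTPS during school
# hours; students stay inside their own campus segment; guests get nothing.
POLICY = [
    Rule("staff-to-admin-systems", roles=frozenset({"staff"}),
         dst_zones=frozenset({"admin-systems"}), apps=frozenset({"https"}),
         hours=(time(7, 0), time(18, 0))),
    Rule("students-within-highschool", roles=frozenset({"student"}),
         src_zones=frozenset({"highschool-lab"}), dst_zones=frozenset({"highschool-lab"})),
    Rule("students-within-middleschool", roles=frozenset({"student"}),
         src_zones=frozenset({"middleschool-lab"}), dst_zones=frozenset({"middleschool-lab"})),
]


def evaluate(flow: Flow) -> tuple:
    """Return (action, rule_name): first matching allow rule wins, otherwise deny."""
    for rule in POLICY:
        if rule.matches(flow):
            return ("allow", rule.name)
    return ("deny", "default-deny")


def audit(flows) -> list:
    """Return the denied flows with the reason, the list an administrator would review."""
    denied = []
    for flow in flows:
        action, reason = evaluate(flow)
        if action == "deny":
            denied.append((flow.user, flow.role, zone_of(flow.src_ip), zone_of(flow.dst_ip),
                           flow.app, reason))
    return denied


# Constructed sample flows: a shared lab account, a teacher, and an unauthenticated laptop.
SAMPLE_FLOWS = [
    Flow("hs-lab-07", "student", "10.1.4.20", "10.1.0.15", "smb", time(10, 15)),   # own campus
    Flow("hs-lab-07", "student", "10.1.4.20", "10.2.0.30", "smb", time(10, 17)),   # other campus
    Flow("hs-lab-07", "student", "10.1.4.20", "10.9.0.5", "https", time(10, 20)),  # grading server
    Flow("jsmith", "staff", "10.1.8.3", "10.9.0.5", "https", time(14, 0)),         # school hours
    Flow("jsmith", "staff", "10.1.8.3", "10.9.0.5", "https", time(23, 30)),        # after hours
    Flow("vendor-laptop", "guest", "10.1.9.77", "10.9.0.6", "ssh", time(13, 0)),   # never logged in
]

if __name__ == "__main__":
    for entry in audit(SAMPLE_FLOWS):
        print(entry)
```

The evaluator is an allow-list: a flow that no rule permits is denied even when the source address, application and destination look ordinary, which is what catches the shared lab account reaching into another campus or the grading server, and the vendor laptop that never authenticated. Time-of-day is part of the match, so the same teacher credential that is allowed at 14:00 is denied at 23:30.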