The Mount Pleasant, Texas, Independent School District faces security challenges common to many K-12 school systems: a diverse and changing–sometimes precocious–user base, a relatively open environment, and few financial resources.
"One of the biggest problems we have is that a lot of students like to experiment," says Noe Arzate, systems administrator and security guru for the district. In particular, students like to prove to each other that they can access off-limits systems and web sites, Arzate notes. With 5,000 students and roughly 900 employees spread across eight sites, there’s reason for concern.
The district’s schools are equipped with computer labs, and typically one account supports multiple users. If a high school student wanted to access resources at a middle school, for example, or tried to access the grading, finance, or other sensitive computer systems, Arzate had no way to detect the unauthorized activity, let alone stop it. In addition, vendors–such as professionals hired to provide staff training–often are on site. These visitors could "plug in their laptop, and they’re ready to connect to pretty much every system in our network," he says.
Mount Pleasant’s facilities were protected at the perimeter by an intrusion protection system (IPS) and anti-virus software. However, "we didn’t have a way to protect the internal network," Arzate says. "We didn’t really know what users were doing." He wanted a way to control who gets onto the network and to monitor and control how network resources are used. "We could create policies in Active Directory, but it gets complicated," he explained.
Arzate also wanted a way to contain malware. "Anybody can come from home with a floppy and spread a virus. But to deploy an IPS unit on all the different segments would be very expensive," he notes.
For three years, Arzate searched for an easy-to-use, affordable LAN security solution that would allow him to track and control traffic within the district’s network. His search ultimately led him to ConSentry Networks and its LANShield access control platforms.
ConSentry provides a full set of LAN security services, including network admission control to restrict who gains access to the network; visibility into all traffic; identity-based control to limit resources to specific user groups or roles; and malware control. A Layer 2-7 "aware" device, ConSentry’s LANShield Controller operates in line between wiring closet switches and core switches or routers, which gives it complete visibility into LAN traffic. Using deep-packet inspection, the LANShield Controller tracks all user activity and all traffic flows on the network, tying users to flows and enforcing policies. This type of detailed visibility into user activity allows Arzate to define a range of access-control policies, including those based on MAC and IP addresses; applications and content at Layer 7 and above; users and roles; network destinations or zones; location; and time. Controls can be very granular, because the LANShield Controller reportedly has visibility into all user activity, including login/logout time, applications run, resources reached, and transactions performed.
"The ConSentry controller is a great complement to the other security solutions we have in place," Arzate notes. Using LANShield’s admission control and captive portal feature, he can control who gains access to the LAN, from students, teachers, and administrators to guests and contractors.
With ConSentry’s visibility capability, Arzate says he’s able to see what a user did and how and when he or she did it, enabling him to correct any problems that might have caused a security breach. The Controller’s identity-based controls allow him to limit which servers and other resources users can access. For example, only teachers and key administrators will have access to the grading system. Similarly, guests will be restricted to internet access.
In addition, ConSentry’s malware controls supplement the district’s existing IPS and anti-virus controls. The LANShield Controller provides more accurate detection of attacks than security tools operating at lower layers, while blocking at a finer level of granularity. And ConSentry’s patent-pending malware algorithms reportedly can detect zero-day or zero-hour worms by differentiating worm traffic from normal user behavior, for example.
The LANShield Controller is a drop-in appliance, which was a significant draw for Arzate. A completely transparent platform, the Controller reportedly requires no changes to the existing LAN design or hardware, has no impact on LAN traffic, has no dependencies on specific host or authentication infrastructure, and does not require users to interact with the network any differently.
With limited funds, "we can’t afford to reconfigure our network just to implement a solution like this," Arzate says. "So the fact that we were able to just switch a couple of patch cables and have the system up and running without any major reconfiguration was a big plus."
Using the LANShield Controller’s visibility function, "I’ve been able to see some computers generating unnecessary traffic inside the network," Arzate says. He’s also used the LANShield Controller to pinpoint a denial of service attack. The IPS identified a printer as the source of anomalous traffic; however, the Controller showed Arzate that a computer connected to the printer was actually the source of the problem–it was using the printer to perform port scans on other systems.
Arzate plans to implement access-control policies in phases, one site at a time, beginning with a few simple policies, followed by more granular ones.
"I’m going to create policies that limit what users can do. For example, only the people who need access to that financial server are going to be able to connect to it. I’ll do that with all the different servers," he says. Likewise, Arzate will use policies to restrict what types of resources students can reach via their group accounts.
ConSentry’s solution gives the district more control over LAN users and resources, which translates to more "uptime"–and better student instruction.
"Teachers lose a lot of time when they don’t have a computer," Arzate explains. "They can’t put grades in, and they don’t have the resources to provide the instruction." Being able to control how the network is used and block suspicious traffic "is going to save a lot of time and … a lot of money," he concludes, because less time will be needed for troubleshooting. Links: