The challenge

District of Columbia Public Schools (DCPS) in Washington, D.C., instructs more than 56,000 students in 144 schools and learning centers. DCPS is the 48th-largest school system in the United States and an institutional member of the Consortium for School Networking (CoSN)–one of the country’s premier voices in educational technology leadership.

Like all K-12 environments, DCPS is concerned with managing internet usage by both students and staff. Of special concern are communications sent outside DCPS’s traditional control systems via a variety of mechanisms, including eMail, web mail, and instant messaging. These messages could contain sensitive, confidential, inappropriate, or even threatening content.


CPS students sign an Internet Acceptable Use Policy (AUP) stating they will abide by the communication channels and content guidelines. Another restriction on the use of the internet in schools is the fact that student internet traffic is governed by numerous government regulations. School administrators must demonstrate compliance with the Children’s Internet Protection Act (CIPA) and other laws to obtain federal subsidies under the eRate and other ed-tech funding programs. AUPs are a preferred tool to help demonstrate this compliance and ensure student safety.

In addition, DCPS, by nature, maintains sensitive information on its students, including identity, grading, and health information. Much of this information requires protection under federal regulations, including the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). FERPA compliance, like CIPA and the eRate, is tied to federal education funding.

Over the years, DCPS Information Security Officer Joseph Renard had installed enterprise-level internet filtering and bandwidth-monitoring software to help enforce the school system’s AUP. This software could identify which PCs and laptops were sending inappropriate material, but it could not block the transmission of such material, nor could it control the information flowing to non-blacklisted locations.

DCPS determined the risk of violations to its AUP and federal regulations needed to be mitigated. The ideal solution would need to handle many problems, including enforcing the district’s AUP, protecting students from inappropriate or threatening content, concealing student and staff identity information, and ensuring compliance with federal regulations.

The solution

Like most information technology organizations, DCPS has a limited number of personnel to manage the systems required to support and ultimately improve teaching and learning, and to keep these systems and its network secure. To be successful, the system DCPS chose had to meet certain criteria. First, the district needed a solution that could be installed quickly with minimal impact on enterprise architecture. Second, this solution had to provide a single view of all traffic flowing on the network; this differed from traditional point solutions tied to an individual application, thus requiring too many products and resources to manage. Finally, given the constraints on human resources, the district wanted a system that could automatically enforce the rules, not just report violations and require an analyst to follow up with the user.

In October 2004, Renard purchased and implemented the Fidelis Extrusion Prevention System (XPS) from Fidelis Security Systems to meet these requirements. He was attracted to the Fidelis XPS’s enterprise-friendly architecture, its all-channels visibility, and above all, its ability to block the data transmission based on policies across all traffic on the network. Renard installed Fidelis XPS to watch traffic flowing to the network’s egress point to the internet. These sensors analyze network traffic over all channels in real time according to pre-installed and customized rules for DCPS. These rules, or policies, range from controlling network channels to inspecting content for acceptable use and compliance.

The district’s AUP has two key aspects. First, it does not allow the use of instant messaging or peer-to-peer traffic. This has become increasingly difficult to enforce, because new versions of these applications have features to subvert firewall controls, including technologies such as port-hopping and the ability to tunnel through approved protocols. As a result, the DCPS solution had to be able to control the channels of communication available on the network. Second, the district’s AUP prohibits sending information that is pornographic, threatening, racist, or otherwise inappropriate. Any solution also had to control the content flowing within these channels.

According to Renard, “First, we needed a solution that would enable us to enforce our policies via the applications approved to run on our network–blocking unapproved channels regardless of how they flow on the network. Second, we needed to block the transmission of certain kinds of inappropriate messages. Fidelis XPS enables us to use a very focused approach to enforcing our AUP and ensuring student safety.”

In addition, Renard was concerned about the security of DCPS’s student and faculty records. This risk could present itself in many ways, ranging from an employee accidentally disclosing information to an insider stealing identity information or a hacker successfully penetrating DCPS’s systems.

“We have seen significant data leakage at universities,” said Renard. “The leakage of electronic student records would present a significant impact on our students, potential legal liability, and potential negative impact on federal funding. Fidelis XPS addresses what otherwise could be a worst-case scenario.”

The results

Fidelis XPS has improved student safety, recovered bandwidth, and continually addresses threats to identity data, Renard says. The solution also has prevented the transmission of messages with inappropriate and even threatening content. Renard believes blocking these messages has increased student safety by preventing potentially serious incidents.

In addition, Fidelis XPS has significantly increased Renard’s ability to enforce the district’s AUP while maintaining students’ ability to learn and use the most current electronic communications tools. This has produced the side benefit of recovering bandwidth and reducing the need for future upgrades by eliminating the rogue channels, particularly instant messaging and peer-to-peer traffic, running on the network.

Finally, Fidelis XPS also provides DCPS with the tools to address possible threats to critical student and other data. “Computer security is always a challenge of balancing the security of students and regulatory compliance with the need to provide students with the latest learning technology,” Renard concluded. “Fidelis XPS has the ability to block the unauthorized transmission of data over all network channels and enables us to focus our security efforts and strike this balance.”