A New Jersey public school system found a way to serve increasing broadband needs, while protecting its network, reports Greg Masters.
Brick is a township on the central New Jersey coast which is bordered on the east by three beaches. An inlet, Kingfisher Cove, splits the topography down its middle before emptying into the Atlantic Ocean. While decades ago it was primarily an agricultural area, following development of the Garden State Parkway in the 1950s, the region has become a popular destination for summer vacationers. Almost hourly, trains on the New Jersey Transit's North Jersey Coast Line shuttle passengers between Penn Station in midtown Manhattan and the next town over from Brick, Bay Head, a 2½-hour scenic ride that includes stops in Asbury Park and Point Pleasant.
Brick's year-round residents enjoy a quiet atmosphere that – despite the incursion of chain stores and fast-food restaurants – still maintains an aura of the 1950s, with kids riding their bikes on rural streets canopied with trees that are generations old. In fact, in a 2006 survey extrapolated from FBI statistics, the town was cited as one of the safest places to live in the United States (though the FBI has since refuted the use of its crime statistics in compiling quality-of-life charts).
The township has a population of just over 75,000, according to the 2010 census, and the school district serves 10,000 students in pre-kindergarten through 12th grade. While the environs might make some nostalgic for a more bucolic time, the majority of the population has been swept along like everyone else into the 21st century, keeping up with the latest gadgets and electronics. And, with the explosive growth of digital media used by the students and faculty, Ross Ellicott, manager of network operations for Brick Township Public Schools, realized that increasing bandwidth was a priority. He went looking for a solution that would alleviate the engorged traffic on the school district's network while at the same time safeguarding the data being transmitted.
“Brick Township has seen extensive growth in the adoption of Flash-based education sites, such as Study Island [test preparation software programs] and Everyday Mathematics [an online curriculum], YouTube teaching and rich interactive- and multimedia-based websites,” Ellicott says. “Simultaneously, students are increasingly taking up bandwidth by connecting to streaming music and video websites, like Pandora, Hulu and YouTube.”
Both students and faculty were taking advantage of an open, wireless “guest” network that had become what he terms an “iGarbage bin” of wireless devices. This was eroding the network's internet bandwidth. In addition, there are off-hours events, namely sports, where visitors, coaches, media personnel and other guests require internet access.
“As a result, bandwidth was and still is off the charts, and we found that our firewalls were no longer sufficient,” he says.
But increasing speed and availability on the network was not the only priority. Ellicott and his team faced other challenges as well. Of most concern was that cyber threats have increased.
As cyber criminals can now hack into the network from the application level, the district found that first-generation firewalls were not sufficient to deal with the emergence of application-based threats, says Ellicott.
His team found there were many false positives, as cyber criminals managed to send emails that looked legit, but weren't. Eventually, they had trouble detecting which threats were real and which weren't, plus schools throughout the district had difficulty logging into the network to complete their work or lessons. These and other problems threw the day-to-day operations of the school system into chaos – causing his team to work 24/7 to try and resolve the issues.
“Basically, stateful firewalls [a firewall programmed to keep track of network connections so as to differentiate legitimate packets for various connections and block those that don't match a known active connection] to me are dead,” he says. “The attacks that are happening today are emanating from within and going out. It's all botnets and rogue applications now. People try to lure you into clicking on an email, or you pass by a website infected by a virus and you get rogue anti-virus and rogue pop-ups.”
And, his team found that most intrusions were arriving via people using mobile devices. This was particularly alarming, as there are technical concerns unique to the education sector. Ellicott's team wondered how these devices were being used. Assuming that most users were students, the question for his team was: How does an unnoticed Droid or iPhone assist in a test-taking scenario?
Plus, from the technical side, these devices have run riot on the network, he says. “It is the struggle of balancing the benefit of the internet versus business compliance and productivity,” he says.
A safe, secure and fast network
The Brick Township school district has five full-time members on its IT team, in addition to Ellicott – a director; web and help desk personnel; and two building-level technicians. Two part-time employees are available for building-level work as well.
The district connects 3,500 devices, including 1,500 IP phones, across 16 building locations, Ellicott says. In addition, there has been a big increase in staff and students connecting to the network using iPhones and Android mobile devices. Prior to upgrading the school district's internet bandwidth, his team had no choice but to shut down its guest wireless network. What the Brick IT team originally thought would be a few guests, in fact ballooned to more than 500 registered devices.
Brick, he says, is a large school district trying to help its teachers and students take advantage of interactive and web-based learning technologies and tools. “We needed a solution that could provide our staff and students with a safe, secure and fast network,” he says.
The search begins
Ellicott and his boss – Leonard Niebo, the director of technology – reviewed a number of solutions to alleviate the congestion on Brick's network. Time was of the essence, so there was not a long evaluation period. The first tool they examined lacked an efficient management interface. One firewall they judged to be less intuitive lacked a full range of features and came with a frustrating technical-support response time.
After evaluating offerings, they chose the SonicWALL Next-Generation Firewall solution. “Frankly, SonicWALL blows away the other firewall offerings I've seen,” Ellicott says. “We had issues with response time for technical support with our previous firewall provider and we constantly received calls regarding internet lag.”
“SonicWALL products differ by their design philosophy, which is based around a single-pass streaming inspection engine that does not rely on proxies for deep-packet inspection,” says Dmitriy Ayrapetov, product line manager of network security at SonicWALL, which has its U.S. headquarters in San Jose, Calif. (Dell acquired the company in March for, it is believed, around $1.2 billion.)
The district has since deployed paired SonicWALL E-Class Network Security Appliance (NSA) E6500 Next-Generation Firewalls in high availability (HA) mode, running SonicOS 5.8, and bundled with SonicWALL Total-Secure. In addition to freeing up bandwidth to accommodate the increase in users and the amount of data being transmitted, the solution also provides gateway anti-virus, anti-spyware, intrusion prevention, application intelligence and control, content filtering, firmware updates and 24/7 support.
“By not proxying connections, like most other competitors do, we can scan hundreds of thousands of network streams of unlimited size simultaneously without introducing latency through buffering,” says Ayrapetov. This approach is combined with a multicore processor, and that results in a high-performance security engine, he adds.
A critical aspect of the engine is that it can scan everything, regardless of the port, Ayrapetov says. “Pair that power with application intelligence and visualization, and you have a very fast security and application control engine built from the ground up for performance.”
Deployment of the SonicWALL solution went smoothly, says Brick's Ellicott, and he has particular praise for the support team. “We found SonicWALL very easy to work with and responsive,” he says. “When we called with questions, the engineer would return our calls in minutes.”
Plus, the deployment was quick. The Brick school IT team had everything up and running in no time, Ellicott says. Careful planning and documenting the aging firewall's various sets of rules and exceptions made the switch-over almost seamless.
The firewall's visualization capabilities have given Brick Township granular control, rule creation and the ability to prioritize the applications that are most critical for the school district. In addition, the NSA E6500 has enabled the district to reduce threats and optimize bandwidth, he adds.
“SonicWALL has exceeded our expectations,” he says. “I am saving up to 15 hours a week with the reduction in support calls.” That is human capital that he and his staff can put back into other projects, he says.
Two SonicWALL E6500s now sit in the school district's core server room with redundant WAN links. The district also has a SonicWALL NSA2400 at a high-population, low-bandwidth location for internet egress. And, Ellicott says his team is now working to complete a site-to-site virtual private network (VPN) to a remote warehouse, primarily to connect the new voice over IP (VoIP) phone network. They are also working to complete the district's Active Directory-aware, user-based access controls.
“We cater to children through adult,” Ellicott says. “High school students are crafty and keep our department on its toes, while staff requires greater security and access to different computing platforms. We have a great responsibility to protect not only adults in the district but children as well.”
UPDATES: Keeping current
SonicWALL customers with active security services, such as the Brick Township public school district, receive regular updates by the firewall polling the company's back-end servers, says Dmitriy Ayrapetov, product line manager of network security at the San Jose, Calif.-based provider of internet security solutions. Usually the updates are hourly, but in some cases can become more frequent. There are no reboots necessary when an update is applied.
Additionally, the company's cloud-assist anti-virus feature, called Cloud-GAV, allows the firewall to query an additional six million-plus malware signatures that exist on the backend, Ayrapetov says. The updates there, by definition, are instantaneous.
“Most organizations at this point are extremely aware of the benefits of deep packet inspection, but we've seen most avoid deploying this technology because of performance implications or because of negative experiences with vendors who focus on protecting just a few common ports,” says Ayrapetov.
“Our vision is to eliminate this performance concern and to reassure our customers that all ports are protected and administrators can regain control of their networks even if all applications start streaming over HTTP,” Ayrapetov says. “We give them this visibility without a sacrifice in performance. Security gets turned off if it hinders productivity and work, and we are working to provide security that enhances productivity.”