As any corporate IT administrator knows, network security is no longer a luxury, but a necessity. If your network is not secure, not only do you risk losing valuable corporate information, but you also run the risk of being liable if your network is used to disrupt other sites, as with Distributed Denial of Service (DDoS) attacks. With this in mind, corporations are spending more and more on network security, even while other corporate spending is being curtailed.
The educational sector faces the same security challenges as corporations, but schools often lack the financial resources to deploy robust network security solutions. Even for those schools that do have the financial resources, most lack the technical know-how to implement and manage effective security offerings. A school district typically does not have a dedicated IT staff, and security deployed incorrectly can create as many problems as it solves.
The difficulties facing school districts were made painfully clear to me as a technology consultant when I began working with the Pikes Peak Board of Cooperative Educational Services (Pikes Peak BOCES). A not-for-profit cooperative, Pikes Peak BOCES enables about 22 school districts to pool monies and share a variety of resources, such as special education teachers and systems administrators. Since telecommunications charges for Internet access are astronomical for schools on the high plains and some types of communications lines might not be available, Pikes Peak BOCES acts as a service provider enabling seven rural school districts to connect their local area networks to the Internet via a third-party high-speed network.
Network access for these school districts' 25 servers and 2,000 desktops, used by 5,000 students, consists of both a 7 megabit DSL line and a T1 (with public IP) to the Internet. The most obvious way to protect this type of network is with a firewall. Typically, a firewall acts as a secure gateway in and out of the Internet, controlling the exposure the different networks have to each other. It keeps each school's network from attacking the others and from attacking the Pikes Peak BOCES network, as well as keeping out attackers from the Internet.
However, a typical firewall is installed to protect a single network. Since the Pikes Peak BOCES network consists of several different autonomous networks from nine different locations, the traditional firewall approach is an imperfect fit. Initially, Pikes Peak BOCES deployed Novell's Border Manager, but it didn't prove to be very reliable. The software simply couldn't handle the complexity of the network. Moreover, with the number of computers accessing the Internet, Pikes Peak BOCES needed the firewall to perform other functions as well, such as Web content filtering and proxy caching to reduce bandwidth usage. While the proxy caching function worked well enough, Border Manager could only block about 75 percent of the Web site classifications the school districts didn't want students to access. Given the persistence of students, this percentage was considered much too low.