School District Gives Linux Security Technology High Grades

Corporations are spending more and more on network security, even while other corporate spending is being curtailed.

January 1, 2004


As any corporate IT administrator knows, network security is no longer a luxury, but a necessity. If your network is not secure, not only do you risk losing valuable corporate information, but you also run the risk of being liable if your network is used to disrupt other sites, as with Distributed Denial of Service (DDoS) attacks. With this in mind, corporations are spending more and more on network security, even while other corporate spending is being curtailed.

The educational sector faces the same security challenges as corporations, but schools often lack the financial resources to deploy robust network security solutions. Even for those schools that do have the financial resources, most lack the technical know-how to implement and manage effective security offerings. A school district typically does not have a dedicated IT staff, and security deployed incorrectly can create as many problems as it solves.

The difficulties facing school districts were made painfully clear to me as a technology consultant when I began working with the Pikes Peak Board of Cooperative Educational Services (Pikes Peak BOCES). A not-for-profit cooperative, Pikes Peak BOCES enables about 22 school districts to pool monies and share a variety of resources, such as special education teachers and systems administrators. Since telecommunications charges for Internet access are astronomical for schools on the high plains and some types of communications lines might not be available, Pikes Peak BOCES acts as a service provider enabling seven rural school districts to connect their local area networks to the Internet via a third-party high-speed network.

Network access for these school districts' 25 servers and 2,000 desktops, used by 5,000 students, consists of both a 7 megabit DSL line and a T1 (with public IP) to the Internet. The most obvious way to protect this type of network is with a firewall. Typically, a firewall acts as a secure gateway in and out of the Internet, controlling the exposure the different networks have to each other. It keeps each school's network from attacking others, from attacking the Pikes Peak BOCES' network, as well as keeping out attackers from the Internet.

However, a typical firewall is installed to protect a single network. Since the Pikes Peak BOCES network consists of several different autonomous networks from nine different locations, the traditional firewall approach is an imperfect fit. Initially, Pikes Peak BOCES deployed Novell's Border Manager, but it didn't prove to be very reliable. The software simply couldn't handle the complexity of the network. Moreover, with the number of computers accessing the Internet, Pikes Peak BOCES needed the firewall to perform other functions as well, such as Web content filtering and proxy caching to reduce bandwidth. While the proxy caching function worked well enough, Border Manager could only block about 75 percent of the Web site classifications the school districts didn't want students to access. Given the persistence of students, this percentage was considered much too low.

To find a better firewall solution, I researched a variety of products. I initially considered using a dedicated hardware-based firewall rather than running software on a server. However, products from Check Point and some others proved too expensive for the Pikes Peak BOCES. Other server-based solutions, like Microsoft's now discontinued Proxy server and the ISA server which replaces it, couldn't handle the size and complexity of Pikes Peak BOCES' network.

Finally, I came across a Linux-based product that could turn an inexpensive server into an all-purpose security device. The Astaro Security Linux, from Astaro Corp., handles the firewall, the Web content filtering, the Email blocking, virus protection, and the bandwidth management. I installed the product on a $1,500 off-the-shelf, Pentium 3 server with 512 megabytes of RAM.

The security appliance acts as a firewall to control the way all of the platform Web servers, which Pikes Peak BOCES manages, are exposed to the Internet. For example, as I administer the network, I can watch the Astaro logs work in real time and see various attempts to attack or exploit any software vulnerabilities. This capability prevents attackers from trying to take advantage of Web server software Pikes Peak BOCES doesn't want exposed to the Internet.

Pikes Peak BOCES, as with many school districts, struggles with the contradicting needs of providing students with Internet access, while protecting them from inappropriate content.

The easy solution to this problem is to install filtering software. Filtering software, though, has inherent problems. Key words set off false alarms and the purveyors of blocked sites find ways around the filters. The tradeoff is clear: provide open access and run the risk of exposing students to pornography, violence, scams, and other inappropriate content; or clamp down on the network and risk blocking legitimate traffic and hindering valid student research.

The Astaro Security Linux offers a solution to this problem. Technology licensed by Cobion provides content filtering bundled into the base product. Cobion's data center analyzes 120 million new websites every month and publishes 100,000 updates daily, pushing these updates directly to the firewall. Each Astaro security appliance automatically runs its surfing requests against its content filters through a URL cache, assuring that only legitimate traffic gets through. In other words, the filtering database is dynamic, adapting to the changing Internet, rather than simply relying on a static pool of keywords and URLs.

With some help, I adjusted the URL filtering categories so that each school district could have its own content filtering profile. Initially, the product was catching more than what some school districts wanted. All school systems decided to filter pornography, so no one can bypass the Pikes Peak BOCES' security, but the schools differed when it came to sites with potentially violent content.

For instance, some of the schools with martial arts classes wanted to allow weapons sites to get through, relying on the adult supervision of students as the ultimate filter. For example, if a martial arts site that sells knives and uniforms is blocked because it sells knives, then the students wouldn't be able to order their martial arts uniforms. If a school doesn't have the ability to provide close supervision but still wants certain content to be available, Astaro provides a "whitelist" capability so that select websites within a blocked category can be allowed through.
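The per-district profiles and whitelist described above, worked through as an added Python example; it is not Astaro's or Cobion's code. The hostnames, district names, category table and the evaluation order (district-wide block first, then whitelist, then the district's own categories) are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed category table (host -> categories), standing in for a vendor feed.
CATEGORY_DB = {
    "dojo-supply.example": {"weapons", "shopping"},
    "knife-outlet.example": {"weapons"},
    "adult-site.example": {"pornography"},
    "encyclopedia.example": {"reference"},
}

# Blocked for every district; assumed here to outrank any whitelist entry.
MANDATORY_BLOCK = {"pornography"}

# Hypothetical per-district profiles.
PROFILES = {
    "district_a": {"blocked": {"weapons"}, "whitelist": {"dojo-supply.example"}},
    "district_b": {"blocked": set(), "whitelist": set()},
    "district_c": {"blocked": {"weapons"}, "whitelist": set()},
}

def host_of(url):
    """Return the lower-cased hostname so rules match the host, not a substring."""
    host = urlsplit(url).hostname
    return host.rstrip(".") if host else ""

def decide(district, url):
    """Return (verdict, reason) for one request under the district's profile."""
    profile = PROFILES[district]
    host = host_of(url)
    if not host:
        return ("block", "no-host")          # fail closed on unparseable URLs
    categories = CATEGORY_DB.get(host, set())
    hit = categories & MANDATORY_BLOCK
    if hit:
        return ("block", "mandatory:" + sorted(hit)[0])
    if host in profile["whitelist"]:
        return ("allow", "whitelist")        # exception inside a blocked category
    hit = categories & profile["blocked"]
    if hit:
        return ("block", "category:" + sorted(hit)[0])
    return ("allow", "permitted" if categories else "uncategorized")

if __name__ == "__main__":
    for d in sorted(PROFILES):
        print(d, decide(d, "http://dojo-supply.example/uniforms"))
```

Matching the whitelist on the parsed hostname keeps a whitelisted name that merely appears in another site's query string from opening that site.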

Once inappropriate content is blocked, what then do you do with the deluge of unwanted content? While filters protect students from pornography and violence, most do not handle the endless stream of unwanted spam that bombards email addresses.

Cobion also provides a global spam database of 15 million analyzed entries in 58 categories, which enables the firewall to dam the flood of unwanted spam.

Additionally, Astaro's own technology enables Pikes Peak BOCES to filter and to block Email carrying attachments infected with file types known to carry viruses, such as executables and visual basic scripts. Astaro's anti-virus technology allows for scanning of infected content in Email, as well. Soon after installing the Astaro firewall, it was put to the test during an outbreak of the Klez virus. Pikes Peak BOCES blocked about 400 infected Email messages a day. The $3,500 yearly license fee for the Astaro software paid for itself based on this event alone. If the virus had infiltrated the Pikes Peak BOCES network, we would have been done for.

Conserving and allocating bandwidth has enabled Pikes Peak BOCES to lower its own network costs and pass the savings on to the school districts. For example, Astaro's quality of service (QoS) feature prevents certain school districts from monopolizing the available bandwidth. This is how Pikes Peak BOCES controlled file-sharing programs such as Napster. It just configures them to make them too slow to use. Based on a cost justification for 2002, all of the features in the software security appliance helped to save some school districts more than $1,200 a month on Internet access, not including the content filtering or the firewall.

In addition to security features such as the firewall, a software security appliance needs to be reliable, easy to maintain, and always current. If the appliance server hardware fails, I can install the Astaro software on a similar server within 20 minutes. Since the software contains its own IP address, it functions as a self-contained entity capable of automatically making its own updates, such as patches and new virus signatures. I have set up the software to Email me a backup configuration file every night. This way I always have a backup CD of the latest version of the Astaro software ready if I need to re-install it. It puts my mind at ease and keeps me from worrying about my networks each night. What more can you ask for?
