May 2008 — News
Osage County: Security in a Small School District
The district has a 3Com SuperStack 3 Firewall as the first layer of security to perform intrusion prevention. That's a product that 3Com stopped selling in 2005. Because he's had good luck with 3Com products, including switches, the phone system, and the legacy firewall, Becker said he's staying with the company product line and deploying a TippingPoint firewall to bring it up to date. (TippingPoint is a subsidiary of 3Com.)
The next layer of protection is provided by Microsoft Proxy Server running SurfControl (now Websense) Web Filter, which restricts Internet access for all but a few of the computers in the district. Becker, who is still evaluating his options, may replace this early edition of Internet Security and Acceleration (ISA) Server during the summer with some combination of an updated version of ISA Server and Cymphonix, a Web gateway solution recommended by Walling Data Systems, one of the software distributors the district works with.
That upgrade is driven by two desires: to reduce manual intervention and to gain better management of image-heavy sites, Becker said. For example, his current system can't automatically handle anonymizer or remote proxy sites. Students who attempt to go to MySpace are blocked from that site at the proxy server. But last year, they figured out that by going through Vtunnel, a Web site that helps users "beat Internet filtering," they could get around the internal security. Becker discovered the ruse by studying his logs. "My current SurfControl doesn't detect that," he said. The kids caught going around the security layers were called in for a meeting with him and the high school principal.
Now Becker checks his logs daily, searching for specific sites the students like to get into, including MySpace, Yahoo, YouTube, and Gmail. He'll watch network traffic in real time if he knows a substitute is working a class. "Sometimes the kids like to see if the substitute is going to be on top of things. I'll just monitor and see what kinds of things they're up to." That type of support activity, he said, would be a "monster" if the district were larger.
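The daily log check described above can be scripted; the following is an added example, not code from the article or the district. It assumes a W3C-style proxy log with the fields shown, a 403 status for filtered requests, and the domain spellings in the watchlist, and every log line in it is constructed.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Sites named in the article; the domain spellings are assumptions.
WATCHLIST = {"myspace.com": "site", "yahoo.com": "site", "youtube.com": "site",
             "gmail.com": "site", "vtunnel.com": "anonymizer"}

# Constructed sample; the W3C-style field set and 403-on-block are assumptions.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-uri sc-status
2008-04-14 09:02:11 10.1.4.21 student17 http://www.myspace.com/ 403
2008-04-14 09:02:40 10.1.4.21 student17 http://www.vtunnel.com/index.php 200
2008-04-14 09:03:05 10.1.4.21 student17 http://www.vtunnel.com/index.php 200
2008-04-14 09:05:19 10.1.4.33 student02 http://notmyspace.example/ 200
"""

def parse(log_text):
    """Yield one dict per record, using the #Fields directive for column names."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def watched_domain(url):
    """Match on the host suffix so look-alike names are not flagged."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    for domain in WATCHLIST:
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def review(log_text):
    """Return {(client_ip, user): Counter({(domain, outcome): hits})}."""
    report = defaultdict(Counter)
    for rec in parse(log_text):
        domain = watched_domain(rec["cs-uri"])
        if domain:
            outcome = "blocked" if rec["sc-status"] == "403" else "allowed"
            report[(rec["c-ip"], rec["cs-username"])][(domain, outcome)] += 1
    return report

def bypass_suspects(report):
    """Clients with an allowed anonymizer hit: the traffic the filter let through."""
    return sorted(who for who, hits in report.items()
                  if any(WATCHLIST[d] == "anonymizer" and o == "allowed" for d, o in hits))
```

A blocked request followed by allowed anonymizer traffic from the same client is the pattern worth reviewing first.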
Likewise, the current security setup doesn't handle images well. "One thing we haven't blocked is Google images," said Becker. "It's harder for our older security software to pick up problems with images."
The next layer of security happens at the workstation, with the district's use of AVG, an anti-virus program. There, too, Becker would like to upgrade to the latest edition (version 8) in order to protect against malware.