They Don't Play Quidditch
Annie Wright isn’t a typical school. The preschool-12 private school is steeped in traditions. Students wear uniforms with colored ties indicating their grade level. Activities such as school dances in the ‘Great Hall,’ winning the ‘House Cup,’ and a graduation ceremony in which students dance around a maypole are considered normal. Think ‘Hogwarts.’ The picturesque campus even boasts a Harry Potter-like weeping willow tree, a tower, and a wild owl occasionally takes up residence in the Great Hall.
A lot has changed since the school opened its doors in 1884 when tuition, room and board, and laundry service combined cost $350 a year. Today, 400 local students attend the day schools, and roughly 100 boarding students from all over the world live in the dorms.
Atypical Consumption 24/7
It’s not just the campus, makeup of the student body, and excellent education that sets Annie Wright Schools apart. The needs of its 600+ users are also atypical. “We have to protect users inside and outside of class—and at all hours,” says Bob Williamson, Network Administrator, Annie Wright Schools. “Every student, sixth grade and above, is given a Mac laptop. They use these in class, during breaks, at home, and in the dorms. Because of the number of students and adults (dorm parents) living on campus, we don’t have set peak times like most schools; our usage is constant.”
The variety of users requires a better grip on BYOD, application filtering, QoS, and other bandwidth usage than most schools. “Typically, at any time, there are between 800 and 1,200 devices on our network, 50-70 Mbps of Internet usage, and three-fourths of a terabyte every 24 hours on wireless,” says Williamson. “Everyone has a laptop, Xbox, Wii, smartphone, or some other device in class or in their dorm room. Our foreign students often use Skype to talk to family back home. They also access a lot of unfamiliar URLs and use a lot of special apps and tools most IT people have probably never heard of.”
Bandwidth throughput, network responsiveness, and prioritizing application usage by users were challenges. “We need strong, flexible QoS for scheduling and other reasons,” says Williamson. “Throughout the school day, teachers need bandwidth to use social media and online tools in the classroom. Because we’re an International Baccalaureate school, we have to deny access for a few hours for select groups of students while they take exams. At night, we may need to enable students to Skype their parents abroad while allowing 100 people to watch Netflix in their dorm rooms.”
To manage bandwidth and scheduling access, Williamson needs to be able to easily create and tweak application access policies by user. “The dorm parents, adults, and Prefects are allowed 24-hour Internet access, while the rest of the dorm students are cut off at midnight and middle school students by 6:00 p.m. All this has to be done regardless of the device,” says Williamson. “We have so many different levels of usage, and devices; being able to easily manage the matrix of policies is really essential.”
Access Issues Cast a Spell on Users
Only two IT staff keep Annie Wright Schools’ network running: Williamson and a helpdesk person. About 40 Windows-based computers handle administrative and business-critical tasks, while the rest of the school is Mac-based. One Internet gateway and a legacy WatchGuard firewall provided security and throughput. Three VLANs are in place: one for business use, one for boarders, and one for students and teachers. The school’s IT environment is 100% virtualized on VMware.
Access and network latency problems were constant. “We were maxing out WatchGuard all the time,” says Williamson. “It couldn’t handle the volume—especially streaming media. Kids couldn’t get on Skype and it didn’t offer any visibility. Basically, it was a nightmare.” The firewall was also incapable of providing actionable information about network traffic or users. “It took half an hour just to create a report,” says Williamson.
Compliance with the Children’s Internet Protection Act (CIPA) is not a requirement for Annie Wright Schools because, as a private school, it is not bound by it. “We want to do everything we can to protect students from inappropriate content and illegal activities,” says Williamson. “We also need to monitor what kids post to ensure it’s appropriate. It was literally impossible to track individual user behavior with our previous firewall.”
Annie Wright Schools are mostly Mac-based, so Windows viruses and malware are less of a concern than at Windows-based schools. That doesn’t mean the network was as secure as desired. “Kids play videogames in their dorm rooms, which creates some exposure to BitTorrent,” says Williamson. “With WatchGuard, we couldn’t do layer 4 through layer 7 security; we just opened port 80 and hoped for the best. In terms of mobile, we simply denied access for years because we couldn’t secure or control it. For many reasons, the situation was driving me crazy.”
Time to Find a Magic Wand
The school needed a solution. “I wanted a firewall that filters content and applications by user, not IP,” says Williamson. “It had to work with our scheduling of user access, and separate access out by groups, handle our throughput, and do it all without slowing down the network. It had to do all that in a mostly Mac environment, and because we’re a two-man shop, it needed to be easy to manage.”
Williamson did some research and read about Palo Alto Networks. Its enterprise security platform consists of a Next-Generation Firewall, Threat Intelligence Cloud, and Advanced Endpoint Protection. The firewall delivers application, user, and content visibility and control, along with protection against network-based cyberthreats, integrated within the firewall through a purpose-built hardware and software architecture. The Threat Intelligence Cloud provides central intelligence capabilities and automates the delivery of preventative measures against cyberattacks. “You simply can’t compare what you get with Palo Alto Networks to WatchGuard, or to any other enterprise security platform,” says Williamson. “The functionality, visibility, and, maybe more importantly, the control and ability to set policies by user, blew me away.”
No Hocus Pocus. Just Results.
The school purchased a Palo Alto Networks PA-500 firewall and deployed it as its primary firewall in virtual wire mode. “We put in Palo Alto Networks and throughput shot through the roof. Finally, everyone could get access,” says Williamson. “It can handle the load. Next, we used QoS with it to contain and adjust bandwidth, and assign priority usage by groups and applications. Our international students were thrilled with the results as they could Skype their friends and family without any hiccups.”
“We use the PA-500’s IPS, URL Filtering, scheduling capabilities, and DNS black-holing,” says Williamson. “We protect our multiple VLANs with sub-layer 3, and use Active Directory integration for our Mac end-users, which is a bit unique.” Subscriptions to Palo Alto Networks URL Filtering (using PAN-DB) and Threat Prevention protect the school from advanced threats and malicious content without adding security staff.
Palo Alto Networks is also safely enabling BYOD. “It really put us ahead of the curve on BYOD,” says Williamson. “Because of the integrated captive portal and its Active Directory integration, I can apply the same firewall rules for users for all different types of devices—which is awesome. We enable rules based on times, access, or content based on the student. We couldn’t do this before. This is important because people live here. They’re on FaceTime on their iPads, phones, and devices all the time.”
The Palo Alto Networks enterprise security platform also works seamlessly with Mac environments. “It’s great with Mac,” says Williamson. “OS X is bound to Active Directory. As soon as kids log into OS X, it hits the Active Directory, creates an event, and the User-ID process looks through and associates it with their IP. If they have Outlook, Palo Alto Networks picks it up when they open it up. Since Palo Alto Networks arrived you can’t get it out of my hands.”
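The mechanism Williamson describes, learning who is behind an IP address from Active Directory logon events and then applying rules by user and schedule rather than by address, can be sketched in a few dozen lines. The following is an added example, not code from the original case study or from Palo Alto Networks, and it does not reproduce the PA-500's User-ID agent or policy engine. The logon events, user and group names, IP addresses, the 45-minute mapping timeout and the 6:00 a.m. restore time are all constructed assumptions. It serves both the scheduled per-group access described earlier (adults and Prefects around the clock, boarders until midnight, middle school until 6:00 p.m.) and the login-to-IP mapping described here.

```python
"""User-to-IP mapping from logon events, plus per-group scheduled access.

Added example for illustration; this is not Palo Alto Networks code and
does not reproduce the PA-500's User-ID or policy engine. It shows the
idea only: learn who is on which IP from domain-controller logon events,
then decide access by the user's groups and the time of day rather than
by IP alone. Event fields, names, addresses and hours are constructed.
"""
from datetime import datetime, timedelta

# Constructed sample of Windows Security log entries, reduced to the fields
# a User-ID-style agent needs. 4624 = successful logon, 4634 = logoff.
SAMPLE_LOGON_EVENTS = [
    {"time": "2015-09-14T07:58:02", "event_id": 4624, "user": "AWS\\jsmith",  "ip": "10.20.5.17"},
    {"time": "2015-09-14T08:02:41", "event_id": 4624, "user": "AWS\\mlee",    "ip": "10.20.6.40"},
    {"time": "2015-09-14T08:10:11", "event_id": 4634, "user": "AWS\\jsmith",  "ip": "10.20.5.17"},
    {"time": "2015-09-14T08:15:09", "event_id": 4624, "user": "AWS\\dormpa1", "ip": "10.20.7.9"},
    {"time": "2015-09-14T09:30:00", "event_id": 4624, "user": "AWS\\kchen",   "ip": "10.20.5.17"},
    {"time": "2015-09-14T17:30:00", "event_id": 4624, "user": "AWS\\ttran",   "ip": "10.20.4.4"},
    {"time": "2015-09-14T23:50:00", "event_id": 4624, "user": "AWS\\kchen",   "ip": "10.20.8.21"},
    {"time": "2015-09-14T23:58:00", "event_id": 4624, "user": "AWS\\jsmith",  "ip": "10.20.5.30"},
]

# Constructed group membership standing in for Active Directory groups.
GROUP_MEMBERS = {
    "staff":         {"AWS\\mlee"},
    "dorm-parents":  {"AWS\\dormpa1"},
    "prefects":      {"AWS\\jsmith"},
    "boarders":      {"AWS\\jsmith", "AWS\\kchen"},
    "middle-school": {"AWS\\ttran"},
}

# A mapping learned from a logon is only trusted for a while: the device may
# have changed hands or taken a new address. 45 minutes is an assumed value.
MAPPING_TIMEOUT = timedelta(minutes=45)

# Ordered rules: (name, groups it applies to, daily window in hours or None
# for all day, action). First match wins, so the unrestricted rule for
# adults and Prefects must come before the boarder rule, because a Prefect
# is also a boarder. The 06:00 restore time is an assumption; the case study
# only gives the cut-off hours.
RULES = [
    ("adults-and-prefects-24h", {"staff", "dorm-parents", "prefects"}, None, "allow"),
    ("middle-school-until-1800", {"middle-school"}, (6, 18), "allow"),
    ("boarders-until-midnight", {"boarders"}, (6, 24), "allow"),
]


def build_ip_user_map(events):
    """Return {ip: (user, logon_time)}. A later logon on the same IP replaces
    the earlier one; logoff events are not consumed, the timeout handles them."""
    mapping = {}
    for ev in events:
        if ev["event_id"] != 4624:
            continue
        mapping[ev["ip"]] = (ev["user"], datetime.fromisoformat(ev["time"]))
    return mapping


def resolve_user(mapping, ip, now):
    """User behind `ip` at time `now`, or None if unmapped or the mapping is stale."""
    entry = mapping.get(ip)
    if entry is None:
        return None
    user, seen = entry
    if now - seen > MAPPING_TIMEOUT:
        return None
    return user


def groups_of(user):
    return {g for g, members in GROUP_MEMBERS.items() if user in members}


def in_window(now, start_hour, end_hour):
    """True if now's time of day falls in [start_hour, end_hour)."""
    h = now.hour + now.minute / 60
    return start_hour <= h < end_hour


def evaluate(mapping, ip, now):
    """Decide access for a device at `ip`: (action, reason)."""
    user = resolve_user(mapping, ip, now)
    if user is None:
        # Assumed default: an unknown device gets the captive portal, not the Internet.
        return ("deny", "unknown-user")
    groups = groups_of(user)
    for name, rule_groups, window, action in RULES:
        if groups & rule_groups and (window is None or in_window(now, *window)):
            return (action, name)
    return ("deny", "default-deny")


if __name__ == "__main__":
    m = build_ip_user_map(SAMPLE_LOGON_EVENTS)
    for ip, when in [("10.20.5.17", "2015-09-14T09:40:00"),   # kchen replaced jsmith on this IP
                     ("10.20.6.40", "2015-09-14T09:00:00"),   # mlee's mapping is 57 minutes old
                     ("10.20.8.21", "2015-09-15T00:20:00"),   # boarder after midnight
                     ("10.20.5.30", "2015-09-15T00:20:00")]:  # Prefect after midnight
        t = datetime.fromisoformat(when)
        print(ip, when, resolve_user(m, ip, t), evaluate(m, ip, t))
```

Two details matter in practice and are exercised by the sample data: a mapping learned from a logon has to expire, since a laptop can be handed to someone else or pick up a new address, and rule order decides the outcome for a user who belongs to several groups, such as a Prefect who is also a boarder.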
Forget the Maypole; Dance Around the Firewall
Palo Alto Networks solved bandwidth, scheduling, network latency, access, and IT management issues for Annie Wright Schools, while safely enabling BYOD. “It’s so much easier to create and adjust rules,” says Williamson. “The filtering just works. Instead of having to adjust or add rules as new kids come in, I can just add them and the PA-500 takes care of it. This saves me a lot of time—about two to three days a month—from having to manually apply app access/usage rules.”
Williamson is also saving time and frustration thanks to Palo Alto Networks’ extensive reporting capabilities. “We lacked visibility, information, and reporting, but now we can easily run useful reports on Palo Alto Networks in 30 seconds,” says Williamson.
More importantly, Annie Wright Schools are saving money. “We got rid of our old firewall and dedicated URL filtering devices,” says Williamson. “This saved $15,000 in hardware and thousands per year in other costs. We’re spending half as much on Palo Alto Networks compared to WatchGuard and getting far better results.”
The deployment of the Palo Alto Networks PA-500 was a breeze. “It’s easier to set up than anything else I’ve ever touched in over 20 years in IT,” says Williamson. In the near future, Williamson is considering adding Palo Alto Networks GlobalProtect™ and WildFire®. GlobalProtect extends an organization’s secure application enablement policies to all users—including mobile—regardless of location or device used for access. WildFire provides integrated protection from advanced malware and threats by proactively identifying and blocking unknown threats commonly used in modern cyberattacks.
Williamson is happy with Palo Alto Networks’ tech support. “I’ve had excellent tech support,” says Williamson. “One day I was on the phone, with the same engineer, for five solid hours tracking down an obscure issue. He took ownership of it, nailed down the issue and a software update handled it. To have a call with the same person without them passing it off to someone else is really unusual. They called in other people when needed and wouldn’t get off the line until the problem was resolved.”
Happy to Spread the Word
The only difficulty Williamson has had with Palo Alto Networks is mental. “I’ve been doing this for a long time,” he says. “It’s hard to get past the port 80 mentality, but once I did it’s a quantum leap to go from ports to apps. The Palo Alto Networks approach is really simple to understand and embrace.”
Williamson is so impressed with Palo Alto Networks that he’s spreading the word to peers. “I think five to six other schools have bought it based on relaying my experience to colleagues,” says Williamson. “Palo Alto Networks handles everything you can throw at it without skipping a beat—even with Skype and other time-sensitive apps. You can tap out your pipe and it still won’t drop Skype calls or access for others. It’s an incredible solution.”
It’s almost like magic…