at a glance

CHALLENGE:
User experience was cumbersome due to the need to retrofit modern devices to use fixed, site-specific web security configuration, proving frustrating in mobile (BYOD) environments and deployments in which devices move between locations regularly.

SOLUTION:
Leverage Palo Alto Networks next-generation firewall in conjunction with in-house developed (now open-sourced) integration components that allow for a truly fluid, secure and safe web experience.

RESULTS:
Dramatically improved overall user experience allowing users to seamlessly connect using any device with no client device changes when moving between locations such as home and school networks. Introduced support for modern web applications reducing the number of support desk requests to create exceptions for non-’web-friendly’ tools to almost zero.


Background


Catholic Education South Australia (CESA) is a parent body that sets directions and policy development for Catholic schools in South Australia. It works in partnership with Catholic schools to provide a range of facilities and resources to support Catholic education and families. The focus is to promote excellence in teaching and learning for the 6,000 staff and 49,000 students at 103 Catholic schools across the state. 
 

Business and context

The rising rate of technology adoption in schools, plus the increased focus by school leadership around helping schools access the resources available to support this adoption, presented scalability issues. CESA’s Wide Area Network team had started to see a sharp increase in the number and range of devices being used in schools. In turn, the complexity and range of online services that the user base needed to access meant that current solutions would not scale to meet the demand.
 

The problem

As the user base and the number of devices with the requirement to define access around complex web services increased, it became critical to find and remove as many obstacles for users as possible. This had to be done without increasing complexity or compromising online user safety.

Simon Sigré, Senior Network Engineer, CESA, said, “Every school has a unique set of requirements. For example, a boarding school may want to limit access to applications like Skype, making it available at certain times of day and unavailable the rest of the time. To do this in the past involved quite a lot of manual effort. To try to automate the process would require the ability to see the future accurately and even then any solution would likely be out of date quickly.

“We knew we needed a future-proof solution that would enable this kind of high-level decision-making and policy-setting to occur once, before the workload became impossible.”
 

The decision

CESANet trialled a number of technologies extensively, running one pilot for a number of months with thousands of users before the pilot groups concluded that it could not satisfy all of their requirements.

Simon says, “The project scope was crazy. We wanted users to be able to access anything from anywhere, using any device, anytime they needed to without needing constant assistance from already-overwhelmed local IT departments or our service desk. Because we operate in the education sector, we had to fulfil our obligation to provide a safe learning environment. As a result, we had to make sure the solution was effective, fluid, and auditable and, above all, would deliver a safe online experience for our staff and students.

“The solution would need to be device-agnostic since we didn’t want to have to mandate which devices could be used. It had to eliminate the need for any configuration to be done by the end-user and it had to let the user move seamlessly between home and school networks without constant profile changes on devices. It had to be something that we (the provider) would use ourselves and be happy with.”

After hearing about the Palo Alto Networks next-generation security platform from its partner SecureWare, the CESANet team began to investigate ways to work with Palo Alto Networks next-generation firewall technology to make it deliver the required functionality and protection.

Simon says, “We have learned through extensive experience that no one was going to be able to walk in and hand us a solution off the shelf that met our customers’ needs because it simply does not exist. We would have to solve this problem in conjunction with a strong vendor and partner. But we needed a firm starting point and we believe Palo Alto Networks and its partner SecureWare provided one.

CESANet employed an approach commonly used by other signature-based technologies to turn the traditional firewall deny-based approach on its head; a 180-degree flip in thinking.

Simon says, “In traditional web security implementations, you name what you want to allow and deny everything else. But this is a retrospective approach that slows down the user experience while they wait to be granted permissions, which can sometimes take days. Meanwhile, the users can’t access the services they need.” 

CESANet leveraged Palo Alto Networks PAN-OS, deploying it so that it would keep out the specifically-identified dangerous apps, sites and content while letting everything else through. 

Simon says, “We asked the pilot schools to tell us what they wanted to deny access to. We then built high-level, meta-data-based groupings that dynamically update. Everything else would be allowed. We had never seen our customers so excited to hear about a change in thinking. 

“Some ICT Administrators prefer to be asked to allow certain things, but that method is not scalable. When you have as many users with as many unique requirements as we do, scalability is vital. Technology should not limit the choices available to the business, it should enable them. 

“Our Palo Alto Networks implementation allows school leadership to define a position as to how they want ICT to be used in a school and our solution, ceFilter, simply enables that. We have built a robust set of templates that a school can use to get started and they can then tweak them from that point forward. Templates come with a high-level position statement that explains the rationale and a leader can use this to remove the bulk of the complexity of getting started.”
 

Benefits

After months of trial and error, the CESANet team had a solution they were happy with and that could be deployed and locally integrated rapidly.

ceFilter uses Palo Alto Networks as well as other market-leading products from other vendors to deliver an in-house-driven web-filtering solution that lets all users have a safe online experience.

Simon says, “We are very proud of what the team achieved by leveraging the Palo Alto Networks security platform. A user can walk into any one of our participating schools, which is about 95 percent of them, and bring their own device and get to work without any special configuration or client-side obstacles. The user experience is safe and secure. There is no difference between how easily the device connects regardless of whether the user is at home or at school.

“Undesirable sites are off-limits, security is in place and web traffic utilisation is visible to leadership. The process is as seamless and easy as using a home network and it has significantly reduced the workload on the support staff. 

“As part of our ceFilter platform, safe-search settings are enforced, ensuring our users get the full advantage of the built-in protection that search providers offer. This enforcement is done transparently and seamlessly, and works from any device, from any browser, preventing circumvention and allowing all users access to a safe environment.” 

To enable this functionality, CESANet has implemented a mechanism to prevent search providers such as Google from defaulting to encrypted searches. This ensures these settings remain enforced and would be complex to circumvent. These settings currently work with the leading search providers and are easily scalable to include any other providers that allow this mechanism, making it a viable and effective solution both now and in the future.

Simon said, “In an effort to guarantee a frustration-free user experience regardless of device, CESANet has developed a means of authenticating users to ceFilter from authenticated wireless networks. This script is continually refined and allows for the constantly-growing number of mobile devices to access web resources in a way that is both safe and accountable.

“We have achieved exactly what we set out to do, which was to create a solution that would put the participating schools way ahead of the curve. We have now made the integration pieces available to the open-source community and some of these components are now being used by other Palo Alto Networks customers around Australia and internationally.  

“We could have gone to market and simply picked a web security platform off the shelf that would meet most of our requirements, but that’s not what our customers want. The end result is amazing and the development will continue as more Palo Alto Networks users add to the knowledge and experience that we have shared. 

“We haven’t finished yet, either. We are developing two additional pieces of software, all open and community-driven, and all with the aim of significantly improving the user experience and reducing the workload on the IT department.”