Maine Township High School District 207 needed to secure its wireless network across three schools and prevent students from accessing inappropriate content online. The District wanted to provide seamless, secure access from home and at school while maintaining separate private networks for faculty, staff, and students, as well as a public guest network. The District also needed to address periodic denial-of-service attacks, which disrupted productivity.
As a result, the District securely segmented network traffic to maintain privacy of faculty and staff activity while gaining granular access control and visibility into the wireless network to ensure students are acting within the bounds of school policies. In addition to strengthening overall security and greatly reducing DoS (denial of service) incidents, the District reduced internet latency by 40 percent while simplifying policy management, saving hundreds of hours for IT.
Ensuring A Secure Education Environment
District 207 prides itself on being cutting-edge, having equipped all its students, faculty, and staff with Google® Chromebooks and given them high-quality wireless services across all three of its school campuses. Of course, with the proliferation of internet-connected technology – both school-issued and personal – District 207 must ensure that its networks are secure and students aren’t able to access inappropriate content online. This is not only a requirement of the Children’s Internet Protection Act (CIPA) but also essential for maintaining a productive educational environment.
When initially building out its network, District 207 relied on Meru® wireless access, Cipafilter content filtering, and Cisco® ASA firewalls. However, when Cipafilter proved too difficult to size properly for its growing network, the District moved to Palo Alto Networks Next-Generation Firewalls – initially for URL Filtering only. A few years later, District 207 also decided to replace Meru with Aruba wireless access points and Aruba ClearPass Policy Manager to gain better access control and visibility into the wireless network.
After working with the Palo Alto Networks platform, District 207 gained greater insight into and confidence in the platform’s broad range of next-generation capabilities. The District soon realized that it could use the Palo Alto Networks platform as its perimeter firewall as well as for URL Filtering. This would eliminate the need for a separate set of firewalls, consolidating administration while strengthening overall protection.
Jon Urbanski, network manager with District 207, explains, "Palo Alto Networks and Aruba work very well together. Initially we were hesitant to put all our eggs in one basket, but since Palo Alto Networks offered such comprehensive security capabilities and was so easy to use with Aruba ClearPass, we decided to go all-in with Palo Alto Networks."
User-specific Security Made Easy
Today, District 207 has adopted the Palo Alto Networks Next-Generation Security Platform in all three of its high school campuses. The Palo Alto Networks platform encompasses Next-Generation Firewall, Threat Intelligence Cloud services, and Advanced Endpoint Protection. It delivers application, user, and content visibility and control, as well as protection against known and unknown cyberthreats.
To protect its schools, District 207 deployed three PA-3020 next-generation firewalls – one for each campus. The district also included subscriptions for Threat Prevention, URL Filtering, and WildFire® cloud-based threat analysis service, which provides central intelligence capabilities and automates the delivery of preventative measures against cyberattacks.
In addition, District 207 uses Aruba to segment its wireless network into separate subnets for each school. Each subnet includes a private network for faculty and staff, a separate secure network for students, and a guest network. Through ClearPass, the district sets policies for which devices and users can authenticate to a specific network, thus preventing students from accessing the faculty and staff network. These access credentials are then passed to the Palo Alto Networks platform, which applies the corresponding URL Filtering policies for that user population.
"Using the Palo Alto Networks platform to secure all traffic to and from our network and the outside world, along with ClearPass as our policy manager for network access, has been a great combination," says Urbanski. "Before, we could only control access based on IP or MAC address, but because of the compatibility between Palo Alto Networks and Aruba, now we can push granular policies that are specific to individual users and devices on both our wireless and wired networks. That has freed up a lot of time for our network team, especially in the summer when we get new staff and roles tend to change. Specific policies can just follow the person to their new role. In a busy year, it could save us hundreds of IT hours."
More Control, Less Hassle
The Palo Alto Networks platform in conjunction with Aruba ClearPass provides District 207 with fine granularity to control network access for both individual users and groups of users. For example, the District runs a fingerprint registration machine that stores sensitive biometric information. Only the administrator for this machine is permitted access. So District 207 created a specific policy set in the Palo Alto Networks platform to ensure no one other than the administrator can log in to it over the network.
In other cases, policies are set per group. Administrators have a "no filter" policy, while students are filtered to prevent access to online content containing violence or pornography. The guest network further restricts access to streaming sites like Netflix and YouTube.
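The layered policy described above (a per-user rule protecting the biometric machine, then per-group URL filtering with guests restricted further) can be modeled as an ordered, first-match rule set. The following is an added illustration, not District 207's configuration or Palo Alto Networks or Aruba code; the user names, role assignments, host name, and URL category labels are constructed placeholders.

```python
"""Simplified first-match model of identity-based access policy.

Role assignments stand in for what ClearPass passes to the firewall; host-specific
rules are ordered before group rules so the protected host is never reachable
through a group-wide "no filter" allow. Not vendor code; all names are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Constructed identity data (stands in for ClearPass role assignments).
USER_ROLES = {"jdoe": "student", "guest-17": "guest",
              "principal": "administrator", "bio-admin": "administrator"}
BLOCKED_FOR_STUDENTS = {"violence", "adult"}
BLOCKED_FOR_GUESTS = BLOCKED_FOR_STUDENTS | {"streaming-media"}
BIOMETRIC_HOST = "fingerprint-reg.example.internal"  # placeholder name

@dataclass
class Request:
    user: str
    dest_host: str
    url_category: Optional[str] = None  # None for non-web traffic

@dataclass
class Rule:
    name: str
    action: str  # "allow" or "deny"
    users: Set[str] = field(default_factory=set)
    roles: Set[str] = field(default_factory=set)
    hosts: Set[str] = field(default_factory=set)
    categories: Set[str] = field(default_factory=set)

    def matches(self, req: Request, role: str) -> bool:
        # Every criterion the rule specifies must match; empty means "any".
        checks = [(self.users, req.user), (self.roles, role),
                  (self.hosts, req.dest_host), (self.categories, req.url_category)]
        return all(not allowed or value in allowed for allowed, value in checks)

RULES = [
    Rule("biometric-admin-only", "allow", users={"bio-admin"}, hosts={BIOMETRIC_HOST}),
    Rule("biometric-deny-all", "deny", hosts={BIOMETRIC_HOST}),
    Rule("admin-no-filter", "allow", roles={"administrator"}),
    Rule("student-filter", "deny", roles={"student"}, categories=BLOCKED_FOR_STUDENTS),
    Rule("guest-filter", "deny", roles={"guest"}, categories=BLOCKED_FOR_GUESTS),
]

def evaluate(req: Request, rules=RULES) -> Tuple[str, str]:
    """Return (action, matching rule name); unknown users are denied outright."""
    role = USER_ROLES.get(req.user)
    if role is None:
        return ("deny", "unknown-user")
    for rule in rules:
        if rule.matches(req, role):
            return (rule.action, rule.name)
    return ("allow", "default")
```

Reordering the two biometric rules after "admin-no-filter" would let any administrator reach the protected host, which is why rule order is part of the policy's correctness.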
"With Palo Alto Networks and ClearPass, we have a lot of visibility into the traffic on our networks, and we can easily modify policies based on what we see," notes Urbanski. "With the exception of violence and pornography, we give the kids some leeway to make good choices. But we can also track inappropriate behavior at the user level and add restrictions if necessary."
Traffic visibility and control also help keep malware and zero-day threats at bay. The District used to have issues with ransomware, but WildFire proactively identifies these threats and the Palo Alto Networks platform successfully blocks them. In addition, the Palo Alto Networks platform plays a central role in District 207’s high availability/disaster recovery strategy, which doubles as a means to thwart denial-of-service (DoS) attacks. The District built redundant MPLS networks between its three schools, so in the event of a DoS attack, the affected network automatically fails over to one of the other networks while a DoS mitigation service resolves the issue.
"We set up the Palo Alto Networks platform with multiple egresses for our different networks," Urbanski explains. "Any time traffic is stopped for more than five milliseconds over one connection, it’s rerouted through our Palo Alto Networks Next-Generation Firewall in the other two locations until the mitigation is successful. Then everything fails back with no downtime for the end users."
He adds, "We could actually lose connectivity at two of our three firewalls and still maintain internet service for all three schools. In the past we would be down one to two hours every now and then, often during important student testing days. Now, downtime has essentially been eliminated. We’ve also seen a general decline in DoS attacks since implementing the Palo Alto Networks platform."
Snappier Internet Connections
Urbanski points out that another important benefit of moving to the Palo Alto Networks platform is performance. "When we switched over from the Cisco ASAs to Palo Alto Networks, we immediately noticed that our internet connections were much snappier. I’d estimate internet latency improved a good 40 percent."
He reports that system administration is also easier on the Palo Alto Networks platform. "Setting up security rules on the Palo Alto Networks platform is a breeze. It’s a very easy environment to work in."
When support is needed, Urbanski notes that Palo Alto Networks always responds promptly and effectively. "When we were working out our failover scenarios and needed help, we got a Palo Alto Networks support engineer on the phone right away and he helped us get set up in about five minutes. They’re now our favorite support organization to call because you get the right kind of help from people who really know what they’re doing."
He adds, "I like that Palo Alto Networks enables us to get our business needs accomplished with one platform. I like the support. I like the ease of use. Our network engineer feels the same way – when he needs to do updates, moves and changes, it’s very intuitive and not time consuming."
Enables A Productive Learning Process
Ultimately, the goal of District 207 is to enable the education process in a secure, productive environment. As Urbanski asserts, the District’s chief business officer shouldn’t have to worry whether the firewall is working or not. Students shouldn’t wonder if they can access their assignments as easily at home as at school.
"Our students can go home and do their work with a completely seamless experience," he says. "And our administrators can be confident that our security policies will be applied consistently to prevent inappropriate or malicious activity on our networks."
Urbanski concludes, "I wouldn’t trade our Palo Alto Networks platform for anything. What you might save initially, you end up paying for in troubleshooting and constantly monkeying with a less robust solution. With Palo Alto Networks, we have a platform that simply works the way we intend, and it works well."