PALO ALTO NETWORKS GETS TOP MARKS FOR SECURING STUDENTS
The McLean County School District 5 needed to address several problems. What it didn’t know was that it already had the solution. “In addition to solving some typical IT problems school districts face, we needed to provide security for 4,300 students to work remotely on laptops,” says Justin Lightfoot, Network Administrator, McLean County School District 5, located in Illinois.
Like many states, Illinois is leveraging the benefits of technology to save money, enable students to work remotely, digitizing exams and grades, and incorporating online learning into its curriculum—all while trying to mitigate security risks and optimize bandwidth. “We want teachers to use things like YouTube and Discovery Education in the classroom while blocking students from using bandwidth for social media or to access unauthorized sites and applications,” says Lightfoot. “However, we don’t want to be an overlord that simply denies or shuts people down. Our goal is to enable access, embrace the learning advantages of the Internet, and help mold students into responsible digital citizens.”
THOUSANDS OF LAPTOPS LEAVE SCHOOL
The district’s datacenter supports school applications and operations. Its 10-gigabyte Internet pipe connects 13,500 students and 2,500 faculty and staff at 28 elementary, middle and high schools. “Bandwidth availability was a problem,” says Lightfoot. “We had to ensure bandwidth was preserved for learning, mission-critical activities, and online test-taking. In addition, security and control are paramount because we have to comply with the Children’s Internet Protection Act (CIPA) to shield students from inappropriate content.”
Enterprise security platforms from Palo Alto Networks®—two PA-2050s block threats and safely enable access for users. With only a 10-person IT staff for the entire district, conserving resources is always top of mind. Until installing Palo Alto Networks, dealing with infections had been draining resources. “Email phishing and other threats caused problems,” says Lightfoot. “We spent 45 percent of our time cleaning machines, helping users with virus-caused issues, and educating people about what to avoid.”
School's out, but risks remain
A new initiative added to the IT workload; the McLean School District decided to provide laptops to all of its middle school students. Like the McLean School District, many school districts nationwide are embracing the ‘one-to-one computing’ initiative, which strives to give each student a device to access the Internet, digital course materials, and digital textbooks. Lightfoot and his colleagues now needed to support the state’s move to digital, optimize bandwidth, secure users and the network, and protect 4,300 users outside of school walls, with up to another 3,000 users to be added shortly.
VPN access for the district’s remote users was provided by Cisco ASAs, but this solution was costly, cumbersome to manage, and ineffective. “Since we have a small staff, each person is responsible for any technology they introduce to the network,” says Lightfoot. “They have to manage, update, troubleshoot, and help users with it, so it’s important to bring in technologies that won’t absorb more time and effort.” A new solution was needed.
AN EASY ANSWER
The district’s longtime trusted IT advisor, Burwood Group, was summoned. “We completely trust the expertise and people at Burwood Group,” says Lightfoot. “Their credibility is top notch.”
Burwood Group pointed out that the district’s existing Palo Alto Networks enterprise security platforms come with WildFire and GlobalProtect functionality built in. WildFire extends Palo Alto Networks enterprise firewall platform—which natively classifies all traffic across nearly 2000 applications—and uniquely applies this behavioral analysis regardless of ports or encryption. A WildFire subscription protects against advanced malware and threats by proactively identifying and blocking unknown malware, zero-day exploits, and Advanced Persistent Threats (APTs), and directly executing them in a scalable cloud-based, virtual sandbox environment. This provides the district with full visibility into web traffic, email protocols (SMTP, IMAP, POP), and FTP. When an unknown threat is discovered, WildFire automatically generates protections to block the threat across the cyber kill-chain in near real-time.
“We were very happy to learn that WildFire and GlobalProtect could secure the rollout of mobile laptops and better protect our network from advanced threats,” says Lightfoot. “It made no sense to pay for other products when Palo Alto Networks could provide such extensive capabilities and a high degree of peace of mind.”
The district felt the impact of WildFire immediately. “We could see exactly what is coming in and right away WildFire stopped phishing viruses trying to enter via email attachments,” says Lightfoot. “We don’t even have to worry about them anymore. It’s very helpful to see which files people try to download from email, who are the repeat offenders, and which risky apps they use. The ability to limit such activities and threats also saves bandwidth.” The district is also saving money because WildFire replaced its incumbent antivirus products.
Lightfoot also appreciates the wealth of information and advance warning WildFire provides. “It’s so easy to use, reliable, effective, and the reporting and analysis capabilities are particularly helpful,” he says. “If a user doesn’t understand why something is blocked I just send them a report from WildFire and then they quickly understand why certain activities are risky.” In fact, one report alone detailed 5,000 threats WildFire identified. The visibility into network activity also allows administrators to monitor user trends. “We can more easily determine when to add websites or applications to our filtering list,” says Lightfoot.
THE KIDS ARE ALL RIGHT
Along with WildFire, GlobalProtect is also helping the district achieve its goals. Palo Alto Networks GlobalProtect extends the features of the district’s firewalls, and secure application enablement policies, to all users regardless of location or device used for access. GlobalProtect allows Lightfoot to run a VPN gateway on his Palo Alto Networks firewalls and apply User-ID™, App-ID™, URL Filtering, and IPS to all Internet traffic.
GlobalProtect also extends the district’s subscriptions to Palo Alto Networks advanced threat detection and prevention services—WildFire and Threat Prevention™—to all mobile users. “GlobalProtect instantly protects all of our students working on their laptops at home,” says Lightfoot. “It’s comforting to know that we’re now CIPA-compliant both on and off campus. I love how GlobalProtect forces all traffic back through our datacenter and enforces content, application, website, and download policies no matter where a student is located.”
GlobalProtect is also delivering savings. “By getting rid of Cisco ASAs and related services we instantly saved $25,000, and we will continue to save $6,500 annually on licenses, maintenance, upgrades, and more,” says Lightfoot. “In addition, the ability of GlobalProtect to actively protect all of our remote laptops outside of school walls will save us at least 32 IT hours per year it would have taken to activate each machine manually.”
The installation of WildFire and GlobalProtect was easy. “Literally, in 4-5 clicks we were done and set up a few policies for all 4,300 of the devices on our network,” says Lightfoot. “Burwood Group helped us migrate our systems, lay out new policies, and make old ones more effective."
UNFORSEEN EDUCATIONAL BENEFITS
The district is realizing some benefits from GlobalProtect that it didn’t envision. “It fortifies and facilitates secure printing, which helps us comply with CIPA,” says Lightfoot. “In the past, teachers who needed to print something at school uploaded files to unmanaged personal cloud apps like SkyDrive or OneDrive. By using GlobalProtect, teachers or staff can send print jobs to school printers while they’re at home. When they arrive at school, they simply scan their badge at the printer and pick up their documents.”
GlobalProtect is also enhancing safety inside the district’s schools for students and staff. “We have about 1,000 security cameras,” says Lightfoot. “If there’s an incident, we can give the police an IP address and password so they can download GlobalProtect and connect to our camera system and see what’s happening live and determine how to respond. We can also give our students an app to download that will turn their mobile phones into walking IP-based cameras. If there’s an emergency, the kids can upload images directly in real-time to our school network to share with police.”
HEAD OF THE CLASS
Palo Alto Networks is protecting the McLean School District’s mobile users, devices, and applications with innovative threat preventions tools backed by the enterprise security platform. GlobalProtect identifies devices accessing the network, and applies all Palo Alto Networks threat prevention tools including URL Filtering, unknown threat detection (via WildFire), and Threat Prevention to provide total control over devices and the information users can access. The solutions are heightening security, saving bandwidth, money, and IT staff time, protecting remote student users, and enabling the usage of new teaching tools in school district classrooms.
“We’re thrilled with GlobalProtect and WildFire,” says Lightfoot. “They’ve delivered everything we needed—and more. Now we’re prepared for the next phase of our laptop rollout plan— for high school students— and primed to meet the growing challenges of BYOD. “Palo Alto Networks is an ideal solution for school districts because no IT person is perfect, and you can’t watch every laptop, smartphone, or student all the time,” says Lightfoot.