Security in a Box

These days, security has become a loaded word. Security has increased just about everywhere—on subways and buses, in airports, and at courthouses. Security is critical on information networks, too. As many school IT specialists have learned the hard way, hackers, viruses, spam, and spyware lurk behind every corner. To combat these multiple threats, many districts are investing in integrated security appliances, devices that combine a variety of applications into one piece of hardware. Find out whether these all-in-one tools might be the right approach to increasing security in your district.

1. Why do districts need to worry about security?

Recent private-sector surveys reveal that 82 percent of corporations were hit by viruses, worms, or other attackers this past year, and one-third of those said that their networks were breached by unauthorized users. School networks are even more vulnerable because they are, by their very nature, open environments. Hackers, therefore, pose an especially critical threat to school networks. To make matters worse, the time between the discovery of network vulnerabilities by a cyber miscreant and the appearance of code to exploit them has dropped from months to weeks to mere days.

2. How do integrated security appliances protect networks?

Integrated security appliances work on the premise that two heads are better than one, incorporating three or four (and sometimes more) "heads" of technology into one device. Most integrated appliances include technology for firewalls, which harden the perimeter of a network by blocking traffic that fails to meet certain requirements; virtual private networks (VPNs), private networks that use encryption to transmit data within public networks; and some form of intrusion prevention technology, which prevents network attacks by intercepting and forwarding packets of data in real time. Many devices also incorporate software designed to prevent specific network threats—programs more commonly known as antivirus, antispam, and antispyware. In September 2004, market research firm IDC dubbed these threat-specific tools unified threat management (UTM) appliances and noted that they comprise the fastest-growing segment of the integrated security market.

Integrated appliances are worthwhile from a funding standpoint, too. Because eligibility for technology funding through federal programs like No Child Left Behind and E-Rate hinges on compliance with the Children's Internet Privacy Act, investing in appliances that block certain kinds of content makes financial sense. Districts can employ these appliances to make sure that objectionable material never makes it through the network's door.

3. Where do integrated appliances sit on the network?

Network managers can install integrated security appliances just about anywhere on a network, but the most effective place to put them is at the perimeter of a local area network (LAN). In this position, the integrated appliance forms a first line of defense against security threats and enables users to log on to the LAN without fear of attack. Once the appliance is up and running, it can dissect and validate incoming and outgoing data packets before allowing them to pass. Better still, in districts that have a separate LAN for each school, appliances securely seal off each network from the others, providing every school with in-depth defense while simultaneously containing attacks and malicious code.

Juniper NetScreen 50 supports 64,000 concurrent user sessions.

4. Are they easy to install?

On the surface, integrated appliances are like clock radios—plug them in, set basic parameters, and you're good to go. In reality, however, maximizing the technology's efficiency requires a little more effort. For starters, network administrators must configure each of the appliances, keeping in mind that in some cases double protections aren't bad. If, for instance, a LAN employs Cisco routers that come with their own security, some administrators may scale back the number of security protocols they apply at the appliance level. In another scenario, if a LAN or portions of a LAN are already protected by a firewall, administrators must decide whether to turn off the firewall functions on the perimeter appliance or let them run as a form of checks and balances. The bottom line: If you're going to do any sort of fine-tuning with your integrated appliance, make sure you pick an appliance that comes with a software-based, easy-to-use configuration tool.

5. What about maintenance?

After you conquer configuration and initial setup, integrated security appliances require constant maintenance. Appliances, particularly those with firewall and intrusion prevention technologies, must receive a steady stream of data from vendors and researchers about the latest threats so they can protect against them. In many cases, this data is nothing more than a series of lists instructing the appliance what kinds of traffic to block from a LAN. In some cases, however, the data includes specific information about security threats. Most vendors charge an additional monthly maintenance fee of between $50 and $500 for these updates, which are sent from company headquarters and applied by network administrators on their own time. Districts with larger budgets might consider hiring a managed security solution provider, an outsourced service that includes installation, regular updates, and troubleshooting.

6. What if there's a virus outbreak? Will my district be protected?

Many vendors—particularly those who sell UTM appliances—charge monthly maintenance fees to keep antivirus and antispyware signatures up to date. Generally, these update files are available once or twice a week. Network administrators can install them by hand or program the appliances to retrieve and install the files automatically. Still, even a top-of-the-line integrated appliance with all of the latest signatures isn't a license for end users to be complacent. Particularly in a district where the majority of users access the network remotely, it's important to make sure that users update the antivirus software on their desktops or laptops regularly, and that all computers are running the latest and greatest versions of their operating systems for maximum protection.

7. Are there downsides to having multiple security protections in one box?

The upside to integrated appliances is indisputable—compared to point solutions that target singular security problems, integrated boxes are cheaper and easier to use. Still, security appliances have their disadvantages. For one, the firewall and VPN technology incorporated into some of these devices isn't nearly as sophisticated as the protections customers can buy separately. What's more, with UTM devices in particular, antispam and antivirus updates are sometimes less thorough than those of point solutions. If your district has had problems in the past with spam, viruses, or worms, it may make sense to purchase an integrated appliance and reinforce it with point solutions. After all, you can never be too careful.

8. There are so many security devices out there. How do I tell them apart?

Not all integrated appliances are created equal. If you're spending the money on an integrated appliance, you should choose a device that includes nothing less than the triple threat protection of firewall, VPN, and intrusion prevention. Vendors that specialize in boxes meeting these requirements include Cisco, Juniper Networks, SonicWall, and WatchGuard. For additional protections like antivirus, antispam, and antispyware, UTM appliances are the best investments. The IDC study that created this category praised appliances from vendors such as Fortinet, Symantec, and ServGate, to name a few. For more answers to your security questions, check out Cyber Security for the Digital District (www.securedistrict.org).

Matt Villano is a California-based freelance writer who specializes in educational technology.

Pick His Brain

One educator advocates an all-in-one approach to security.

Todd Hickling, manager of information resources for Fauquier County Public Schools in Warrenton, Va., relies on integrated appliances to protect his network.

"We have more than 4,000 computers in our district, and going around to each one and loading it with the latest security software can be a daunting task," he says. "Our best bet was a gateway at the top of the network to do the bulk of the work for us. If you can buy an all-in-one box to secure your network, if that box does a great job for a decent price, I'm all for the simplicity of it. In our school system, we squeeze every dime out of every computer, router, switch, vehicle, or whatever. I like multitasking whenever possible. Naturally, then, an integrated appliance was the way to go."

Buyer's Checklist

Face the music: Security is something in which you must invest.

  • Before you purchase any security technologies, understand your system's vulnerabilities (see "How To Perform a Security Audit").
  • Remember that point security solutions are expensive; integrated security appliances generally cost less and do more.
  • Place integrated appliances at the LAN perimeter for optimal protection.
  • Be aware that installing integrated appliances is harder than it seems; buying a device that's easy to install could save you thousands of dollars in consulting fees.
  • Be sure to factor in extra costs for maintenance and monthly upgrades of security signatures.
  • Look for an appliance that offers, at a minimum, firewall, virtual private network, and intrusion prevention capabilities.