Security patches appear and change more quickly than many network managers can follow. With young users and hundreds of employees, public schools' IT systems are particularly vulnerable to security problems.
To address these concerns, the DeKalb County, Ga., School System implemented a remote management security application for all computers in the district's 140 schools. Rather than manually patch school PCs and laptops as needed, DeKalb County schools use Securiant's Spider Integrated Security Appliance (SpiderISA).
DeKalb County schools upgraded its wide area network, and in July 2006, the new network replaced a frame relay service to accommodate the changing technology needs of students and school employees.
Although the network upgrade gave students better access to information, it also spurred new risks.
"Schools worry about protecting students from the Internet," said Scott Pinzon, editor in chief of Watchguard's LiveSecurity Service in Seattle. He cited peer-to-peer file sharing as a major security concern and a threat to bandwidth. Kids love peer-to-peer software, he said, and up to 50 percent of the software they download have Trojans or spyware attached.
"Drive-by downloads [inadvertent downloads] contain malicious code, attacking vulnerabilities in your Web browser," Pinzon continued. "These [peer-to-peer] sites end up being the red light district of the Internet. Many of the high-school kids tend to visit those sites without knowing they are installing malware on school computers."
Corey Nachreiner, network security analyst for Watchguard's LiveSecurity Service, agreed. "You're offering the school network to kids so they can search for information," he said, "but on the flip side, especially in the lower grades, you are also dealing with kids who are naive and curious. Those together can make a dangerous pair."
In addition to worrying about a young and vulnerable population, schools have other unique attributes that dictate their IT security needs. Pinzon explained that schools typically make computer purchases as funds become available, leading to a disjointed network of PCs of varying brands and models. "Many times in school environments," he said, "networks grow organically over time as they buy computers in clusters, with mixed environments, and what students need might differ from what the administrator uses."
Prior to summer 2006, DeKalb County schools' technology department manually downloaded and installed patches on every computer, one at a time -- a time-consuming and inefficient approach to network security.
"We implemented SpiderISA to provide better overall security in the network," said Tony Hunter, director of Management Information Systems at DeKalb County schools. The county schools' technology department has four employees for whom keeping all school computers patched and secure was an overwhelming task. In all, the county's schools have 30,000 PCs, including those used at family technology resource centers.
"We needed a way to identify potential intrusions on our network, and also needed to be able to scan devices when they came into our environment, and this device does both," Hunter said, adding that virus software running on each new computer is automatically updated, which is important for the laptops people take home.
"We also had situations when people came in with their own laptop from home, not a school-issued computer," Hunter said, adding that these machines often brought spyware and outside programs with them. "They would plug into the network, and we had no way to ensure security."
Everywhere at Once
SpiderISA is an integrated security tool that protects network infrastructures, and DeKalb schools deployed 158 of the appliances from Securiant. The school system uses this tool to address widespread security issues, such as worms, Trojans and inappropriate Internet use, and programs downloaded by employees and introduced from outside computers.
SpiderISA reports unauthorized use, spyware intrusion and other security issues to a centralized security office. The appliance gathers basic security data information -- when a