Strengthening the first line of defense: here's how administrators can combat threats to their networks.

There's a good reason school networks are so hard to protect. They are remarkably diverse. A typical K-12 network could easily include laptops, desktops, a lab, Apple and Intel platforms, wireless and wired components, and on-site and remote access. Throw in a large number of users and an unavoidably high turnover rate, and it becomes hard to see how these networks are ever safe. Securing these complex campus and district networks can seem daunting. But just as technology creates opportunities for mischief, so too does it deliver new tools to prevent it. Here's advice on how to keep your network safe.

First, update existing filtering methods, virus software and patches. This can't be stressed enough. Fortres Grand, N2H2, Norton, Power On Software, SurfControl, Symantec and other vendors continually enhance their products and technologies to handle new threats. Indeed, subscription-based services are increasingly popular partly because they eliminate update concerns.

Second, stay informed. Subscribe to security e-newsletters, especially those from the hardware and software vendors used by the district. Apply patches and updates quickly. To automate patching tasks, large districts might look at Shavlik Technologies' HFNetChkPro package, which has an impressive ROI.

Third, explore newly developed solutions. For instance, packet filtering and signature-based blocking both scan data-packet protocols on the fly to block unauthorized P2P activity and more, regardless of source. Telemate.net's NetSpective WebFilter network appliance uses signature-based blocking. Palisade Systems' ScreenDoor software will block access by protocol, port or server address. Wide reach also characterizes Vericept's VIEW Filter. It monitors all TCP/IP traffic--Internet, intranet, e-mail, attachments, chat, IM, P2P and more--for out-of-bounds activity, plus it has adaptive URL blocking. SpectorSoft's Spector Pro software similarly tracks e-mails, chat, IM and even keystrokes via "stealth recording," sending an alert when suspicious activities or banned topics are detected.

Security Solutions Get Sneaky

Clearly, to protect networks from both smart programs and the clever people behind them, the newest breed of security solutions employs some deviousness as well. Decoy servers, for example, simulate active servers with faked data and e-mail traffic to attract any attacker. Once there, all activity is recorded for tracing back to the culprit. These are a class of intrusion detection systems (IDS). Symantec offers a robust Decoy Server. So does Palisade Systems, whose SmokeDetector program can mimic up to 19 server operating systems on one box. Also, IDS and/or filtering are built into some firewalls now, such as those from 3Com or Cisco Systems.

Detours are another approach. WebSense has Web-page requests pass through some control point (firewall, proxy server or caching device), where it checks them against a customizable set of parameters before sending them along. NetSweeper transforms this "detour defense" into a turnkey solution by adding the router/proxy server. Being hardware-based, this system's filters and rules are extremely hard to circumvent.

Dedicated network-security appliances, in fact, have emerged as a trend. Decoy servers are one distinct type; others are more hybrid in nature. Most of this hardware dovetails with optional subscription-based services too, resulting in a comprehensive defense. Symantec's Firewall/VPN Series, for instance, fits nicely with their filtering and virus software. VPN, for Virtual Private Network, basically creates a "tunnel" within the Internet for remote secure access to LANs. SonicWALL's Education Editions are tailored just for mixed-platform K-12 networks. These security appliances include a firewall, VPN capability plus a free year of their content-filtering service, which was just enhanced to Version 2.0. Add-ons include virus protection and a management module.

Plug-n-Play Security

A new and elegant solution to remote-access security is the IVE, Instant Virtual Extranet. Introduced to K-12 schools this spring, the network appliance is described by security vendor Neoteris as an "extranet in a box." The IVE sits between an internal LAN and all outside users, intercepting all requests. After authenticating them, the IVE then spawns a second, separate and encrypted session with the LAN to pass along only copies (proxies) of the request and return the results. Remote users never actually connect to the LAN, only to the IVE. The IVE employs the same Web-based encryption--SSL--as banks and online shops do for transactions. This supplies secure access to e-mail, internal LAN resources, Web resources and more from any remote computer. Plus, for secure messaging, standard Windows programs like Microsoft Outlook and Lotus Notes work fine, eliminating costly VPN client software and all of its hassles.

Uniquely, the IVE controls LAN access at the application layer, enabling highly granular control. One can restrict incoming access to a single server or certain files and applications, for example, or limit outgoing requests to specific domains. Finally, it's a real plug-and-play appliance. No DNS changes; no additional security configuration; no patches to Microsoft IIS servers. Just plug the IVE into the network for an instant school extranet portal.

"It took me 10 minutes to set up and zero maintenance since," confirms Julio Velasquez, director of information technology for Somerset Area School District in Pennsylvania. Needing to provide secure remote access to the district's Windows network for hundreds of teachers, staff and administrators--with a minimum of administrative headaches--the former CTO turned to Neoteris' IVE. It was a good decision. "Teachers manage their own computers with it in place," he explains. "They can change their own passwords and more, and the IVE just handles it." After a successful pilot with district faculty and staff, Velasquez says he'll open the IVE up as a secure portal for students and parents, too. "The beauty is it creates secure access for any remote computer, so it's perfect for our situation with constant student and parent turnover." Neoteris was not the "cheapest solution" at the outset, continues Velasquez, "but when you figure in the personnel costs, man-hours and more it saves, the ROI became pretty compelling."

Resources

AdSubtract ad-blocking software: www.intermute.com
Bugnosis free bug-spotting software: www.bugnosis.org
Carnegie Mellon CERT Center threat updates: www.cert.org
Cisco Systems: www.ciscosystems.com
Federal Trade Commission Advisory on closing open relays on servers: www.ftc.gov/openrelay
Fortres Grand: www.fortres.com
GuideScope pop-up and ad-blocking: www.guidescope.com
Filtering Info: www.filteringinfo.org
MAPS Transport Security Initiative, securing e-mail servers: www.mail-abuse.org/tsi
N2H2: www.n2h2.com
National Infrastructure Protection Center threat updates and new tools: www.nipc.gov
Neoteris: www.neoteris.com
NetSweeper: www.net-sweeper.com
Palisade Systems: www.palisadesystems.com
Power On Software: www.poweronsoftware.com
Shavlik Technologies: www.shavlik.com
SonicWALL: www.sonicwall.com
SpectorSoft: www.spectorsoft.com
SurfControl: www.surfcontrol.com
Symantec: www.symantec.com
Telemate.net: www.telemate.net
Vericept: www.vericept.com
WebSense: www.websense.com

RELATED ARTICLE: Help for human habits.

The best network security is easily compromised by everyday human habits. Professionals are after data these days, and they have both online and off-line tricks. School staff, parents and students must understand how their personal safety and privacy are at risk if they are careless with passwords and other access codes. After awareness comes process. Lock computers when not in use by using password-protected screen savers. Publicize that network usage is being monitored to prevent temptation. Have punitive measures spelled out for breach of acceptable use policies.

Terian Tyre is a contributing editor.
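The "explore newly developed solutions" advice above describes two kinds of blocking: rules keyed on port or server address, and signature-based blocking that recognizes a protocol from the packet content no matter which port carries it. The following Python is an added illustration of how such a filter reaches its decisions; it is not code from any of the vendors named in the article. The packet records, the policy, the IP ranges (all from the reserved documentation ranges) and the two payload signatures used here are constructed for the demo.

```python
from dataclasses import dataclass
import ipaddress


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


# Payload prefixes that identify a protocol whichever port carries it. These are the
# well-known BitTorrent and Gnutella handshake openers; matching on content rather than
# on the port number is what lets signature-based blocking work "regardless of source".
PROTOCOL_SIGNATURES = {
    "bittorrent": b"\x13BitTorrent protocol",
    "gnutella": b"GNUTELLA CONNECT/",
}


@dataclass
class Policy:
    blocked_protocols: frozenset
    blocked_ports: frozenset
    blocked_servers: tuple  # ipaddress network objects


def identify_protocol(payload: bytes):
    """Return the name of the signature the payload starts with, or None."""
    for name, sig in PROTOCOL_SIGNATURES.items():
        if payload.startswith(sig):
            return name
    return None


def evaluate(pkt: Packet, policy: Policy):
    """Decide one packet: ('block', reason) or ('allow', None).
    Server-address rules are checked first, then port rules, then protocol signatures,
    so the reason string names the first rule that fired."""
    dst = ipaddress.ip_address(pkt.dst)
    for net in policy.blocked_servers:
        if dst in net:
            return ("block", f"server {pkt.dst} in blocked range {net}")
    if pkt.dport in policy.blocked_ports:
        return ("block", f"port {pkt.dport} blocked")
    proto = identify_protocol(pkt.payload)
    if proto in policy.blocked_protocols:
        return ("block", f"{proto} signature seen on port {pkt.dport}")
    return ("allow", None)


def filter_traffic(packets, policy):
    """Apply the policy to a sequence of packets, keeping the input order."""
    return [evaluate(p, policy) for p in packets]


# Constructed sample policy and traffic (hypothetical values, documentation IP ranges).
DEMO_POLICY = Policy(
    blocked_protocols=frozenset({"bittorrent", "gnutella"}),
    blocked_ports=frozenset({6346, 6881}),
    blocked_servers=(ipaddress.ip_network("203.0.113.0/24"),),
)
DEMO_PACKETS = [
    Packet("192.0.2.10", "198.51.100.20", 80, b"GET /index.html HTTP/1.1\r\n"),
    # P2P handshake hidden on the Web port: only the signature catches it
    Packet("192.0.2.11", "198.51.100.21", 80, b"\x13BitTorrent protocol" + b"\x00" * 8),
    # ordinary-looking payload on a blocked port
    Packet("192.0.2.12", "198.51.100.22", 6346, b"hello"),
    # anything to a blocked server range is dropped before deeper inspection
    Packet("192.0.2.13", "203.0.113.5", 443, b"\x16\x03\x01"),
]

if __name__ == "__main__":
    for pkt, (decision, reason) in zip(DEMO_PACKETS, filter_traffic(DEMO_PACKETS, DEMO_POLICY)):
        print(f"{pkt.src} -> {pkt.dst}:{pkt.dport} {decision} {reason or ''}")
```

The point of the second sample packet is the one the article makes: a port rule alone would pass a P2P handshake carried on port 80, while the signature check blocks it on content. Real products match far more signatures and inspect beyond the first bytes, but the ordering of address, port and content rules is the same idea.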
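The Plug-n-Play Security section describes the IVE pattern in three steps: the gateway authenticates the remote user, applies application-layer rules that can confine the user to one server or certain files, and only then opens its own separate session to the LAN so the client never touches an internal address. The following Python is an added model of that control flow, not Neoteris' code; the user store, the hypothetical internal hosts (documentation-style private addresses) and the access rules are constructed for the demo, and the internal servers are stand-in dictionaries rather than real network sessions.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user_record(password: str):
    """Keep only a random salt and a PBKDF2 hash; the plaintext is never stored."""
    salt = os.urandom(16)
    return (salt, _hash_password(password, salt))


class Gateway:
    """Sits between outside users and the LAN; clients only ever talk to this object."""

    def __init__(self, users, rules, internal_hosts, internal_servers):
        self.users = users                          # name -> (salt, hash)
        self.rules = rules                          # name -> {(resource, path_prefix), ...}
        self.internal_hosts = internal_hosts        # resource name -> LAN address (never exposed)
        self._internal_servers = internal_servers   # stand-in for the real LAN servers
        self.sessions = {}                          # token -> user
        self.audit = []                             # (user, resource, path, outcome)

    def login(self, user, password):
        rec = self.users.get(user)
        if rec is None:
            # hash anyway so an unknown account costs the same time as a wrong password
            _hash_password(password, b"\x00" * 16)
            return None
        salt, expected = rec
        if not hmac.compare_digest(_hash_password(password, salt), expected):
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token

    def handle(self, token, resource, path):
        """Authenticate, then authorize at the application layer, then proxy."""
        user = self.sessions.get(token)
        if user is None:
            return {"status": 401}
        permitted = any(resource == r and path.startswith(prefix)
                        for r, prefix in self.rules.get(user, ()))
        if not permitted:
            self.audit.append((user, resource, path, "denied"))
            return {"status": 403}
        body = self._proxy_to_lan(self.internal_hosts[resource], path)
        if body is None:
            self.audit.append((user, resource, path, "not found"))
            return {"status": 404}
        self.audit.append((user, resource, path, "proxied"))
        # only a copy of the result goes back; the LAN address stays inside the gateway
        return {"status": 200, "body": body}

    def _proxy_to_lan(self, internal_addr, path):
        """The second, separate session to the LAN, opened by the gateway, not the client."""
        return self._internal_servers[internal_addr].get(path)


def build_demo_gateway():
    """Constructed demo data: one teacher account, two internal services, two rules."""
    users = {"teacher1": make_user_record("correct horse battery")}
    rules = {"teacher1": {("mail", "/inbox"), ("files", "/shared/")}}
    internal_hosts = {"mail": "10.0.0.5", "files": "10.0.0.7"}
    internal_servers = {
        "10.0.0.5": {"/inbox": "2 new messages"},
        "10.0.0.7": {"/shared/syllabus.pdf": "PDF bytes", "/admin/grades.db": "DB bytes"},
    }
    return Gateway(users, rules, internal_hosts, internal_servers)


if __name__ == "__main__":
    gw = build_demo_gateway()
    tok = gw.login("teacher1", "correct horse battery")
    print(gw.handle(tok, "mail", "/inbox"))
    print(gw.handle(tok, "files", "/admin/grades.db"))
    print(gw.audit)
```

The granular control the article highlights lives entirely in the rules table: the same account can read its inbox and the shared folder but is refused the grades database on the same file server, and every refusal lands in the audit list. Keeping the LAN addresses in a gateway-private mapping is what makes "remote users never actually connect to the LAN" true in this model.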