Securing Next Generation Education A FORTINET WHITE PAPER

Transcription

1 Securing Next Generation Education A FORTINET WHITE PAPER

2 Introduction Over the past 20 years the education sector has gone through major transformation. It has evolved from a world of individual and largely isolated institutions bound to traditional methods, procedures and resources to one at the forefront of computing, Internet and international collaboration. This change process is driven by a number of factors that have uniquely shaped the delivery and consumption of modern education. Firstly, educational methods have evolved with the availability of applications providing content-rich focused education. Secondly, the ubiquitous and democratic nature of the Internet shapes so many aspects of life for our next generation that young people s lives, and education, are increasingly being defined by and experienced through the Internet. To examine how we can effectively harness the opportunities of the interconnected world and enable competition and collaboration between establishments while mitigating the ever changing threat landscape, we must understand the environment and drivers of our educational institutions with respect to IT systems, IT security and the Internet. This should provide us the foundations for fulfilling the promise of next-generation education.

3 IT Challenges in Further / Higher Education For students, the phase of higher education is defined by the extensive use of the Internet for educational, research and social purposes. While providing access to computing and Web resources, an educational institute also has a responsibility for duty of care for all users of its network, applications and services. However the majority of students expect to connect their own devices to the network for accessing both the intranet and Internet. Every establishment will make its own decision on network design, but there should be clear demarcation lines between the access levels given to students, staff, research and visitors and these should apply for both the wired and wireless access service. Increasingly taking advantage of technology and IT related platforms, education institutes have become better equipped to meet a growing set of challenges in the 21st century higher education market but challenges still remain. Differentiation The reliance of educational establishments on private sources of funding is driving competition between them to new levels. There are a number of fronts for competition, but in the drive for better results, many rely on a secure computing and network platform for a greater collaborative capability and to deliver education more effectively through content and data-rich applications. It is now the accepted norm that higher education institutions demonstrate how they leverage such platforms to the benefit of all stakeholders in the establishment, namely students, staff and employees. Brand Development Intense competition has driven the search for lucrative overseas students while developing the establishment brand to a wider business and international research audience. Partner or extension faculties are typically located in rapidly developing economies such as South East Asia or the Middle East. Key to the success of such strategies is rapid yet secure connectivity linking such sites together to share resources. Forward thinking establishments will reach out to their local communities and businesses to utilize their assets for brand enhancing or profitable events such as continuing education, summits and conferences. A highly flexible networking and security infrastructure is essential to support these initiatives. Duty-Of-Care One of educational institutes key requirements is to provide a demonstrable duty-of-care. The core pillar of this responsibility is an enforceable and manageable use policy that is widely distributed to staff, students and visitors alike. The policy defines e-safety and must strike the balance between accessibility and protection for each faculty, function and user category. It must detail the controls that are put into place whether they are preventative, detective or corrective. Homogeneous Network Education networks are very rarely built from scratch and have typically evolved in phases as needs and budgets presented themselves. Furthermore, establishments, which often require connectivity to regional or national academic networks, demand appropriate firewalling and segmentation. Incorporating local, regional, national and international wired and wireless resources into a homogeneous network without getting too complex and costly can present a significant challenge.

4 Campus Topologies and High Density Access Campuses faculties and departments are located in disparate buildings, some of which may be temporary. Deploying wired networks may be cost prohibitive or impractical in many situations. An attractive alternative is to provide wireless connectivity for rapid and cost effective extension of an existing network across an entire campus. In addition to extending network access in locations such as lecture theatres and student residence halls, there is also the need for high-density deployment capabilities to address a high probability of channel interference, channel frequency and access point overload in addition to external interference sources. Appropriate deployment and configuration are crucial in avoiding these factors and ensuring an appropriate level of service. Identification, Profiling and Segmentation Different user categories (i.e. students, staff, visitors) must have different levels of access to internal and Internet-based resources to enable education excellence. The most common, flexible and cost-effective way to achieve this is through user identification upon users authenticate onto a network. Having security policies that are based on identity and the type of device used allows an establishment to define and implement solid boundaries. This requires robust identity management capabilities that offer single and two-factor authentication with fine-grained authorization to network-based resources. Wireless Guest Provisioning In today s modern education establishment, visitors (i.e. parents, adult education students etc) may benefit from access to the Internet. Ideally, this is proposed free of charge and branded with the establishment s own landing/login page. Consequently, an infrastructure is required to provide this level of differentiated service comprising of wireless access points, wireless guest management, welcome/login pages in addition to fine-grained, segmented security management. Dynamic Security Provisioning Design of IT and IT security systems cannot assume a static environment for the network topology and the security threat landscape. From a physical perspective, departments may be relocated and temporary buildings erected to provide for extraordinary events. College and research projects and external conferences may demand provisioning and reconfiguration of the security profiles attributed to part of the network. The ability to react rapidly and securely to these requirements can make the difference between success and failure. Secure Having an establishment mail domain is now commonplace for all levels of education. The key challenge however is to provide cost-effective messaging while also ensuring that usage policies are being followed with respect to content, privacy and backup. Cloud-based or on-demand services have proven to be limited and unable to adapt to the rapidly evolving protection and archiving requirements. Budget Public and private higher education budgets are under constant pressure. Delivery and support of technical systems are usually given a lower budget priority in favor of direct, visible costs such as staff, capital assets and buildings. It is thus important to recognize how IT and IT security enable better education while seeking to deploy technology platforms that reduce complexity of deployment, management and overall costs.

5 Connect & Secure For Further / Higher Education Security Fundamentals Higher education institutes are open, outwards-facing, dynamic enterprises. Today, the core activities of research and education are being re-shaped by technology, the Internet and mobility: remote learning, Massive Open Online Course (MOOC) platforms and worldwide research collaboration are only a few examples of how IT technology is empowering higher education. This extraordinary openness, while a key to the success of higher education, must not compromise the security, integrity and availability of the IT infrastructure, its platforms and services. Connect & Secure is Fortinet s Unified Access solution combining state of the art network security with ubiquitous connectivity. Within a university or college campus, be it a single site campus, national or multinational multi sites configuration, Connect & Secure acts as a dynamic security membrane, a selective permeable barrier, allowing wired and wireless connectivity with selective and secured access to the network, applications, and IT resources. Fortinet s Connect & Secure architecture is built upon six key pillars: Network Security; Wired Access; Wireless Access; Identification and Authentication; Device and User based Policy; and Management. It allows higher education institutions to resolve some of the major network challenges and pain points: CONNECTIVITY is provided for both traditional wired Ethernet and wireless users by a single access layer, fully integrating both access methods directly into the security fabric of the network. Regardless of the access method, users are handled equally, eliminating any discrepancies in the authentication and identification process. SECURITY is fully integrated into the very fabric of the network, so that network security authentication, user and device based identification and policies are applied equally to all parts of the network - in the different classes, lecture theatres, libraries and campuses. PERFORMANCE is guaranteed by a high performance, hardware-based solution that can scale to meet both connectivity and security requirements for the short and long term. COST EFFICIENCY AND REDUCTION are achieved through the support, within a single high performance security appliance, of multiple security and networking functions, high Ethernet port density and integrated wireless access eliminating redundant security devices, routers and switches. MANAGEABILITY is provided through single pane of glass management capabilities for centralized element configuration and control, user and device based policies definition and application, common authentication, event logging and report generating.

6 WHITE PAPER: SECURING NEXT GENERATION EDUCATION Connect & Secure Components Fortinet s Connect & Secure provides the foundations upon which higher education institutes can deliver a connected, on-demand learning and research environment, ensuring that students and staff can maintain their focus on learning, teaching and research. FortiGate FortiGuard FortiGate is the heart of the Connect and Secure solution, consolidating multiple network security and networking functions into a single, high performance cost-effective platform. FortiGuard is Fortinet s in-house threat detection and protection service so that the network will keep up with the constant changes in the threat landscape that it will encounter throughout its lifetime. FortiOS FortiOS is the intelligence powering each FortiGate, allowing it to be individually tailored to meet the institutes specific security and networking requirements. FortiAuthenticator Authentication and access control are also key components of the overall solution and crucial in allowing intelligent policy to be applied to users and devices. The FortiGate is capable of providing user authentication locally or working cooperatively with central authentication systems such as RADIUS, Active Directory or FortiAuthenticator. With FortiAuthenticator as part of the security infrastructure, these authentication methods can be strengthened even further with Single Sign-On (SSO), 802.1x Port Access Control, Two Factor Authentication (2FA) and certificate management. Once a user or device has been identified and authenticated, policies can then be applied to control access to network resources and applications.

7 FortiSwitch FortiManager FortiSwitch can provide additional ports if more Ethernet connectivity than the one already supplied by the FortiGate is required. Through an integrated switch controller, the FortiSwitch is easily managed through the FortiGate. Both the FortiGate and the FortiSwitch support Power over Ethernet (PoE), simplifying deployment of network attached devices such as wireless access points. FortiManager provides a single pane of glass management capability for the entire network. Although Connect and Secure is a comprehensive solution it does consist of several different elements. The ability to centrally configure and manage the different elements is crucial as is defining and implementing consistent policy for users and devices. FortiAP FortiAnalyzer FortiGate includes a wireless controller to easily integrate wireless users into the security fabric of the network. FortiAPs are external WLAN access points that are managed and secured via the integrated controller, providing wireless coverage for large, dense locations such as lecture theatres and even outdoor environments. Smaller locations also have the option of deploying FortiWiFi, which integrates a wireless access point directly into the FortiGate. FortiAnalyzer complements FortiManager by providing centralizing reporting, event logging and analysis, allowing you to turn individual alarms and events into a comprehensive view of the state of the network.

8 Connect & Secure For Further / Higher Education In Action The diagram below illustrates how components of the Fortinet Connect & Secure solution may be deployed to fulfill the fundamental challenges the educators face today: A B C D A) Service Provider / Authority In many circumstances, an educational establishment may not have the skills or resources to retain full control of their network and more importantly its security capabilities. In this case they may decide to outsource these operations to a local public authority or a Managed Security Service Provider (MSSP). Fortinet products can be flexibly deployed in either scenario or as a hybrid whereby the establishment retains partial delegated control of certain elements. B) Campus Coverage Connect & Secure provides cost effective and secured wired and wireless coverage in buildings and across the campus to ensure service delivery. Integrating with FortiGate, FortiSwitch, FortiWiFi and FortiAccess Points, the solution provides high-speed, high-density LAN/WLAN network connectivity and extension. Wired and wireless network are natively integrated into the security fabric, ensuring access and security to IT resources based on policy enforcement. C) Duty-of-Care & Governance Protection is paramount and at the heart of the network. FortiGate, through FortiOS enables flexible and fine-grained security and access policies to provide unparalleled protection to overall IT resources while delivering the required performance to the campus users, such as staff, students and visitor. With FortiGuard threat protection service, dynamic and continuous protection is ensured against the constant changing threat landscape. D) University / College Lecture Hall In active and dynamic environments such as lecture theatres, students and staff require wired and instant wireless access from their own device. The wireless network must cope with large variability in client numbers, load and traffic types. FortiGate, with its incorporated wireless controller and FortiAPs for wireless access points meets these challenging requirements. When combined with FortiAuthenticator for federated identity, secure Bring-Your-Own- Device (BYOD) is enabled.

9 The Student And Their Device Connect & Secure in a rich BYOD environment The phenomenon of BYOD is prevalent in the education environment. Most students are equipped with smart devices of one form or another that they wish to connect to both the Internet and establishment resources. Indeed many today rely on these devices inside the lecture theatre or classroom for frontline education as much as they do in the cafe or common areas for social purposes. Enabling BYOD however brings many security challenges that require a BYOD-Ready Secure Network. Fortinet s Connect & Secure solution provides numerous BYOD critical features that allow for a securely managed BYOD strategy: A) Integrating Security And Wireless Control In any wireless solution there are three core components, radio(s), wireless controller and network security services. With a Fortinet-based solution, the wireless controller is integrated into the same FortiGate appliance as the security services. In addition to offering a far greater level of security control, this configuration significantly reduces the cost of procurement, deployment and management. Indeed, Fortinet customers also have the option of combining all three components into one appliance, FortiWiFi, further accentuating the benefits of greater simplicity. B) Device Identification And Security Attribution Connect & Secure relies on the FortiGate recognizing mobile device platform types, even without user authentication or complex traffic tracing. Security profiles are attributed to specific device types enhancing the level of control needed in BYOD situations. This also gives administrators a clear view on the relative proportions of device types in circulation and can plan accordingly. C) Client Reputation In conjunction with device identification, Connect & Secure allows the collection of statistical information concerning the security posture of every user. This is determined by a number of weighted factors including, Web activity, use of games, P2P sites, viruses/malware, IPS, bad connection attempts etc. Judicious use of client reputation accelerates the identification of clients that have either been infected with malware and users that are potentially misusing the service provided for them. D) Scalable Federated User Identity Management Managing the full diversity of user profiles is essential for a BYOD-Ready Secure Network. Users can be presented as purely unknown wireless guests through to highprivileged administrators of IT resources connecting from a controlled desktop. Connect & Secure provides reliable identification of users in order to apply useroriented security as a function of their profile. Correlating scalable, standards-based authentication with existing user/resource directories completes the security integration provided by Fortinet s Connect & Secure. To that end, for administrators and high-privileged accounts, the Identity Management component of the solution, FortiAuthenticator, combines standard-based authentication with certificate management and Two Factor Authentication (2FA).

10 The Final Bell Higher education establishments are looking to expand their IT infrastructures to meet the demand from students, staff and the scientific and business communities. National education guidelines lean ever more heavily on secure IT, interconnectivity and the Internet to fulfill education and research objectives. Forward-thinking establishments are pushing their boundaries internationally to develop new markets and attract overseas students and investment. Fortinet s Connect & Secure solution delivers a simplified, secured and cost-effective unified access platform so that your establishment can securely expand to reach new academic and business frontiers.

11 About Fortinet Fortinet (NASDAQ: FTNT) protects networks, users and data from continually evolving threats. As a global leader in high-performance network security, we enable businesses and governments to consolidate and integrate stand-alone technologies without suffering performance penalties. Unlike costly, inflexible and low performance alternatives, Fortinet solutions empower customers to embrace new technologies and business opportunities while protecting essential systems and content. AMERICAS HEADQUARTERS 899Kifer Road Sunnyvale, CA United States Tel Fax EMEA HEADQUARTERS 120 rue Albert Caquot Sophia Antipolis France Tel Fax APAC HEADQUARTERS 300 Beach Road The Concourse Singapore Tel Fax Copyright 2014 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, FortiCare and FortiGuard, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expresslyidentified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.