Securing Next Generation Education
A FORTINET WHITE PAPER

Introduction

Education And The Next Generation

Over the past 20 years the world of education has changed out of all recognition. We have transitioned from a world of individual and largely isolated institutions, firmly bound to traditional methods, procedures and resources, to one at the forefront of where collaborative computing, the Internet and international organisation collide. This situation has arisen and continues to be driven by a number of confluent factors that have uniquely shaped the profession. Firstly, educational methods have evolved rapidly hand-in-hand with the availability of content-rich, education-focused computing applications. Secondly, the ubiquitous nature of the Internet continues to disproportionately shape the lives of our next generation to the extent that young people's lives are becoming defined by and experienced through the Internet. Finally, and more ominously, the availability of the world's knowledge at our fingertips massively increases the risk of exposure to the worst ills of our global society.

To examine how we can effectively harness the opportunities of the interconnected world and liberate competition and collaboration between establishments whilst mitigating the inherent threats, we must thoroughly understand the specific current and future drivers of our educational institutions with respect to IT systems, IT security and the Internet. Combining this with the aspirations and needs of our young adults we can fulfil the promise of next generation education.

Computing And Life In Further / Higher Education Level

For students, the phase of further/higher education is defined by extensive use of the Internet for educational, research and social purposes, not necessarily in that order. Whilst providing access to computing and Internet resources, a university or college also has a responsibility for duty of care for all users of its services. However, the majority of students expect to connect their own devices to the network for both intranet and Internet access. Every establishment will make its own decisions on network design, but there are clear demarcation lines between students, staff, research and visitors, and these need to be built into both the wired and wireless access service.

The Educators' Challenge

Our Education Differentiation

The reliance of educational establishments on non-public sources of funding has driven competition between them to new levels. There are a number of battle lines for competition, but in the drive for better results, many rely on a secure computing and network platform for a greater collaborative capability and to deliver education more effectively through content and data rich applications. It is now the accepted norm that colleges and universities demonstrate in their prospectus how they lever such platforms to the benefit of all stakeholders in the establishment, namely students, staff and prospective employees.

Enabling Strategies For Developing The Brand

Intense competition at home has driven the search for lucrative overseas students whilst developing the establishment brand to a wider business and international research audience. Partner or extension faculties are typically located in rapidly developing economies such as South East Asia or the Middle East. Key to the success of such strategies is rapid yet secure wide area networking linking such sites together to share resources.
Forward-thinking establishments will reach out to their local communities and businesses to utilise their assets for brand-enhancing or indeed profitable events such as continuing education, summits and presentations. Highly flexible networking and security infrastructure are prerequisite capabilities to support these initiatives.

Demonstrable Duty-Of-Care And Acceptable Use Policies

Despite the fact that the majority of users of establishment networking and Internet access are over the age of consent, there remains a key requirement to provide a demonstrable duty-of-care. The core pillar of this responsibility is an enforceable acceptable use policy that is distributed widely to staff, students and visitors alike. The policy defines e-safety and must strike the balance between accessibility and protection for each faculty, function and user category. It must detail the controls that are put into place, whether they are preventative, detective or corrective.

Heterogeneous Systems / Networks / Applications

Education networks are very rarely built from scratch and have typically evolved in fits and starts as project budgets have become available based on top-down driven initiatives. Furthermore, establishments often require connectivity to regional or national networks, such as Janet in the UK, that demand appropriate firewalling and segmentation. Incorporating local, regional, national and international wired and wireless resources into a homogeneous network without undue complexity and cost can present a significant challenge.

Campus Topologies and High Density Access

Many colleges and universities comprise multiple faculties and departments located in disparate buildings, some of which may be temporary. Deploying wired networks may be cost prohibitive or simply impractical in many situations. An attractive alternative is to provide wireless connectivity based on the latest international standards to provide rapid and cost-effective extension of existing networks across an entire campus. In contrast to extending access reach, in certain locations such as lecture theatres and residence halls there is the need for high-density deployment capabilities to address a high probability of channel interference, channel frequency and access point overload in addition to external interference sources. All of these factors are contributors to poor levels of wireless service if the networks are not deployed and configured appropriately.

User Identification for Profiling and Segmentation

Implicit at all phases of education is the requirement that different user categories (i.e. students, staff, visitors) have differing levels of access to internal and Internet based resources. This can be achieved in a number of ways, but the most common is through a user's identity that is determined as they authenticate onto a network. Having security policies that are identity based and/or device based allows an establishment to define and implement solid boundaries. This requires robust identity management capabilities that offer single and increasingly 2-factor authentication with fine-grained authorisation to network based resources.

Wireless Guest Provision

In today's modern education establishment it is now expected that visitors (i.e. parents, adult education students etc.) may benefit from access to the Internet. Ideally, this is offered free of charge and branded with the establishment's own landing/login page.
Consequently, an infrastructure is required to provide this level of differentiated service, comprising wireless access points, wireless guest management and welcome/login pages in addition to fine-grained, segmented security management.

Dynamic Security Provision

Design of IT and IT security systems cannot assume static network topologies. From a physical perspective, departments may be relocated and temporary buildings erected to cater for extraordinary events. From a logical perspective, requirements such as college projects, research projects, and external conferences may demand a rapid provisioning and re-configuration of the security profiles attributed to part of the network. The ability to react effectively and securely to these requirements can make the difference between success and failure.

Secure Email

Having an establishment mail domain is now commonplace for all levels of education. The key challenge, however, is to provide cost effective email messaging whilst also ensuring that usage policies are being followed with respect to email content, privacy and backup. Cloud based or on-demand based services have proven to be quite restrictive and inadaptable to rapidly evolving protection and archiving requirements.

Budget Challenges

As is the situation in the public and private sector alike, budgets are under severe pressure. Delivery and support of technical systems are usually relegated to be secondary in priority to front line services with direct, visible costs such as staff, capital assets and buildings. It is important then to recognise how IT and IT security enable better education whilst seeking to deploy technology platforms that implicitly reduce complexity of deployment, management and overall cost.

Enabling Next Generation Education With Fortinet

Introduction To Fortinet

Fortinet is a global provider of IT security solutions to organizations of all sizes. Customers benefit from a large portfolio of best-in-class products that touch the majority of IT disciplines such as wired and wireless network security, web application security, email security and database protection, to name just a few. Fortinet's leadership has been recognised by the industry through the awards of numerous industry standard security certifications and third-party testing such as VB100 Virus, VB100 Spam, NSS, Gartner and IDC. Most of Fortinet's products are underpinned by a global threat research and response delivery platform known as FortiGuard that provides real-time updates to signatures and global threat sources that all customers benefit from.

Secure Fundamentals For Further / Higher Education

At the core of Fortinet's solution portfolio is Unified Threat Management (UTM) that is delivered in the form of the product FortiGate. FortiGate provides a scalable platform for Firewall, Anti-Virus, Anti-Spam, DLP (Data leakage prevention), IDS/IPS (Intrusion detection/protection) and Wireless control amongst other capabilities.

[Diagram: Fortinet deployment with areas labelled A, B, C and D]

The diagram above illustrates how components of the Fortinet product may be deployed to meet the fundamental challenges that educators face today:

A) Service Provider / Authority

In many circumstances an educational establishment may not have the skills or resources to retain full control of its security management. In this case it may have recourse to a local public authority or a private sector organization to manage this on its behalf. Fortinet products can be flexibly deployed in either scenario or indeed as a hybrid whereby the establishment retains partial delegated control of certain security management elements.

B) University / College Lecture Hall

In active and dynamic environments such as lecture theatres, students require instant access from their own device. The wireless network in these high density circumstances must cope with large variability in client numbers, load and traffic types. A FortiGate appliance with its incorporated wireless controller, combined with FortiAPs for wireless access points, meets these types of extreme challenges. When combined with FortiAuthenticator for federated identity, the platform becomes a powerful enabler for end-to-end secure Bring-Your-Own-Device (BYOD).

C) Duty-of-Care & Governance

Protection is paramount. FortiGate devices underpin flexible security policies providing robust and up to date filters to categorized web sites and applications whilst allowing access to whitelisted resources.
The same platform, through identity based user segmentation, will provide different network and Internet access and traffic shaping for roles such as staff, students and visitors. Notification of attempted policy violations to appointed staff completes the governance of acceptable usage policy implementation.

D) Campus Coverage

Extending the network quickly and cost effectively across large areas and between buildings, even in built-up areas, is essential for service delivery. Provider based private network options are often cost prohibitive, particularly if the links are temporary in nature. Fortinet resolves this challenge through its meshing and wireless network extension features. These are facilitated by both indoor and outdoor dual radio access points. Radio frequency coverage can be focused using Fortinet designed beam forming antennae, thus greatly boosting data rates. This combination provides rapidly deployed local area links very cost effectively over hundreds of metres.

The Student And Their Device

The phenomenon of BYOD is as prevalent in the education environment as it is in industry. Most students are equipped with smart devices of one form or another that they wish to connect to both the Internet and establishment resources. Indeed many today rely on these devices inside the lecture theatre or classroom for frontline education as much as they do in the cafe or common areas for social purposes. Enabling BYOD, however, brings with it many security challenges that require a BYOD-Ready Secure Network. Fortinet provides numerous BYOD critical features that allow for a securely managed BYOD strategy.

A) Integrating Security & Wireless Control

In any wireless solution there are 3 core components: radio(s), wireless controller and network security services. With a Fortinet based solution, the wireless controller is integrated into the same FortiGate appliance as the security services. As well as offering a far greater level of security control, this configuration significantly reduces the cost of procurement, deployment and management by removing complexity. Indeed, Fortinet customers also have the option of combining all 3 components into one appliance, namely a FortiWiFi, further accentuating the benefits of greater simplicity.

B) Device Identification And Security Attribution

FortiGate appliances are capable of recognizing mobile device platform types, even without user authentication or complex traffic tracing. This capability gives administrators a clear view of the relative proportions of device types in circulation so that they can plan accordingly. Furthermore, security profiles can be attributed to specific device types, enhancing the level of control needed in BYOD situations.

C) Client Reputation

In conjunction with device identification, FortiGate appliances can collect statistical information concerning the security posture of every client.
This is determined by a number of weighted factors including web activity, use of games, P2P sites, viruses/malware, IPS, bad connection attempts etc. Judicious use of client reputation accelerates the identification of clients that have been infected with malware and of users that are potentially misusing the service provided for them.

D) Scalable Federated User Identity Management

Managing the full diversity of user profiles is essential for a BYOD-Ready Secure Network. Users can range from purely unknown wireless guests through to high privilege administrators of IT resources connecting from a controlled desktop. Reliable identification of users provides the capability to apply user oriented security as a function of their profile. Correlating scalable, industry standards based authentication with existing user/resource directories completes the security integration with other IT moving parts. Administrators and high privilege accounts often require 2-factor authentication to strengthen identity management. The Fortinet Identity Management solution is built around the FortiAuthenticator, which combines standards based authentication with certificate management, servicing large and small establishments alike. FortiTokens that seamlessly integrate with FortiAuthenticator are available as hardware or software tokens for time based 2-factor authentication or as a USB key form factor certificate token.

Cost Effective Secure Messaging

Having an establishment email domain demonstrates to the stakeholders a high level of ICT/Computing maturity. Some establishments rely on on-line services from their ISP or other service provider for email enablement. However, costs can grow significantly due to both the larger community sizes typical in universities and colleges and the increased requirements for policies providing email content control. Fortinet's FortiMail provides both email messaging and messaging security in a single appliance. The messaging component is a fully functional email server with collaborative features such as calendaring and resource scheduling that can be utilised for room and equipment control too. All email security services are provided as part of the FortiMail license so an establishment can enjoy the security of antispam, antivirus, DLP, mail encryption, archiving and quarantining, all at no extra charge. Cost/benefit analyses show that with user communities greater than 50, deploying a fully functional, serviced secure messaging appliance is more cost effective than a simple online solution.

The Final Bell

Higher education establishments are looking to expand their IT infrastructures to meet the demand from students, staff and the business community. National education guidelines lean ever more heavily on secure IT, inter-connectivity and the Internet to fulfil education and research objectives. Forward-thinking establishments are pushing their boundaries internationally to develop new markets and attract overseas students and investment. To date the three constraints slowing such adoption are cost, complexity and security. Fortinet is a world leader in IT security solutions for Education that focuses on simplifying security deployment and cost. We have probably already enabled a higher education IT infrastructure in your region of the world for next generation young adults. Let us show you how we can achieve the same for you.

About Fortinet

Fortinet is a global provider of high-performance network security solutions that provide our customers with the power to protect and control their IT infrastructure. Our purpose-built, integrated security technologies, combined with our FortiGuard security intelligence services, provide the high performance and complete content protection our customers need to stay abreast of a constantly evolving threat landscape. More than 125,000 customers around the world - including the majority of the Global 1,000 enterprises, service providers and governments - are utilizing Fortinet's broad and deep portfolio to improve their security posture, simplify their infrastructure, and reduce their overall cost of ownership. From endpoints and mobile devices, to the perimeter and the core - including databases, messaging and Web applications - Fortinet helps protect the constantly evolving networks in every industry and region around the world.

AMERICAS HEADQUARTERS: 1090 Kifer Road, Sunnyvale, CA 94086, United States. Tel +1.408.235.7700, Fax +1.408.235.7737, www.fortinet.com/sales
EMEA HEADQUARTERS: 120 rue Albert Caquot, Sophia Antipolis, France 06560. Tel +33.4.8987.0510, Fax +33.4.8987.0501
APAC HEADQUARTERS: 300 Beach Road 20-01, The Concourse, Singapore 199555. Tel +65.6513.3734, Fax +65.6295.0015
www.fortinet.com

Copyright 2013 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, and FortiGuard, are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were attained in internal lab tests under ideal conditions, and performance may vary. Network variables, different network environments and other conditions may affect performance results.
Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.