Learning
Twenty-four years ago, I helped set up a firewall. It was a Cisco PIX firewall running Finesse and it was housed at the school board office of Hanover County Public Schools. For both the school division and me, it was a first. For the network engineer on staff, it was a welcome challenge to protect our T1 access to the Internet.
Using the word "helped" may imply that I had more input as a 19-year-old technician than was actually true. I was there. I watched and I loved every minute of it. The firewalls of those days were packet inspectors and traffic officers. They inspected packets, ports, and IP addresses and applied basic rules to allow/deny traffic. That was all they could do, generally. This was actually considered the second or third generation of firewall technology - depending on who you ask.
We have been told for years that the migration and integration of cloud services will make the firewall obsolete. What has actually happened is that networks have gotten 10 times more complicated than we ever thought possible and firewalls are still very much a major source of protection and comfort. In a recent annual survey (State of the Firewall Report 2019), FireMon asked C-level executives about the importance of firewalls. Ninety-five percent of respondents said the firewall was still a critical piece of hardware in their environments, no matter the state of their cloud migrations.
There are many types and configurations of firewalls. You can choose software-based, hardware-based, purpose-built, parent/child, etc. For our discussion, let's assume your network has a single firewall that protects your network from the Internet and vice versa. For perimeter protection of a school division network, hardware firewalls are king. Most of our school divisions have only one Internet connection and one firewall. Therefore, the choice of functionality is paramount.
Today's firewalls (classified as "next-generation") are part of a unified threat management (UTM) strategy. UTM implies that a single physical device performs the functions of many previously separated devices or applications. Integrated features can include virus scanning, deep packet inspection, SSL decryption, intrusion detection and prevention, content filtering, VPN access, behavior analytics, and malware detection. Newer firewalls can even focus on application-layer inspection and can connect with outside resources for instantaneous response to growing, imminent, and zero-hour threats. I'm not always a fan of including so many functions in one device as it creates a single point of failure and reliance, but smaller school divisions may relish having only one device to install and configure.
Next Generation Firewalls allow organizations to achieve network transparency, reduce vulnerabilities, and conserve network performance. Next Generation Firewalls stop threats and prevent data leakage by providing policy-based visibility and control over applications, users and threats, unlike the traditional port-based method. Application identification, application control, and the best threat prevention are all provided with a Next Generation Firewall.
SecurEdge
We have been (and will continue) talking about building your school division's security posture. We could also call it a security program. It's the combined efforts, the layers, of your defense shields. The layers expand from basic policies and procedures to software and hardware controls to incident response that could involve law enforcement, media, and criminal investigations. If your school division is not using a firewall that can provide more than just an access control list, you are missing out on the opportunity to have actionable intelligence and additional safeguards to protect your network, and the basic concept of due care (doing what a reasonable person in your position would be expected to do) is not being followed.
Budget season is fast approaching. Is it time to upgrade your firewall? Is it time to activate new features of your firewall? Is it time to upgrade or train your personnel to support a next generation firewall?
Some of our school divisions are much more advanced than these newsletters may ever address. I understand that, of course. Hanover County replaced that PIX years ago - HA! The majority, however, are still emerging and trying to find the resources and knowledge they need to be successful. Together, we all can build an environment where Virginia's schools are more secure.