|
Protecting Connected Schools: K-12 Security
Today, a number of services are being delivered over the web by campuses everywhere. These range from student registrations, course delivery online, taking payments and ever-expanding set of new services. It is therefore critical that access by students, faculty, staff, partners and others is maintained at all times.
Campus IT departments have taken many steps by adding security features to the service infrastructure, such as measures to prevent identity theft and fraud so that online access is a safe and secure experience. However, as more users depend on a reliable online access, there are steps to take against new types of online threats.
One of the critical areas of vulnerability that needs to be addressed is to implement adequate safeguards for protecting the online system from being shut down with Denial of Service attacks. These types of attacks by Botnets and other sophisticated attacks bombard the site with bogus requests and overwhelm the network. They can stop all genuine activity for several hours or even many days thus depriving customer access to banking. Moving from gambling sites and holding them for ransom, the criminal activity has now spread to other types of organizations, which have an online presence and it is their significant source of interaction.
Internet Service Providers who provide you connectivity face a difficult problem. They have to take steps to protect against such attacks. Quite often they are either unwilling or lack the expertise to implement such a solution. Many times their first option is to cut off the service to the attacked network. The online operations have now two emergencies to tackle and be back in business. There are a number of horror stories faced by connected schools, many that go unreported. Fortunately, there are affordable solutions that be implemented without disruption to normal operations.
Introduction to Denial of Service Attacks
Denial of service (DoS) attacks and Distributed Denial of Service (DDoS) attacks are common techniques to bring down e-commerce with a malicious intent.
The attackers employ either a few machines spoofing as large number of machines or a large number of hacked machines with a robot software called bot simultaneously connecting to a website.
The number of simultaneous connections are so many that the e-commerce servers cannot handle the load and are knocked down.
How come the attack could not be stopped by firewalls and the Internet Service Providers?
Denial of service (DoS) attacks and Distributed Denial of Service (DDoS) attacks are very difficult to stop using firewalls because the content is legitimate and the intent is malicious.
Most ISPs for K-12 schools do not have the tools and techniques required to stop the onslaught. They can simply take down the network - which furthers the purpose of the attackers.
What is the Solution?
The solution is in containing the attack and compartmentalizing the site, having a DDoS mitigation system which stops attacks by understanding that the behavior of the new visitors is different from the past normal visitors. The solution is in planning for the high performance required in the network security appliance that can handle such onslaught and still stop such attacks so that the business can continue.
5 Essential Components of Connected Schools Network Security
Containment
|
 |
| Prevent proliferation of attacks |
Compartmentalization
|
| Prevent unauthorized access to systems. Avoid collateral damage when you are under attack. |
Continuity
|
| Ensure seamless operation even under DDoS attack or equipment failure |
Recovery
|
| Enable rapid recovery from external attack or malicious insider activity |
Performance
|
| Network performance should not be reduced by security measures |
| |
|
| IntruGuard products help you contain the the attacks within 2 seconds. They let you segment your network logically into business functions or networks so that an attack on one network does not impact the other parts. With a hardware DDoS mitigation appliance from IntruGuard, your business continues - automatically. All attacks are instantaneously identified and blocked for a short duration (of less than 15 seconds) and re-evaluated. That helps in reducing false positives. The devices are tested for high performance - under the worst attacks, the performance remains wire-speed. Read a third party analysis here. |
5 Key Questions About Connected Schools Network Security
- Has your website been affected by a worm, DDoS attack, Botnet attack, or other security breach?
- Have the attacks cost you business or productivity? What is the value of downtime of a few hours?
- Do you have an incident response policy in place?
- Does your company have a 24x7x365 Security Operations Center?
- Is security important enough to distinguish you from your competition?
5 Steps to Connected Schools Network Security
- Step 1: Insecure Website
- Step 2: Key Building Block of a secure website - Add DDoS Attack Mitigation
- Step 3: Secure Website - Add Firewall
- Step 4: More Secure Website - Add Content Based Intrusion System
- Step 5: Pretty Secure Website - Add Web Application Security
5 Compliance Mandates for DDoS Attack Mitigation
| Regulation |
Mandates |
| FFIEC |
• Availability security objectives |
| Gramm-Leach Bliley |
• Protect Security and Confidentiality of Customer’s Non-Public Personal Information
• Protect Against Anticipated Threats and Hazards to Information Security
• Establish Disaster Recovery and Business Continuity Program |
| Sarbanes Oxley |
• Secure Information Infrastructure
• Safeguard Information Assets |
| USA Patriot Act |
• Implement Risk Based Systems and Monitoring |
| Basel II |
• Monitoring of Risks
• Business Continuity Plans
• Implementation of Risk Mitigation |
Comprehensive Connected Schools Network Protection
| Feature |
DDoS Mitigation |
Firewall |
Content Based Security
(IPS)
|
Web Application Security
(Application Firewall)
|
Floods
(SYN, TCP, UDP, ICMP, Fragment, Port, etc.) |
Yes |
No |
No |
No |
| Botnet Attacks |
Yes |
No |
No |
No |
| Source Tracking, Source Limiting |
Yes |
No |
No |
No |
| Continuous Behavior Learning and Adaptive Control |
Yes |
No |
No |
No |
| Header and State Anomalies |
Yes |
No |
No |
No |
| Port Scans, Network Scans, Dark Address Scans |
Yes |
No |
No |
No |
| ACLs |
Yes |
Yes |
No |
No |
| NAT |
No |
Yes |
No |
No |
| Stateful Inspection |
No |
Yes |
Yes |
No |
| Stateful Signatures |
No |
No |
Yes |
No |
| Traffic Signatures |
No |
No |
Yes |
No |
| Cross Site Scripting, Parameter Manipulation, Command Injection |
No |
No |
No |
Yes |
| Information Leakage |
No |
No |
No |
Yes |
Architecture of a Secure Connected Schools Network
|
Customer Experiences
Read what our customers and world-renowned analysts have to say about us.
Read Juniper Networks Solution Brief here.
Want to know more
Sign up for our webinars.
|
