
The Pikes Peak Board of Cooperative Educational Services
Network security is one of the valuable services Pikes Peak BOCES provides these school districts, according to Robert Cox, technology consultant for the cooperative. That service, however, was being compromised by the existing firewall setup at the cooperative.
Since its network actually consists of several different autonomous networks, from nine different locations, the firewall controls the exposure the different networks have to each other. It keeps the schools' networks from attacking one another and from attacking the Pikes Peak BOCES network, and it keeps out Internet intruders.
With the number of computers accessing the Internet, Cox needed the firewall to perform such functions as Web content filtering and proxy caching to reduce bandwidth. The existing firewall could only block about 75% of the Web site classifications the school districts did not want students to access.
Cox first considered using a dedicated hardware-based firewall rather than running software on a server. "Some products proved too expensive for us," he says. "Others couldn't handle a network our size."
Finally, Cox focused on a Linux-based product that could turn an inexpensive server into an all-purpose security device. Astaro Security Linux, from Astaro Corp., of Burlington, Mass., handles the firewall, Web content filtering, e-mail blocking, virus protection and bandwidth management. He installed the product on a $1,500, off-the-shelf Pentium 3 server with 512 megabytes of RAM.
The security appliance acts as a firewall to control how the Web servers that Pikes Peak BOCES manages, which run on a variety of platforms, are exposed to the Internet. For example, Cox and his team can watch the solution's logs in real time and see various attempts to attack or exploit any software vulnerabilities. "This capability prevents attackers from trying to take advantage of Web server software we don't want exposed to the Internet," Cox says.
Technology licensed by Cobion of Kassel, Germany, provides the content-filtering capability bundled into the Astaro product. The filter blocks spam and can block access to Web sites containing objectionable content. The filter draws upon a URL database of some 15 million entries that are based on 2.1 billion previously analyzed Web pages. A global data center with 1,000 servers continuously updates the database with 100,000 new entries daily.
Each software security appliance automatically runs users' surfing requests against these content filters through a URL cache. New sites not yet classified are automatically scheduled for indexing and are added to the database within 24 hours.
With help from Astaro's technical support team, Cox adjusted the URL filtering categories so that each school district could have its own content-filtering profile. "The product was catching more than what some school districts wanted," Cox says. "Some of the schools with martial arts classes, for example, wanted to allow weapons-related sites and use supervision of students as the ultimate filter." The product does provide a "white list" inclusion capability so that select Web sites within a blocked category can be allowed through.
The solution also enables Pikes Peak BOCES to filter and block e-mail carrying attachments of file types known to carry viruses, such as executables and Visual Basic scripts. The antivirus technology allows for scanning of infected content in e-mail, as well. During the outbreak of the Klez virus, Cox says, "We blocked about 400 infected e-mail messages a day. The $3,500 yearly license fee for the software paid for itself based on this event alone."
Conserving and allocating bandwidth has enabled the cooperative to lower its network costs and pass the savings on to the school districts. For example, the software's quality-of-service feature prevents certain school districts from monopolizing the available bandwidth. "This is how we controlled file-sharing programs such as Napster," Cox says. "We make them too slow to use." This feature alone saved some school districts more than $1,200 a month on Internet access.
If the appliance server hardware fails, Cox says he can install the software on a similar server within 20 minutes. Since the Astaro software contains its own IP address, it functions as a self-contained entity capable of automatically making its own updates, such as patches and new virus signatures. Cox has set up the software to e-mail him a backup configuration file every night. "This way, I always have a backup CD of the latest version of the software ready if I need to re-install it," he says.
RELATED ARTICLE: Astaro Security Linux.
Astaro Security Linux is an integrated software solution that provides an all-in-one firewall, including packet inspection, content filtering (virus and surf protection), application proxies and IPSec-based VPN. Customers load the software on an Intel-based PC to create IPSec VPN appliances that can talk site-to-site with each other or to remote PCs with an Astaro VPN client installed. The software includes a Linux operating system that has been modified to secure it from attacks. The product starts at $1,495 for 100 IPs or nodes.
For more information from Astaro: www.rsleads.com/307cn-251
Ferrarini is a free-lance writer from Boston.