Introducing the ISA Server 2000 in Education Deployment Kit
Dr. Thomas W Shinder
Download the entire Kit at:
Download individual zip and doc files at:
Educational institutions are connecting to the Internet in increasing numbers. Many educators believe that students are at an educational disadvantage if they do not have access to the Internet. It’s clear that the wealth of information accessible for free or at a nominal charge on the Internet makes the student’s research and collaboration process more productive and insightful.
The campus network and firewall administrator faces many challenges when it comes to campus Internet connectivity. One of them is to manage campus Internet bandwidth. While some educational institutions have "fat" pipes to the Internet that may appear to provide almost unlimited bandwidth, most educational institutions have limited budgets and must be able to wisely use the limited bandwidth available to them. Even larger educational institutions with high capacity connections to the Internet can see those connections bog down with just a handful of abusive users or the introduction of a popular Internet Web site.
In addition to bandwidth challenges, there are issues related to viewing appropriate Web content and to the use of Internet protocols and services that could put the educational institution at risk and potentially allow Internet intruders to access privileged information on the campus network.
Some important issues educational institutions must address include:
- The effects of the Digital Millennium Copyright Act (DMCA). Peer to peer file sharing is a leading cause of copyright infringement and the educational institution may be required to show due diligence in controlling the downloading and distribution of copyrighted materials
- Large capacity Internet links at university and school district networks make them attractive targets for Internet based attackers
- Educational institutions contain significant amounts of private information that must be protected from compromise; this information includes the institution’s financial information, names and addresses of donors, and alumni information
- The Health Insurance Portability and Accountability Act (HIPAA) of 1996 applies to some educational institutions, such as medical schools, teaching hospitals and student health care centers. These networks must be protected from internal and external intruders
- The Electronic Communications Privacy Act (ECPA) prohibits unauthorized access to or disclosure of electronically stored information; a school could be subject to penalty if the campus network is not adequately protected against attack
- The Computer Fraud and Abuse Act (CFAA) might be used to prosecute educational institutions that do not take adequate measures to prevent campus users from hacking into government or financial institution computers and networks
- The Gramm-Leach-Bliley (GLB) Act applies to schools that process student loans and grants, as it requires privacy of financial and student loan information
- Individual states’ privacy laws may ban public disclosure of students’ and faculty members’ private affairs; library records may also be protected by state privacy laws (which are superseded by the USA PATRIOT Act, but only for law enforcement purposes). Schools must also protect the privacy of student Social Security Numbers
- The ever-present risk of civil lawsuits, where students or faculty may sue for negligent disclosure of confidential electronic information
- The Children’s Internet Protection Act (CIPA) requires that libraries filter offensive Web sites in order to receive Federal funding
- The Federal Education Records Privacy Act (FERPA) provides that educational institutions that receive federal funding can’t release records without consent except under certain circumstances. Failure to protect electronic records is not specifically addressed, but could possibly be interpreted as "releasing" if a campus network compromise takes place
While these laws are specific to the legal environment in the United States, other countries have their own laws requiring that student and faculty information be secured on the campus network.
Educational institutions need to protect their networks using strong defense in depth programs. One component of a good defense in depth program is the network firewall. Network firewalls can control traffic at the Internet edge, the edge of a campus network linked to other campus networks, or at the edge of student and departmental LANs. A good firewall is able to perform the following actions:
- Prevent unauthorized inbound access into the protected network located behind the firewall
- Prevent unauthorized outbound access from the protected network located behind the firewall to any network segment(s) (including the Internet) outside the network firewall
- Log all connections, inbound and outbound, made through the firewall
- Log user and application information for connections made through the firewall
- Allow access to all required protocols, but only for the specified users and groups for which each protocol is required or allowed
In addition to a good network firewall, campus networks can benefit from technologies that help to reduce bandwidth used on the Internet link. Web caching is one such technology. Content accessed by one network user is stored on the Web caching server; when subsequent requests are made for the same content, it is returned from the Web cache on the campus network instead of being fetched again over the Internet connection from the Internet Web server.
ISA Server 2000 provides all the features mentioned above that are part of a good firewall for campus networks. It gives the campus network and firewall administrator fine-tuned inbound and outbound access control for virtually all Internet protocols based on user or group membership. In addition, ISA Server 2000 incorporates a high performance Web caching server, enabling educational institutions to consolidate firewall and Web proxy components into an integrated hardware and software solution.
With the challenges and requirements of today’s campus network in mind, we created the ISA Server 2000 in Education Deployment Kit. In this kit we discuss ISA Server 2000 technologies that will help improve the level of security on campus networks and how to use Web caching technologies to reduce the stress on a potentially overburdened campus network Internet link.
The following section discusses the documents in the ISA Server 2000 in Education Deployment Kit and provides an overview of the information contained in each document.
ISA Server 2000 in Education Chapter Guide
This chapter discusses in detail the technological and access control issues facing today’s campus network firewall administrators and how ISA Server 2000 provides an ideal solution for many of the common problems encountered on educational institution networks today.
This chapter provides detailed information on the extensive Web caching capabilities included with ISA Server 2000. Detailed step by step procedures are outlined on how to configure the Web caching server, where to place the Web caching server, how to tune the caching configuration, and how to configure efficient routing of Web requests.
This chapter provides information on how to configure campus Web browsers to provide the optimal Web browsing experience for campus Web users. Included in this chapter is detailed information on what each of the Web browser configuration options mean and how you can use these settings to provide the level of access your campus Web users require.
Many educational institutions host their own e-mail services. SMTP servers can be inundated by large amounts of unwanted e-mail. Unwanted e-mail is a major problem for all campus networks that host their own SMTP servers. This chapter provides detailed information on how you can use ISA Server 2000 as part of an SMTP defense in depth program to reduce the amount of unwanted e-mail entering and leaving the campus network.
ISA Server 2000 Web Proxy and Firewall clients provide the highest level of performance and security when used together with the ISA Server 2000 firewall and Web Proxy server. However, busy campus administrators don’t have the time or resources to visit each campus computer to configure each computer as an effective Firewall and Web Proxy client. This chapter provides detailed information on how to automate the installation and configuration of Web Proxy and Firewall clients on the campus network.
Campus network and firewall administrators need to control what sites and content, as well as what protocols, campus Internet users access. This chapter provides detailed information on how to control outbound access for SecureNAT, Firewall and Web Proxy clients. Per protocol and per site access configurations, as well as custom configurations, are discussed in this chapter.
ISA Server 2000 firewall and Web Proxy servers can be placed on campus networks with an already well-established network infrastructure with a minimum of effort. This chapter discusses how you can place ISA Server 2000 firewall and Web Proxy servers at the edge of student and departmental LANs, as well as at the Internet edge, to provide multilevel protection against internal and external network attacks. Detailed discussions on Web Proxy and Firewall chaining are also included in this chapter.
I hope you are able to benefit from the ISA Server 2000 in Education Deployment Kit and find something in it that you can apply to your own network. If you have any questions on anything discussed in this series of articles, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=2;t=011804 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom