The Walnut Valley Unified School District in Southern California serves approximately 16,000 students and staff at 15 schools—nine elementary, three middle, and three high schools. In classrooms and computer labs across the School District, students can access the Internet. The School District’s network consists of T1 lines for internal traffic and DS3 lines to handle outbound communication to the internet. Eighty-five to 95 percent of the traffic on these lines is purely web-related.
Fiscal and moral obligation to protect students
“Students are becoming more technologically savvy every day,” says Nancy Hogg, assistant superintendent of Walnut Valley USD. “In order to satisfy both our moral and fiscal obligations, we need to stay one step ahead of them.”
By ‘fiscal obligations’, Hogg refers to the ability of the School District to take advantage of the Federal Communications Commission (FCC) E-Rate funds that assist schools and libraries in obtaining affordable telecommunications and Internet access. To be eligible for these funds, schools must comply with the Children’s Internet Protection Act (CIPA), which requires implementing “technology protection measures” to prevent access to offensive content.
To protect its students from exposure to undesirable websites and malware that could harm its systems, Walnut Valley USD had already implemented a firewall and web filtering appliance. The web filtering appliance crashed often, however, and when it did, it didn’t fail securely; students could access any site they wished. Even when the appliance was running, students could circumvent the system by using SSL traffic (HTTPS) and tools like anonymizers to access otherwise blocked web sites.
Choosing a Web gateway not just for today but for the future
Consequently, Walnut Valley USD began searching for a more effective web-filtering solution. With Internet traffic expected to continue growing—as both network bandwidth and the number of student laptops increase—the School District knew it needed a scalable, long-term web filtering solution. “Because we never know if or when we will have enough in our budget for future IT purchases, we try to buy products that will meet our needs for at least three to five years,” says Hogg.
Ease of management is also important for the School District’s IT purchases because it has very limited IT personnel resources. A systems engineer and a network contractor who report to Hogg have sole responsibility for IT security.
Walnut Valley USD chose McAfee Web Gateway (formerly Webwasher) from the McAfee Network Security Business Unit (formerly Secure Computing) because it met all of the School District’s requirements, including the ability to address SSL traffic. “The McAfee web filtering appliance can scale to meet our needs, is easy to use and manage, and has superior filtering and reporting functionality,” says Hogg.
“Today no HTTP or HTTPS traffic leaves the District without going through McAfee Web Gateway,” says Doty. “That means our students can no longer access blocked sites by anonymous proxy surfing, and we have an extra layer of protection against the spread of viruses and malware.”
Today no HTTP or HTTPS traffic leaves the District without going through McAfee Web Gateway. That means our students can no longer access blocked sites by anonymous proxy surfing, and we have an extra layer of protection against the spread of viruses and malware.Adam Doty
Systems Administrator, Walnut Valley Unified School District
Web usage policies easy to implement
Before “turning on” Web Gateway, Walnut Valley USD systems administrator Adam Doty used Microsoft SMS tools to monitor trouble spots—for instance, computer labs where students were known to have successfully evaded the old web filtering system. This information helped him establish and refine policies regarding what websites and types of activity to block.
“Once we determined the policies, implementing them was easy,” says Doty. For instance, he set up Web Gateway to block students and staff from accessing social networking sites, such as Facebook and MySpace, and bandwidth hogs like YouTube.
By integrating McAfee Web Gateway with Microsoft Active Directory, Walnut Valley USD can also set web usage policy based on users’ roles. Students, teachers, teaching assistants, principals, counselors, and other staff members can all have different web filtering policies applied to them whenever and wherever they log on to the School District’s network.
Exceptions easy to grant too
When policy exceptions are called for—when a teacher needs to show a YouTube video, for example, or a counselor needs to monitor social networking sites for cyber bullying—Doty can easily grant such exceptions based on IP address or user profile.“If a staff member needs to access a normally blocked site either on an extended basis or simply for a day or a week, I can make a profile for this person based on their Active Directory credentials,” says Doty. “We didn’t have that capability before.”
For ad hoc requests to unblock sites for just an hour or two—for example, for a couple class periods—Doty has created several Active Directory groups that exclude commonly requested websites from the general Web Gateway filtering policies. “I basically drag and drop the staff member into the right Active Directory Group and, when the allotted time slot is over, return them to their normal default status,” explains Doty.
Tracing user activity and trends
The granular reporting capabilities of Web Gateway also make it easy to document inappropriate web activity, identify web usage trends, and tailor filtering settings to enforce policies. Since students and staff all have their own individual login IDs, the Web Gateway- Active Directory integration makes it easy to track who is accessing what sites and when.
”If a principal comes to us and says he thinks certain students are trying to access blocked sites or that a student successfully viewed a blocked site, I can run a report to trace what those students did and how they did it,” says Doty. “Then we can use that information to prevent such offenses from occurring in the future.”
Reputation and category-based filtering
“The face of network security is ever-changing,” says Doty. “Witness the rise of botnets. Our defense needs to be dynamic. That’s why we rely heavily on the McAfee appliance’s reputation— and category-based filtering.”
McAfee Web Gateway leverages continually updated TrustedSource™ reputation scores to evaluate websites and has more than 90 preconfigured categories that, when selected, automatically apply web usage policies to all the websites that fall within each category. Doty also uses the appliance’s ability to filter flesh tones to determine additional sites to block.
“McAfee Web Gateway is easy to use, it’s intuitive, it takes little time, it works the way it’s supposed to,” says Doty. “It just works.”
E-Rate funds don’t specifically require blocking SSL traffic but Walnut Valley USD knows that it’s just a matter of time. “The bottom line is that we need to do what’s best for the kids and McAfee Web Gateway helps us do that,” says Hogg. “Taking the ‘prudent man’ approach can’t hurt from a liability perspective either.”