Congested Networks and Rogue Network Activities Galore
Quite naturally, due to budgetary restrictions schools favor a BYOD approach involving tablets, notebooks, netbooks, and smartphones. The use of these devices on the school network needs to be regulated and this now poses an additional challenge for educational organizations. Often the incumbent security and network equipment is not up to the task and schools find it hard to maintain adequate security standards as prescribed by federal privacy standards.
In addition to security concerns, the uncontrolled use of personal communication devices has far-reaching ramifications on the quality of the school network. Unlimited use of streaming media will quickly exhaust available bandwidth and thus significantly degrade the quality of service required for students undergoing an online exam according to the new standard.
Barracuda CloudGen firewalls are fully application and user aware and, thus, can specifically allow or disallow access to certain applications by users. But that is not exactly addressing the quality of service topics that come with CCSS. At Barracuda, we go one step further and use all this application and user information to assign specific bandwidth limits and traffic priorities as set out in the firewall policy. This also entails an optional uplink selection towards the Internet or between campuses.
Introducing intelligent next-generation security solution implements another crucial layer of protection to a network campus. It enables IT teams to identify both the application used and the user upon entering the school network, as well as malicious outbound activity from infected personal equipment. Barracuda CloudGen Firewall F-Series can filter traffic for malicious patterns. With Barracuda’s Advanced Threat Detection, it is possible to avoid breakouts of zero-day threats, advanced malware, etc., including automatic quarantine settings for user downloads.
This enables you to enforce overall hygienic standards on the school network where access to certain applications is either forbidden, or severely limited by bandwidth caps unless the students need these applications or protocols during an online exam. Then, based on student identity, a temporary exemption can be permitted.
By adding an additional low cost Internet uplink to the current uplink in conjunction with integrated link load balancing features, schools can easily protect themselves against the dreaded provider outage - also referred to as unplanned maintenance window - during an exam. Application selectiveness would guarantee that certain apps only use a particular uplink for as long as it is available. If a failure occurs, an automatically adjusted policy would be enforced that keeps the important traffic functioning.
Why Barracuda CloudGen Firewall?
Some Practical ExamplesDuring exams, it is mandatory to provide maximum available bandwidth to students participating in the exam and it may be necessary to reduce the available bandwidth available to other students. Also, perhaps circumstances make it necessary at times to enable access to certain websites for doing research during a school project.
Another important scenario for protecting availability of a school’s IT resources is the ability to safeguard against DoS/DDoS attacks. Placing such attacks is not rocket science; tools can be found all over the Internet. So, comprehensive Intrusion Prevention and Intrusion Detection techniques are mandatory to ensure continuous service availability.
BYOD setups (Bring Your Own Device) require comprehensive traffic control capabilities. For example, when Apple released the new iPhone/iPad firmware, students downloading the firmware upgrade via the school’s network during school hours (to optimize their social time and to save on their data plan) will definitely have an impact on the bandwidth available for educational tasks.
Therefore, the Barracuda CloudGen Firewall combines next-generation features and capabilities, like Intrusion Prevention and antivirus mechanisms, with full user awareness and application control. This combined information is then used to define the quality of service in a most granular way. This ensures that the school’s bandwidth is protected from inadequate use.
Additionally, Barracuda Safe Browser and Barracuda Safe Search is included with the Barracuda Web Filter, adding another layer of content security to a school’s network.
Both products, Barracuda CloudGen Firewall and Barracuda Web Filter provide extensive reporting capabilities to give schools the perfect tool to ensure network safety.
Barracuda Product Portfolio Assets in Detail
Wired and Wireless Network Capabilities:Barracuda’s CloudGen Firewall F-Series product portfolio off ers several appliances that come with built-in WiFi capabilities. This ensures that administrators can manage the WiFi networks via the same administration interface they use for the Barracuda CloudGen Firewall F-Series devices in their networks. No other tools are required.
Robust Network Security:Tested by NSS Labs, Barracuda CloudGen Firewall provides industry-leading network security. With tightly integrated Intrusion Prevention mechanisms, sophisticated antivirus options, and Advanced Threat Protection (including full operation system simulation), the Barracuda CloudGen Firewall drives next-generation firewalling to a new level.
Advanced Threat Detection:Barracuda’s Advanced Threat Protection (ATP) uses next-generation sandbox technology powered by full-system emulation to catch not only persistent threats and zero-day exploits, but also advanced malware designed to evade detection. Files are forwarded to a cloud-based sandbox environment, where they are executed and analyzed to identify suspicious and malicious behavior.
Barracuda ensures flexible and simple deployment with your existing network infrastructure—no additional hardware is required since resource intensive sandboxing is offloaded to the cloud. The cloud database is continuously updated by all F-Series units with enabled ATD and, thereby, speed up the processing of already known files.
The administrator has full policy control over how PDF documents, Microsoft Office files, EXEs/ MSIs/DLLs, Android APKs, compressed files, and archives are emulated and delivered to the client. Based on identified malware activity, infected users can be automatically quarantined, preventing the malware from spreading within the network.
Customizable, on-demand analysis reports for any emulated file provide full insight and details on malicious activities, file behavior, system-registry entries, evasion and obfuscation techniques. This also enables network activities such as establishing encrypted connections to Botnet Command and Control Centers for increased security posture to evade scaled Botnet attacks.
Application Control, User Awareness, and Bandwidth Management:Barracuda CloudGen Firewall provides powerful and extremely reliable detection and classification of thousands of applications and sub-applications by combining Deep Packet Inspection (DPI) and behavioral traffic analysis – no matter if the protocols are using advanced obfuscation, port-hopping techniques, or encryption. It allows the creation of dynamic application policies and facilitates establishing and enforcing acceptable access and use policies for users and groups by application, application category, location, and time of day. Administrators can now:
- unerwünschte Anwendungen für bestimmte Benutzer oder Gruppen blockieren
- akzeptablen Datenverkehr kontrollieren und drosseln
- Bandbreite und Verfügbarkeit geschäftskritischer Anwendungen sicherstellen und damit zur Gewährleistung der Business Continuity beitragen
- Enable or disable specific application sub-functions (e.g., Facebook Chat, YouTube postings, or MSN file transfers)
- SSL-verschlüsselten Datenverkehr abfangen
Die Barracuda CloudGen Firewall verfügt über erweiterte anwendungsbasierte Routing- und Quality of Service(QoS)-Funktionen. Diese bieten neben der Sicherheit einen zusätzlichen Mehrwert für das Unternehmen, indem sie die Qualität und Verfügbarkeit des Netzwerks deutlich verbessern und die direkten Verbindungskosten dank der eingesparten Bandbreite reduzieren.
For rich reporting and drill-down capabilities, the F-Series comes with real-time and historical application visibility that shows application traffic on the corporate network. This provides a basis for deciding which connections should be given bandwidth prioritization, crucial for QoS optimization for business-critical applications. Furthermore, it allows adjusting and refining the corporate application use policies.
Limited network resources make bandwidth prioritization a necessity. The Barracuda CloudGen Firewall provides strong Quality of Service (QoS) capabilities that lets the administrator apply quality aspects and service guarantees to selected traffi c fl ows within the WAN. QoS is often used to prioritize the network traffi c of applications that are critical and must not be aff ected by the network traffi c of other applications. The F-Series provides a large set of QoS techniques, such as traffi c shaping, traffi c prioritization, and bandwidth partitioning, which assigns a bandwidth limit to certain types of traffi c. To select traffi c for diff erent priority classes, the available real-time traffi c analysis can be used to identify whether network traffi c was sent by business-critical applications or by potentially unwanted applications.
Different network users may need different bandwidth-use rules. Most often, access to certain network resources is limited to certain users or user groups. Preferential allocation of more bandwidth to certain users or user groups and a limitation of available bandwidth for others is a common requirement. It requires the network device to know what user an IP actually belongs to. Barracuda CloudGen Firewalls are fully useridentity aware by linking a user to one or several IP addresses. Any role assignments that result from identity and device posture checks communicated to the firewall by our health agents can be used within the firewall to facilitate role-based access control (RBAC). Barracuda CloudGen Firewalls support authentication of users and enforcement of user-aware firewall rules, web filter settings, and Application Control 2.0 using Active Directory, NTLM, MS CHAP, RADIUS, RSA SecurID, LDAP/LDAPS, TACACS+, x.509 certificates , as well as Wi-Fi Access Point authentication.
BYOD:The influx of private computing devices, from smartphones to laptops and tablets, into the workplace may help increase productivity, flexibility, and convenience. However, BYOD adds new security challenges and risks, such as enabling and controlling access, as well as preventing data loss. The Barracuda NG Firewall provides strong capabilities to give users the full advantage of their devices while reducing possible risks to the business. Unwanted applications can be blocked, LAN segmentation can protect sensitive data, and network access control can check the health state of each device connecting to the corporate network.
Visibility and Reporting:The Barracuda Report Creator is a free tool that allows administrators to collect and consolidate traffic and application usage statistics from multiple Barracuda CloudGen Firewall units and to create easy-to-read reports in pdf format. Report tasks can be scheduled at various times during the day or week, and distributed automatically via email. Predefined out-of-the-box reports such as Top Applications, Top Blocked URL Categories and Websites, Top Users by Bandwidth, as well as activity reports for specific users, the reporting engine provides customizable granular reports on user activity, activities during last day/week/month, etc. For auditing reasons IP addresses can be anonymized.
IPS/IDS Capabilities:Barracuda’s Intrusion Detection and Prevention System (IDS/IPS) strongly enhances network security by providing complete and comprehensive real-time network protection against a broad range of network threats, vulnerabilities, exploits, and exposures in operating systems, applications, and databases, preventing network attacks such as:
- SQL-Injektionen und beliebige Codeausführungen
- Zugriffskontrollversuche und Privilegienerweiterungen
- Cross-Site Scripting und Buffer-Overflows
- Denial of Service(DoS)- und Distributed Denial of Service(DDoS)-Angriffe
- Directory-Traversal-, Probing- und Scan-Versuche
- Backdoor-Angriffe, Trojaner, Rootkits, Viren, Würmer und Spyware
By providing advanced attack and threat protection features such as stream segmentation and packet anomaly protection, TCP split handshake protection, IP and RPC defragmentation, FTP evasion protection, as well as URL and HTML decoding, Barracuda CloudGen Firewall devices areable to identify and block advanced evasion attempts and obfuscation techniques that are used by attackers to circumvent and trick traditional intrusion prevention systems
As part of the Barracuda Energize Updates subscription, automatic signature updates are delivered on a regular schedule or on an emergency basis to ensure that Barracuda CloudGen Firewall deployments are constantly up-to-date. If the firewall unit is centrally managed, the pattern updates are conveniently distributed by the Barracuda Firewall Control Center.
Scalability and Low TCOScalability: Managing the security issues in a widely distributed enterprise network can be painful and extremely time consuming. Managing a system may take only 15 minutes per day. But having 20 firewall systems in place at various campus locations results in five hours per day – just to manage the existing system. With the Barracuda Firewall Control Center, managing multiple Barracuda CloudGen Firewalls takes the same amount of time as managing one.
- Create pre-configured templates for easy-rollout.
- Have all information about the enterprise security deployment available in real time.
- Create reports of either one or all Barracuda CloudGen Firewall devices.
Lifecycle Management & Total Cost of Ownership: The scalable Barracuda CloudGen Firewall offers sustainable investment protection. Energize Updates automatically provide the latest firmware and threat definitions to keep the appliance up to date. With a maintained Instant Replacement subscription, organizations receive a new appliance with the latest specs, every four years.
About Barracuda CloudGen Firewall
Barracuda’s CloudGen Firewall allows customers to leverage the latest in virtualization, cloud applications and mobile technologies while accommodating for rapid growth. They are more than just security devices, they make the network smarter, ensure access tocritical network resources and improve productivity across the organization
For questions about the Barracuda CloudGen Firewall or for a free 30-day evaluation, visit http://de.barracuda.com or call Barracuda Networks at +1 408-342-5400.
For more information on our other K-12 security and productivity solutions, please visit https://de.barracuda.com/edu.