Congested Networks and Rogue Network Activities Galore
Quite naturally, due to budgetary restrictions schools favor a BYOD approach involving tablets, notebooks, netbooks, and smartphones. The use of these devices on the school network needs to be regulated and this now poses an additional challenge for educational organizations. Often the incumbent security and network equipment is not up to the task and schools find it hard to maintain adequate security standards as prescribed by federal privacy standards.
In addition to security concerns, the uncontrolled use of personal communication devices has far-reaching ramifications on the quality of the school network. Unlimited use of streaming media will quickly exhaust available bandwidth and thus significantly degrade the quality of service required for students undergoing an online exam according to the new standard.
Barracuda next-generation firewalls are fully application and user aware and, thus, can specifically allow or disallow access to certain applications by users. But that is not exactly addressing the quality of service topics that come with CCSS. At Barracuda, we go one step further and use all this application and user information to assign specific bandwidth limits and traffic priorities as set out in the firewall policy. This also entails an optional uplink selection towards the Internet or between campuses.
Introducing an intelligent next-generation security solution adds another crucial layer of protection to a campus network. It enables IT teams to identify both the application used and the user upon entering the school network, as well as malicious outbound activity from infected personal equipment. Barracuda NextGen Firewall F-Series can filter traffic for malicious patterns. With Barracuda’s Advanced Threat Detection, it is possible to avoid outbreaks of zero-day threats, advanced malware, etc., including automatic quarantine settings for user downloads.
This enables you to enforce overall hygienic standards on the school network where access to certain applications is either forbidden, or severely limited by bandwidth caps unless the students need these applications or protocols during an online exam. Then, based on student identity, a temporary exemption can be permitted.
By adding an additional low-cost Internet uplink to the current uplink in conjunction with integrated link load balancing features, schools can easily protect themselves against the dreaded provider outage - also referred to as an unplanned maintenance window - during an exam. Application selectiveness would guarantee that certain apps only use a particular uplink for as long as it is available. If a failure occurs, an automatically adjusted policy would be enforced that keeps the important traffic functioning.
Why Barracuda NextGen Firewall F-Series? Some Practical Examples
Another important scenario for protecting availability of a school’s IT resources is the ability to safeguard against DoS/DDoS attacks. Launching such attacks is not rocket science; tools can be found all over the Internet. So, comprehensive Intrusion Prevention and Intrusion Detection techniques are mandatory to ensure continuous service availability.
BYOD setups (Bring Your Own Device) require comprehensive traffic control capabilities. For example, when Apple releases new iPhone/iPad firmware, students downloading the firmware upgrade via the school’s network during school hours (to optimize their social time and to save on their data plan) will definitely have an impact on the bandwidth available for educational tasks.
Therefore, the Barracuda NextGen Firewall F-Series combines next-generation features and capabilities, like Intrusion Prevention and antivirus mechanisms, with full user awareness and application control. This combined information is then used to define the quality of service in a most granular way. This ensures that the school’s bandwidth is protected from inadequate use.
Additionally, Barracuda Safe Browser and Barracuda Safe Search are included with the Barracuda Web Filter, adding another layer of content security to a school’s network.
Both products, Barracuda NextGen Firewall F-Series and Barracuda Web Filter, provide extensive reporting capabilities to give schools the perfect tool to ensure network safety.
Barracuda Product Portfolio Assets in Detail
Wired and Wireless Network Capabilities: Barracuda’s NextGen Firewall F product portfolio offers several appliances that come with built-in WiFi capabilities. This ensures that administrators can manage the WiFi networks via the same administration interface they use for the Barracuda NextGen Firewall F’s in their networks. No other tools required!
Robust Network Security: Tested by NSS Labs, Barracuda NextGen Firewall F-Series provides industry-leading network security. With tightly integrated Intrusion Prevention mechanisms, sophisticated antivirus options, and Advanced Threat Detection (including full operating system simulation), the Barracuda NG Firewall drives next-generation firewalling to a new level.
Advanced Threat Detection: Barracuda’s Advanced Threat Detection (ATD) uses next-generation sandbox technology powered by full-system emulation to catch not only persistent threats and zero-day exploits, but also advanced malware designed to evade detection. Files are forwarded to a cloud-based sandbox environment, where they are executed and analyzed to identify suspicious and malicious behavior.
Barracuda ensures flexible and simple deployment with your existing network infrastructure—no additional hardware is required since resource-intensive sandboxing is offloaded to the cloud. The cloud database is continuously updated by all F-Series units with enabled ATD and thereby speeds up the processing of already known files.
The administrator has full policy control over how PDF documents, Microsoft Office files, EXEs/MSIs/DLLs, Android APKs, compressed files, and archives are emulated and delivered to the client. Based on identified malware activity, infected users can be automatically quarantined, preventing the malware from spreading within the network.
Customizable, on-demand analysis reports for any emulated file provide full insight and details on malicious activities, file behavior, system-registry entries, evasion and obfuscation techniques. This also covers network activities such as establishing encrypted connections to botnet command-and-control centers, for an increased security posture against scaled botnet attacks.
Application Control, User Awareness, and Bandwidth Management: Barracuda NextGen Firewall F-Series provides powerful and extremely reliable detection and classification of thousands of applications and sub-applications by combining Deep Packet Inspection (DPI) and behavioral traffic analysis – no matter if the protocols are using advanced obfuscation, port-hopping techniques, or encryption. It allows the creation of dynamic application policies and facilitates establishing and enforcing acceptable access and use policies for users and groups by application, application category, location, and time of day. Administrators can now:
- Block unwanted applications for certain users or groups
- Control and throttle acceptable traffic
- Preserve bandwidth and speed up business-critical applications to ensure business continuity
- Enable or disable specific application sub-functions (e.g., Facebook Chat, YouTube postings, or MSN file transfers)
- Intercept SSL-encrypted application traffic
Barracuda NextGen Firewall F-Series features advanced application-based routing path selection and Quality of Service (QoS) capabilities. These provide additional business value in addition to security by significantly improving network quality and availability, as well as reducing direct line cost due to bandwidth saved.
For rich reporting and drill-down capabilities, the F-Series comes with real-time and historical application visibility that shows application traffic on the corporate network. This provides a basis for deciding which connections should be given bandwidth prioritization, crucial for QoS optimization for business-critical applications. Furthermore, it allows adjusting and refining the corporate application use policies.
Limited network resources make bandwidth prioritization a necessity. The Barracuda NextGen Firewall F’s provide strong Quality of Service (QoS) capabilities that let the administrator apply quality aspects and service guarantees to selected traffic flows within the WAN. QoS is often used to prioritize the network traffic of applications that are critical and must not be affected by the network traffic of other applications. The F-Series provides a large set of QoS techniques, such as traffic shaping, traffic prioritization, and bandwidth partitioning, which assigns a bandwidth limit to certain types of traffic. To select traffic for different priority classes, the available real-time traffic analysis can be used to identify whether network traffic was sent by business-critical applications or by potentially unwanted applications.
Different network users may need different bandwidth-use rules. Most often, access to certain network resources is limited to certain users or user groups. Preferential allocation of more bandwidth to certain users or user groups and a limitation of available bandwidth for others is a common requirement. It requires the network device to know which user an IP address actually belongs to. Barracuda NextGen Firewall F-Series units are fully user-identity aware by linking a user to one or several IP addresses. Any role assignments that result from identity and device posture checks communicated to the firewall by our health agents can be used within the firewall to facilitate role-based access control (RBAC). Barracuda NextGen Firewall F’s support authentication of users and enforcement of user-aware firewall rules, web filter settings, and Application Control 2.0 using Active Directory, NTLM, MS CHAP, RADIUS, RSA SecurID, LDAP/LDAPS, TACACS+, X.509 certificates, as well as Wi-Fi Access Point authentication.
BYOD: The influx of private computing devices, from smartphones to laptops and tablets, into the workplace may help increase productivity, flexibility, and convenience. However, BYOD adds new security challenges and risks, such as enabling and controlling access, as well as preventing data loss. The Barracuda NG Firewall provides strong capabilities to give users the full advantage of their devices while reducing possible risks to the business. Unwanted applications can be blocked, LAN segmentation can protect sensitive data, and network access control can check the health state of each device connecting to the corporate network.
Visibility and Reporting: The Barracuda Report Creator is a free tool that allows administrators to collect and consolidate traffic and application usage statistics from multiple Barracuda NextGen Firewall F units and to create easy-to-read reports in PDF format. Report tasks can be scheduled at various times during the day or week, and distributed automatically via email. In addition to predefined out-of-the-box reports such as Top Applications, Top Blocked URL Categories and Websites, Top Users by Bandwidth, as well as activity reports for specific users, the reporting engine provides customizable granular reports on user activity, activities during last day/week/month, etc. For auditing reasons, IP addresses can be anonymized.
IPS/IDS Capabilities: Barracuda’s Intrusion Detection and Prevention System (IDS/IPS) strongly enhances network security by providing complete and comprehensive real-time network protection against a broad range of network threats, vulnerabilities, exploits, and exposures in operating systems, applications, and databases, preventing network attacks such as:
- SQL injections and arbitrary code executions
- Access control attempts and privilege escalations
- Cross-Site Scripting and buffer overflows
- Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
- Directory traversal and probing and scanning attempts
- Backdoor attacks, Trojans, rootkits, viruses, worms, and spyware
By providing advanced attack and threat protection features such as stream segmentation and packet anomaly protection, TCP split handshake protection, IP and RPC defragmentation, FTP evasion protection, as well as URL and HTML decoding, Barracuda NextGen Firewall F devices are able to identify and block advanced evasion attempts and obfuscation techniques that are used by attackers to circumvent and trick traditional intrusion prevention systems.
As part of the Barracuda Energize Updates subscription, automatic signature updates are delivered on a regular schedule or on an emergency basis to ensure that Barracuda NextGen Firewall F deployments are constantly up-to-date. If the firewall unit is centrally managed, the pattern updates are conveniently distributed by the Barracuda NextGen Control Center.
Scalability and Low TCO
Scalability: Managing the security issues in a widely distributed enterprise network can be painful and extremely time-consuming. Managing a system may take only 15 minutes per day. But having 20 firewall systems in place at various campus locations results in five hours per day – just to manage the existing system. With the Barracuda NextGen Control Center, managing multiple Barracuda NG Firewalls takes the same amount of time as managing one.
- Create pre-configured templates for easy rollout
- Have all information about the enterprise security deployment available in real time
- Create reports of either one or all Barracuda NextGen Firewall F’s.
Lifecycle Management & Total Cost of Ownership: The scalable Barracuda NextGen Firewall F-Series offers sustainable investment protection. Energize Updates automatically provide the latest firmware and threat definitions to keep the appliance up to date. With a maintained Instant Replacement subscription, organizations receive a new appliance with the latest specs every four years.