St Aidan’s and St Margaret’s are Anglican Girls Schools (the Schools) located near the heart of Brisbane, Australia with 1,800 students across two campuses.
In recent years, changes to Australia’s data breach regulations have highlighted the importance of keeping data protected. The education sector in particular has recognised this need and has moved towards the use of next-generation, enterprise-grade firewalls at schools and colleges.
The need for this change has been accelerated because educational organisations are now considered among the top five targets for attackers: schools and colleges store sensitive data, including students’ medical records and parents’ and staff members’ financial and personal data. One example is the data breach that occurred in June 2019 at a college in Western Australia. It is not only external threats that schools have to worry about. As students become more tech-savvy, and as videos explaining how to bypass a firewall become more abundant on YouTube, schools find themselves dealing with internal threats as well. Combined with the fact that many schools have limited technical staff, this is a recipe for a breach.
The large fines and reputational risk that schools face as a result of a data breach in Australia has led multiple schools to replace traditional, non-enterprise grade firewalls with more capable next-generation, enterprise-grade firewalls in order to meet the highest level of data protection requirements. The Governance and Risk Committees of many schools are now requiring enterprise-grade firewalls in their schools.
With so many firewalls available on the market, what should schools look for in a firewall?
- Firstly, the firewall should be a globally recognised next-generation, enterprise-grade firewall. This means the manufacturer has a large support and development team that can address issues quickly as they arise (and, ideally, before they arise). The manufacturer should supply a large and diverse range of industries, as this gives it visibility of the latest threats.
- The next-generation enterprise-grade firewall should be feature-rich: it must be capable of SSL decryption, signature-based application control, user identification, web filtering and threat intelligence. Without these features the school has limited visibility of the applications in use, finds it very difficult to assess how students spend their time on the internet, has no control over the web content students can access, and has little ability to detect or block emerging attacks.
- Enterprise-grade firewalls are consistently scrutinised against industry best practice. Schools should review reports compiled by industry analysts such as Gartner, who regularly assess and compare firewall providers and their capabilities. Gartner, for example, is known for its ‘Magic Quadrant’ (figure 1 below). To appear on Gartner’s Magic Quadrant, a vendor must meet Gartner’s inclusion criteria and have its product and company assessed by Gartner’s analysts.
- Schools that are not sure how their current solution compares can have it reviewed by an independent provider or cybersecurity auditor. A good provider will perform a security assessment by placing a next-generation firewall alongside the current solution and comparing the two, and will run penetration tests with vendor-agnostic tools to pinpoint weaknesses.
Schools’ duty of care to their students extends beyond their physical wellbeing to their digital protection. Schools invest in good-quality locks, security alarms and cameras for their physical facilities. In the same way, they need to take that one important step further and secure their staff, student and parent data.
Our next blog in this series will discuss “Now you have your next-generation enterprise-grade firewall, why you need to look beyond its layer 7 design to ensure the cyber wellbeing of your students”.
With the consumerisation of IT and the omnipresent nature of data, schools are looking for ways to achieve digital transformation and provide better value to their students, staff and parents. Most schools rely on a multitude of systems to function on a day-to-day basis. These systems include management systems, timetabling systems, learning management systems, web filtering systems, student/parent portals and many more. The problem is that these systems were not designed for interoperability and data interchange and in effect, are siloed. Moreover, the vendors of these systems have little appetite for the major redesigns that are required to achieve out of the box interoperability. Even if they do have the appetite, they cannot possibly provide native integration with all other systems in existence. This means schools are forced to synchronise data across systems manually or attempt to develop patchwork fixes.
The difficulty of schools attempting to develop ways to glue systems together themselves is that it is both inefficient and expensive. An in-house developer would be required to create scripts and SQL queries to keep systems in sync, but such developers are scarce and costly. Furthermore, developers may switch jobs and they are often the only ones at the school who are able to troubleshoot problems and fix bugs. Off the shelf enterprise service bus (ESB) software is available – essentially an ESB provides the middleware to connect apps without rewriting them – however, these can be costly and only provide the building blocks whilst lacking the “glue” to serve as an end to end solution. The glue needs to be developed by in-house developers.
Saasyan Reciprocity is different in that it can help ease the burden of data interchange between apps. This turnkey solution enables various, otherwise siloed apps to share data, as the software is designed to overcome technological and coding language barriers. It can serve as a unified source of truth for the systems of record it aggregates. Using Reciprocity connectors, schools can synchronise data between multiple apps and can consume the aggregated data through a central, modern and easy to use RESTful API.
Saasyan complements the school’s resources and acts as an extension of the school’s team in dealing with the integration complexities and the ongoing evolution of the platform.
Saasyan Reciprocity is a fully integrated, fully supported end to end SaaS solution that can be run from anywhere and can tap into any data source. You can use Reciprocity on-premise, in the cloud, or both. What’s more, it’s designed to support all apps, SaaS, on-premise, modern or legacy, through lightweight connectors. Easy to configure thanks to the intuitive admin UI, no programming expertise is needed to operate Reciprocity.
Moreover, its open nature allows more tech-savvy schools to repurpose their existing IP or efforts and develop their own connectors. They can leverage the core and a combination of the connectors they have developed in house and connectors provided by Saasyan to achieve a range of business objectives.
There are a range of different uses for Saasyan Reciprocity in schools:
- Syncing contacts from SIS (Student Information System) to email delivery platforms such as Mailchimp or SwiftDigital. This eliminates the need for manual exports and imports from the SIS into the email delivery platform.
- Creating AD (Active Directory) users and populating AD groups based on records in the SIS. This has traditionally been automated with PowerShell scripts, which often lack error handling.
- Auto creating courses in the LMS (Learning Management System) based on courses in the SIS (Student Information System).
- Syncing timetables and assignments to teachers’ and students’ Office 365 calendars in a similar fashion to Saasyan Tempus https://www.saasyan.com.au/products/tempus/.
- Enabling push notifications to collaboration platforms such as MS Teams and Slack. These platforms have feature-rich APIs, which Reciprocity makes easy to leverage.
- Driving/configuring/enabling IoT (Internet of Things) devices.
- Reciprocity can also serve as a data lake. It makes it easy for the school to gather data from various systems of record and make it available centrally so that it can be leveraged by a parents’ portal, a school-provided mobile app and many more solutions that are part of the digital transformation journey many schools have embarked on.
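The second use case above, SIS-driven account and group provisioning, is where ad-hoc scripts most often go wrong: they are not idempotent, and one bad record aborts the whole run. As an added example (not Reciprocity’s or any Saasyan code), here is the reconciliation logic such a sync needs: diff the SIS roster against the directory, apply each change individually, and report failures without stopping. The SIS record shape, the “Class-<homeroom>” group naming and the in-memory directory standing in for Active Directory are assumptions of this example.

```python
"""Idempotent SIS -> directory sync: plan the delta, apply per record, keep going on errors.

Added example, not Saasyan Reciprocity code. The SIS record shape, the
"Class-<homeroom>" group naming and the in-memory directory that stands in
for Active Directory are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SisStudent:
    student_id: str
    username: str
    homeroom: str
    active: bool = True


def plan_sync(sis_students, directory_users, directory_groups,
              disabled_users=frozenset(), group_prefix="Class-"):
    """Diff the SIS (source of truth) against directory state; return the actions needed.

    directory_users:  usernames that exist in the directory.
    directory_groups: {group_name: set(usernames)} for the groups this sync owns.
    disabled_users:   usernames already disabled.
    Running the plan again after a clean apply yields [] (idempotent).
    """
    desired_users = {s.username for s in sis_students if s.active}
    desired_groups = {}
    for s in sis_students:
        if s.active:
            desired_groups.setdefault(group_prefix + s.homeroom, set()).add(s.username)

    actions = []
    for user in sorted(desired_users - set(directory_users)):
        actions.append(("create_user", user))
    for group in sorted(set(desired_groups) - set(directory_groups)):
        actions.append(("create_group", group))
    for group, members in sorted(desired_groups.items()):
        current = directory_groups.get(group, set())
        for user in sorted(members - current):
            actions.append(("add_member", group, user))
        for user in sorted(current - members):
            actions.append(("remove_member", group, user))
    # A managed group that vanished from the SIS is emptied, never deleted:
    # deleting it destroys the SID and every ACL that references it.
    for group in sorted(set(directory_groups) - set(desired_groups)):
        for user in sorted(directory_groups[group]):
            actions.append(("remove_member", group, user))
    # Students who left are disabled, not deleted, so their data stays recoverable.
    for s in sorted(sis_students, key=lambda x: x.username):
        if not s.active and s.username in directory_users and s.username not in disabled_users:
            actions.append(("disable_user", s.username))
    return actions


def apply_sync(actions, backend):
    """Apply each action via the backend method of the same name; one failure does not abort the run."""
    applied, failed = [], []
    for action in actions:
        kind, *args = action
        try:
            getattr(backend, kind)(*args)
            applied.append(action)
        except Exception as exc:  # record and continue: the error handling ad-hoc scripts lack
            failed.append((action, f"{type(exc).__name__}: {exc}"))
    return applied, failed


class InMemoryDirectory:
    """Stand-in for a directory service so the example runs offline (assumption)."""

    def __init__(self, users=(), groups=None, disabled=(), fail_on=()):
        self.users = set(users)
        self.groups = {g: set(m) for g, m in (groups or {}).items()}
        self.disabled = set(disabled)
        self.fail_on = set(fail_on)  # usernames whose creation "fails", simulating a backend error

    def create_user(self, user):
        if user in self.fail_on:
            raise RuntimeError(f"directory refused to create {user}")
        if user in self.users:
            raise ValueError(f"user {user} already exists")
        self.users.add(user)

    def create_group(self, group):
        self.groups.setdefault(group, set())

    def add_member(self, group, user):
        if user not in self.users:
            raise LookupError(f"user {user} does not exist")
        self.groups[group].add(user)

    def remove_member(self, group, user):
        self.groups[group].discard(user)

    def disable_user(self, user):
        self.disabled.add(user)


def run_sync(sis_students, directory):
    """Plan, apply, re-plan; the third value is what is still outstanding after failures."""
    applied, failed = apply_sync(
        plan_sync(sis_students, directory.users, directory.groups, directory.disabled), directory)
    remaining = plan_sync(sis_students, directory.users, directory.groups, directory.disabled)
    return applied, failed, remaining
```

The plan is computed from the current directory state on every run, so re-running after a partial failure only retries what is still missing; the failed list is what an operator actually needs to see, rather than a script that died halfway through a roster.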
Have you thought about how you can integrate your school timetable and all of the different calendars and scheduling systems that you have at your school? Many schools today, have taken various measures to deliver better value to their users. Want to know how? Read on to find out.
Pushing students’ timetables to personal calendars
One of these approaches has been to push the timetable to the personal calendars of students through Office 365 or Google Calendar. This ensures that students have easy access to the timetable data anytime, anywhere. Even last-minute changes are reflected in the students’ calendars, so they have no need to log in to other systems to view their updated timetable.
Pushing teachers’ timetables to personal calendars
Teachers’ timetables can also be pushed through to their personal calendars through Office 365 or Google Calendar. This gives teachers quick and easy access to their timetables, and they will not need to log in to other systems to see the latest timetable details. It also makes scheduling meetings with teachers convenient, as teachers’ calendars become the single source of their free and busy times each day.
Easy bookings based on the timetables
You will also be able to book rooms and halls based on the school timetables. The room resource calendars will be kept up to date and will be the single source for the free and occupied slots of each hall and room, which prevents overlapping bookings and miscommunication. Room resource calendars can also drive wall-mounted display panels so that students and teachers can see at a glance when a room is occupied.
Access for parents
Parts of the timetable can be made available to parents through the school extranet or the parents’ portal. This will enable the school to enhance the extranet or the parent portal by adding instant and real-time updates on the timing of classes and any extracurricular events.
Integration with other systems
Timetables can also be made available to other systems. One example of this would be Saasyan Assure which uses timetable data to precisely map the web activity of students to the period and the class during which it occurred.
The above examples show how valuable timetable data is and how schools can benefit from making it more integrated and more readily accessible. It also demonstrates how this approach to timetable info can increase the efficiency and cut down on time-consuming manual administrative tasks. Schools will no longer need to dedicate time to compile and send emails to notify students, staff or parents about last minute changes.
Are you using an Enterprise Service Bus to connect disparate systems?
Increased adoption of technology at schools has led to the proliferation of siloed apps. Problem is – these apps do not integrate well. Schools house several apps: a school management system, a timetabling system, a learning management system, a web filtering system, a student/parent portal etc. The list keeps growing.
Can schools benefit from a solution that makes it easy to glue systems together? This got me thinking of the concept of an enterprise service bus (ESB) for schools.
An ESB is a communication system between software apps in a service-oriented architecture. It allows an organisation to connect disparate systems together, performing protocol transformation, message modification, routing, logging and so on. Essentially, an ESB provides the middleware to connect apps without rewriting them.
The idea of a central bus on which everything passes gives the opportunity for additional layers of abstraction. Using industry standards to “plug” other applications, clients, and such into this bus makes it so that connecting new services, data sources, and/or clients with disparate needs is relatively easy.
Stay tuned, there’s more to come.
Network administrators working for schools are usually more concerned about tech-savvy students trying to gain open access to the Internet by bypassing their firewalls or web filters than outsiders trying to hack into the school’s network and systems.
These tech-savvy students employ a variety of methods to achieve this. Some of the more common ones are listed below:
- They establish a TLS (SSL) tunnel through the school’s firewall using readily available, free VPN clients such as OpenVPN and DotVPN.
- They publish a terminal server running at home on TCP port 80, log on to it from school and browse any site through it. A firewall that is not application-aware cannot tell this traffic from web traffic, since both use TCP port 80.
- They use a smartphone as a wireless access point and get unrestricted Internet access over its 3G/4G/5G connection. This traffic never crosses the school network, so no firewall or web filter can see it; only device-management policy and supervision address it.
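The first two techniques leave a signature in an application-aware firewall’s session logs, because such a firewall reports the protocol it actually decoded rather than the port it saw. As an added example (not code from this post or from Saasyan Assure), here is a small detector over constructed session records. The field names (app, dport, user, src, dst) and the application labels are assumptions of the example, so map your firewall’s own log fields and application names onto them. The third technique, the phone hotspot, produces no school-network traffic and cannot be detected this way.

```python
"""Flag firewall-bypass attempts in session records from an application-aware firewall.

Added example, not Saasyan Assure code. Field names and application labels
are assumptions; substitute the ones your firewall exports.
"""
from collections import defaultdict

# Applications whose purpose is to carry other traffic through the firewall.
TUNNEL_APPS = {"openvpn", "dotvpn", "tor", "wireguard", "ipsec-esp", "ultrasurf", "hotspot-shield"}
# Remote-desktop/shell protocols that have no business on web ports.
REMOTE_ACCESS_APPS = {"rdp", "ms-rdp", "vnc", "ssh", "teamviewer", "anydesk"}
WEB_PORTS = {80, 443, 8080}


def classify_session(session):
    """Return a finding label for one session, or None if nothing stands out."""
    app = session["app"].lower()
    port = int(session["dport"])
    if app in TUNNEL_APPS:
        return "vpn-or-tunnel-client"
    if port in WEB_PORTS and app in REMOTE_ACCESS_APPS:
        # The "terminal server at home on port 80" trick: a port-based
        # firewall sees HTTP; an app-aware one decodes RDP and says so.
        return f"remote-access-{app}-on-port-{port}"
    if port in WEB_PORTS and app.startswith("unknown-"):
        # Traffic the decoder could not identify on a web port deserves a look:
        # custom tunnels and obfuscated VPN protocols land here.
        return f"unidentified-protocol-on-port-{port}"
    return None


def find_bypass_attempts(sessions):
    """Aggregate findings per user, falling back to source IP for unauthenticated devices."""
    by_user = defaultdict(list)
    for s in sessions:
        label = classify_session(s)
        if label:
            by_user[s.get("user") or s["src"]].append((label, s["dst"], int(s["dport"])))
    return dict(by_user)


# Constructed session records (not real logs); keys follow the assumed schema above.
SAMPLE_SESSIONS = [
    {"user": "alice", "src": "10.1.100.11", "dst": "93.184.216.34", "dport": 80, "app": "web-browsing"},
    {"user": "bob", "src": "10.1.100.12", "dst": "203.0.113.7", "dport": 80, "app": "ms-rdp"},
    {"user": "carol", "src": "10.1.100.13", "dst": "198.51.100.9", "dport": 1194, "app": "openvpn"},
    {"user": "dave", "src": "10.1.100.14", "dst": "93.184.216.34", "dport": 443, "app": "ssl"},
    {"user": "", "src": "10.1.100.99", "dst": "203.0.113.7", "dport": 443, "app": "unknown-tcp"},
    {"user": "bob", "src": "10.1.100.12", "dst": "203.0.113.7", "dport": 443, "app": "ssl"},
]

if __name__ == "__main__":
    for who, findings in find_bypass_attempts(SAMPLE_SESSIONS).items():
        print(who, findings)
```

Reporting per user rather than per session matters in a school: staff want one line saying which student did what, and the fallback to source IP shows why User-ID style mapping (or authenticated Wi-Fi) is needed to name the student behind a personal device.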
This is precisely why we at Saasyan, recommend the use of best of breed firewalls such as those provided by Fortinet and Palo Alto.
Our software, Assure, allows ICT and non-technical staff in schools to be notified when a student is using a VPN on the school network – and who it is, even if the student is using their personal device. Visit our Assure page, or contact us if you would like to know how your school can use Assure to protect against the internal threat of VPN software.
Is your child on the Dark Web?
Drugs, weapons and hacking. These are all illegal activities which students could be participating in, without a trace. In the past, school children might have cheated on tests by secretly passing each other the answers. Today, students are secretly using hidden websites to change their grades. The services available extend far beyond this. Students can use the darknet to attack or hack their school servers. The information and tools to achieve this are widespread, meaning it’s not difficult for one school kid to cause massive damage.
The tip of the iceberg
Most of us understand the Internet to be what we access through search engines, like Google. But there is a much bigger part of the World Wide Web that traditional search engines cannot access. It’s invisible. It’s known as the Deep Web and accounts for as much as 95% of the information that’s online. We can compare the Deep Web to an Iceberg. The tip of the iceberg above the water is everything you can access. Facebook, YouTube, or your favourite restaurant’s website are all here. The vast majority of the ice, however, is under the water – away from prying eyes. Here you will find company intranets, government records or university networks. But there is a much more sinister part of it also.
Known as the Dark Web, this is the part of the Web that can only be accessed with specific software, configurations or authorisation. It exists on darknets, overlay networks that run over the Internet but, unlike ordinary websites, need particular tools to reach. A Google search, for example, only returns results from the “Surface Web”. To reach darknet sites you need software such as Tor. Short for “The Onion Router”, Tor Browser is designed to access these sites. Another common tool is I2P, the “Invisible Internet Project”. Tor-accessible sites are widely used among darknet users and can be identified by the “.onion” domain. While Tor focuses on anonymous access to the Internet at large (and to onion services), I2P specialises in anonymous hosting of sites and services inside its own network.
These hidden aspects of the Dark Web are what make it so attractive to users, especially criminals. Users of the darknet can hide their identities and locations, and Tor’s layered encryption makes tracking them difficult. The client wraps each message in one layer of encryption per relay and sends it through a path of several relays (typically three). Each relay strips one layer and learns only the previous and the next hop, so no single relay sees both who sent a message and where it is going; only the exit relay sees traffic leaving for the open Internet, and by then the sender’s address has been stripped away. Unmasking a user generally requires controlling or observing several relays on the same path at the same time. The result is that websites cannot see the IP address of Tor users, visitors cannot see where an onion service is hosted, and people on the darknet can talk, blog, transact and share files with a high degree of anonymity.
Onion routing was developed in the mid-1990s by researchers at the US Naval Research Laboratory, primarily so that intelligence personnel could communicate without revealing who they were talking to. After Tor was released to the public in the early 2000s, it also became a playground for criminals who use it for illegal activity. It has become a corner of the Web where child sexual abuse material, illegal drug trades, identity theft and a black market for guns and human organs thrive.
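To make the layering concrete, here is a toy onion-routing simulation. It is an added illustration, not Tor’s code or protocol: a SHA-256 keystream stands in for Tor’s real cipher, there is no integrity protection, and the per-relay keys are simply handed out rather than negotiated. What it does show is the property the paragraph above describes: each relay peels one layer and learns only its neighbours, and only the exit relay sees the destination and payload.

```python
"""Toy onion routing: one encryption layer per relay, each relay peels one.

Added illustration only; not Tor's protocol or code. The XOR keystream
built from SHA-256 stands in for a real cipher and has no integrity
protection. It exists to show why no single relay learns both who is
talking and to whom.
"""
import hashlib
import os

NONCE_LEN = 8


def random_key():
    """Fresh per-relay key; Tor negotiates these with a handshake per hop."""
    return os.urandom(32)


def _keystream(key, nonce, length):
    """Deterministic keystream: SHA-256(key || nonce || counter) blocks (toy cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal(key, plaintext):
    """Add one layer: fresh nonce + plaintext XOR keystream."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def peel(key, blob):
    """Remove one layer with the relay's own key."""
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def build_onion(path, keys, destination, payload):
    """Wrap payload so relay i can read only the layer meant for it.

    path: relay names from entry to exit; keys[name]: key shared with that relay.
    """
    # Innermost layer: only the exit relay learns the real destination.
    blob = seal(keys[path[-1]], b"EXIT:" + destination.encode() + b"|" + payload)
    # Wrap outward: each earlier relay learns only the name of the next hop.
    for i in range(len(path) - 2, -1, -1):
        blob = seal(keys[path[i]], b"FWD:" + path[i + 1].encode() + b"|" + blob)
    return blob


def route(blob, path, keys, sender="client"):
    """Simulate the relays; return what each observed, plus the final delivery."""
    observations = []
    prev_hop = sender
    for name in path:
        header, _, rest = peel(keys[name], blob).partition(b"|")
        if header.startswith(b"FWD:"):
            next_hop = header[4:].decode()
            observations.append({"relay": name, "prev": prev_hop, "next": next_hop, "forwarded": rest})
            prev_hop, blob = name, rest
        elif header.startswith(b"EXIT:"):
            destination = header[5:].decode()
            observations.append({"relay": name, "prev": prev_hop, "next": destination, "forwarded": rest})
            return observations, (destination, rest)
        else:
            raise ValueError(f"relay {name}: layer did not decrypt cleanly")
    raise ValueError("path exhausted without reaching an exit layer")


if __name__ == "__main__":
    path = ["guard", "middle", "exit"]
    keys = {name: random_key() for name in path}
    onion = build_onion(path, keys, "example.onion", b"hello")
    for obs in route(onion, path, keys)[0]:
        print(obs["relay"], "saw", obs["prev"], "->", obs["next"])
```

Run it and the guard relay prints “client -> middle” while the exit prints “middle -> example.onion”: the guard knows the user but not the destination, the exit knows the destination but not the user, and it takes both (or the whole path) to link them. Real Tor adds authenticated encryption, key exchange per hop and a great deal more, but the separation of knowledge is exactly this.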
How does this relate to students?
Just like before, today’s students want to find ways around the system. The difference is that they are putting their safety at risk by using the Dark Web. Tor’s encrypted “virtual tunnels” let students stay anonymous, keep their location secret, and hide the websites they visit and the messages they post. It is these encrypted, anonymous aspects of the darknet and Tor that appeal to school children. The appeal could be as simple as wanting to bypass school internet filters to reach blocked websites, or to hide their web traffic from their school or parents. But it often goes much further than that.
Students use software such as Tor to buy “smart drugs” in a bid to boost their academic performance. The problem is even fuelling growth in online companies marketing their pills to students as a means of “enhancing their brains”. This would be to give them the edge in their end of year exams. According to research presented at the Victorian Alcohol and Drug Association Conference in 2017, Australia is one of the top countries in the darknet drugs trade. Students are also increasingly turning to modafinil, a prescription pill usually given to treat narcolepsy. It is part of the family of drugs called “nootropics”, which includes Ritalin and Adderall, and are believed to improve concentration. But there are much more dangerous drugs available. Australian dealers account for more than a quarter of the world’s darknet methamphetamine trade.
For some frustrated students, a perfect solution to unleash vengeance on a school is with a DDoS attack. Also known as a Distributed Denial of Service attack, its purpose is to shut down a school’s website or network. It sounds like something only an expert hacker can do. The reality is that a student doesn’t have to be a pro hacker to harm a school network. There are hackers for hire easily found on the Dark Web. Websites such as Vim’s DDoS Service on the Dark Web offers to attack a school network for a fee. Students can also access the Dark Web to hire a hacker to change their grades or attendance records. All they have to do is pay bitcoins to websites like PirateCrackers, and they’ll hack the school website for them, alter their academic scores, increase their attendance etc.
Besides giving children access to illegal drugs and activities, the Dark Web exposes them to numerous threats. Cyberbullies, hackers, fraudsters, child predators and criminals take advantage of the Dark Web’s ability to hide their identity. We cannot be confident who we are talking to on the Dark Web. And, since criminal activity there is hard to trace, children might see unbelievably heinous material that could scar them for life. A report by UNICEF found that children on the Dark Web are in danger of becoming victims of sexual exploitation, cyberbullying and being used as currency.
What can you do?
After seeing a glimpse of the dark, hidden world of the Deep Web – you’re probably sure that you want to limit your children or those in your care accessing it.
Here’s what you can do:
- Find out if they’re using Tor Browser. If they have a computer, search it for the word ‘Tor’; if the software is installed, the search results should show it. Be aware that Tor Browser can also run from a USB drive without being installed. If you find it, remove it and ask them what they were using it for.
- Check their internet browsing history and look for unusually long URLs: onion addresses are long strings of random-looking characters ending in ‘.onion’. Note that Tor Browser does not keep a history by default, so a clean history in their normal browser proves nothing on its own. If you don’t recognise a URL, search for it, or ask a friend or an expert to help you identify suspicious URLs. Search forums are also helpful.
- Look through all mail and parcels delivered to your house. Insist that children open any packages addressed to them in your presence. Often, kids who buy/sell drugs or other illicit items through Tor, rent a PO Box. Ask your local post office if your child has a PO Box with them.
- Regularly check your children’s internet activity. Use a firewall application to detect Tor usage. Educate students about the dangers of the Dark Web and explain that there are no safe ways to use it.
- Start an open discussion about Dark Web dangers with your children. Ask what they already know about it and if they have friends who use the Dark Web. It doesn’t matter what age your children are. You should always keep an eye on their online activity and who they are contacting.
The Dark Web is a dangerous hub of illegal activity. It is also the perfect environment for cyberbullies to thrive or criminals to take advantage of children. It is dangerous for anyone, especially children. That’s why, if you suspect that your child might be accessing the Dark Web, you need to take action. This includes limiting their access to it. The Deep Web is becoming more popular, especially with the youth. This may drive more children to look up ways to explore it. It’s essential that we set boundaries. Technology is not scary in itself, but we should respect the fact that it can be disastrous in the wrong hands.
Palo Alto’s PAN-OS API allows you to manage firewalls. Systems Administrators use it to access and manage firewalls through a third-party service, application, or script.
At Saasyan, we have been developing solutions that integrate deeply with the Palo Alto Networks PAN-OS API. We have a proven track record with the technology and we think it is a ‘gem’ and a joy to work with.
The solutions I refer to above are our cyber-welfare assurance platform for Palo Alto Networks firewalls, Saasyan Assure; our User-ID broker for Palo Alto Networks firewalls, Saasyan Advance; and our software-defined HA/DR solution for Palo Alto Networks firewalls, Saasyan Paximus.
Internally, we at Saasyan have come to consider the PAN-OS API to be the gold standard on how APIs should be designed and structured for core IT infrastructure devices. In this blog post I would like to share why this is the case.
The PAN-OS and Panorama XML API allows you to manage firewalls and Panorama through a programmatic, XML-based API. It is a unified API that supports both Palo Alto Networks next-generation firewalls and Panorama (Palo Alto Networks’ network security management platform). This makes it easier for us to support both platforms with our software without having to create and maintain separate modules for Panorama.
Single Pass Architecture
The Single-Pass Architecture is the overall design approach for Palo Alto Networks Next Generation Firewalls. The architecture enables full, contextual classification of traffic, followed by a rich set of enforcement and threat prevention options. The architecture classifies and controls traffic in a “single pass” through the firewall using a variety of stream-based technology components. This is also reflected in the PAN OS API as all the API calls we make are targeted at one unified engine.
The Palo Alto Networks single-pass architecture stands in contrast to many competing offerings, which are typically based on traditional port-based firewall technology. In those approaches, next-generation features are often added as a sequence of separate engines, so there is a web proxy engine with its own API, separate and distinct from a stateful inspection firewall engine with its API, and so on. In the case of Palo Alto Networks next-generation firewalls it is truly one engine and one API, which makes API-based integration a joy.
Full Access to Functionality and Ease of Use
The PAN-OS XML API gives access to almost all of the functionality normally provided through the firewall web interface and CLI. Because the API mirrors both the web interface and the CLI, it is straightforward to translate what one does manually to achieve a specific outcome into code that produces the same outcome programmatically. To explore the API, open the API browser at https://<firewall>/api/ from an authenticated session; you can also run debug cli on in the CLI to see the XML API equivalent of each CLI command you issue. One caveat from practice: an API key is a long-lived administrator credential, so generate it for a dedicated administrator account whose admin role grants only the XML API request types the integration needs, and keep the key out of source control and URLs that end up in proxy logs.
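As an added example (not Saasyan’s or Palo Alto Networks’ code), here is the shape of the exchanges the paragraphs above describe: obtaining a key with type=keygen, issuing an operational command with type=op, pushing User-ID mappings with type=user-id, and parsing the <response status="..."> envelope that every reply uses. Nothing here talks to a firewall; the replies are constructed strings, the host name and key value are placeholders, and the helper names are this example’s own. The request and response formats are the documented PAN-OS XML API ones.

```python
"""Build and parse PAN-OS XML API exchanges without touching the network.

Added example, not Saasyan or Palo Alto Networks code. Host names, key
values and the sample replies are constructed placeholders.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode
from xml.sax.saxutils import quoteattr


class PanOsApiError(Exception):
    """The firewall replied with status="error"."""

    def __init__(self, code, msg):
        super().__init__(f"PAN-OS API error {code}: {msg}")
        self.code, self.msg = code, msg


def api_url(host):
    """Every XML API call, whatever its type, goes to this single endpoint."""
    return f"https://{host}/api/"


def keygen_request(host, user, password):
    """type=keygen exchanges admin credentials for an API key.

    Returned as (url, form_body): send it as a POST so the password stays
    out of proxy and web-server access logs.
    """
    return api_url(host), urlencode({"type": "keygen", "user": user, "password": password})


def op_request(host, key, cmd_xml):
    """Operational commands ('show ...' CLI equivalents) use type=op with the command as XML.

    The key travels in the X-PAN-KEY header rather than a key= parameter for
    the same logging reason.
    """
    return api_url(host), {"X-PAN-KEY": key}, urlencode({"type": "op", "cmd": cmd_xml})


def uid_login_message(mappings, timeout_minutes=60):
    """Build a User-ID <uid-message> mapping IP addresses to usernames.

    mappings: iterable of (username, ip). This is what a User-ID broker pushes
    after a directory logon or captive-portal event so user-based policy applies.
    quoteattr() escapes names and addresses so they cannot break the XML.
    """
    entries = "".join(
        f'<entry name={quoteattr(user)} ip={quoteattr(ip)} timeout="{int(timeout_minutes)}"/>'
        for user, ip in mappings
    )
    return ("<uid-message><version>1.0</version><type>update</type>"
            f"<payload><login>{entries}</login></payload></uid-message>")


def user_id_request(host, key, uid_xml, vsys="vsys1"):
    """type=user-id carries the uid-message in the cmd parameter of a POST."""
    return api_url(host), {"X-PAN-KEY": key}, urlencode({"type": "user-id", "vsys": vsys, "cmd": uid_xml})


def response_status(xml_text):
    """Return (status, code, message) from a reply without raising.

    Replies are always <response status="...">; errors add a code attribute
    and put the text under <result><msg>, sometimes split into <line> children.
    """
    root = ET.fromstring(xml_text)  # parse untrusted XML with defusedxml in production
    if root.tag != "response":
        raise ValueError("not a PAN-OS API response")
    msg_el = root.find("./result/msg")
    if msg_el is None:
        msg_el = root.find("./msg")
    message = " ".join("".join(msg_el.itertext()).split()) if msg_el is not None else ""
    return root.get("status"), root.get("code", ""), message


def parse_response(xml_text):
    """Return the <result> element of a successful reply or raise PanOsApiError."""
    status, code, message = response_status(xml_text)
    if status != "success":
        raise PanOsApiError(code or "?", message or "unknown error")
    return ET.fromstring(xml_text).find("result")


def extract_api_key(keygen_xml):
    key = parse_response(keygen_xml).findtext("key")
    if not key:
        raise ValueError("keygen reply carried no key")
    return key.strip()


def user_id_entries(uid_xml):
    """Read a uid-message back into (user, ip) pairs, e.g. for an audit log."""
    root = ET.fromstring(uid_xml)
    return [(e.get("name"), e.get("ip")) for e in root.iterfind("./payload/login/entry")]


# Constructed replies (not captured from a real firewall); the key is a placeholder.
SAMPLE_KEYGEN_OK = '<response status="success"><result><key>LUFRPT1placeholder</key></result></response>'
SAMPLE_BAD_CREDS = '<response status="error" code="403"><result><msg>Invalid credentials.</msg></result></response>'

if __name__ == "__main__":
    key = extract_api_key(SAMPLE_KEYGEN_OK)
    print(user_id_request("fw.example.school", key,
                          uid_login_message([("SCHOOL\\jsmith", "10.20.30.40")])))
```

The one-endpoint, one-envelope design is what the section means by a unified API: a keygen reply, an op reply and a user-id reply are all parsed by the same function, and an error from any of them surfaces the same way.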
Often, in school circles you hear IT leaders talk about the complexity of getting applications to speak with one another. Especially if these applications come from different technology vendors. It is open technologies such as Palo Alto’s PAN-OS XML API that allows organisations such as Saasyan to build cyber-welfare assurance platforms such as Saasyan Assure, User-ID brokers such as Saasyan Advance and software-defined HA/DR solutions such as Saasyan Paximus.
We encourage other technology vendors and IT professionals alike to leverage the PAN-OS XML API to integrate, automate, build applications and make what was previously considered next to impossible a reality.
The Fortinet FortiGate Next-Gen Firewall
I have had the pleasure of working with Fortinet’s FortiGate Next-Gen Firewall for a while now. Working with several security architects over the past few years, I have witnessed them face a major complexity hurdle, managing point products, with no integration and lack of visibility.
Research shows that by 2019, 80% of enterprise traffic would be encrypted and 50% of attacks targeting enterprises would be hidden in encrypted traffic.
FortiGate utilises purpose-built security processors and threat intelligence security services to deliver top-rated protection and high performance including encrypted traffic. FortiGate reduces complexity with automated visibility into applications, users and network and provides security ratings to adopt security best practices.
I have long regarded FortiGate as a leading firewall offering. Although there are several reasons I hold FortiGate in high regard, one of my favourite features on the FortiGate platform is Application Control.
FortiGate’s Application control technologies detect, monitor and act against network traffic based on the application that generated the traffic. It also uses protocol decoders with signatures that analyse network traffic to detect application traffic, even if the traffic uses non-standard ports or protocols.
This deep level of inspection normally leads to reduced throughput. However, unlike a traditional security gateway, which relies heavily on CPUs for packet inspection, FortiGate’s hardware architecture allows FortiOS to automatically utilise appropriate hardware components to achieve optimal performance. This prevents the CPU from becoming a bottleneck.
In support of application control, the Content Processor (CP), which is a specialized ASIC chip that handles demanding cryptographic computation for SSL inspection and intensive signature matching, is used to offload these processes from the CPU. This enables FortiGate to minimize performance degradation when administrators opt for greater visibility, security and control.
At the time of writing, FortiGuard Application Control supports more than 4,100 applications, of which 310 fall within the “collaboration” category and 150 within the “social media” category. The social media applications include popular sites such as Facebook, Twitter, Snapchat, Pinterest and Instagram, to name a few.
For more up to date lists and figures, please visit:
So why is Application Control my favourite feature?
Let me explain why this is my favourite feature. In addition to giving network administrators the ability to control what users can access at a granular level, down to which function they can use within a particular application (for example, logging in to Facebook is allowed but Facebook chat is not), it can also expose the contents of chat messages and other valuable pieces of information. This allows Saasyan Assure to unlock the value of that data and help schools better fulfil their pastoral care duties.
Saasyan Assure analyzes the data and notifies pastoral care staff and educators when students attempt to access inappropriate websites and videos, use potentially dangerous search keywords, or are involved in negative social media activity. Artificial Intelligence built into Assure helps teachers by automatically categorising abusive content.
Furthermore, enabling application deep inspection on social media applications is very simple with FortiGate. It starts with creating an application sensor that covers the social media category, or a handful of social media apps, and setting the list action to Monitor. The Monitor action instructs the FortiGate not to block but to monitor and log the behaviour and payload of these applications. Once this is in place, you assign the sensor to the security policy that allows network users to access the Internet. Please note that to inspect the content of these applications, SSL/SSH deep inspection must be enabled on the same policy, which means the FortiGate’s inspection CA certificate must be trusted by every student device (typically pushed through the school’s device management); otherwise browsers will show certificate warnings and certificate-pinned apps will fail.
Best of Breed Pastoral Care with FortiGate and Assure
Having done the above, the FortiGate exposes the chat messages sent over social media platforms through its logging mechanism, which feeds into Saasyan Assure. Assure adds the required metadata, normalises it, and passes every chat message through its alerts module, which detects profanity, cyber-bullying, self-harm and similar content, notifies the relevant people about such activity, stores all of this information in a cloud-based data warehouse, retains it for 12 months and makes it available for easy reporting and analysis.
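As an added example (not Saasyan Assure code), here is the shape of that pipeline over constructed FortiGate-style app-ctrl log lines: parse the key=value syslog format, normalise each record, and run phrase rules that tag bullying, self-harm and profanity. Which log field carries the chat text on a given FortiOS release is an assumption here (msg= is used), the IP addresses are documentation ranges, and the phrase lists are deliberately tiny stand-ins for ones curated with wellbeing staff.

```python
"""Turn FortiGate app-ctrl log lines into pastoral-care alerts.

Added example, not Saasyan Assure code. Lines are constructed in FortiGate's
key=value syslog style; which field carries chat text on a given FortiOS
release is an assumption (msg= here), as are the phrase lists.
"""
import re
from dataclasses import dataclass

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Most serious category first; a real deployment curates these with staff
# and reviews false positives regularly.
RULES = {
    "self-harm": [r"\bkill myself\b", r"\bwant to die\b", r"\bcut(?:ting)? myself\b"],
    "bullying": [r"\bnobody likes you\b", r"\bkys\b", r"\beveryone hates you\b"],
    "profanity": [r"\bcrap\b", r"\bdamn\b"],
}
COMPILED = {cat: [re.compile(p, re.IGNORECASE) for p in pats] for cat, pats in RULES.items()}


@dataclass
class Alert:
    category: str
    matched: str
    user: str
    app: str
    srcip: str
    when: str
    text: str


def parse_kv(line):
    """FortiGate logs are space-separated key=value pairs; quoted values may contain spaces."""
    return {k: q or u for k, q, u in KV_RE.findall(line)}


def normalise(record):
    """Keep only what the alert pipeline needs; fall back to source IP when no user is mapped."""
    if record.get("subtype") != "app-ctrl":
        return None
    return {
        "user": record.get("user") or record.get("srcip", "unknown"),
        "app": record.get("app", ""),
        "srcip": record.get("srcip", ""),
        "when": f'{record.get("date", "")} {record.get("time", "")}'.strip(),
        "text": re.sub(r"\s+", " ", record.get("msg", "")).strip(),
    }


def scan_text(text):
    """Return (category, matched_phrase) pairs, most serious category first."""
    hits = []
    for cat in ("self-harm", "bullying", "profanity"):
        for pat in COMPILED[cat]:
            m = pat.search(text)
            if m:
                hits.append((cat, m.group(0)))
                break  # one hit per category is enough for triage
    return hits


def analyse(lines):
    """Parse, normalise and scan each line; return the alerts to route to staff."""
    alerts = []
    for line in lines:
        rec = normalise(parse_kv(line))
        if not rec or not rec["text"]:
            continue
        for cat, phrase in scan_text(rec["text"]):
            alerts.append(Alert(cat, phrase, rec["user"], rec["app"], rec["srcip"], rec["when"], rec["text"]))
    return alerts


# Constructed sample lines (not captured logs); addresses are documentation ranges.
SAMPLE_LOGS = [
    # Plain traffic log: wrong subtype, ignored by the pipeline.
    'date=2019-05-10 time=11:36:02 logid="0000000013" type="traffic" subtype="forward" '
    'srcip=10.1.100.22 dstip=203.0.113.10 dstport=443 user="jsmith" app="HTTPS" action="accept"',
    # App-ctrl log carrying only the category label: nothing to flag.
    'date=2019-05-10 time=11:37:47 logid="1059028704" type="utm" subtype="app-ctrl" srcip=10.1.100.22 '
    'dstip=203.0.113.10 dstport=443 user="jsmith" appcat="Social.Media" app="Facebook_Chat" '
    'action="pass" msg="Social.Media: Facebook_Chat,"',
    # Chat payload in the assumed msg= field: bullying phrase.
    'date=2019-05-10 time=11:38:10 logid="1059028704" type="utm" subtype="app-ctrl" srcip=10.1.100.22 '
    'dstip=203.0.113.10 dstport=443 user="jsmith" appcat="Social.Media" app="Facebook_Chat" '
    'action="pass" msg="nobody likes you, just leave"',
    # No user= field (unauthenticated personal device): self-harm phrase.
    'date=2019-05-10 time=11:40:55 logid="1059028704" type="utm" subtype="app-ctrl" srcip=10.1.100.31 '
    'dstip=203.0.113.10 dstport=443 appcat="Social.Media" app="Instagram" action="pass" '
    'msg="i just want to die tbh"',
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOGS):
        print(alert)
```

Two details carry over to any real deployment: the self-harm category is checked first so it is never buried under a profanity hit on the same message, and an unmapped device shows up by source IP, which is a prompt to fix user identification rather than a reason to drop the alert.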
Often, in school administration circles you hear IT leaders talk about having to make a choice between an enterprise-grade firewall and a best of breed pastoral care system because it is widely believed that you cannot have both without doubling up the investment. Fact is when you leverage an enterprise-grade firewall such as Fortinet’s FortiGate and a best of breed pastoral care system such as Saasyan Assure, you are not making a compromise, you are betting on a winning combination, without necessarily overextending on your budgetary allocation.