Palo Alto Networks | Security Reference Blueprint for K-12 IT | White Paper
Table of Contents
Virtual Segmentation 5
Endpoints 6
DMZ 8
Administration Zone 10
V. Summary 12
I. SECURITY CONCERNS FOR K-12 INSTITUTIONS
Keeping students and their data safe is becoming more of a challenge in modern learning environments. Online safety, while an important aspect, is only one element of network security. Schools are becoming more networked all the time. New multimedia content, e-learning tools that complement traditional learning, and staff and students who BYOD all require protection from modern cyberthreats, which strains security services to their breaking points. The increasing use of SaaS applications, while increasing efficiency and productivity, has also introduced new threat vectors. For IT staff, this means continually monitoring the networks and their resources for cyberthreats. Navigating and monitoring this changing minefield is a difficult and time-consuming task for security teams, some of whom are attempting to repel dozens to thousands of attacks per day.
Reams of student and staff online data combined with limited IT resources have resulted in K-12 institutions becoming an increasingly successful target for ransomware1. Hackers infiltrate networks, disrupt operations by encrypting data, and extract a ransom in exchange for decryption keys.
An effective security strategy that incorporates key security principles can address this type of exposure and damage, while improving the visibility and control of IT and security teams. This paper discusses how the Palo Alto Networks® Next-Generation Security Platform enables schools to implement these principles to detect and prevent threats to networks, devices, and information, on premises and in the cloud, while monitoring policy effectiveness and reducing complexity and unnecessary overhead. The end goal: efficiently manage a high-performance learning environment while protecting students, staff, and their data, and ensure ongoing compliance with policies and regulations.
Sidebar:
The Palo Alto Networks Next-Generation Security Platform natively integrates network, cloud and endpoint security into a common architecture, offering IT teams comprehensive visibility and control. This platform approach ensures your organization can detect and prevent attacks, streamline day-to-day operations, boost security efficacy, and prevent threats at each stage of the attack lifecycle. https://www.paloaltonetworks.com/products/designing-for-prevention/security-platform.
Optional security subscriptions seamlessly integrate on the platform to add: protection from known and unknown threats; classification and filtering of URLs; and the ability to build logical policies based on the security posture of a user’s device. https://www.paloaltonetworks.com/products/platforms/subscriptions.html.
Palo Alto Networks cloud-based or on-premises malware analysis environment, WildFire, provides dynamic analysis of suspicious content in a virtual environment to discover unknown threats, then automatically creates and enforces content-based malware protections. It also detects malicious links in email, proactively blocking access to malicious websites.
II. REFERENCE BLUEPRINT GOALS AND SECURITY PRINCIPLES
This Security Reference Blueprint for K-12 Education IT describes
a security framework using the preventative capabilities of the
Palo Alto Networks Next-Generation Security Platform. Using this blueprint enables education security and IT
professionals to protect students and their data while maintaining a high-performance, high-availability and safe
learning environment. To do so, this blueprint can help K-12 institutions:
• Meet academic needs for internet connectivity while keeping students safe.
1. http://money.cnn.com/2016/04/04/technology/ransomware-cybercrime/
There are several types of cyberthreats that impact K-12 networks: opportunistic malware with no specific targeted
victim; exploits of vulnerable applications; and, increasingly, targeted attacks. Using some key security principles,
K-12 institutions can prevent these threats, minimize network interruption or downtime, and protect against
unauthorized access and leakage of sensitive data. These core security principles include:
• Application and user visibility and monitoring to reduce the threat footprint, enforce usage policies, and
assist with capacity planning and appropriate access controls.
• Virtual segmentation to prevent movement of malware through the network and strengthen security posture.
• Coordinated protection across endpoints, in data centers, in remote locations and at major internet
gateways and cloud locations.
• Timely reporting to enable IT, cybersecurity and intelligence professionals to coordinate actions.
• Immediate and automatic sharing and distribution of threat intelligence between systems.
Subsequent sections address each of these principles in detail.
• Identify frequently used applications so you can more easily highlight unknown or potentially risky applications. You can monitor traffic across your Next-Generation Security Platform to learn and understand current traffic patterns.
• Start implementing application-based rules for a few non-critical applications with smaller user bases in
order to demonstrate success. For example, a K-12 institution may choose to limit staff payroll access to
only the human resources group.
• Develop a strategy to roll out application-based rules in line with the institution’s objectives and the application and user awareness gained. For example, the next move may be to target vulnerable applications, for example by limiting access to billing and invoicing applications to only the finance department user group.
• Iteratively lock down applications according to the approved strategy, and enforce consistent security
policy rules for users and groups with similar access and application requirements.
• Look for other dynamics within your environment, such as:
◦ Port scanners and/or vulnerability scanners
◦ Third-party networks that are not approved
• Build groups for traffic to always block:
◦ IP ranges including geo-location – does your data center need to talk to China?
• Identify, monitor and analyze all encrypted traffic, especially from external websites (SSL/TLS). While
many applications and websites use encryption for privacy, malware authors are increasingly delivering
encrypted malware payloads. All encrypted network traffic should be examined for the presence of
malware or inappropriate usage (see Figure 1).
By implementing granular application identification, not just port-based filtering, administrators gain greater
visibility and the opportunity to reduce their risks significantly.
Figure 1: Palo Alto Networks Next-Generation Security Platform Application Control Center shows the top
applications in use on your network, activity by user, threats, and other activity that is helpful in gaining
visibility and developing security policies.
Virtual Segmentation
In some of the latest attacks against the K-12 industry2, attackers broadcast emails with infected attachments; unsuspecting recipients open them and infect internal networks. Any such attack can impact network integrity, student and staff data, and regulatory compliance within your institution.
The Zero Trust approach, first coined by Forrester® 3, makes it very difficult for such an adversary to succeed.
This same approach makes it difficult for everyday malware to move across the network. Zero Trust boundaries4
verify all users, devices and applications traversing your network, effectively compartmentalizing user groups,
devices and/or data types, such as social security numbers or student grades. Scanning data that moves in and
out of the zone not only prevents the spread of threats, it can also prevent data from being exfiltrated.
There are three major benefits to segmenting your systems into virtual network zones:
• Limit the scope of vulnerability by separating vulnerable devices, such as old servers that cannot be
patched from others, or those containing sensitive data such as student health records.
• Limit data exfiltration by limiting the amount of data that is compromised in a breach.
• Limit the scope of compliance since only the devices, workstations, and servers in a particular zone are
subject to compliance audits.
2. http://researchcenter.paloaltonetworks.com/2016/11/ransomware-common-attack-methods/
3. www.forrester.com
4. Some organizations use virtual local area networks (VLANs) to segment their network, but VLANs simply isolate network traffic – they
are unable to enforce the control of privileged information. In addition, by itself, a VLAN cannot inspect traffic for threats.
Two separate, but complementary, virtual segmentation strategies control traffic in different ways:
• North-south segmentation controls traffic entering a network or a private, public or hybrid cloud.
• East-west segmentation controls traffic entering and exiting a virtual machine (VM).
Zero Trust boundaries, zones, or virtual network segments enable you to apply controls at every entry and exit
point of the zone, preventing malware from moving between zones and lateral movement of advanced attacks.
Virtual segmentation zones can include:
• Applications and databases containing private or regulated information (for example payroll records,
personal information of students, and payment information).
• School Wi-Fi internet access.
• Access to third parties, such as affiliated institutions.
• Smart machines and sensors, such as building and facilities management systems.
By applying this Zero Trust approach, educational institutions can protect critical servers and sensitive information from unauthorized users or data exfiltration, reducing the exposure of vulnerable systems and preventing the movement of malware throughout the network.
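The following Python program is an added illustration of two passages in this paper: the application- and user-group-based rule rollout in the earlier list, and the Zero Trust zone boundaries described here. It is not Palo Alto Networks code and does not model PAN-OS configuration; the zone names, user groups, application names, addresses and the 203.0.113.0/24 block range are constructed for the example. It shows an ordered rulebase in which traffic crossing a zone boundary is dropped unless an explicit rule matches on zone pair, application and user group, with an always-block address group evaluated before the rulebase.

```python
"""Zone-based Zero Trust policy evaluator (added example, not Palo Alto Networks code).

Traffic between zones is matched against an ordered rulebase on source zone,
destination zone, application and user group; anything without an explicit
allow rule is dropped. An always-block address group (the paper's geo-location
example) is checked before the rulebase. All names and addresses are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import FrozenSet, List, Tuple

ANY = frozenset({"any"})  # wildcard for the apps / user_groups fields


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    apps: FrozenSet[str]         # application names, or ANY
    user_groups: FrozenSet[str]  # directory / identity groups, or ANY
    action: str                  # "allow" or "deny"

    def matches(self, src_zone: str, dst_zone: str, app: str, group: str) -> bool:
        return (self.src_zone == src_zone and self.dst_zone == dst_zone
                and ("any" in self.apps or app in self.apps)
                and ("any" in self.user_groups or group in self.user_groups))


@dataclass
class ZonePolicy:
    rules: List[Rule]
    always_block: List[IPv4Network] = field(default_factory=list)

    def evaluate(self, src_zone: str, dst_zone: str, app: str,
                 group: str, dst_ip: str) -> Tuple[str, str]:
        """Return (action, reason) for one session crossing a zone boundary."""
        # 1. Always-block address groups override every rule.
        addr = ip_address(dst_ip)
        for net in self.always_block:
            if addr in net:
                return "deny", f"always-block {net}"
        # 2. First matching rule wins, as in an ordered firewall rulebase.
        for rule in self.rules:
            if rule.matches(src_zone, dst_zone, app, group):
                return rule.action, rule.name
        # 3. Zero Trust default: no explicit rule, no traffic.
        return "deny", "implicit-deny"


def build_example_policy() -> ZonePolicy:
    """Constructed rulebase mirroring the paper's examples."""
    return ZonePolicy(
        rules=[
            # Staff in the administration zone reach regulated apps in the data center.
            Rule("allow-hr-payroll", "administration", "data-center",
                 frozenset({"payroll"}), frozenset({"hr"}), "allow"),
            Rule("allow-finance-billing", "administration", "data-center",
                 frozenset({"billing", "invoicing"}), frozenset({"finance"}), "allow"),
            # Teachers on their own laptops reach only the assessment application;
            # file-sharing uploads into that zone have no rule and fall through.
            Rule("allow-teacher-assessment", "school-endpoint", "assessment",
                 frozenset({"assessment-app"}), frozenset({"teachers"}), "allow"),
            # Anyone in the school endpoint zone may browse to DMZ web servers.
            Rule("allow-endpoint-web", "school-endpoint", "dmz",
                 frozenset({"web-browsing", "ssl"}), ANY, "allow"),
        ],
        # Constructed stand-in for a geo-location block group (documentation range).
        always_block=[ip_network("203.0.113.0/24")],
    )


if __name__ == "__main__":
    policy = build_example_policy()
    # The second session is the paper's HR staffer logging in from the school
    # endpoint zone: no rule allows it, so it hits the implicit deny.
    for session in [
        ("administration", "data-center", "payroll", "hr", "10.0.5.10"),
        ("school-endpoint", "data-center", "payroll", "hr", "10.0.5.10"),
        ("school-endpoint", "assessment", "dropbox-uploading", "teachers", "10.0.7.5"),
        ("data-center", "external", "ssl", "any", "203.0.113.9"),
    ]:
        print(session, "->", policy.evaluate(*session))
```

The evaluator returns the rule name (or the always-block network) as the reason, so each decision can be logged and reviewed against the rollout strategy; a session that lands on "implicit-deny" is the signal to decide whether a new narrowly scoped rule is warranted or the access is simply unwanted.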
Endpoints
K-12 education has a plethora of devices accessing the network – some managed by the school or district and
many that aren’t. An effective endpoint security strategy takes into account all endpoints, including virtual and
physical desktops, laptops5, virtual and physical servers – regardless of patch, signature or software-update
levels, or ownership. IT teams have a duty of care to prevent ransomware and other malware from affecting not
only school-owned devices, but also students’ devices.
For managed and owned computers and servers, IT should enforce the Zero Trust model, particularly on
laptops or those with unpatched or unpatchable systems that are no longer supported by their vendors, such as
Microsoft® Windows® XP.
5. Laptops can be especially at risk if users access a vulnerable public network, such as a Wi-Fi hot spot at a coffee shop. If a returning
user then connects an infected laptop with your school network, the risk of infecting other systems undetected increases significantly.
The main threats affecting managed endpoints include executable malware and exploits that target specific
application vulnerabilities. To protect against them:
1. Employ lightweight agents that continually monitor for exploit techniques and malicious executables.
All managed devices should be protected from exploits and malicious executables. Ideally, only devices
that have these protections should be able to access institution applications and data.
2. Apply policy-based restrictions to prevent the spread of threats. IT teams can easily set up policies
restricting specific scenarios, such as only running applications that have been signed or other policy
enforcement options. For example, you may want to prevent files in Outlook.tmp directories or on a USB
drive from executing directly.
To protect communications, mobile devices such as laptops, smartphones, and tablets should always connect to
the institution network via a VPN.
Endpoints not owned by your institution should be inherently untrusted. However, through user identification
and virtual segmentation, schools can still identify many of these devices, grant or deny them access to certain
applications, and monitor and prevent threats from spreading. For example, you may want to grant a teacher
using their laptop access to the zone that contains student assessment software. However, through usage
policies, you may want to prevent them from uploading executable files into the zone or using the upload option
of Dropbox to remove data from the zone.
6. http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/
[Figure: reference architecture diagram; the image itself is not recoverable. Labels recovered from the diagram: External; Software as a Service (SaaS); student & staff access; Public Cloud; Administration Zone; Traps; GlobalProtect; Next-Generation Security Appliance; Aperture; Site-to-Site VPN; Internet or Private Network; School Endpoint Zone; WildFire; DMZ; URL Filtering; VPN Gateway; School-owned endpoints; BYOD endpoints; Data Center; Network zones; Role-based. Callout: "The next-generation security platform can be deployed as physical or virtual devices." Legend: Data center zone: Servers. School endpoint zone: School-owned laptops, workstations and mobile devices, as well as BYOD devices. DMZ Zone: DMZ servers.]
Protecting each zone with the Next-Generation Security Platform offers several benefits. Beyond validating appropriate applications and/or their intended users, the Next-Generation Security Platform scans all traffic entering and exiting every zone to prevent data leakage and malicious payloads from spreading:
• WildFire™ cloud-based threat analysis service detects and then subsequently blocks zero-day threats by automatically creating protections and distributing them in as little as five minutes to the Palo Alto Networks platform and endpoints.
• Threat Prevention blocks malicious files with signatures for known threats.
DMZ
The DMZ is the primary internet-facing zone and contains a next-generation security appliance. External users can access specific resources, such as the school or district website and possibly library services or course content for remote learning, from the internet. Staff and valid third parties working remotely (such as contractors) can also access internal systems via a VPN.
School Endpoint Zone
The school endpoint zone is the main zone for the school. Anyone, whether staff, students, known third
parties or guests, can access the school endpoint zone using their own computers or mobile devices (laptops,
tablets and smartphones), or school-owned computers and mobile devices. This network should be considered inherently insecure. Depending on the size of the school and the information contained in it, some schools may want to subdivide this zone into a Wi-Fi zone (primarily for student and guest devices) and a LAN endpoint zone (which school-owned lab computers, staff computers, printers, and smart boards connect to).
This should be the only zone students can connect to, so schools can use URL Filtering, application identification, and user identification capabilities of the platform to enforce internet-usage policies or comply with regulatory requirements. To keep students safe from inappropriate material, IT can block entire URL categories, and implement granular web content filtering rules that can vary based on user group. For example, some schools may grant different web surfing access to junior and senior school students, where senior students have more freedom to access social media sites. Staff using their personal computers may have more freedom than their students. IT teams can monitor web activity through the Application Control Center, view URL Filtering reports, or generate group activity reports that help inform policy updates. A global URL Filtering database synchronizes with WildFire and automatically generates protections every 15 minutes, which means that URL categories, including malware and phishing, are always up to date.
Sidebar:
Palo Alto Networks Traps advanced endpoint protection is designed to identify exploits as they attempt to execute and block the execution of malicious code. Traditional antivirus software depends on malware signatures, which may not always be up-to-date in the case of zero-day malware or exploits. Rather than run as a separate process scanning for malware, the Traps agent automatically injects itself into each process as it is started and monitors all application activity, looking for patterns of behavior that are unusual or that have been seen with previously documented exploits. When it identifies such behavior, the agent will automatically trigger and block the advanced attack that would otherwise evade detection.
In addition to establishing effective policies and segmenting the endpoint zone, schools can apply exploit and malware prevention solutions directly to school-owned endpoints. Protecting school-owned computers and servers with Palo Alto Networks Traps™ advanced endpoint protection ensures that:
• Any exploits on vulnerable systems, regardless of patch status, are immediately thwarted. Traps automatically prevents attacks by blocking exploit techniques, such as thread injection.
• Any malware is discovered and thwarted. When unknown .exe files are discovered, the Traps agent will automatically query its local caches, and then if necessary WildFire to assess the file’s standing.
IT teams can protect mobile devices (including laptops, tablets and smartphones) with Palo Alto Networks GlobalProtect™ network security client for endpoints. GlobalProtect sends unidentified files coming to and from the mobile device to the WildFire malware execution environment for static and dynamic analysis of potential mobile threats. GlobalProtect supports two-factor authentication for even more protection for mobile devices.
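As an added illustration of the two endpoint measures described above (policy-based restrictions on where executables may run, and the local-cache-then-analysis lookup for unknown .exe files), the following Python program models that sequence. It is not Traps or WildFire code: the sandbox is a constructed stand-in that recognises a marker string, the verdict cache is an in-memory dictionary keyed by SHA-256, and the restricted paths and sample files are invented for the example.

```python
"""Endpoint executable check: policy restrictions plus cache-then-sandbox verdicts.

Added example modelling the sequence described in the text; not Traps or WildFire
code. The sandbox is a constructed stand-in, the cache is an in-memory dict, and
the restricted paths and sample files are invented for the example.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Tuple

PE_MAGIC = b"MZ"  # DOS/PE header: how the check recognises a Windows executable
# Constructed marker: the stub sandbox reports any file containing it as malware.
MALICIOUS_MARKER = b"CONSTRUCTED-MALICIOUS-SAMPLE"


class StubSandbox:
    """Stand-in for a malware analysis service. Counts submissions so the caller
    can confirm that a hash already in the local cache is never resubmitted."""

    def __init__(self) -> None:
        self.submissions = 0

    def analyze(self, data: bytes) -> str:
        self.submissions += 1
        return "malware" if MALICIOUS_MARKER in data else "benign"


@dataclass
class EndpointAgent:
    sandbox: StubSandbox
    cache: Dict[str, str] = field(default_factory=dict)   # sha256 hex -> verdict
    # Constructed policy: directories and drives from which nothing may run directly
    # (the paper's Outlook temporary directory and USB drive examples).
    restricted_dirs: Tuple[str, ...] = ("\\outlook.tmp\\",)
    restricted_drives: Tuple[str, ...] = ("e:\\", "f:\\")

    def path_restricted(self, path: str) -> bool:
        p = path.lower()
        return p[:3] in self.restricted_drives or any(d in p for d in self.restricted_dirs)

    def verdict(self, data: bytes) -> Tuple[str, str]:
        """Local cache first; only hashes never seen before go to the sandbox."""
        digest = hashlib.sha256(data).hexdigest()
        if digest in self.cache:
            return self.cache[digest], "cache"
        result = self.sandbox.analyze(data)
        self.cache[digest] = result
        return result, "sandbox"

    def check_executable(self, path: str, data: bytes) -> Tuple[bool, str]:
        """Return (allowed, reason) for a file about to execute from `path`."""
        if not data.startswith(PE_MAGIC):
            return True, "not-an-executable"        # outside this check's scope
        if self.path_restricted(path):
            return False, "policy:restricted-path"  # blocked before any verdict
        verdict, source = self.verdict(data)
        return verdict == "benign", f"{verdict}:{source}"


# Constructed sample files (not real binaries).
BENIGN_EXE = PE_MAGIC + b"\x90" * 16 + b"constructed benign sample"
MALICIOUS_EXE = PE_MAGIC + b"\x90" * 16 + MALICIOUS_MARKER


if __name__ == "__main__":
    agent = EndpointAgent(StubSandbox())
    for path, data in [
        (r"C:\Program Files\App\app.exe", BENIGN_EXE),        # first sight: sandbox
        (r"C:\Program Files\App\app.exe", BENIGN_EXE),        # second sight: cache
        (r"C:\Users\t\Downloads\invoice.exe", MALICIOUS_EXE),  # sandbox says malware
        (r"E:\setup.exe", BENIGN_EXE),                         # restricted drive
    ]:
        print(path, "->", agent.check_executable(path, data))
    print("sandbox submissions:", agent.sandbox.submissions)
```

The ordering matters: the path policy is applied before any verdict lookup, so a file on a removable drive is refused even when its hash is known-good, and the cache ensures a file seen twice costs one analysis submission, which is what keeps a cache-then-query design cheap enough to run on every execution.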
Administration Zone
Schools may want to create separate zones that specifically limit which users can access the zone. This
segmentation helps limit the zone of compliance for regulated information, such as personally identifiable
information (PII) or financial information. In this example, finance teams, student records administration, and
HR staff are segmented in their own zone, along with any servers and related applications not in the data
center. Only users in that zone can access applications in that zone. For example, if an HR staffer travels to a
school with their laptop and tries to log in to HR applications from the unsecured school endpoint zone, they
can be denied access.
Software as a Service (SaaS)
Data resident within enterprise-enabled SaaS applications is typically not visible to an organization, but can be
a source of malware and a popular vector for data exfiltration. Palo Alto Networks Aperture™ SaaS security service connects directly to the most popular enterprise SaaS applications to provide data classification, sharing/permission visibility, and threat detection. This yields unparalleled visibility, allowing IT teams to inspect content for data risk violations and control access to shared data via a contextual policy. For example, schools can block known and unknown malware that may be coming from files resident in the SaaS application. Aperture can also quickly quarantine data if a policy violation occurs, such as an attempt to exfiltrate PII.
• Reprograms security functions across the network with those new signatures.
• Makes available artifacts from any new threat for ongoing or later analysis.
You can customize appliance and management appliance views per administrator or department, allowing IT
and security teams to share views of alerts and other activities of interest across your network.
Palo Alto Networks also provides prioritized, actionable security intelligence on attacks that merit immediate attention. AutoFocus™ contextual threat intelligence service organizes and presents the largest collection of emerging malware data in the world. It builds on billions of threat artifacts from over 10,000 advanced malware execution environment subscribers, applies unique large-scale statistical analysis, human intelligence from the Palo Alto Networks threat intelligence team, and tagged indicators from your organization and a global community of cybersecurity experts also using the service. AutoFocus provides full context on attacks, such as who is attacking, how they are attempting to compromise the network and whether any indicators of compromise are already present on the network.
Often, the same industry faces attacks by the same adversary. In K-12 institutions, where there is growing
interest in obtaining data for cybercriminal profit or sabotage, there is more reason to act swiftly. Palo Alto
Networks Threat Intelligence community cloud enables swift sharing of threat signatures so that all parties can
benefit from threats discovered across all organizations within your industry, while AutoFocus enables organizations within the same industry to understand what others have seen within their industry.
7. The Palo Alto Networks Migration Tool is compatible with Juniper, Cisco, Check Point, Fortinet and McAfee configuration files.
In future phases, the deployment team can work with network and security departments to take full advantage
of the Next-Generation Security Platform. The platform can identify unique network users by leveraging user
information from a wide range of identity and directory systems (for example, Active Directory®/LDAP, Microsoft
Exchange, Captive portal, and more) and limiting access to individual applications based on the desired criteria (for
example, Active Directory security groups, or location-based user IP address ranges).
K-12 education institutions are subject to government and industry regulations. For example, in the United States,
schools that want to access federal grants available to offset the cost of internet access or internal connections
must comply with the Children’s Internet Protection Act (CIPA). Through granular web filtering and security policy
administration, ability to monitor activity by user, application and user logs, and application visibility and control,
the Palo Alto Networks platform helps schools address CIPA and other children’s protection initiatives. Similarly,
education institutions have used the Zero Trust approach and Palo Alto Networks platforms to support compliance
with health regulations (such as the U.S.-based HIPAA Security Rule) and the protection of personal information
(such as PIPEDA, the EU Data Protection Directive, or other country-specific regulations).
For more information on how Palo Alto Networks can help address CIPA compliance, please visit https://media.
paloaltonetworks.com/documents/CIPA_Compliance.pdf.
V. SUMMARY
Implementing effective security controls with a Zero Trust prevention focus helps K-12 institutions protect themselves against cyberthreats and safeguard student and staff data. Palo Alto Networks Next-Generation Security Platform provides K-12 institutions around the world with coordinated, highly effective, and easily administered threat prevention, protecting sensitive data and ensuring regulatory compliance while maintaining high network performance.
To learn more, please visit https://www.paloaltonetworks.com/solutions/industries/education/education-lower.
4401 Great America Parkway, Santa Clara, CA 95054. Main: +1.408.753.4000. Sales: +1.866.320.4788. Support: +1.866.898.9087.
© 2017 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.
K-12-security-blueprint-reference-wp-030317
www.paloaltonetworks.com