School District of Philadelphia: Securing Virtual Servers, Chromebooks, and Student Data

The School District of Philadelphia is the eighth-largest public school district in the United States, with more than 134,000 students and more than 18,000 staff. “Although we’re large, we are an inner-city district,” Keith Busby, executive director for IT Security for the district, explained to me. This has repercussions for the IT department. “For example, the IT department budget is less than .01% of the overall budget—a fraction of the national average,” Busby added. Unfortunately, these budget constraints do not reduce the need for network security, federally-mandated web filtering, and compliance reporting.

I recently talked with Busby about the district’s integrated security architecture and use of Fortinet products ahead of his presentation at VMworld on August 27. The district stretched its dollars by deploying a highly virtualized server environment and by adding more than 50,000 Chromebooks, but these new technologies overwhelmed the legacy firewall. After a live production test that evaluated performance and capabilities of alternative NGFW solutions in their environment, Busby’s team migrated to FortiGate 7040E Next-Generation Firewalls, and are in the process of migrating to FortiGate-VMX for its virtual server network, integrating it with VMWare NSX to enable advanced, layer 4 to layer 7 policy enforcement and protection for distributed, east-west application workloads and storage. Benefits include a upper-six-figure annual savings by retiring a web-proxy solution and over 500 hours saved annually in security administration.

What is your team’s charter?

My team is responsible for firewalls, intrusion prevention, web filtering, application control, and all that falls under those appliances. We also manage the physical access badge system and do digital forensics for internal investigations and when requested by law enforcement. For all that, we have three team members including myself.

I understand you have a highly virtualized server environment.

Today, we have completely transitioned to a virtual environment except for one or two physical servers. Of course, cost was the biggest driver for virtualization, and those savings have been realized. But to manage risk and drive efficiencies, we really needed micro-segmentation with more policy control, security services, and visibility than we got with VMware NSX. While NSX does a really good job of layer 3 controls and routing, to mitigate advanced threats we needed layer 4 to layer 7 inspection and enforcement with a virtual firewall, which we accomplished with the FortiGate VMX.

What caused you to rethink your network security architecture?

We outgrew our previous firewall. It just couldn’t deal with the amount of traffic that we were seeing, specifically for the Google QUIC protocol used by our Chromebooks. The way our previous vendor did session startup protocol resulted in our CPUs being maxed out.

When you started looking at alternative solutions in 2016, what made Fortinet stand out?

Ease of migration and the performance of the hardware itself. The Fortinet team was able to convert all our policies from the legacy solution, put them on their boxes, and get it working without breaking anything. Additionally, for web filtering, I previously had to separate our web proxies from our internet firewalls. But the FortiGate 7040Es perform well enough that I’m doing everything there now. This is a huge success, as doing away with the legacy proxies saved us a lot of money—in the high six figures.  It also simplifies our network considerably which saves time and resources. 

Is doing everything on one box saving administrative time as well?

It does. Previously, I spent a lot of time on the proxies—every time a certificate would get changed or they introduced new performance constraints. And troubleshooting time—there was always something breaking. Having everything on one box saves around 10 hours a week in administration time.

With micro-segmentation in place, have you set up rules that automate some processes that help you be more efficient and proactive with security?

This is one of the reasons why I switched to FortiGate-VMX integrated with NSX. We’re creating object groups so that every time our server team stands up a new web server, they can just drop it in the group and I don’t have to modify policy. Let’s say we have a winter storm coming and everyone is checking our website for updates on school closures. In the past, they would have to deploy more servers. Now, they will be able to do it without needing to wake me or my team up.   The purpose-built NSX integration by Fortinet automatically updates the NSX objects into FortiGate-VMX across the server cluster without needing any manual intervention from me or my team. 

That’s results in greater flexibility and saves you some time as well.

The virtualization group loves it. I will only have to work with them to make sure they are keeping their templates hardened so that any new servers they deploy are secure.

With the windows for intrusion to breach and even from detection to breach getting shorter, how important is a quick response for your team?

I like to think we’re handling some of the most important data there is—the students’ data. So, anything I can do to quickly cut that off from a possible breach is key to my job.

Is the Fortinet solution helping you in demonstrating compliance?

For the Children’s Internet Protection Act (CIPA), we must randomly supply reports to show that we are doing web filtering. With FortiAnalyzer, it is easy for me to schedule reports to be sent to the required people. Our previous solution always had problems with the database, which made pulling reports, a more complicated, manual, and time-consuming process.

Is the combination of the FortiGate 7040E NGFWs and your virtualized environment easy to manage?

One of the benefits of Fortinet is that the OS is the same across the board. For my team, I got them all FortiGate 60E firewalls for their desks and assign them exercises and tasks for training, knowing the same capabilities on the 60E are also available on the 7040E. It was the same way for the virtual environment; we did not need to worry about learning a new way of doing things.

You work with the Air Force Cyber Patriot competition. What is that?

It’s a nationwide competition, sponsored by the U.S. Air Force, where grade school, middle school, and high school students perform different cybersecurity functions and are evaluated on how well they do. I work with one of our inner-city schools. There are 20 or 30 kids who participate each year, one Friday a month. They’re holding their own. Some of the schools we compete against provide every kid with a server to work on. We can’t afford to do so. But we can create different virtual environments for them to practice on.

What appeals to you about this job and and this district?

I’m a product of the School District of Philadelphia. I went to grade school, middle school, and high school here. Despite some of the negative publicity about what goes on in our district, there are some great things taking place as well. I want to help the district show off all the great things that we do. I like to give back.

Find out more at #VMworld:

Session:

VMware NSX Data Center Service Insertion: Advanced Network and Security

Speakers:

Rod Bachelor, Sr. Product Line Manager, VMware

Keith Busby, School District of Philadelphia

Monday, Aug 27, 2:30 p.m. - 3:30 p.m., Breakers J, Level 2

Read more about Fortinet and VMware: Fortinet Fabric Connector - FortiGate VMX and VMware NSX