Typical educational institution computer networks, from K-12 schools to colleges and universities, are much like enterprise networks. The devices in a school district or college, ranging from mobile phones and tablets to desktop computers and servers, can number at least 500 to 1000, and they need network security and proper access controls just as enterprise devices do. Both enterprise and school networks also need the following IT resources:
- Routing and Firewalls
- Traffic Shaping and Bandwidth Quotas
- Virtual Private Network (VPN)
- Captive Portal
- IPS-based protection
- Realtime protection against emerging threats
- Active Directory Integration
- Web/URL filtering
- High Availability
Schools, however, have additional internet security needs and legal liabilities, including the Children’s Internet Protection Act (CIPA), enacted by Congress in 2000 to address concerns about children’s access to obscene or harmful content over the Internet. CIPA requires that Internet safety policies be in place and that they include technology protection measures that block or filter Internet access to pictures that are: (a) obscene; (b) child pornography; or (c) harmful to minors (for computers that are accessed by minors).
And although the technology requirements are similar between enterprises and schools, the budgets are not. With OPNsense and Sensei, however, school districts and colleges now have a solution that can meet all of these requirements yet still have the protection of a Next-Generation Firewall at under $1 per device.
Solution: OPNsense + Sensei
OPNsense is an open-source, easy-to-use HardenedBSD-based firewall and routing platform that includes most of the features available in expensive commercial firewalls, and more in many cases. It brings the rich feature set of commercial offerings with the benefits of open and verifiable sources. The operating system is based on HardenedBSD, which is a security-hardened version of FreeBSD. FreeBSD is the operating system that you’ll find lying under the hood for companies such as Netflix and Yahoo!
The firewall implementations in FreeBSD are the pf and ipfw packet filters, which are considered two of the most mature packet filtering systems. OPNsense also provides its users with a powerful packet shaping and bandwidth management system called ALTQ, which is again courtesy of the strong underlying operating system.
OPNsense has an IDS/IPS capability built into the product. The underlying technology is Suricata, which is what you’ll see if you unbox many commercial products that are on the market today. They even offer free and paid versions of the Emerging Threats ruleset.
With OPNsense, you’re also not limited to one solution for VPN access. You have several options like IPsec, OpenVPN, and the newly introduced WireGuard, without user limits.
Installing, configuring, and using OPNsense is a no-brainer thanks to its intuitive interface. You will never need to access the “black console” to do maintenance or operation. Everything can be done over the beautifully designed web interface.
Finally, OPNsense is a live project that ships two major updates as well as a dozen minor updates every year. Because of its security-centric approach, critical security vulnerabilities also get patched within a very short time.
What about a Next-Generation Firewall (NGFW)?
OPNsense also has a very flexible plugin architecture that makes it easy for developers to add new functionality to the firewall. Leveraging OPNsense’s architecture, Sunny Valley Networks has developed Sensei, an easy-to-install plug-in that empowers OPNsense with Next-Generation Firewall features.
Sunny Valley Networks’ Sensei Free Edition is made available at no cost to OPNsense users. The Premium Subscription offers more advanced features and can be purchased through the Sensei web user interface.
Because the Premium Subscription is not priced as a complete firewall, the OPNsense + Sensei combination is the best solution on the market in terms of price and value.
The technology behind Sensei is a very powerful packet analysis engine that can also provide protection against encrypted cyber-attacks.
Key Sensei features include:
- Commercial grade web/content filtering and ad blocking for 140+ million sites
- Auto-filtering against emerging malware, virus, and phishing attacks
- User/Group based security with Microsoft Active Directory or LDAP integration
- User access control with Captive Portal
- Application-based filtering
- Best-in-class network reporting and analytics
- Policy-based filtering
- Encrypted attacks protection
While firewall technology requirements for educational institutions are similar to those of enterprises, school budgets are not. With OPNsense and Sensei, school districts and colleges now have a solution that not only meets all of an educational institution’s requirements but also provides the protection of a Next-Generation Firewall, all at under $1 per device.