Tag Archives: Access

Access Denied: Controlling What Students Can Access

By: Tony DePrato | Follow me on Twitter @tdeprato

Recently I have been discussing multiple new security measures for academic networks. From these discussions with other schools, engineers, and suppliers, I have created set of goals to help keep the development of network security on track and within budget.

Physical Access

Physical access can be managed without a great deal of expense. The goals to reach for are:

  • We allow only the devices we have confirmed and labeled
  • We can control the number of concurrent devices a user is using on the network
  • We can identify by IP, Serial Number, or MAC Address (or a combination of the three) the owner of a device
  • We can remove a user from network access, and restrict their devices, with minimal effort
  • We have processes and procedures to register devices; users can switch devices through these processes
  • Users can only circumvent the processes by giving their login IDs, passwords, and hardware to another person

These goals do not imply the direct management of equipment; nor do they capture user data. These goals ensure that devices on the network are approved, registered, and can be clearly identified.

Achieving these goals is the first step towards the concept that accessing the network is a privilege not a right. Privileges can be revoked. If revocation is not possible, then the concept/policy cannot be enforced.

Guest Access

Guest Access can be problematic for schools.  However, if your school is in a country that requires you to perform due diligence for network/internet access, then the Guest Access should be provided in a limited fashion, and only when necessary. Please review the laws governing access; especially where children under 13 are present.

If you are not sure what the laws are in your country, start here.

Topology

Topology refers to the way in which constituent parts are interrelated or arranged.

These are the topology goals that should be met before additional security is added:

  • Students, Teachers/Staff, and Parents/Guests are never on the same network/same IP range (not just SSIDs, unified IP ranges and access across the network should be prohibited)
  • Printers and other devices are not on the same IP range as the Wifi; those with access to printers and devices must be provided access
  • Data sharing should happen in the cloud; or in a device that has been configured with user authentication
  • LAN ports should not be using DHCP, if those ports are physically accessible by teachers, students, parents, or guests
  • Equipment on the LAN should be managed; given an IP address; and be easily identifiable
  • VLANs need to be created to meet most of the above requirements; VLANs should be planned out on paper and clearly mapped for decision makers to understand
  • All Access Points need to be named and numbered to reflect their exact location on campus

Web Filtering

Web filtering is often sold to schools as a turnkey holistic solution to manage content that students access. The truth is that web filtering will only, and always, be partially effective with students. Web filtering is highly effective in meeting the following goals:

  • Controlling what teachers and staff access
  • Controlling what guests access
  • Controlling what school owned devices access (devices that stay at school all the time)
  • Preventing accidental content being shown/broadcast on school owned devices
  • Meeting most due diligence standards concerning laws that govern content access and control
  • Showing an overall data set to help guide decisions based-on what people are doing and trying to do online

Web filtering has two main issues. First, HTTPS content can be blocked but not read.
This means when students go to HTTPS websites, the school will not know what they are doing, and/or interacting with on those site. Since 2018, HTTPS is used more often by webusers than the original non-secure HTTP. A few years ago, a person could type http://facebook.com . Today, everyone is forced to https://facebook.com .

Because many schools want to use web filters to study student access data, they will fail to achieve that goal, regardless of the fact the filter claims it can read the data. The filter can read some data, but not all; and currently not most.

Second, students can install and run VPN services fairly easily. When they do this, most filters are circumvented. Keep in mind that good VPN services are not free. Having those difficult conversations with parents at the beginning of the year, and as frequently as possible, is often more valuable than new snazzy technology solutions. If parents enable behavior, it is very difficult for school policies to be successful.

In summary, Physical Access, Guest Access, and Topology goals are usually achievable with current network hardware and software solutions employed by schools with a population of 500 users or more. Achieve these goals first, before investing in web filters or other solutions.

Remember, giving students freedom to work and create will create security loopholes. Depending  solely on technology solutions in an environment where education opportunities are abound is a bad strategy to pursue. There is no substitute for engaging students in dialog when they are acting inappropriately.

Keeping Your Campus Safe: Who Can Do What

By: Tony DePrato | Follow me on Twitter @tdeprato

When a school network is designed, various levels of access have to be created to manage content access. The easiest way to approach this is to place students, teachers, staff, and others into groups. The group is then managed. If an individual becomes untrusted, they become a non-group member, and thus cannot access anything.

Groups have an ID, this is something people never see. To get into the group, people have a personal ID, this is something people use everyday. They never consider all the places their ID (username and password) travels.

In the physical space, group IDs and access indicators are also needed. These need to be designed so they can be visually recognized by members of the community. In addition, buildings and facilities need to be designed to accommodate certain groups, but not allow others.

Group IDs in the Visual Space

I have already spoken about uniforms, but many schools do not use uniforms. Dress code is definitely a manner to identify a group students, but beyond that, there are many other ways to know who is who and what they should be doing.

IDs

Student IDs are often the same for all student, and many are the same template as staff IDs.

IDs for different groups should vary visually. This allows anyone to quickly look at the color, and make a decision about access to facilities, food options, etc. Having to stop and read, requires engagement. Engagement either requires a sense of authority, or it can make a person feel as if conflict might ensue. Colors remove the direct engagement aspect of managing people in physical spaces from those who might only want to report a problem.

For example:

K-5 Students

6-12 Students

K-5 Teachers

No Go Zones

Libraries, Cafeterias, and other large areas should have spaces that are “student only” and “parent/guest only”. These spaces should separate students by age group when possible.

People who are managing these spaces need to manage problems over a larger landscape. They should be able to politely direct anyone to their proper area, without conflict. These areas can be labeled, and color coded. Colors could match IDs (or guest passes) to help everyone navigate.

For example, students in the middle school might have red ID cards. Middle school bulletin boards, information screens, etc., could all have a red border. Anyone noticing a student with a blue ID, would immediately realize that student is in the wrong building. Trying to sort students by size is something teachers try to do, but that practice is not very accurate when students are close in age.

Driving and Parking

Access to campus often starts with transportation. Although schools usually have buses and public transportation options planned, personal vehicles are often loosely managed, or not managed.

Schools tend to believe that issuing parking stickers to people, and then assigning them a parking lot/space, is enough. However, schools need to consider why people need to drive, and if it should be a right or a very limited privilege.

I have worked at one school that had no parking at all. It was in a city, and space was at a premium. If people needed to drive and park, they had to use public parking options. This meant that it was nearly impossible to have unscheduled visitors. Anyone coming to the school would make an appointment to ensure their paid parking was used efficiently.

As people evaluate campus safety, they need to consider that anyone looking to create a negative situation would need a staging area. There would need to be access close enough to the school to allow someone to prepare. Vehicles make excellent staging areas. The closer vehicles are to buildings and entrances, the greater the risk.

In addition, schools are full of children running around and not always paying attention. Vehicles allowed to move within spaces where children are walking can be very dangerous. Ideally, these types of vehicles should only be allowed if escorted or properly directed.

If I really wanted to make campus access secure, I would run shuttles from designated areas. In an ideal world, those areas would be owned by the school, but at least 5 minutes from the campus by shuttle.

A small parking area could be created for certain groups of people, but all visitors and guests would be scheduled and shuttled into the campus.

Students would never be allowed to drive to campus. They would need to park and shuttle; or park and bike/walk to school.

School’s should be friendly communities, but communities are often not in the public domain. Access management is important, and it does not have to be overly complicated or expensive.

Group privilege is a privilege. It can be earned. It can be lost. It must be managed.