By: Tony DePrato | Follow me on Twitter @tdeprato
Recently I have been discussing multiple new security measures for academic networks. From these discussions with other schools, engineers, and suppliers, I have created a set of goals to help keep the development of network security on track and within budget.
Physical Access
Physical access can be managed without a great deal of expense. The goals to reach for are:
- We allow only the devices we have confirmed and labeled
- We can control the number of concurrent devices a user is using on the network
- We can identify by IP, Serial Number, or MAC Address (or a combination of the three) the owner of a device
- We can remove a user from network access, and restrict their devices, with minimal effort
- We have processes and procedures to register devices; users can switch devices through these processes
- Users can only circumvent the processes by giving their login IDs, passwords, and hardware to another person
These goals do not imply the direct management of equipment; nor do they capture user data. These goals ensure that devices on the network are approved, registered, and can be clearly identified.
Achieving these goals is the first step towards the concept that accessing the network is a privilege, not a right. Privileges can be revoked. If revocation is not possible, then the concept/policy cannot be enforced.
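The goals above amount to a registry that can answer three questions: is this device one we approved, who owns it, and what do we block when that person's access is revoked? The following is an added example (my own code, not from this article) of an audit that compares a snapshot of active DHCP leases against such a registry. The registry, the lease snapshot, the record fields (owner, mac, serial, label) and the two-device limit are all constructed assumptions about how a school might record its devices.

```python
"""Audit the devices seen on a school network against the device registry.

Added example, not from the original article. The registry and the lease
snapshot are constructed sample data; the record fields (owner, mac,
serial, label) and the two-device limit are assumptions about how a
school might record and limit registered devices.
"""
from collections import Counter

# Constructed registry: only devices the school has confirmed and labeled appear here.
REGISTRY = [
    {"owner": "student01", "mac": "AA:BB:CC:00:00:01", "serial": "SN-1001", "label": "LT-0001"},
    {"owner": "student01", "mac": "aa:bb:cc:00:00:02", "serial": "SN-1002", "label": "PH-0002"},
    {"owner": "student02", "mac": "aa:bb:cc:00:00:03", "serial": "SN-1003", "label": "LT-0003"},
    {"owner": "teacher01", "mac": "aa:bb:cc:00:00:04", "serial": "SN-1004", "label": "LT-0004"},
    {"owner": "teacher01", "mac": "aa:bb:cc:00:00:05", "serial": "SN-1005", "label": "LT-0005"},
    {"owner": "teacher01", "mac": "aa:bb:cc:00:00:06", "serial": "SN-1006", "label": "PH-0006"},
]

# Constructed snapshot of active leases, as a DHCP server or wireless controller would report them.
OBSERVED_LEASES = [
    {"ip": "10.10.1.11", "mac": "aa:bb:cc:00:00:01"},
    {"ip": "10.10.1.12", "mac": "aa:bb:cc:00:00:02"},
    {"ip": "10.10.1.13", "mac": "aa:bb:cc:00:00:03"},
    {"ip": "10.10.2.21", "mac": "aa:bb:cc:00:00:04"},
    {"ip": "10.10.2.22", "mac": "aa:bb:cc:00:00:05"},
    {"ip": "10.10.2.23", "mac": "aa:bb:cc:00:00:06"},
    {"ip": "10.10.1.99", "mac": "de:ad:be:ef:00:01"},  # never registered
]

MAX_CONCURRENT = 2  # assumed policy: at most two active devices per user


def normalize_mac(mac):
    """Controllers report MACs in mixed case and with '-' or ':'; compare one canonical form."""
    return mac.strip().lower().replace("-", ":")


def identify(registry, mac=None, serial=None):
    """Resolve a device to its registry record by MAC or serial number (goal: identify the owner)."""
    for rec in registry:
        if mac and normalize_mac(rec["mac"]) == normalize_mac(mac):
            return rec
        if serial and rec["serial"] == serial:
            return rec
    return None


def audit(registry, leases, max_concurrent=MAX_CONCURRENT):
    """Compare active leases with the registry.

    Returns unregistered devices (to be blocked), users over the concurrent-device
    limit, and an IP -> owner map so any address in a log resolves to a person.
    """
    by_mac = {normalize_mac(r["mac"]): r for r in registry}
    unregistered, owner_by_ip, active = [], {}, Counter()
    for lease in leases:
        rec = by_mac.get(normalize_mac(lease["mac"]))
        if rec is None:
            unregistered.append((lease["ip"], lease["mac"]))
            continue
        owner_by_ip[lease["ip"]] = rec["owner"]
        active[rec["owner"]] += 1
    over_limit = {u: n for u, n in active.items() if n > max_concurrent}
    return {"unregistered": unregistered, "over_limit": over_limit, "owner_by_ip": owner_by_ip}


def revocation_list(registry, owner):
    """All MACs to deny when a user's access is removed (goal: revoke with minimal effort)."""
    return sorted(normalize_mac(r["mac"]) for r in registry if r["owner"] == owner)


if __name__ == "__main__":
    result = audit(REGISTRY, OBSERVED_LEASES)
    print("unregistered:", result["unregistered"])
    print("over limit:", result["over_limit"])
    print("revoke for student01:", revocation_list(REGISTRY, "student01"))
```

Run against a real lease export, the unregistered list is the set of devices to quarantine and the revocation list is what gets pushed to the controller's deny list when a user leaves; neither step requires managing the device itself or collecting anything about what the user does online.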
Guest Access
Guest Access can be problematic for schools. However, if your school is in a country that requires you to perform due diligence for network/internet access, then the Guest Access should be provided in a limited fashion, and only when necessary. Please review the laws governing access; especially where children under 13 are present.
If you are not sure what the laws are in your country, start here.
Topology
Topology refers to the way in which constituent parts are interrelated or arranged.
These are the topology goals that should be met before additional security is added:
- Students, Teachers/Staff, and Parents/Guests are never on the same network or the same IP range (separate SSIDs are not enough; a unified IP range, and unrestricted access across the network, should be prohibited)
- Printers and other devices are not on the same IP range as the Wi-Fi; those who need printers and devices must be explicitly provided access to them
- Data sharing should happen in the cloud; or in a device that has been configured with user authentication
- LAN ports should not be using DHCP, if those ports are physically accessible by teachers, students, parents, or guests
- Equipment on the LAN should be managed; given an IP address; and be easily identifiable
- VLANs need to be created to meet most of the above requirements; VLANs should be planned out on paper and clearly mapped for decision makers to understand
- All Access Points need to be named and numbered to reflect their exact location on campus
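The topology goals are checkable on paper before any hardware is touched. The following is an added example (my own code, not from this article) that validates a VLAN and address plan against them: no overlapping ranges, no path between user populations, a required path from staff to printers, no DHCP on publicly reachable ports, an address for every attached device, and a location-encoding name for every access point. The plan, ACL, port inventory and access-point names are constructed sample data, some deliberately wrong so the checks have something to report; the finding codes and the AP naming scheme are my own assumptions.

```python
"""Check a VLAN and address plan against the topology goals above.

Added example, not from the original article. The segments, ACL, switch
ports and access-point names are constructed sample data (some deliberately
wrong so the checks have something to report); the finding codes and the
AP naming scheme are my own assumptions.
"""
import ipaddress
import re

# Constructed plan: one VLAN and one IP range per population.
SEGMENTS = {
    "students": {"vlan": 10, "cidr": "10.10.10.0/23"},
    "staff":    {"vlan": 20, "cidr": "10.10.20.0/24"},
    "guests":   {"vlan": 30, "cidr": "10.10.11.0/24"},  # deliberately inside the students range
    "printers": {"vlan": 40, "cidr": "10.10.40.0/24"},
}
USER_SEGMENTS = ("students", "staff", "guests")

# Constructed inter-VLAN ACL as (source, destination) pairs that are permitted.
ACL = {("staff", "printers"), ("students", "staff")}          # second pair is deliberately wrong
REQUIRED_ACCESS = {("staff", "printers"), ("students", "printers")}

# Constructed switch port inventory. 'public' = physically reachable by students, parents or guests.
PORTS = [
    {"port": "Gi1/0/1", "public": True,  "dhcp": False, "device": "projector-A101", "ip": "10.10.10.5"},
    {"port": "Gi1/0/2", "public": True,  "dhcp": True,  "device": None,             "ip": None},  # deliberately wrong
    {"port": "Gi1/0/3", "public": False, "dhcp": True,  "device": "server-uplink",  "ip": "10.10.20.2"},
    {"port": "Gi1/0/4", "public": False, "dhcp": False, "device": "lab-switch",     "ip": None},  # deliberately wrong
]

# Constructed access points; assumed naming scheme AP-<building>-<floor>-<nn>.
ACCESS_POINTS = ["AP-MAIN-2-01", "AP-MAIN-2-02", "AP-GYM-1-01", "ap_temp"]
AP_NAME = re.compile(r"^AP-[A-Z0-9]+-\d+-\d{2}$")


def check_segments(segments):
    """Every segment must have its own VLAN and a non-overlapping IP range."""
    findings = []
    nets = {name: ipaddress.ip_network(s["cidr"]) for name, s in segments.items()}
    names = list(segments)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"overlap:{a}:{b}")
            if segments[a]["vlan"] == segments[b]["vlan"]:
                findings.append(f"shared-vlan:{a}:{b}")
    return findings


def check_paths(acl, user_segments=USER_SEGMENTS, required=REQUIRED_ACCESS):
    """User populations never reach each other; required access to printers must exist."""
    findings = []
    for i, a in enumerate(user_segments):
        for b in user_segments[i + 1:]:
            if (a, b) in acl or (b, a) in acl:
                findings.append(f"forbidden-path:{a}:{b}")
    for src, dst in sorted(required):
        if (src, dst) not in acl:
            findings.append(f"missing-path:{src}:{dst}")
    return findings


def check_ports(ports):
    """No DHCP on publicly reachable ports; every attached device has a known address."""
    findings = []
    for p in ports:
        if p["public"] and p["dhcp"]:
            findings.append(f"dhcp-on-public-port:{p['port']}")
        if p["device"] and not p["ip"]:
            findings.append(f"unmanaged-device:{p['port']}")
    return findings


def check_access_points(names):
    """AP names must encode their exact location."""
    return [f"ap-name:{n}" for n in names if not AP_NAME.match(n)]


def audit_topology():
    """Run all checks over the constructed plan and return the combined findings."""
    return (check_segments(SEGMENTS) + check_paths(ACL)
            + check_ports(PORTS) + check_access_points(ACCESS_POINTS))


if __name__ == "__main__":
    for finding in audit_topology():
        print(finding)
```

The output is a short list of findings that a non-technical decision maker can read next to the VLAN map, which is the point of planning the topology on paper first.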
Web Filtering
Web filtering is often sold to schools as a turnkey holistic solution to manage content that students access. The truth is that web filtering will only, and always, be partially effective with students. Web filtering is highly effective in meeting the following goals:
- Controlling what teachers and staff access
- Controlling what guests access
- Controlling what school owned devices access (devices that stay at school all the time)
- Preventing accidental content being shown/broadcast on school owned devices
- Meeting most due diligence standards concerning laws that govern content access and control
- Showing an overall data set to help guide decisions based on what people are doing and trying to do online
Web filtering has two main issues. First, HTTPS content can be blocked but not read.
This means that when students go to HTTPS websites, the school will not know what they are doing or interacting with on those sites. Since 2018, HTTPS has been used more often by web users than the original, non-secure HTTP. A few years ago, a person could type http://facebook.com . Today, everyone is forced to https://facebook.com .
Many schools want to use web filters to study student access data. They will fail to achieve that goal, regardless of the fact that the filter claims it can read the data. The filter can read some data, but not all; and currently not most.
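To make "blocked but not read" concrete: in a normal TLS connection the hostname travels unencrypted in the ClientHello (the Server Name Indication extension), so a filter can block the connection to that host, but everything after the handshake (the URL path, the page, what the student typed) is ciphertext. The following is an added example (my own code, not from this article) that constructs a minimal ClientHello and an encrypted application-data record, then parses them the way an inline filter would. The hostname "example.com" and the record sizes are constructed sample values.

```python
"""What an inline web filter can and cannot see in an HTTPS connection.

Added example, not from the original article. It builds a minimal TLS 1.2
ClientHello carrying a Server Name Indication (SNI) extension plus a dummy
encrypted application-data record, then parses both the way a filter would.
Hostname and byte counts are constructed sample values.
"""
import os
import struct


def build_client_hello(hostname):
    """Construct a minimal TLS 1.2 ClientHello record with one SNI entry."""
    name = hostname.encode("ascii")
    # server_name extension body: list length, name_type 0 (host_name), name length, name
    sni_entry = struct.pack("!BH", 0, len(name)) + name
    sni_ext = (struct.pack("!HH", 0x0000, len(sni_entry) + 2)
               + struct.pack("!H", len(sni_entry)) + sni_entry)
    body = (
        b"\x03\x03"                          # client_version TLS 1.2
        + os.urandom(32)                     # random
        + b"\x00"                            # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"  # one cipher suite (constructed choice)
        + b"\x01\x00"                        # compression methods: null only
        + struct.pack("!H", len(sni_ext)) + sni_ext
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # type 1 = ClientHello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def build_application_data(ciphertext_len):
    """Construct a TLS application-data record whose payload is opaque (random bytes)."""
    return b"\x17\x03\x03" + struct.pack("!H", ciphertext_len) + os.urandom(ciphertext_len)


def extract_sni(record):
    """Return the SNI hostname from a single-record ClientHello, or None if absent."""
    if len(record) < 5 or record[0] != 0x16:        # 0x16 = handshake record
        return None
    hs = record[5:]
    if not hs or hs[0] != 0x01:                      # not a ClientHello
        return None
    p = 4 + 2 + 32                                   # handshake header, version, random
    sid_len = hs[p]; p += 1 + sid_len
    cs_len = struct.unpack("!H", hs[p:p + 2])[0]; p += 2 + cs_len
    cm_len = hs[p]; p += 1 + cm_len
    if p + 2 > len(hs):
        return None                                  # no extensions block at all
    ext_total = struct.unpack("!H", hs[p:p + 2])[0]; p += 2
    end = p + ext_total
    while p + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hs[p:p + 4]); p += 4
        if ext_type == 0x0000:                       # server_name
            # skip list length (2) and name_type (1); read name length (2)
            name_len = struct.unpack("!H", hs[p + 3:p + 5])[0]
            return hs[p + 5:p + 5 + name_len].decode("ascii")
        p += ext_len
    return None


def filter_view(records):
    """Summarise each record as a filter sees it: a hostname for the ClientHello,
    only a byte count for encrypted data (the contents are unreadable)."""
    view = []
    for rec in records:
        if rec[0] == 0x16:
            view.append(("clienthello", extract_sni(rec)))
        elif rec[0] == 0x17:
            view.append(("encrypted", len(rec) - 5))
        else:
            view.append(("other", None))
    return view


def policy_decision(hostname, blocklist):
    """The filter can act on the hostname it saw; it has no URL path or page content to act on."""
    return "block" if hostname in blocklist else "allow"


if __name__ == "__main__":
    session = [build_client_hello("example.com"), build_application_data(1200)]
    for kind, detail in filter_view(session):
        print(kind, detail)
    print(policy_decision("example.com", {"example.com"}))
```

Two caveats for anyone using this to reason about a real filter: a ClientHello can be split across several records, which this parser does not reassemble, and Encrypted ClientHello (ECH), where a site and browser both support it, hides even the hostname, leaving the filter with nothing but the destination IP address.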
Second, students can install and run VPN services fairly easily. When they do this, most filters are circumvented. Keep in mind that good VPN services are not free. Having those difficult conversations with parents at the beginning of the year, and as frequently as possible, is often more valuable than snazzy new technology solutions. If parents enable the behavior, it is very difficult for school policies to be successful.
In summary, Physical Access, Guest Access, and Topology goals are usually achievable with current network hardware and software solutions employed by schools with a population of 500 users or more. Achieve these goals first, before investing in web filters or other solutions.
Remember, giving students freedom to work and create will create security loopholes. Depending solely on technology solutions in an environment where educational opportunities abound is a bad strategy to pursue. There is no substitute for engaging students in dialogue when they are acting inappropriately.