Network security versus flexibility in education

Schools have different network design needs to businesses, writes Melvyn Wray

By Melvyn Wray

15 Jan 2009

Melvyn Wray: School networks can be secure if well-designed

Educational institutions can be problematic for network designers. On top of all the usual requirements of modern network users such as high bandwidth, resiliency and scalability, students and staff may move between many locations every day.

Restricting physical access to network connection points is undesirable, so the network needs to be mobile.

For years, the focus of network security on campuses was on defending against external threats, such as hackers. Yet with the growth in mobile computing and the proliferation of Ethernet-capable devices, LAN-based attacks now outnumber external threats as the main security issue.

People come and go from university buildings, and it is impossible to monitor all of these people all of the time.

Staff need private access to certain network resources, perhaps in the form of certain server drives containing confidential or appraisal-related data.

Students pose a constant threat to network security as they have the ability, time and often the inclination to probe for every weakness in the network’s security set-up.

Classroom teachers or administrators connecting to the network need to access curriculum material and maintain records. Students need access to a subset of that same material.

One way to deal with this is to set up separate Virtual LANs (VLANs) for admin and curriculum needs.

A VLAN has the same attributes as a physical LAN, but allows for end stations to be grouped together even if they are not on the same network switch.

Network reconfiguration can be done through software instead of physically relocating devices.

A VLAN groups hosts with common requirements. They communicate as if attached to the same broadcast domain, regardless of their physical location.

The admin VLAN can be protected by a stateful inspection firewall to prevent students accessing private records, such as exam papers.

This access must be authenticated with user names and passwords so pupils cannot access the admin areas. You need an application that demarcates secure and public sections of the LAN, while providing some users with access to parts of the secure area.

In an ideal network configuration for a school, the switch can be connected to two VLANs, curriculum and admin, as well as to an authentication server.

The authentication server allows all ports to access either curriculum or admin VLAN, depending on the credentials of the user.

The switch also acts as a Dynamic Host Configuration Protocol (DHCP) server to assign IP addresses in the appropriate range for the admin and curriculum VLANs.

This makes it easier for teaching staff to connect to either segment.

We have implemented this network configuration to secure and maintain flexibility in a highly reproducible school network.

The solution comprises Layer 2 switches on the edge with Gigabit fibre uplinks back to a Layer 3 modular switch in the core.

But the real value for the network lies in the features on these switches. In particular, the 802.1x authentication process offers flexibility and security at the same time.

Using 802.1x authentication and dynamic VLAN assignment prevents unauthorised access to the network while allowing flexible, mobile and appropriate access to network resources, regardless of where users physically connect to the network.

This authentication means users cannot even send packets into the network until they have provided valid authentication credentials.

VLAN assignment puts authenticated users into an appropriate VLAN, based on these authentication credentials. Users experience the same network environment no matter where they connect.

Another key to this solution is hardware filtering, ensuring no leakage of traffic between certain IP subnets and achieving this with no degradation of data throughput.
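The behaviour described in the 802.1x, dynamic VLAN assignment, DHCP and hardware-filtering paragraphs above can be modelled end to end. The following is an added example written for this page, not code from the article or from Allied Telesis: a small Python model in which a port forwards nothing but EAPOL frames until the user authenticates, the authentication server's answer decides the VLAN (in the spirit of the RADIUS Tunnel-Private-Group-ID attribute), the switch leases an address from that VLAN's range, and an inter-VLAN filter stops curriculum traffic reaching the admin subnet. The subnets, user names, passwords and the "admin may reach curriculum, never the reverse" policy are all assumptions chosen for the example.

```python
"""Model of an 802.1x edge port with dynamic VLAN assignment.

Constructed, hypothetical example: not Allied Telesis code, not a real
RADIUS client and not a real DHCP server. It models the design the article
describes so the port states and the filter policy can be checked.
"""
import hashlib
import hmac
import ipaddress
import os
from typing import Dict, Optional, Tuple

EAPOL = 0x888E          # EtherType of 802.1x EAP-over-LAN frames
IPV4 = 0x0800           # EtherType of IPv4

# Assumed addressing: one subnet per VLAN, gateway at .1 (constructed values).
VLAN_SUBNETS = {
    "admin": ipaddress.ip_network("10.10.0.0/24"),
    "curriculum": ipaddress.ip_network("10.20.0.0/24"),
}

# --- Authentication server with a constructed user database ---------------
def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

USERS: Dict[str, Tuple[bytes, bytes, str]] = {}   # name -> (salt, digest, vlan)

def add_user(name: str, password: str, vlan: str) -> None:
    """Store a salted password hash and the VLAN this user belongs in."""
    if vlan not in VLAN_SUBNETS:
        raise ValueError(f"unknown VLAN {vlan!r}")
    salt = os.urandom(16)
    USERS[name] = (salt, _derive(password, salt), vlan)

def authenticate(name: str, password: str) -> Optional[str]:
    """Return the VLAN to assign on success (an Access-Accept carrying a VLAN
    attribute) or None on failure (an Access-Reject)."""
    record = USERS.get(name)
    if record is None:
        _derive(password, bytes(16))   # equalise timing for unknown user names
        return None
    salt, digest, vlan = record
    return vlan if hmac.compare_digest(_derive(password, salt), digest) else None

# --- Switch: per-VLAN DHCP ranges and the inter-VLAN filter ---------------
class Switch:
    def __init__(self) -> None:
        # next host index to lease per VLAN; .1 is reserved for the gateway
        self._next_host = {v: 2 for v in VLAN_SUBNETS}

    def lease(self, vlan: str) -> ipaddress.IPv4Address:
        """Hand out the next free address from the VLAN's own subnet."""
        net = VLAN_SUBNETS[vlan]
        idx = self._next_host[vlan]
        if idx >= net.num_addresses - 1:          # keep broadcast address free
            raise RuntimeError(f"DHCP pool for {vlan} exhausted")
        self._next_host[vlan] = idx + 1
        return net[idx]

    @staticmethod
    def vlan_of(ip: ipaddress.IPv4Address) -> Optional[str]:
        for name, net in VLAN_SUBNETS.items():
            if ip in net:
                return name
        return None

    @classmethod
    def permitted(cls, src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
        """Assumed filter policy: traffic stays inside its VLAN, except that
        admin may initiate towards curriculum. Curriculum never reaches admin."""
        s, d = cls.vlan_of(src), cls.vlan_of(dst)
        if s is None or d is None:
            return False
        return s == d or (s == "admin" and d == "curriculum")

class Port:
    """One 802.1x-controlled edge port; unauthenticated until logon succeeds."""
    def __init__(self, switch: Switch) -> None:
        self.switch = switch
        self.vlan: Optional[str] = None
        self.ip: Optional[ipaddress.IPv4Address] = None

    def logon(self, name: str, password: str) -> bool:
        vlan = authenticate(name, password)
        if vlan is None:
            return False                 # port stays closed
        self.vlan = vlan                 # dynamic VLAN assignment
        self.ip = self.switch.lease(vlan)  # address from that VLAN's range
        return True

    def logoff(self) -> None:
        self.vlan = self.ip = None

    def forwards(self, ethertype: int, dst: Optional[str] = None) -> bool:
        """Would the switch forward this frame arriving on the port?"""
        if self.vlan is None:
            return ethertype == EAPOL    # only the EAP exchange passes
        if ethertype != IPV4:
            return True                  # e.g. ARP inside the assigned VLAN
        if dst is None:
            return False
        return Switch.permitted(self.ip, ipaddress.ip_address(dst))

if __name__ == "__main__":
    add_user("teacher", "correct horse", "admin")        # constructed accounts
    add_user("pupil", "battery staple", "curriculum")
    sw = Switch()
    port = Port(sw)
    print("before logon, IPv4 forwarded:", port.forwards(IPV4, "10.10.0.1"))
    print("pupil logon:", port.logon("pupil", "battery staple"), port.vlan, port.ip)
    print("pupil -> admin subnet forwarded:", port.forwards(IPV4, "10.10.0.5"))
```

Before logon the port passes only the EAPOL frames that carry the EAP exchange, which is the "cannot even send packets" property in the text; once assigned to a VLAN the port's leases and filter decisions follow that VLAN, not the physical location.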

Schools and universities have become increasingly reliant on networks. Incorporating high bandwidth, resiliency and scalability, as well as security and flexibility, into the network is vital for functionality.

Securing a network within a school or university is quite different to securing a business network, as students typically move from computer to computer with devices such as USB drives.

But as long as the correct precautions are taken and the network is intelligently designed, it should remain secure from internal or external threats.

Melvyn Wray is senior vice president of marketing at Allied Telesis
