How far should network security specialists go to lock down a school network? The answer: ten times further than you think—and then some. That is the general consensus out on the front lines: any student who can punch a keyboard should be considered a professionally trained black hat. Kids are creative, and word travels fast.
There are plenty of security hazards that network technicians face in a school setting. Many involve users accessing sites where they might encounter malware, or engaging in activities illegal for student-age children, or wasting bandwidth (and class time) streaming unauthorized videos or visiting social media sites.
Half the battle is identifying and blocking culprit Web sites. The other half is keeping them blocked. Many school techs will attest to the deftness of a teenage (or younger) user looking for a way around a firewall.
With the move toward 1:1 learning and wireless networking in schools, school networks are experiencing a growth spurt. Thankfully the tools for monitoring large, multi-device networks are evolving quickly as well.
UTMs Streamline Network Security Operations
In terms of hardware, the conversation about securing a modern K-12 network usually begins with the unified threat management (UTM) system. Modern UTM appliances roll several network devices into one machine, functioning as a firewall, access point, Web filter, and wireless controller. A UTM is especially handy in a school setting, because it allows IT staff to manage and configure an entire network of machines from one central location—even if that network spans multiple buildings or an entire school district.
A UTM can be configured to interface with several different virtual local area networks (VLANs). This is extremely handy in a school setting where students, faculty, and network administrators must each have different levels of access to the Internet, school servers, and application management abilities.
Several vendors supply UTM appliances—Check Point, Cisco, Fortinet, Juniper Networks, Dell SonicWALL, Sophos, and WatchGuard are the key players—and each vendor offers models with tiered capabilities and price points. Most new models accommodate wireless networking, which is of growing importance in the classroom setting. There are other things to consider as well.
Throughput levels are a key metric, as schools have begun to bump network bandwidth up to 500 Mbps. This may require a mid- to top-line model UTM appliance. Content/URL filtering is an essential feature in a school environment, and each vendor has its own filtering mechanism built into its models.
Another item to keep in mind is that a UTM’s security suite generally requires annual licensing, and other software features like anti-virus or blacklist updates may require additional renewals.
Common Sense Tips for Securing a School Network
Once the proper hardware is in place, it is up to network technicians to apply their smarts to it. While many of these suggestions might sound like common sense, it may come as a surprise how often such items are overlooked.
Separate out your networks. Give tiered access to students, faculty, and admin. This can be done by setting up separate VLANs for each group.
Change all default passwords to something more complex. Defaults are a Google search away. Kids will find and exploit them.
Install a password for the basic input/output system (BIOS) in computers that are not thin-client machines. Require the BIOS password for making any changes to a computer or its applications.
Keep physical and wireless networks separate. The BYOD trend is growing more popular in classroom settings, which increases the risk that a user may introduce a malware-infected device to the network. This will protect the other school computers in that event.
Use different passwords for BIOS, Wi-Fi® and physical networks. This is an obvious security measure that is too often overlooked.
Prevent simultaneous or concurrent sessions. Software tools help limit concurrent user logins, enforce login quotas, and capture and track login data in Active Directory. UserLock is a robust, though more expensive, enterprise solution that is popular among school network techs. There’s a free Microsoft-certified application called LimitLogin that offers a more barebones approach to this task.
Be ready to re-image. Plan to restore computers from scratch at the first sign that a corruption is detected. Clone a hard drive with all the defaults and applications school machines should have installed. Restore as needed from a backup disc or hard drive, or re-image multiple machines using networking software like Symantec Ghost or Microsoft Remote Installation Services (RIS).
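The "separate out your networks" tip above, made concrete as an added example (not from the original article or any UTM vendor): a script that emits an nftables forwarding policy for a gateway sitting between three hypothetical VLANs, student (vlan10), faculty (vlan20) and admin (vlan30), plus a server subnet. The interface names, subnets and allowed ports are assumptions; the point is the default-deny posture with per-tier exceptions.

```shell
#!/bin/sh
# Added example: generate an nftables ruleset for tiered school VLAN access.
# Assumed (hypothetical) layout:
#   vlan10 = students  10.10.0.0/16
#   vlan20 = faculty   10.20.0.0/16
#   vlan30 = admin     10.30.0.0/16
#   10.99.0.0/24       = server subnet (file/print/LMS servers)
#   wan0               = Internet uplink (Web filtering happens on the UTM itself)
# DNS/DHCP are assumed to be served by the gateway, so they live in the input
# chain and are not shown here.
school_ruleset() {
    cat <<'EOF'
table inet school {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    # Students: Internet only, plus HTTP/HTTPS on the server subnet
    iifname "vlan10" oifname "wan0" accept
    iifname "vlan10" ip daddr 10.99.0.0/24 tcp dport { 80, 443 } accept
    # Faculty: Internet, web services and SMB file shares on the server subnet
    iifname "vlan20" oifname "wan0" accept
    iifname "vlan20" ip daddr 10.99.0.0/24 tcp dport { 80, 443, 445 } accept
    # Admin: may reach servers, the Internet and both user VLANs for support
    iifname "vlan30" accept
    # Anything not listed (e.g. student -> faculty, faculty -> admin) is logged and dropped
    log prefix "school-vlan-drop: " drop
  }
}
EOF
}

# Does the ruleset grant a given source VLAN an explicit path to a given destination?
# Returns 0 if a rule exists, 1 otherwise (the implicit answer is then "drop").
vlan_path_allowed() {
    school_ruleset | grep -v '^ *#' | grep "iifname \"$1\"" | grep -q "$2"
}

# Apply with: school_ruleset | nft -f -   (requires root and nftables on the gateway)
```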
Network security comes as the result of the right gear for the job, and the right mindset for implementing a network that is at once flexible and secure. Unified threat management appliances grant network technicians a good deal of convenience in achieving the necessary level of monitoring for a secure school network, along with the tools needed to provide tiered access across an ever-growing, ever-changing networking landscape.