How to secure a school network

Protecting a school’s network has never been more difficult. Not only is the number of security threats increasing – arriving via anything from unsecured Wi-Fi hotspots to teachers’ USB sticks – but schools have fewer resources with which to defend themselves.

With the recent closure of Becta and educational budgets being squeezed across the board, the challenge of properly securing school networks is immense.

Schools are more exposed to malware and spam because children tend to be much less guarded in their online usage

Without Becta providing guidelines and best practice advice, the fear is that some schools could let security policies and strategies slip. Securing any corporate network is challenging, but throw in hundreds of children who are not only free from the legal consequences of their actions but too young to comprehend properly the risks they may take, and things get really interesting. Pupils need protection from inappropriate material just as much as the school network needs protection against data leakage.

Schools are more exposed to malware and spam because children tend to be much less guarded in their online usage, yet they’re required to protect these vulnerable users from their own actions as well as the actions of others. A safe learning environment extends far beyond keeping the gate locked, after all.

So just what is the best way to secure a school network? We’ve been asking school network managers and security experts exactly that to help you make the right choices.

One size fits all?

It’s a myth that there’s no such thing as a one-size-fits-all school security strategy. Sure, a class of five-year-olds will be exposed to different risks to a class of teenagers, and different age groups need to be educated about security in different ways. Years 1 to 6 may well be more at risk from external threats, for example, while Year 7 onwards also need the inward-facing protection from their own curiosity and rebelliousness.

But an old-school approach (if you’ll excuse the pun) of a permissions system is actually flexible enough to cover all bases, allowing each group within that directory to have a separate and relevant security policy.

So now we’ve dealt with that common misperception, what about the specifics that every ICT network manager should consider as part of a school network protection plan?

Antivirus protection

Sajid Hussain is the education network manager at Trafford Council in Manchester, and he advises that if a school has a central server, its antivirus software should also be deployed centrally. “Many of the AV vendors offer the education sector software at low prices in comparison to the corporate sector,” said Hussain. “It’s also important to have AV on the end points and the gateway, as well as servers.”

Talking of which, don’t forget that within a school environment there’s a huge risk of someone, student or teacher, bringing something in from an unknown source and distributing it using internal email systems. As Ollie Hart, head of public sector security with Sophos, told us: “Hosted email scanners won’t secure internal mail being transferred so it’s important that you’re able to protect your network from both external and internal exposure.”

Client installations need not be budget-breakers, though, and most of the big vendors offer very attractive volume licences for the education sector. Just make sure that technical support is factored into the equation.

Automated patch management

There are a couple of rather important “do not forget” points to add. First, you’ll need a firewall, whether that comes courtesy of the local authority or something that you buy in as a gateway device for schools not under local authority control. The second is keeping your antivirus, firewall, operating system and applications up to date.

“School ICT should look at automating the patching process as much as possible,” said Larry Stein from Dell KACE. This “not only saves time, but means that the patch can be applied the same way across all machines”.