How to secure a school network

Protecting a school’s network has never been more difficult. Not only is the number of security threats increasing – arriving via anything from unsecured Wi-Fi hotspots to teachers’ USB sticks – but schools have fewer resources with which to defend themselves.

With the recent closure of Becta and educational budgets being squeezed across the board, the challenge of properly securing school networks is immense.

Without Becta providing guidelines and best practice advice, the fear is that some schools could let security policies and strategies slip. Securing any corporate network is challenging, but throw in hundreds of children who are not only free from the legal consequences of their actions but too young to comprehend properly the risks they may take, and things get really interesting. Pupils need protection from inappropriate material just as much as the school network needs protection against data leakage.

Schools are more exposed to malware and spam because children tend to be much less guarded in their online usage, yet they’re required to protect these vulnerable users from their own actions as well as the actions of others. A safe learning environment extends far beyond keeping the gate locked, after all.

So just what is the best way to secure a school network? We’ve been asking school network managers and security experts exactly that to help you make the right choices.

One size fits all?

It’s a myth that there’s no such thing as a one-size-fits-all school security strategy. Sure, a class of five-year-olds will be exposed to different risks to a class of teenagers, and different age groups need to be educated about security in different ways. Years 1 to 6 may well be more at risk from external threats, for example, while Year 7 onwards also need the inward-facing protection from their own curiosity and rebelliousness.

But an old-school approach (if you’ll excuse the pun) of a permissions system is actually flexible enough to cover all bases, allowing each group within that directory to have a separate and relevant security policy.

So now we’ve dealt with that common misperception, what about the specifics that every ICT network manager should consider as part of a school network protection plan?

Antivirus protection

Sajid Hussain is the education network manager at Trafford Council in Manchester, and he advises that if a school has a central server, its antivirus software should also be deployed centrally. “Many of the AV vendors offer the education sector software at low prices in comparison to the corporate sector,” said Hussain. “It’s also important to have AV on the end points and the gateway, as well as servers.”

Talking of which, don’t forget that within a school environment there’s a huge risk of someone, student or teacher, bringing something in from an unknown source and distributing it using internal email systems. As Ollie Hart, head of public sector security with Sophos, told us: “Hosted email scanners won’t secure internal mail being transferred so it’s important that you’re able to protect your network from both external and internal exposure.”

Client installations need not be budget-breakers, though, and most of the big vendors offer very attractive volume licences for the education sector. Just make sure that technical support is factored into the equation.

Automated patch management

There are a couple of rather important “do not forget” points to add. First, you’ll need a firewall, whether that comes courtesy of the local authority or something that you buy in as a gateway device for schools not under local authority control. The second is keeping your antivirus, firewall, operating system and applications up to date.

“School ICT should look at automating the patching process as much as possible,” said Larry Stein from Dell KACE. This “not only saves time, but means that the patch can be applied the same way across all machines”.

It doesn’t have to be a complex or expensive solution, and your network access controls can be configured to check patch levels for pretty much every asset before it accesses the network. “If you couple this to a system that controls the ability to run software such as an application control system, this reduces the possibility of a user loading an old version of Firefox, for example, which you may not be monitoring from a patch perspective,” said Hart.

Strictly controlling what applications can be installed, including such things as third-party plugins, will prevent a huge security headache in the long term, even if it might add to the ICT staff workload in the short term. The same approach should apply to the use of devices such as USB sticks, external drives, iPods, tablets and phones.
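
The patch-level and application-control check described above, sketched as an added example rather than code from any vendor quoted here. The software names, the version baseline and the `check_posture` function are constructed for illustration.

```python
# Added example: posture check a network access control system could run
# before admitting a device. All names and versions below are constructed.
REQUIRED = {"os", "antivirus"}          # must be present on every device
BASELINE = {                            # minimum patched version per approved item
    "os": (10, 0, 19045),
    "antivirus": (5, 2, 0),
    "firefox": (115, 0, 0),
}

def parse_version(text, width=3):
    """'115.0' -> (115, 0, 0). Numeric and padded, so '9.0' sorts below '115.0'."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (width - len(parts)))

def check_posture(inventory, baseline=BASELINE, required=REQUIRED):
    """inventory maps software name -> version string reported by the device.
    Returns (admit, reasons); any reason at all means the device is held back."""
    reasons = [f"{name}: not installed" for name in sorted(required - set(inventory))]
    for name, version in sorted(inventory.items()):
        minimum = baseline.get(name)
        if minimum is None:
            # Application control: software outside the baseline is not patch-monitored.
            reasons.append(f"{name}: not an approved application")
            continue
        try:
            installed = parse_version(version)
        except ValueError:
            reasons.append(f"{name}: unreadable version {version!r}")
            continue
        if installed < minimum:
            wanted = ".".join(map(str, minimum))
            reasons.append(f"{name}: {version} is older than {wanted}")
    return (not reasons, reasons)
```

Comparing versions as padded integer tuples matters: a plain string comparison would rank "9.0" above "115.0" and let an old browser through.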

Locking down wireless networks

Some schools still operate totally open and unsecured Wi-Fi networks, arguing that ease of use trumps security in this case. But does that argument actually hold water? Andrew Mulholland, marketing manager at wireless router vendor D-Link, warns that the assumed ease of use of an unsecured network is mostly an illusion, and certainly doesn’t counteract the huge risks of allowing anybody access to school data.

“Schools should take a Unified Threat Management approach to securing their wireless networks,” said Mulholland. “Data on the network should be encrypted so that prying eyes don’t have access. Access control and network-monitoring tools must be used to make sure that the network is not being exploited: for example, by unwanted users ‘piggybacking’ on the school’s wireless network or setting up rogue access points in order to gain entry.”

The encryption and password-protection points are worth reinforcing because they’re good advice for any business, not least one with children and sensitive data residing on the network. “The real world is encrypted and password-protected,” said Eddy Willems of security vendor G-Data. “The sooner pupils learn how to remember a password, keep it secret and how to make a password secure, the sooner they will be prepared for later life.”

Roger Hockaday of Aruba Networks, however, suggests that appearances can be deceptive and that apparently open and unsecured guest networks can be secured behind the scenes. “By choosing a solution with a role-based, stateful firewall built into their Wireless LAN, combined with cloud-based URL and content filtering, they [schools] are able to guarantee security through the separation of every user’s traffic. They can block access to undesirable content, without having to place any additional networking or security equipment on their site, and without having to administer guest access.”

Sajid Hussain, on the other hand, argues that more often than not an unsecured wireless network is just that: unsecured. “The use of standalone wireless routers or access points should also be avoided if possible, as the administration of multiple access points can become difficult,” Hussain said.

“An ideal solution would be the use of a managed wireless network infrastructure involving a wireless controller and access points. The management of the infrastructure is central and saves a huge amount of time and effort.”

Content filtering

A recent Ofsted report claimed that many secondary schools are filtering too aggressively and therefore driving students to use proxy servers to carry out required research. Many security experts claim that basic keyword filtering is used too often in school and is totally ineffective. So how can the right balance between protection and freedom to research be achieved within a school environment?

Eamonn Doyle is CEO at content filtering specialist Bloxx, and warns that simple keyword scoring and URL listing isn’t effective in a school environment any more. He, perhaps unsurprisingly, advises that schools need to look to a filtering solution that dynamically analyses and categorises every web page upon request.

This would seem to be the only way of efficiently dealing with the problem of savvy students setting up anonymous proxy filter avoidance sites, which legacy filtering techniques can take weeks to identify and block.

Whatever filtering solution is installed, application remains the key. It’s up to the ICT staff to be aware that simply turning everything on isn’t an appropriate configuration option to take. “Filtering should be controlled and different access levels given,” said Ollie Hart. “Schools should consider having different access rights for different ages, even for different courses and classes.”

That way, if a student has a legitimate requirement to view a page in a site that would normally be classed as inappropriate, the ICT staff can set a one-off exemption. “The main thing is to make sure that children get a good education in a safe environment, not that they are restricted to such an extent that their education is compromised,” said Hart.
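
One way to express per-group access levels with one-off exemptions, as an added example that is not taken from any product mentioned in this article. The group names, categories and the `decide` function are assumptions, and the page category is assumed to come from whatever categoriser the filter uses.

```python
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import urlsplit

# Constructed policy: categories blocked for each directory group.
GROUP_BLOCKS = {
    "years-1-6": {"adult", "gambling", "proxy", "social", "violence"},
    "years-7-11": {"adult", "gambling", "proxy"},
    "sixth-form-history": {"adult", "gambling", "proxy"},
    "staff": {"adult", "proxy"},
}

@dataclass(frozen=True)
class Exemption:
    """A one-off exemption: one user, one page, limited in time."""
    user: str
    host: str
    path: str
    expires: datetime

def decide(user, group, url, category, exemptions, now):
    """Return (action, reason) for a request already categorised by the filter."""
    blocked = GROUP_BLOCKS.get(group)
    if blocked is None:
        return ("block", "unknown group")          # fail closed
    if category not in blocked:
        return ("allow", "category permitted for group")
    parts = urlsplit(url)
    for ex in exemptions:
        # Match the exact page, not the whole site, and honour the expiry.
        if (ex.user == user and ex.host == parts.hostname
                and ex.path == parts.path and now < ex.expires):
            return ("allow", "one-off exemption")
    return ("block", f"{category} blocked for {group}")
```

The exemption is tied to a single user, a single page and an expiry time, so it cannot quietly turn into a standing hole in the policy.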

A business approach

Although perhaps more associated with the business world, a formal security policy is just as vital within the education sector. Ian Trevena has set out very clear lines on school IT security policy at Hampton School, Middlesex, believing it is a duty of care that has to be treated very seriously indeed. “Our policy is a written document and informs our Acceptable Use Policy (AUP) which has to be signed by both staff and students,” Trevena explained. “It is also displayed on the screen at every logon.”

It can sound a little Draconian to get kids to sign an AUP, and some experts argue that because minors can’t legally be held responsible for breaching the rules it’s pointless. But an AUP is a good opportunity to educate students about IT security in general. By giving safe computing advice within this document, as well as informing students about the controls the school has in place to prevent abuse, it’s possible to educate them rather than just provide yet another long list of stuff they mustn’t do.

An AUP should also include a list of what is and is not considered an acceptable use of school network resources, otherwise it’s pointless. As Nick Cavalancia, vice-president of Windows management with ScriptLogic, points out, “children will rise to the expectation set before them if it is explained to them in language they understand, if it is reasonable and if it is enforced”.

How can you expect students, and staff for that matter, to meet your expectations of IT security if you don’t tell them what they are?
