As schools increasingly weave computers and the internet into their daily curricula, they become vulnerable to a host of security risks. Any connection from a district’s computer network can also function as an entry point for hackers, some of whom would love to sneak into the network and create chaos by wiping out important records. Also, as students learn more about how systems work, they are in a position to change or destroy data from within.

Consequently, school information technology (IT) administrators must put checks in place to make sure their systems are used properly. A wide and growing range of security products are available to help you ensure that outsiders can’t access—and insiders can’t destroy—important information.

Putting these checks in place requires time, money, and manpower—items that are in short supply in many school districts—so network administrators must perform a complex balancing act between the need for adequate security and the desire to stay within budget.

Any discussion of security should start with the premise that no system is ever totally fortified. Installing security products merely raises the bar and makes it more difficult for hackers to access information. Districts with few security products installed are more vulnerable than those that have made significant investments. Firewalls, filtering systems, virus protection software, and system lockdown packages all can help ensure that computers and networks are used properly.

Firewalls

The widespread use of networking and the internet has made computer security a crucial issue. Previously, schools were able to rely on the security features in desktop and server operating systems because outsiders had few access points into their networks. But that’s no longer the case. Every time a school opens up a new remote connection (through internet access, teleconferencing, etc.), it becomes a potential entry point for hackers.

Firewalls are usually a first line of defense against such break-ins, as they establish a defensive perimeter around a network. The devices sit on network entry and exit points, monitor traffic, and make sure that only authorized users come and go.

Firewalls come in two basic architectures: application proxy or stateful packet inspection. Application proxy systems terminate a client’s request at the firewall and then set up a second connection on the client’s behalf. Stateful packet inspection firewalls dynamically open up access to authorized traffic, keep track of each connection, and shut down access when transmissions are completed.
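The stateful packet inspection behavior described above, as an added example that is not part of the original article: a toy Python connection table that opens access on an approved outbound request, tracks the connection, and closes access when the exchange ends. The address range, port policy, and packet trace are constructed for illustration; real firewalls also track sequence numbers and idle timeouts.

```python
import ipaddress
from collections import namedtuple

# Constructed values for illustration only (assumptions, not from the article).
INSIDE = ipaddress.ip_network("10.20.0.0/16")   # assumed school LAN range
ALLOWED_OUT_PORTS = {80, 443}                   # assumed outbound policy

# flags is a set of TCP flag names, e.g. {"SYN", "ACK"}
Packet = namedtuple("Packet", "src sport dst dport flags")


class StatefulFilter:
    """Allows traffic only for TCP connections opened from the inside."""

    def __init__(self):
        # (inside_ip, inside_port, outside_ip, outside_port) -> sides that sent FIN
        self.table = {}

    def check(self, p):
        outbound = ipaddress.ip_address(p.src) in INSIDE
        key = ((p.src, p.sport, p.dst, p.dport) if outbound
               else (p.dst, p.dport, p.src, p.sport))
        fins = self.table.get(key)
        if fins is None:
            # No state yet: only a policy-approved outbound SYN opens access.
            if outbound and p.flags == {"SYN"} and p.dport in ALLOWED_OUT_PORTS:
                self.table[key] = set()
                return "ALLOW"
            return "DROP"
        if "RST" in p.flags or len(fins) == 2:
            # A reset, or the final ACK after both FINs, shuts access down.
            del self.table[key]
        elif "FIN" in p.flags:
            fins.add("inside" if outbound else "outside")
        return "ALLOW"


def pkt(a, b, *flags):
    return Packet(a[0], a[1], b[0], b[1], set(flags))


def replay(packets):
    """Run packets through a fresh filter; return the verdicts and the filter."""
    fw = StatefulFilter()
    return [fw.check(p) for p in packets], fw


C, S = ("10.20.3.7", 40000), ("203.0.113.10", 80)   # constructed endpoints
TRACE = [
    pkt(S, C, "SYN"),                      # unsolicited inbound, no state
    pkt(C, S, "SYN"),                      # outbound open creates the entry
    pkt(S, C, "SYN", "ACK"),               # reply matches the entry
    pkt(C, S, "ACK"),
    pkt(C, S, "FIN", "ACK"),
    pkt(S, C, "FIN", "ACK"),
    pkt(C, S, "ACK"),                      # final ACK, entry removed
    pkt(S, C, "ACK"),                      # late inbound after close
    pkt(C, ("203.0.113.10", 23), "SYN"),   # port outside the policy
]
```

Calling `replay(TRACE)` returns one verdict per packet: the unsolicited inbound packet, the late packet after the close, and the request to a port outside the policy are dropped, and the table is empty once the connection has ended.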

Common wisdom once said that application proxies were more secure and stateful packet filters were better performers. Increasingly, suppliers are delivering products that combine the two features, so those distinctions are blurring.

Like other organizations, many school districts have installed firewalls. “A few years ago, only 20 percent of organizations with internet access had put in a firewall,” said Ray Suarez, product manager at Axent Technologies Inc. of Rockville, Md. “Now, it’s up to 80 percent.”

When the Templeton Unified School District in Templeton, Calif., deployed a wide area network (WAN) and started to dabble with internet connections in the mid-1990s, it decided to purchase a firewall. “We felt that we needed a tool to keep outsiders out of our systems,” said Scott Knuckles, the district’s coordinator of educational technology.

The school district, which has 2,500 students who work with 500 computers (a fairly even split between Apple Macintoshes and PCs), examined a number of products and selected Axent’s Raptor firewall because it seemed like the simplest device to install. Since purchasing the product, the district, which operates 150 classrooms in seven sites, has not had any successful attacks from outsiders.

Internet access also raises issues about where students go as they travel out of the classroom. Many firewalls now include filtering capabilities that prevent pupils from accessing inappropriate sites, such as hate sites and pornographic web pages. In 1997, the Templeton Unified School District added a filtering capability to its firewall, which blocks students from 60,000 sites.

Site filtering was one of the items the Olympia Public School District in Olympia, Wash., considered when it looked for a firewall in early 1997. The district, which has 9,000 students at 19 sites and 2,000 Macintoshes that work with PC servers running Microsoft’s Windows NT operating system, selected a product from Secure Computing Corp. of San Jose, Calif.

“We used to have to spend a lot of time monitoring where the students were going; now the firewall takes care of most of that for us,” said Ron Morsett, technology coordinator for the district.

While firewalls secure the outside of a network, they are of no use once an outsider has gained entry. They can’t protect against problems stemming from unauthorized use of dial-up lines or see attacks launched from inside the perimeter they’re set up to protect.

Virus protection

Rather than overtly destroy data, intruders can take a more subtle approach and introduce computer viruses, program code that replicates itself on execution and may create undesirable effects. Virtually every virus tries to do the same thing: spread to other programs and data files. When a user boots up from an infected disk, opens an infected file, or runs an infected program, a virus’s code is copied into a PC’s memory. From there, the code attempts to attach itself to other files.

With the growth of networking, viruses have plenty of places to go. A computer can be infected when a user accesses the internet, swaps software with friends, exchanges files via eMail, or is connected to a network. Since almost every user now fits into one of these categories, the International Computer Security Association (ICSA) of Carlisle, Pa., found that the number of attacks is rising: from 62.5 per 1,000 machines in 1997 to 86.5 per 1,000 machines in 1998, a 48 percent increase.

Viruses have become more sophisticated as well. Macro viruses lodge themselves within documents or macro templates used by applications; Microsoft Word is a popular target, with more than 1,000 viruses designed for it. The Melissa virus, which garnered a lot of headlines in March, represents this type of virus.

What makes this new breed of viruses particularly dangerous is its ability to examine a user’s electronic mail address book, take addresses, and then generate and send electronic mail messages with the virus to those persons. Within hours, the Melissa virus had infected thousands of machines.

To combat the problem, school network administrators can install anti-virus software, which detects and removes unwelcome code. Traditionally, the software has been placed on client systems, but server-based products are gaining popularity because they can ease administrative chores.

That was the reason the LaPorte School District in LaPorte, Texas, which supports about 7,000 students and administrators in 15 elementary schools, two junior high schools, and one high school, decided to take a look at its virus protection software at the end of last year. The district was making a big push to improve its computer infrastructure, increasing the number of PCs to 5,000—almost one for every student—and installing higher speed network connections.

With more information expected to flow over the network, the IT department anticipated an increase in problems such as viruses. The district had relied on virus protection software from Network Associates Inc. of Santa Clara, Calif. “The software worked well, but it was difficult for us to administer since it had a client-side focus,” explained Tony Sodaro, a network support specialist at the school district.

The district talked with a handful of suppliers and selected products from Sophos Inc. of Woburn, Mass. “While a number of vendors had products that ran on various operating systems, they functioned in different manners that would have increased our training requirements,” noted Sodaro. “The Sophos package operated in a consistent manner no matter what system it ran on.”

The district installed the Sophos software on Windows NT last spring and planned to port it to the other platforms during the year.

The Merced County Office of Education in California also wanted easy administrative chores with its virus protection system. The office provides IT services to 20 school districts with 85 campuses and 40,000 students and helps with items such as cleaning up files when they’re infected with viruses.

With more and more students downloading information and bringing diskettes in from home, the number of times the group was dealing with viruses was increasing. “We were getting two to three calls a month to rebuild systems that had been attacked by viruses,” said Scott Sexsmith, manager for information systems at Merced County. “A rebuild is a labor-intensive task that could take two to three hours.”

So in early 1998, the county issued a request for proposals to half a dozen virus protection suppliers. “We went with Network Associates because of the breadth of its product line,” said Sexsmith. “It could protect our servers, PCs, Macintoshes, electronic mail system, and web servers.”

Another plus was that the software could be downloaded to user desktops, so none of the administrators, teachers, or students had to tinker with it. The price was also attractive: Network Associates offered the county a maintenance contract that came out to $1 per desktop per year.

By that summer, the Merced County Office of Education had decided to purchase the tool. Since the organization has a staff of only nine people and relies on local administrators to maintain systems supporting 40,000 users, “We wanted to be sure a lot of training was included with the system,” Sexsmith said. From the fall to the end of the year, Network Associates held classes for school network administrators.

Sexsmith estimated that the software is running on about 70 percent of all county systems. Since the virus protection software was installed, there has not been a single instance of an infection.

The Templeton Unified School District reported similar success from its virus protection package. The district uses F-Prot from Data Fellows Inc. of San Jose, Calif., and also has a series of Novell NetWare Loadable Modules that monitor server activity. In 1995, the district had 204 incidents related to viruses; that number had dropped to four in 1998.

Yet installing virus protection software represents only a first step in keeping systems clean; hackers constantly tweak existing viruses or develop new ones. The ICSA estimates that 1,000 new viruses emerge each month, and older anti-virus packages often will not detect new strains. “We recommend that organizations update their virus protection packages every couple of weeks,” said Roger Thompson, director of anti-virus research at ICSA.

The Merced County Office of Education downloads virus system enhancements electronically once a month, and if a new strain arises, the district can get the fix instantly. The county then delivers the updates to servers at various school districts; administrators there are responsible for making sure their systems are updated.

If any are a bit lax, their systems may still be protected. Viruses tend to exhibit consistent characteristics, and suppliers have designed their products to recognize them. So when a new strain of a virus appears on a PC, the software may alert the user about the problem.

Vendors stand ready to help schools combat new virus strains. If a district thinks it may be under attack from a new virus, it can report the incident to a vendor’s anti-virus research center. These departments will usually determine within 24 hours whether or not a new virus has appeared and often can develop a vaccine in a few days; Melissa vaccines were being downloaded the day after the virus appeared.

School administrators can take other steps to lower the likelihood that viruses will knock their computers offline. Disable program features that automatically open eMail attachments or launch downloaded program files, and take advantage of Word 97’s ability to disable all macros that open templates. Also, you should back up all Word template files to an unused directory and change the file extensions. If you don’t frequently create new macros for documents, you can also turn on the read-only file attribute for each template file.

Security from within

While firewalls and virus protection software protect schools against external attacks, the greatest security threat usually comes from within. “Most organizations concentrate on repelling threats from outsiders, but studies have shown that 80 percent of security problems come from insiders,” said Robert Steele, a program marketing manager at Novell’s San Jose office.

School administrators might have a better understanding of these problems than other organizations, since they know students are naturally curious and will try to go places where they shouldn’t. Sometimes, the problems stem from malicious actions; in other cases, they come from human error. There are products to help you prevent either occurrence.

A few years ago, the Olympia Public School District decided to set up its systems so students couldn’t change computer settings. “We thought our systems were not as foolproof as we would like them to be; children are natural explorers, and they could find the security holes,” said Morsett. “We wanted to make sure students could not do too much damage to our systems.”

The district selected OnGuard from Power On Software Inc. of Sherrodsville, Ohio. The system enabled the district to keep the students out of different system folders, limit their work with control panels, and prevent them from accessing various fields. Since installing the product, the district has been able to avoid problems that stem from students installing new software on machines, inadvertently trashing important files, and changing configurations.

Despite an IT administrator’s best efforts, no organization with an open network connection can be 100 percent secure. New security holes constantly pop up as the technology evolves, and students find out about them quickly.

“Today, students are so computer literate that by the time they’re in the sixth grade, they know how to operate a system,” noted the LaPorte School District’s Sodaro. “They learn faster; they are on the net at home as well as in school. Keeping them from hacking into a system can be a challenge—one that keeps us on our toes.”

Plugging potential security holes also takes time, money, and manpower—precious commodities for many IT administrators. With technology constantly changing, IT personnel find themselves working overtime to ensure that students and administrators have up-to-date hardware, software, and networking capabilities. Squeezing more money and manpower out of their budgets to cover security issues can be difficult.

The Templeton Unified School District paid $20,000 for its firewall, a significant investment for a small district. “It can be hard to justify an investment that doesn’t have any tangible benefits, but instead is designed to prevent certain activities from occurring,” admitted Knuckles.

In some cases, such proposals are turned down. After the Littleton tragedy this year, the Bellevue School District in Bellevue, Wash., which has 15,000 students at 30 sites, looked at ways to provide a safer environment for its students.

The district, which already had hired policemen to be on site at the high schools during the school day, was interested in a system from Eyecast.com Inc. of Sterling, Va., that combines multimedia technology and the internet to monitor buildings. The company uses the internet to take over a school’s video surveillance system, so school officials don’t have to worry about monitoring, maintaining, and storing the tapes.

“The system could have acted as a deterrent during non-school hours when vandalism often occurs,” said Tim Sullivan, security coordinator for the district. However, the school committee voted down the idea of deploying the system because it cost too much.

Even when a district approves a security product purchase, it must find personnel to install and maintain it. Many districts operate with small staffs: The Templeton Unified School District, for example, has one full-time and one part-time administrator, supplemented by 15 student technicians who handled 700 help desk calls last year. Finding employees who can install and monitor security products can become a problem.

The LaPorte School District had to do a lot of custom work with its virus protection software, since users work with a number of different operating environments: Apple Macintoshes, Novell’s NetWare, Microsoft’s Windows NT, and Santa Cruz Operation’s SCO Unix. The NT deployment alone required six weeks.

Suppliers are aware of the problem and have been trying to make their devices easier to install. In the past, if a district wanted to install a firewall it had to purchase the software, sometimes the underlying operating system, and also a computer on which to run it all. Now, the devices are packaged as turnkey systems that only need to be plugged into a network.

Such improvements are coming a bit late for the Evergreen School District in Vancouver, Wash. The district, which has 28 sites and 22,000 students, represents one of the state’s fastest growing areas and has been adding 900 new students each year. Earlier this year, administrators discovered that a student had broken into the district’s network and was changing grades. The issue came to light because he was selling the service to other students and a classmate turned him in.

The hole was in a modem pool that had been in use since the early 1990s. Because the system didn’t have a client/server design and the passwords and user IDs were not encrypted, the student was able to gain access to confidential information as it flowed over the network.

“We had planned to install a firewall to ensure that only authorized personnel were accessing sensitive information but had been sidetracked by other projects,” admitted Gail Pfingsten, the district’s manager of computer and information resources.

Evergreen has begun to install the firewall and has launched an internal audit to examine its current systems and identify any weak links. The process should be completed this summer, and the district then will decide what additional steps to take during the next year.

Evergreen is taking the unusual step of publicizing its break-in. “Most districts try to manage security by obscurity; they think if they don’t talk about it, the problem will go away,” said Pfingsten. “We are sure we’re not the first district with a break-in and are publicizing it to help other districts become more aware of the risks involved.”

In addition to embarrassment, there are other reasons to keep security breaches private: The district became a target for hackers. “When the break-in hit the press, we were getting 500 hits against our systems every 90 seconds,” Pfingsten said.

While most view security breaches as wrong, there is a subculture that views them as a challenge. The Evergreen student fit in that category. “The only thing he seemed to be concerned about was whether or not his name would be included in a hacker journal,” noted Pfingsten.

To help deter such actions, districts must set up strict enforcement policies. Many require that students and their parents sign computer contracts that spell out the consequences of inappropriate actions. In the Olympia School District, students are suspended for three days if they access inappropriate sites on the internet. In the Templeton Unified School District, a student who stole a teacher’s password and destroyed data was expelled.

But not all school districts are as vigilant. “A lot of school administrators don’t view security and monitoring computer usage as part of their job functions, so they have few security checks in place,” said Templeton’s Knuckles. “I don’t think that is the wise outlook. I’ve seen schools that have had their electronic mail system compromised and their directory servers destroyed; rebuilding those systems requires a great deal of time and effort. In my opinion, as soon as a district puts in a WAN, it needs to have the tools to ensure that those services are used properly.”