Security versus Flexibility within Education Networks
By Allied Telesis
Universities and schools offer a unique set of challenges to network designers. As well as all of the usual requirements of modern network users such as high bandwidth, resiliency and scalability, they take the “security versus flexibility” dilemma to an extreme.
Students and staff typically move between many locations during the course of a day. Restricting physical access to network connection points is restrictive in such a mobile environment, hence the network needs to be mobile. For many years, the focus on network security at campuses such as schools and universities was on defending against external threats like hackers. However the reality is that with the growth in mobile computing and proliferation of Ethernet-capable devices, LAN-based attacks now outnumber external threats as the main security issues. Students, staff and even members of the public come and go from university buildings, and it is impossible to monitor all of these people all the time. Staff need private access to certain network resources, perhaps in the form of certain server drives containing confidential or appraisal-related data. Students pose a constant threat to network security as they have the ability, time and often the inclination to probe for every weakness in the network’s security set-up.
Protecting the network whilst incorporating flexibility
Teachers or administrators connecting to the network in classrooms need to be able to access curriculum material, and check and maintain records. Students need access to a specific sub-set of the same material.
One way to achieve this is to set up separate VLANs for “admin” and “curriculum”.
Separate call out box: A VLAN has the same attributes as a physical LAN, but it allows for end stations to be grouped together even if they are not located on the same network switch. Network reconfiguration can be done through software instead of physically relocating devices.
These are hosts with a common set of requirements that communicate as if they were attached to the broadcast domain, regardless of their physical location. The admin VLAN can be protected by a inspection firewall to prevent students accessing private records such as exam papers. This access must be authenticated with usernames and passwords so that pupils cannot access the admin areas. This implies the need for an application that demarcates secure and public sections of the LAN, while providing some users with access to parts of the secure area.