Securing K-12 networks for 1:1 computing


The adoption of 1:1 computing programs and online K-12 learning programs is driving an industry-wide move toward accessible network access. In East Grand Rapids Public Schools, and in school districts nationwide, requirements to provide students and teachers with easy access to online tools and the internet are paramount to creating an effective learning environment.

With today’s budget cuts, the only sustainable way to provide 1:1 computing is to allow students to bring their own computers to school. Deploying a network access control (NAC) solution that supports a multi-vendor environment, wireless and wired networks, and multiple computing device types is a necessary best practice for accomplishing this.

We talk a lot about “democratizing student access to technology” around here–letting students choose the computing platforms and learning tools that work best for them. NAC gives students access to networks and learning resources using the devices of their choice, and keeps them off restricted networks while providing the security and malware protection that prevent network outages.

At our school district, which has 2,900 students and close to 500 employees, our challenges include providing access to technology while segmenting network resources so that students do not have access to private information (such as staff and administrative data) all while managing a tight budget. Before NAC, granting individual access and appropriate privileges to printers, applications (such as Moodle educational software, our learning management system of online books and learning tools), and the internet was a constant issue.

The need for this NAC best practice grew in 2003, when a committee of students, staff, administrators, and school board members decided that the use of students’ personal devices on campus was needed, initiating what we call our “Allow Program.” Before our NAC best practice was in place, securing access privileges meant that students had to fill out forms and meet with IT to evaluate their machines and discuss procedures–for example, there is no file sharing allowed. After this lengthy process, the student’s device was manually configured for access to the district’s wireless network. This took a lot of time and was a deterrent for students, and initially only 17 participants joined the program. We clearly saw that the time spent to secure access for each student’s machine was a hassle and hindered their participation.

We knew we needed to make this easier, and we had to take the IT team out of the process. I learned that a NAC solution would automate this process, and then spent time researching what would work best for our network. Among the many best practices I discovered is that a NAC solution needs to support open standards–our NAC solution could not dictate the directory services or the brands of infrastructure we use. A policy-based solution would also help with differentiating access, and deploying 802.1X WLAN security.

I initially looked at solutions from Cisco, Juniper Networks, Sophos and Symantec, but none delivered the functionality I needed. I also struggled with vendor lock-in from these solutions, since they didn’t rely on open standards. They also supported a limited number of operating systems and user device types.

I learned about Avenda Systems and its identity-aware access control platform called eTIPS at an Interop event. The Avenda platform could centrally manage policies across all access methods and frameworks, and it included the tools we needed to easily register our students and their devices. It would also work with our entire district’s existing network infrastructure, and identity stores. 802.1X security authentication and authorization mechanisms were also important.

With a NAC solution, we could see improving our security, and eliminating the manual provisioning of guest access. We could see how participation in our Allow Program would increase, because students wouldn’t have to meet with the tech guys anymore.

As a result, we deployed our NAC solution, which allows us to set granular access policies for staff and students, and also guests, by identity, role, assessment of their devices, etc. Provided templates for deploying 802.1X and wireless infrastructure policies were also helpful. The NAC solution supported our mix of network components, which was critical, including Siemens wireless controllers, Enterasys LAN switches, and server platforms running Apple, Novell, Linux, Windows, and OS2 operating systems. We also support a mix of Windows, Linux, and Mac student machines.

By streamlining the intervention with the IT team, the Allow Program took off. Students spread the word that bringing your own laptop to school was the best way to get on the network. Soon, more and more students started showing up with their own personal devices. For us, the NAC solution has saved the entire department more than 100 man hours so far, and the Allow Program has grown to approximately 130 students accessing network services each day. Our students are separated from the core production networks, but still have access to the resources they need. The students and teachers are singing the program’s praise, and our support for it has gone to nearly zero.

Every school district should have a NAC solution to support differentiated access for students, staff, and guests–because it’s unsustainable for a district to try to provide a computer for everyone. Allowing students, speakers, parents, and other community members to bring in their own equipment to utilize the network saves us a lot of money.

More importantly, students can choose the device that best facilitates their own unique style of learning. If a student feels most comfortable using a netbook running Linux–that is the best device for them to use at school. We believe that the best security is transparent to the end user, and doesn’t make us change how we work.

NAC is helping us achieve our goal of providing access, without spending $100,000 or more on student computers and software licenses. The IT group saves 30 minutes of set up time for each user, and we no longer have to manage individual accounts, passwords, and security applications. Today, we are able to bring computers onto our network safely and securely. We know that we can’t have 1:1 computing and allow students to bring computers on campus without having our NAC solution in place.

Looking forward, we can use NAC to determine the health for all devices, including if the device’s firewall is enabled, when antivirus applications were last run, and if patch levels/service packs are current, before letting it on the network. If access is denied, a page can pop up with instructions on getting the machine in order, and onto the network quickly. The goal is to allow students to use their favorite devices as they normally would at home, while providing tiered levels of security and protection for our network when they are here on campus.
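The health checks described above, sketched as an added example (not from the article or the district's NAC product): the seven-day scan window, the role names and the network names are assumptions. A device that fails any check is quarantined with remediation instructions regardless of the user's role, and an unknown role or a missing health report never reaches a production segment.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed for illustration: the article gives no thresholds or network names.
MAX_SCAN_AGE = timedelta(days=7)
ROLE_NETWORK = {"staff": "staff", "student": "student", "guest": "guest-internet"}

@dataclass
class Posture:
    firewall_enabled: bool
    last_av_scan: Optional[datetime]  # None: no scan was ever reported
    patches_current: bool

def failed_checks(posture: Posture, now: datetime) -> list:
    """Return one remediation instruction per failed health check."""
    fixes = []
    if not posture.firewall_enabled:
        fixes.append("Enable the device firewall.")
    if posture.last_av_scan is None or now - posture.last_av_scan > MAX_SCAN_AGE:
        fixes.append("Run an antivirus scan.")
    if not posture.patches_current:
        fixes.append("Install current patches or service packs.")
    return fixes

def decide_access(role: str, posture: Optional[Posture], now: datetime) -> dict:
    """Map role plus device health to a network segment, failing closed."""
    if role not in ROLE_NETWORK:
        return {"network": "deny", "remediation": []}
    if posture is None:  # device reported nothing: treat as unhealthy
        return {"network": "quarantine",
                "remediation": ["Device health could not be determined."]}
    fixes = failed_checks(posture, now)
    if fixes:  # health overrides role: an unhealthy staff laptop is quarantined too
        return {"network": "quarantine", "remediation": fixes}
    return {"network": ROLE_NETWORK[role], "remediation": []}

if __name__ == "__main__":
    now = datetime(2024, 1, 15, 8, 0)  # constructed sample data
    healthy = Posture(True, now - timedelta(days=1), True)
    stale = Posture(False, now - timedelta(days=30), True)
    for role, posture in [("student", healthy), ("staff", stale), ("guest", None)]:
        print(role, decide_access(role, posture, now))
```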

Jeff Crawford is manager of networking and security in the East Grand Rapids Public Schools. The East Grand Rapids Public Schools district has an enrollment of 2,900 students and employs around 500 employees. Seven IT employees serve the entire district, which has approximately 1,600 district-owned computers located across multiple campuses and administrative buildings.


Laura Ascione