Security versus Flexibility within Education Networks
By Allied Telesis
Universities and schools offer a unique set of challenges to network designers. As well as all of the usual requirements of modern network users such as high bandwidth, resiliency and scalability, they take the “security versus flexibility” dilemma to an extreme.
Students and staff typically move between many locations during the course of a day. Restricting physical access to network connection points is restrictive in such a mobile environment, hence the network needs to be mobile. For many years, the focus on network security at campuses such as schools and universities was on defending against external threats like hackers. However the reality is that with the growth in mobile computing and proliferation of Ethernet-capable devices, LAN-based attacks now outnumber external threats as the main security issues. Students, staff and even members of the public come and go from university buildings, and it is impossible to monitor all of these people all the time. Staff need private access to certain network resources, perhaps in the form of certain server drives containing confidential or appraisal-related data. Students pose a constant threat to network security as they have the ability, time and often the inclination to probe for every weakness in the network’s security set-up.
Protecting the network whilst incorporating flexibility
Teachers or administrators connecting to the network in classrooms need to be able to access curriculum material, and check and maintain records. Students need access to a specific sub-set of the same material.
One way to achieve this is to set up separate VLANs for “admin” and “curriculum”.
Separate call out box: A VLAN has the same attributes as a physical LAN, but it allows for end stations to be grouped together even if they are not located on the same network switch. Network reconfiguration can be done through software instead of physically relocating devices.
These are hosts with a common set of requirements that communicate as if they were attached to the broadcast domain, regardless of their physical location. The admin VLAN can be protected by a inspection firewall to prevent students accessing private records such as exam papers. This access must be authenticated with usernames and passwords so that pupils cannot access the admin areas. This implies the need for an application that demarcates secure and public sections of the LAN, while providing some users with access to parts of the secure area.
The diagram above lists an ideal network configuration for a school that allows for optimum security. In the network, the switch is connected to two VLANs, curriculum and admin, as well as to an authentication server. The authentication server allows all ports to access either curriculum or admin VLAN, depending on the credentials of the user. The switch also acts as a Dynamic Host Configuration Protocol (DHCP) server to assign IP addresses in the appropriate range for the admin and curriculum VLANs. This makes it easier for teaching staff to connect to either segment.
Allied Telesis has successfully implemented this network configuration to secure and maintain flexibility in a highly reproducible school network.
Physically the solution consists of Layer 2 switches on the edge with gigabit fibre uplinks back to a Layer 3 modular switch in the core. But the real value in the network lies in the features that are implemented on these switches. In particular, the 802.1x authentication process provides the key requirements of simultaneous flexibility and security.
802.1x authentication and dynamic VLAN assignment prevent unauthorized access to the network while still giving users flexible, mobile and appropriate access to network resources, regardless of where they physically connect to the network. 802.1x authentication ensures that users cannot even send packets into the network until they have provided valid authentication credentials. VLAN assignment puts authenticated users into an appropriate VLAN, based on their authentication credentials. Therefore users experience the same network environment no matter where they connect.
Another key part of the solution is hardware filtering, ensuring no leakage of traffic between certain IP subnets and achieve this with no degradation of data throughput.
Conclusion
In recent years, schools and universities have become increasingly reliant on networks. Incorporating a high bandwidth, resiliency and scalability as well as security and high flexibility into the network is vital for functionality. Securing a network within a school or university is much different to securing a network within a business, as students move from computer to computer with devices such as USB drives. As long as the correct precautions are taken and the network is intelligently designed, it should remain secure from internal or external threats.
Latest posts by eSchool News (see all)
- Use of Technology in the Classroom to Enhance Teaching and Learning - September 26, 2024
- How Does Technology in the Classroom Help Teachers? - September 26, 2024
- How Useful is Technology for Teaching and Learning? - September 26, 2024