Keeping Your Network Secure
In the wake of Heartbleed, the bug in the widely used OpenSSL library that encrypts and secures thousands of well-known Web sites, all of us have potentially had many of our passwords compromised. So whether we have school IT security staff or not, there are steps districts of all sizes can take to keep their networks safer. Tech & Learning’s Christine Weiser spoke with Drew Lane, currently serving as director of technology for Derby Public Schools and soon to be serving as executive manager for the Shawnee Mission School District, KS, and Steve Young, Chief Technology Officer for Judson ISD in Texas, to ask for their tips. Here are highlights from the conversations.

Set up a separate guest wireless network and do not allow these devices on your main network.
Most schools can set up a guest network that allows users to access only the Internet, but not any internal resources. There are also some products, such as Aruba’s ClearPass, that let network managers perform authentication and configuration that issues temporary credentials, so that users on the guest network can reach approved additional resources.

Do not allow users to install software on district computers, but consider
Most districts choose not to authorize users to install complex or potentially hazardous software on their devices. However, in an app-based world, districts may want to offer some customization of this limitation. For example, JAMF offers the ability to control what Mac users can and cannot install on their devices. Chromebooks offer Google Apps domain administrators the ability to configure access to authorized Web apps on those devices. The Windows world is a little trickier, but products like Kaseya can help network managers provide remote script execution. Another option is to use a product like Citrix, which allows users to stream authorized apps from a data center without overtaxing bandwidth or requiring

Consider a network access control solution to secure wired network ports.
Network access control on wired ports is a good idea. However, if you take this control to the next level for your wireless network, you need an IT team that has the skill set to manage this control. Our district implements layers of control. When devices are plugged into our wired ports, those devices, depending on their trust level, have access only to the Internet. Products like Brocade and Aruba’s ClearPass offer the ability to authenticate authorized devices to access additional school resources safely. Cisco also offers similar NAC devices.

Consider internal firewalls for high-value servers with critical data, or at least find a way to restrict network access to these servers.
Installing internal firewalls is a good idea, and again the district has to decide what data must live securely behind a firewall and who will have access to those critical data. There are products, such as the Palo Alto firewall, that give districts some flexibility by letting the network administrator monitor traffic and shape data as well as determine what can be accessed by authorized users. For example, if you are a campus with multiple buildings on the same WAN, a firewall from Palo Alto allows the administrator to customize the access and shape traffic for each building.

Keep servers and security appliances up to date and patched.
This is another important security step, but it also comes with a “gotcha”: before patching that firmware, ask why it was released and what it addresses. Our district has had instances when we installed a patch that then introduced a bug that came with a whole different set of problems. When possible, implement all updates and patches on test hardware before rolling out to the

Endpoint antivirus and malware security is still critical, but don’t count on these tools as your only line of defense.
Today’s malware and viruses have switched from destruction to theft. These intruders are now less interested in destroying data and more interested in harvesting data to use to their advantage. For example, a ransomware virus encrypts your data and you can only retrieve that data by paying for a code. This is where an incremental backup of data can be crucial. If a district or user has incremental backups over time, there’s a better chance that unencrypted data can be retrieved from a recent backup. But prior to recovering that data, the client device should be completely sanitized to prevent the recovered data from simply being re-infected. If data security personnel are available, it’s also a good idea to conduct an investigation to see if the source of the ransomware can be determined.

Install firewalls, spam filters, and
Many of these solutions are converging into next-generation combined products, but most of these can offer a range of services, including scanning for bad Web sites, phishing links, viruses, malware and more. The only caution: you need to be careful with products that put all of your security eggs into one basket. When you start looking to one appliance to do multiple tasks or services, you will need a backup plan if something goes wrong. What happens if that device dies? Ideally, a district will have hardware redundancy in place, but few can afford a complete backup system. As an enterprise, you need to decide what services your district can and cannot live without. Next, you should focus your backup plan on those systems deemed most important. This will save redundancy costs and keep those vital network components running, even if it is at a smaller capacity. For example, we focus on our DNS service. If our main service goes down, we know that a virtual server can’t process the DNS as quickly, but it can still process some.

Restrict ICMP traffic at the firewall to limit hackers’ ability to scan your
ICMP traffic is a must-have for network troubleshooting. However, this is also an area of high vulnerability if not managed by a knowledgeable IT expert. ICMP can quickly turn what should be good traffic into a weapon without expert management.
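As an added example that is not part of the article (the interview names no product for this step), here is an nftables ruleset for a Linux firewall that keeps the ICMP types troubleshooting depends on, lets staff ping freely, and rate-limits and logs the echo requests a scanner relies on. The management subnet 10.0.0.0/24 is a constructed placeholder.

```nftables
#!/usr/sbin/nft -f
# Constructed example: ICMP policy for the Internet-facing input chain.
# Assumption: 10.0.0.0/24 is the IT staff management VLAN (placeholder).
define mgmt_net = 10.0.0.0/24

table inet icmp_policy {
    chain input {
        type filter hook input priority filter; policy drop;

        # Replies to our own traffic and loopback are always fine.
        ct state established,related accept
        iif "lo" accept

        # Error messages that path MTU discovery and traceroute need.
        # Blocking these breaks connectivity in subtle ways, so keep them.
        icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

        # IPv6 neighbour discovery is not optional on a v6-enabled link.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # Staff on the management VLAN may ping freely for troubleshooting.
        ip saddr $mgmt_net icmp type echo-request accept

        # Everyone else: a modest rate of pings is allowed, a sweep is not.
        icmp type echo-request limit rate 5/second burst 10 packets accept
        icmpv6 type echo-request limit rate 5/second burst 10 packets accept

        # Log (rate-limited, so the log itself cannot be flooded) and drop
        # what exceeds the budget, plus legacy query types that have no
        # troubleshooting value and only help map the network.
        icmp type echo-request limit rate 1/minute log prefix "icmp-scan: "
        icmp type { echo-request, timestamp-request, address-mask-request, info-request } counter drop
        icmpv6 type echo-request counter drop

        # Any remaining ICMP falls through to the chain policy (drop).
    }
}
```

Validate the file with `nft -c -f icmp-policy.nft` (syntax check only) before loading it with `nft -f`, and watch the "icmp-scan:" kernel log lines and the `counter` values to see how much probing the rule actually absorbs.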
People are the key to overall safety.
Yes, there are many tools out there to keep your network safe. But the best investment a school district can make is in the people who know how these tools work. As a manager who is responsible for my district’s network safety, I don’t know how to keep us 100% safe, but I know the importance of having staff who DO know how to keep the network safe. If you can’t hire full-time staff, negotiate with third-party vendors to outsource those skills. Also, when you can afford to do it, have a disinterested third party do “penetration testing” on your network and assess your weaknesses. Reliable vendors like CDWG can help your district find reputable consultants to help with this.

In summary, when you are building a network for today’s environment, you want to first consider your wireless network as your primary network. Build your capacity there for coverage, density, and bandwidth. Your wired network becomes the “workhorse” responsible for carrying all the traffic generated by your wireless network to and from data closets and the ingress/egress points of your enterprise. While still important, wired networks are now a secondary point of connectivity for endpoint devices. Follow these steps, and sleep a bit better at night.