An Ounce of Prevention: Technologists Use Network Access Control to Protect System Resources, Students

Posted 12-08

By Matt Bolch
Whether for an entire district, a single campus, or one classroom, allowing authorized access to a computer network can be fraught with challenges. The login process should be fairly seamless to approved users, giving them speedy access to approved Web sites, databases, and other sources of information. It also should be tough on unauthorized users, shutting them out quickly and effectively before any havoc can be wreaked on the network. But guests and other temporary users often need access, which presents its own challenges.

School CIO talked with three IT administrators to learn how each is dealing with the issue of network access control (NAC).

Who: Justin Dover, network administrator

Where: Harpeth Hall School, Nashville, TN. The private, all-girl 5-12 school has 642 students.

Background: Dover has been with Harpeth Hall for seven years after working as a network/systems engineer for a medical company.

The story: Students in the upper grades (7-12) are required to buy a specific laptop tablet that students own but Harpeth Hall controls while used on campus. Teachers in grades 5 and 6 have access to three laptop carts with 20 tablets each.

“We don’t use a specific NAC solution, but we control critical aspects of the process,” says Dover. Student- and faculty-owned laptops are known to the Cisco wireless network and receive authorization in the background to access the network. Guests, such as visiting lecturers and students from “brother” school Montgomery Bell Academy, are diverted to a separate, virtual LAN to prevent unauthorized intrusions.

Harpeth Hall uses 8e6 for Internet filtering and Web usage monitoring to determine rights and permissions for Web sites. Students are blocked from peer-to-peer sites, Facebook and MySpace accounts, and adult content while surfing at school. “We can log every bit of activity: the sites visited, the number of times, and the pictures looked at,” Dover says. “It’s not a cheap system, but it works very, very well.”

Although 8e6 updates filtering every few days, Dover uses Allot NetEnforcer as a backup solution. The software allows him to set bandwidth limits for students and teachers. If a student is able to access iTunes, for example, the extremely slow bandwidth speed would make downloading music impractical. If bandwidth reaches its upper limit, a priority is placed on faculty and administrator use over student use, he says.

Off campus, students can use their laptops as they see fit, with few restrictions. If the school’s use policy is violated, parents are fined $20. “Our (off campus) rules are for operational efficiency, rather than content filtering,” Dover says. “Our girls know that computers have great power, but with that power comes responsibility. This policy has worked well for us, and we can’t imagine a scenario where we’d lock the system down.”

Who: Stephen Danielson, manager of information technology services

Where: Rainy River District School Board, Fort Frances, Ontario, Canada. The district encompasses more than 11,500 square miles, with 15 schools that serve 3,500 students.

Background: Danielson has been with the district for nine years, previously serving in a senior technology position at another district. He’s been in the IT field for 25 years.

The story: Because the district is so spread out, the district built its own private network. But the cost prohibits one network for administrators and teachers and a second one for student use. The district has 1,200 computers in a three-to-one ratio in secondary schools and a five-to-one ratio in elementary grades.

After beginning implementation of another solution, only to discover the company was shutting its doors, Danielson turned to InfoExpress Dynamic NAC. “We evaluated several other vendors before making the selection,” Danielson says. “This was the best solution to fit our needs, and we definitely checked the company out after getting burned before.”

Network Tech William Sixsmith explains that district computers are on an approved grey list and get immediate access. To ensure that computer configurations are not changed and to make updates easier, the district also uses Faronics Deep Freeze.

Rainy River is conducting final testing on a policy to allow faculty and students to bring their own laptops to school. The process involves a signed agreement that the school principal must approve and further approval from Danielson before an outside computer is placed on the approved list.

InfoExpress Dynamic NAC will be used to ensure outside computers are up to date on anti-virus and system updates before allowing access. The district is adopting a strict one-strike rule against anyone who violates district policy.

Who: Dennis DeBroeck, computer technology instructor

Where: Walla Walla High School, Walla Walla, WA

Background: DeBroeck has been with the district for 16 years and teaches computer technology, media technology, and animation classes. He formerly was the school technology coordinator and maintains his own Web servers, management servers, and computers in his classroom to avoid conflicts with the school system.

The story: DeBroeck’s hands-on classes require a tremendous amount of preparation to ensure each class receives the correct materials to accomplish classroom assignments. Since purchasing ScriptLogic’s Desktop Authority, DeBroeck estimates he’s saved hundreds of man-hours spent customizing class offerings and bringing efficiency to the planning process.

DeBroeck sets unique policies for each class, specifying such variables as printer and driver access, default Web browser, and other search engines. Each student has a login, and the user has to acknowledge the district’s use policy before receiving access. When the student logs in, he sees the assignment for the day.

The teacher also uses Desktop Authority’s USB and Port Security option, which features the ability to set policies to allow documents to be saved from the desktop but not from the storage device to the desktop. Spyware protection ensures that portable devices don’t introduce viruses into the system.

“I can make changes quickly and on the fly to manage the classroom more efficiently,” DeBroeck says. “As far as a complete solution, this is it.”
