Bulletproof Remote Access

Administrators want a secure solution that doesn’t require much ongoing maintenance

Making school or district database and network resources available to IT employees, administrators, and teachers from remote locations can greatly improve productivity, but at what cost?

Despite the vast improvements in security solutions, lingering fears about possible intrusions make this an issue that receives top priority from the IT staff. Technology & Learning spoke with three IT officials about their remote access strategies.

Strong Foundation Provides Cornerstone to Success
To prepare for a one-to-one laptop program for grades five through 12, Putnam Valley Central School redesigned its computer network with multiple layers of security.

The 2,000-student district in Putnam Valley, NY, uses two Cisco ASA 5520 firewalls: one to safeguard networks within the school with administrative access only and the second to police security in the demilitarized zone (DMZ) between the Internet and the private network, explains Michael N. Lee, network administrator and CIO. Lee was a private-sector computer consultant before joining the district nine years ago. “Our network was designed with secure remote administration in mind from the earliest stages of design,” says Lee.

For those who transmit sensitive data, a private WPA-encrypted wireless network is available and secured by the internal/private firewall. Remote access to the district's networks is granted through a VPN, and since the firewalls already manage the security of the district's multiple networks, the VPN terminates on the ASAs themselves.

“By utilizing access lists, specific users can be granted different levels of access to the networks via the VPN,” Lee says. “For instance, teachers may be granted access to devices/systems within the DMZ, while select system administrators may remotely administer servers. Very few VPN users need or even have this level of access, while most may only reach as far as the DMZ network.”

Lee advises planning ahead when considering remote access technology or upgrades. He suggests a VPN that supports IPsec over one that uses only PPTP, depending on client requirements. Secure access to individual systems can also be achieved with remote access software.

“Most remote access software these days supports encryption,” Lee says. “Apple Remote Desktop for access to Mac-based systems, Terminal Server/Remote Desktop Connection to Windows, and the commercial version of VNC all support encryption. For command line-only access, ssh (secure-shell) is a no-brainer.”
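As an added illustration, not the district's configuration, the tiered VPN reach Lee describes can be expressed on an ASA by binding a per-group access list to each group policy as a VPN filter: a teacher's tunnel can reach only the DMZ, while a system administrator's can also reach the internal server subnet. All addresses, object, group and user names below are constructed assumptions.

```cisco
! Constructed example; addresses and names are assumptions, not Putnam Valley's config.
! For a vpn-filter ACL the source is the VPN client address and the
! destination is the local network, so "any" as source keeps it version-safe.

! Address pool handed to remote access clients
ip local pool VPN-POOL 10.10.99.10-10.10.99.200 mask 255.255.255.0

! Tier 1 (teachers): DMZ subnet only; everything else is denied and logged
access-list VPN-TEACHERS extended permit ip any 10.10.20.0 255.255.255.0
access-list VPN-TEACHERS extended deny ip any any log

! Tier 2 (system administrators): DMZ plus the internal server subnet
access-list VPN-ADMINS extended permit ip any 10.10.20.0 255.255.255.0
access-list VPN-ADMINS extended permit ip any 10.10.30.0 255.255.255.0
access-list VPN-ADMINS extended deny ip any any log

! The filter follows the user's group policy, not the tunnel they dial into
group-policy GP-TEACHERS internal
group-policy GP-TEACHERS attributes
 vpn-filter value VPN-TEACHERS
group-policy GP-ADMINS internal
group-policy GP-ADMINS attributes
 vpn-filter value VPN-ADMINS

! Everyone lands in the restrictive policy by default; the few
! administrators are lifted into GP-ADMINS individually
tunnel-group STAFF-VPN type remote-access
tunnel-group STAFF-VPN general-attributes
 address-pool VPN-POOL
 default-group-policy GP-TEACHERS
username sysadmin1 password <PLACEHOLDER>
username sysadmin1 attributes
 vpn-group-policy GP-ADMINS
```

Once applied, `show vpn-sessiondb detail remote` reports the group policy and filter name each session actually received, which is the quickest way to catch a user landing in the wrong tier.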

Anytime, Anywhere Access Helps Productivity
The IT staff at Dysart Unified School District No. 89 believes that district employees should be able to get work done just about anywhere using district resources.

Several years ago, the district consolidated its IT hardware and software with Cisco, explains Evan Allred, director of information technology for the 23-school, 24,000-student district in Surprise, AZ. The district uses Cisco ASA hardware and VPN Client.

Staff can log into the network several ways, including through a VPN connection, directly to school and office desktops, and via laptops, adds Michelle Benham, district technical services supervisor. IT employees are the only ones who can connect directly to desktop computers through a VPN, but that ability is limited because of energy conservation settings the district uses on its computing resources.

Employees have VPN access through home computers, accessing district resources through a link on the district Web site. “Most teachers have laptops, which have district applications loaded on them with local files,” says Benham. “They can use any Internet connection to create a private tunnel to district resources.”

The only problems IT staffers have encountered with VPN access are related to factors out of district control: the quality of a user’s Internet connection or his skill level.

Administrators can check out cell phone data cards to use with district-provided desktops while traveling in areas that have high-speed cell service. “The tether is pretty tight,” Allred says of cell access to district data.

“There is no reason to have security concerns if you do it correctly,” Allred says. “Anywhere, anytime productivity is one of the cornerstones of a 21st-century skill set. Banks, Fortune 500 companies, and universities already are doing this.”

When All-in-One Doesn’t Work
Private schools often don’t have the luxury of a full-time IT department, relying on contractors or parent volunteers to keep systems up and running.

At Marin Montessori School in Corte Madera, CA, that task falls to parent Zarko Draganic, a software engineer with a telecommunications background. The school, which has just over 200 students in pre-K through eighth grade, turned to NCP Secure Entry to remotely access the network when the school upgraded to the Vista operating system.

The school runs a Dell server with Windows Server 2003 and uses either Cisco VPN Client or NCP Secure Entry to access the network, but Draganic says the NCP product works better for the school’s purposes. “We can’t afford a full Cisco maintenance/support license, and we had problems getting remote access to work on Vista machines,” Draganic says.

Other solutions Marin Montessori School looked at included the built-in Windows IPsec, which Draganic says was difficult to configure and not secure, and TheGreenBow, which wasn’t compatible with some home virtual private networks.

“Then we evaluated NCP, which we could afford, was secure, and had great support included,” Draganic says. “But most importantly it worked perfectly with all clients and gateways and was very simple to configure. It also gave us options for the future: as we start doing things like using mobile/PDA clients, NCP already has support for this.”

The school has been using NCP for six months, and Draganic has been impressed with the support he’s received. He believes that it’s important to have a company like NCP that stands behind its software and helps make it work on all platforms.

“With our school, users aren’t technical and expect connections to be completely transparent and ‘just work,’ without having to configure anything themselves,” Draganic says.

-- Matt Bolch