October 2007 — Security Supplement


School Security Strategy—Simplified

Network Access Control

Think of network access control (also known as network admission control, or NAC) as the ultimate bouncer. The technology sits at the edge of a network and requires that every device that logs on undergo a thorough investigation to make sure the device complies with the network's security policy. In most cases, the software quarantines non-compliant devices until they comply. For school districts, this can provide an additional level of security that can stop rogue computers from wreaking havoc.

Such is the case at the Williamson Central School District in Williamson, NY. After years of seeing visitors come onto campus and plug right into the network, Network Administrator Kevin O'Dell embarked on an effort this summer to install NAC technology from StillSecure. The product, SafeAccess, requires visitors to download all of the latest anti-virus signatures and Windows updates before allowing them to log on.

"Once they pass inspection, they can do whatever they need to do," O'Dell says of visiting users. "Until that point, we've got them covered, and we don't let them do anything beyond basic internet."

At the Round Rock Independent School District in Round Rock, TX, a similar solution from Mirage Networks saved the district from being crippled by the Sasser worm back in 2004. At the time, the district's anti-virus protection was fairly sophisticated and had blocked the worm from propagating on in-network computers. And when unknowingly infected visitors tried to log on, the system forced those users to remove the nefarious program before giving them a green light.

Dan Scott, lead systems engineer, looks back on the Sasser experience with a sigh of relief. Considering the district boasts 46 campuses and more than 40,000 students, a single outbreak could have crippled the wide area network (WAN) for weeks. Looking forward, Scott says the Mirage box will enable technologists to continue preventing virus outbreaks, and will cut down on unwanted spyware, keystroke loggers, and other forms of malware, as well.

"Best-case scenario, our visitors are safe before they even get here," he says. "Worst-case scenario, they're not safe, but we make them get safe before they log on."

Identity Management

In the olden days, school districts used printed rosters to manage user identities. Today, the art of identity management is far more complex, with broad-sweeping databases that create a random number for every student, assign each individual user a unique descriptor, and store these identities in a secure location, usually off-site. Because districts are becoming increasingly paperless, identity management has become important for maintaining student records. The next goal is making sure the data stays private.

Technology gurus at Pascack Valley High School in Hillsdale, NJ, faced this challenge recently when the school deployed the UTM Model CR 1000i from Cyberoam to manage an identity-based security system that allows students to roam around campus and stay connected to the internet. District Network Administrator Willie Pico says that in addition to creating a unique identity for each user, the tool also enables technologists to track traffic by specific user names.

"It provides instant visibility into any student's activity and allows us to make proactive policy changes as needed," says Pico. "Student security policy settings apply wherever they are on campus, providing assurance that no abuse of resources will be permitted."
