Oct 12 2006

Security vs. Access

School technology managers must strike a balance between providing students with digital learning tools and securing desktops, servers and wireless networks.

Increased internet access and wireless use in K-12 schools have left districts nationwide with multiple security risks. Whether it’s for desktop systems or a wireless wide area network (WAN), it’s clear that security measures are required. But the big question is figuring out how much security is needed to ensure a safe learning environment.

“We need to strike a balance,” says Rhonda Hobbs, the director of IT for the Winton Woods City Schools in Cincinnati. “We’ve got to be flexible and give our students the environment they need to function, but we also need to lock it as tight as we can.” That approach keeps things running smoothly on the 250 computers used every day by the district’s approximately 1,200 high school students.

Locked-down desktop systems, with mandatory settings that modify registry keys and a hardware interface that prevents tampering, can keep wired systems fairly safe from security threats. A hardware interface allows users to make any changes they want on the desktop. Those changes go into a cache file, and when the system is restarted, all of the default desktop settings are restored, thereby preventing tampering.

Another step involves keeping students’ work separate from any sensitive data by storing their work on a network-attached storage system. This provides a safer environment and allows a school’s storage capacity to grow over time.

When antivirus software is added to that mix, desktop systems can remain fairly secure. However, adding new systems brings new risks. “As we open up additional capabilities [such as remote access], we open up more potential for security issues,” Hobbs points out.

A Moment of Realization

That’s a challenge that also faces Joe Huber, director of IT for Greenwood Community Schools in Greenwood, Ind., who looks after roughly 2,200 systems with five support people.

A few years ago, while working on the Indiana University campus, Huber witnessed the university’s extensive network analysis system and realized that he needed to apply the same approach on a smaller scale at Greenwood. After 31 years at the schools, he was well aware of how the local area network (LAN) had been patched together during the previous 15 years.

“Seeing what the university was doing made me realize that the security threat to our network was going to be huge in a couple of years,” Huber recalls. “We started to detect minor intrusions on our network, so we had a complete security analysis done, and then changed all logins and passwords. I learned how the university was handling its network issues and applied it to our schools.”

That analysis led to Huber’s insistence that the school district radically overhaul its network systems and go from the patchwork approach to standardizing on Cisco networking products.

Since the overhaul and the introduction of a hardware interface, Huber has not had to reinstall Windows on any of the 2,200 computers used by Greenwood’s approximately 3,900 students. The settings and applications are locked in, so any potential problems go away upon restart, and viruses are stalled.

“We started at the desktop level,” Huber explains. “Because of this overhaul, we don’t have to worry about a lot of security issues that others have to worry about.”

However, installing a wireless LAN and WAN brought a new set of security issues, according to Huber. With more possibilities for threats, he felt the only remedy for the wireless system was a complete lockdown of all the ports. But even that didn’t keep the system safe from intruders. When Indiana state officials informed Huber that someone was running credit card transactions through his wireless network, he realized that even a complete lockdown up front wasn’t enough.

“We have to keep checking to make sure that all the ports are locked down on a regular basis,” Huber says. “We open up access only when it’s necessary.” The outside threat was a result of allowing proxy services on the wireless WAN.

“Many proxy services allow [intruders] to act like they’re using our filter,” he explains. “They look like us, but they’re not.

“We’re not sure how the proxy services got turned on, but the antidote was to lock the system down, restrict access and remove proxy services from all the machines.”

With 600 notebooks on mobile carts moving among eight buildings, one of the main security risks Huber faces is a viral attack on the network. After discovering that 51 percent of incoming e-mail was spam, Huber added an e-mail filter. “We can filter attachments by extension type to help prevent viruses,” he says. “The most recent one didn’t cause a major headache because it wasn’t getting by the filter.”

Taking a Different Approach

Though filters and lockdowns make the most sense for Greenwood, they don’t provide the type of learning environment that’s encouraged at Kent School in Kent, Conn. The 100- year-old boarding school in rural New England has 550 students, each with his or her own notebook.

“We want to encourage kids to learn what they can with the technology at hand, so locking things down tight doesn’t work here,” says Adam Fischer, the director of information services and technologies at the Kent School. “It’s always a balance between what’s really causing the problem and how much the students benefit by being able to do a particular thing.”

His approach to network security is to physically separate the students’, teachers’ and administrators’ areas on the network. “We keep the kids out of the stuff we don’t want them getting into by physically separating them on the network,” Fischer explains. That model was retained when the schools changed over from a hub to a switched network.

Fischer took his time implementing a wireless network. For one thing, the school was already providing network services in all of the academic areas and dorm rooms on campus. For another, initial wireless installations were too slow.

“We had been using wireless for about six years on a portable basis,” Fischer explains. He designed wireless “suitcases,” which are lined with antistatic foam to hold an access point and 15 wireless PC cards. A teacher simply plugs the suitcase in and hands out the cards to students who don’t have wireless capabilities built into their equipment.

“Since we were already wired everywhere, this was parallel to existing technology and wasn’t too pressing,” Fischer adds.

As capabilities increased, however, wireless made more sense. “During recent renovations, we installed wireless access points in classrooms and the library, along with traditional wired access,” he reports. “In the library, it saved money compared to having a drop at every seat, and it provided new functionality because students using group study rooms can more easily collaborate. In an open space in which people tend to move around, wireless is obviously superior.” However, security remained a key concern for Fischer. Therefore, when he implemented a wireless network two years ago, he decided to restrict student use to activities such as browsing the Internet or intranet, getting e-mail and accessing individual files. Sensitive data is kept on wired systems.

Fischer acknowledges that there’s currently no such thing as a completely secure wireless network. “Wireless security is dependent on hardware, software and third-party applications,” he says. “Until there are verifiably secure, uniform standards incorporated into hardware and operating systems, I don’t think the wireless network can really be secure.”

The Institute of Electrical and Electronics Engineers (IEEE) 802.11 task group is working on new specifications for wireless security standards, but it suggests implementing some interim options in the meantime. These options include improved encryption schemes, a requirement that sensitive data be kept on wired networks, the implementation of firewalls and the use of virtual private networks.

Fischer took his security a little further by implementing what he calls a demilitarized zone. The DMZ is essentially a separate network created by switchgear and firewalls, which treat the network as though it were outside the school network where the student, faculty and administrative networks live, he explains.

There is also a firewall between the Web servers, which are on that separate network, and the Internet, so the servers are protected. “Someone wanting to come to my Web site never comes into my network,” Fischer says, “and someone who is from my network has to go through a firewall or two to get to it.”

Also, since the school is in a rural area, there’s no one nearby to gain wireless access. “If someone is in range to get the signal, they’d have to be on campus,” he says. “Even if a person is a guest of one of the students, he could not access any sensitive data.”

And wireless is going to get better, Fischer predicts. So far, the best wireless implementations in terms of security use proprietary products, he says. For example, he says Cisco products combine hardware and software to offer the latest encryption and wireless security standards.

“Those products seem fairly secure,” Fischer says. “Hopefully, they will become a standard, and then we’ll get them built into all wireless hardware.”

What’s the best approach for securing wireless networks without locking down everything? “Keep it simple,” Fischer advises. “If it’s not a secure system, then it’s not a secure system, so don’t use it for sensitive information.”

Based in San Francisco, Catherine LaCroix covers education trends, technology, and health-related topics for print and Web publications.

How Much Security Is Enough?

By some estimates, only 3 percent of education technology spending goes to security, and most of that occurs in higher education. So it’s no wonder that one of the biggest challenges cash-strapped school districts face is determining return on security investment (ROSI).

While it’s clear that some security is required, the difficulty is in calculating the necessary investment to achieve the appropriate balance between risk tolerance and security efforts. School administrators need to see hard numbers that justify security expenditures. But how can IT directors establish causation between financial impact and an unknown, undetermined event?

First, it’s important to assess the investment versus the chance of something happening, multiplied by the severity of the problem. Another method is to use a simple ROSI calculation, where ROSI equals annualized loss expectancy minus the yearly cost of safeguarding systems and information.

But before you can determine risk or the cost of covering that risk, it’s important to determine how much security your systems require. The first step is to assess your security needs by identifying the assets that need to be protected. Assets can include the networked computing infrastructure as well as the district’s confidential information.

After identifying the assets, focus on the threats and vulnerabilities of those assets—both internal and external. They can include sabotage and theft as well as natural disasters. Vulnerabilities are weaknesses or deficient security measures. Understanding what you have will help to determine what it would cost to replace assets versus what it costs to protect them.