Dickson County Schools' Pat Semore and Scott Malugin filter the district's wireless traffic through an Aruba controller at headquarters to enforce security policy.
May 06 2011

Securing the Wireless LAN

Enterprise-class wireless controllers and access points work in concert to protect K–12 schools.

June 2011 E-newsletter

When Tennessee was awarded one of the Department of Education's “Race to the Top” grants last fall, the pressure was on for the state's school systems to support the inevitable influx of mobile devices and applications. For Dickson County Schools Technology Director Pat Semore and his team, that meant making the district's wireless network more sophisticated and secure.

Semore and his team believed moving from an ad-hoc, consumer-grade wireless network to an enterprise-class one would be the key to meeting the demands of the grant. “Every teacher has to be evaluated every year – that's a big job for principals and assistant principals to carry out manually,” Semore says.

To speed the process, Semore and Network Technician Scott Malugin are creating a well-designed and scalable wireless LAN (WLAN). They purchased 26 Aruba AP-105 802.11n access points to deploy throughout the county's 14 K–12 schools and an Aruba MMC-3200 Multi-Service Mobility wireless controller to install at the district office.

With a centrally managed WLAN, users can complete evaluations via mobile devices, such as tablets, and then automatically upload data to a district server once they're in the vicinity of each school's administrative office AP, Malugin says. To ensure this process is secure (and to satisfy compliance requirements with federal laws such as the Children's Internet Protection Act), the IT team has set firewall policies at the controller level. All traffic is tunneled from the APs to the main controller so that the policies can be enforced. “As the wireless implementation grows, we will eventually move the firewall policies to controllers at each school,” Malugin says.

Tiered Access

Malugin also plans to add tiers to Dickson County's wireless access. Currently, there is support for “guest” access where users have access to the Internet, but not the LAN. Employees have encrypted access via WPA2 for county-owned equipment such as notebooks. In the future, Malugin plans to integrate role-based authentication into the school's electronic directory using RADIUS to enable teachers and staff to access resources via their Novell credentials. Not only would this eliminate the need for technicians to supply encryption keys, but it would also automatically place each of the 8,500 students and 678 teachers at the county's 14 schools under the appropriate WLAN firewall settings.

Craig Mathias, a principal with wireless and mobile advisory firm Farpoint Group, says Dickson County's approach is the right one. “Firewalls [for wireless traffic] should be in the WLAN system itself and would likely live in a controller or multiple-distributed controllers,” he says.

He adds that WLAN systems like Aruba's make it easy to create multiple classes of users with specific permissions. Brocade, Cisco Systems, Extreme Networks, HP, Juniper Networks, Nortel Networks and SonicWALL are among those that also have secure controller and AP WLAN gear.

Enforce and Control

At Marshall Community Unit School District C-2 in Marshall, Ill., the IT team is putting the finishing touches on a WLAN to support 480 notebooks purchased for the high school through a grant. Technology Coordinator Darin Hostetter credits wireless networking with making deployment far more rapid than it would have been if he'd had to add network switches to already-overburdened wiring closets and perform hundreds of cable runs. However, he says security is a sticking point.

“Wireless is not as easily controlled as wired, where you have one cable going to a machine,” Hostetter says. “Instead, someone 300 feet away from an access point can pick up a signal and hack into the network.”

To prevent unauthorized access to Internet content, all wireless traffic from the Motorola AP 650 802.11n APs is sent through the high school's Motorola RFS6000 WLAN switch to the district's content filter, which sits on the primary wired network.

Hostetter is hoping to soon roll out policy enforcement to the controller as well. “We had to get up and running quickly to support all the new wireless devices, and now we can go deeper with our security plans,” he says. Although the high school has been the primary focus thus far, access points are being installed in all five district buildings. Hostetter says 20 APs will be spread among the unit office, high school, junior high school and two elementary schools.

He also has plans to use the controller's capabilities to segment the wireless network into VLANs so that access and content for teachers, students, staff and guests can be kept separate. “We have teachers from other schools come and present to our faculty,” he says. “It would be great to give them a key that's valid for one day of guest access to the network.”

Tamara Reynolds