School CIO: How to Fix Your Bleeding Heart

5/30/2014 7:00:00 PM

Keeping Your Network Secure

In the wake of Heartbleed, the bug in the widely used OpenSSL library that encrypts and secures thousands of well-known Web sites, all of us have potentially had many of our passwords compromised. So whether we have school IT security staff or not, there are steps districts of all sizes can take to keep their networks safer. Tech & Learning’s Christine Weiser spoke with Drew Lane, currently serving as director of technology for Derby Public Schools and soon to be serving as executive manager for the Shawnee Mission School District, KS, and Steve Young, Chief Technology Officer for Judson ISD in Texas, to ask for their tips. Here are highlights from the conversations.

Set up a separate guest wireless network and do not allow these devices on your main network.

Most schools can set up a guest network that allows users to access only the Internet, but not any internal resources. There are also some products, such as Aruba’s ClearPass, that allow network managers to perform authentications and configurations that can provide temporary credentials for users to allow access to approved additional resources using the guest network.

Do not allow users to install software on district computers, but consider safe exceptions.

Most districts choose not to authorize users to install complex or potentially hazardous software on their devices. However, in an app-based world, districts may want to offer some customization on this limitation. For example, JAMF offers the ability to control what Mac users can and cannot install on their devices. Chromebooks offer Google Apps domain administrators the ability to configure access to authorized Web apps with those devices. The Windows world is a little trickier, but products like Kaseya can help network managers provide remote script execution. Another option is to use a product like Citrix, which allows users to stream authorized apps from a data center without overtaxing bandwidth or requiring traditional installation.

Consider a network access control solution to secure wired network ports.

Network access control on wired ports is a good idea. However, if you take this control to the next level for your wireless network, you need an IT team that has the skill set to manage this control. Our district implements layers of control. When devices are plugged into our wired ports, those devices, depending on their trust level, have access only to the Internet. Products like Brocade and Aruba’s ClearPass offer the ability to authenticate authorized devices to access additional school resources safely. Cisco also offers similar NAC devices.

Consider internal firewalls for high-value servers with critical data or at least find a way to restrict network access to these servers.

Installing internal firewalls is a good idea, and again the district has to decide what data must live securely behind a firewall and who will have access to those critical data. There are products, such as PaloAlto firewall, that allow districts some flexibility by allowing the network administrator to monitor traffic and shape data as well as determine what can be accessed by authorized users. For example, if you are a campus with multiple buildings on the same WAN, a firewall from PaloAlto allows the administrator to customize the access and shape traffic for each building.

Keep servers and security appliances up to date and patched.

This is another important security step, but also comes with a “gotcha”: before patching that firmware, ask, why was it released? What does it address? Our district has had instances when we installed a patch that then introduced a bug that came with a whole different set of problems. When possible, implement all updates and patches on test hardware before rolling out to the entire network.

Endpoint antivirus and malware security is still critical, but don’t count on these tools as your only line of defense.

Today’s malware and viruses have switched from destruction to theft. These intruders are now less interested in destroying data and more interested in harvesting data to use to their advantage. For example, a ransomware virus encrypts your data and you can only retrieve that data by paying for a code. This is where an incremental backup of data can be crucial. If a district or user has incremental backups over time, there’s a better chance that unencrypted data can be retrieved from a recent backup. But prior to recovering that data, the client device should be completely sanitized to prevent the recovered data from simply being re-infected. If data security personnel are available, it’s also a good idea to conduct an investigation to see if the source of the ransomware can be determined.
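The incremental-backup point above, as an added example that is not from the article or either district: a POSIX shell script that keeps rotating point-in-time snapshots with rsync's --link-dest option. Unchanged files are hard links to the previous snapshot, so a file that was overwritten with ciphertext today still exists in plaintext in yesterday's snapshot. It assumes rsync is installed on the backup host and that the source path is reachable from it; the timestamp naming, the 14-snapshot default retention and the `versions` helper are choices made for this example.

```shell
#!/bin/sh
# Added example, not from the article: rotating snapshots with rsync --link-dest.
# Each run copies only the files that changed; unchanged files become hard links
# to the previous snapshot, so keeping many snapshots costs little more than one
# full copy, and a file encrypted today leaves yesterday's plaintext copy intact.
# Run this on the backup host and PULL from the client (ssh or a read-only
# share), so nothing running on the client can write to the snapshot tree.
set -eu

# make_snapshot SRC DEST [STAMP]
# Copies SRC into DEST/STAMP, linking unchanged files against DEST/latest,
# then repoints DEST/latest at the new snapshot. Prints the snapshot path.
make_snapshot() {
  src="$1"; dest="$2"; stamp="${3:-$(date +%Y%m%d-%H%M%S)}"
  mkdir -p "$dest"
  new="$dest/$stamp"
  # --link-dest must be absolute: a relative DIR is taken relative to the
  # destination directory, not to the current directory.
  link="$(cd "$dest" && pwd)/latest"
  if [ -d "$link" ]; then
    rsync -a --delete --link-dest="$link" "$src/" "$new/"
  else
    rsync -a "$src/" "$new/"
  fi
  rm -f "$dest/latest"
  ln -s "$stamp" "$dest/latest"   # relative link, so the tree can be moved
  printf '%s\n' "$new"
}

# count_snapshots DEST: number of snapshot directories (the link excluded).
count_snapshots() {
  ls -1 "$1" | grep -vc '^latest$' || true
}

# prune_snapshots DEST KEEP: delete all but the newest KEEP snapshots.
# Timestamp names sort lexically, so `sort` puts the oldest first.
prune_snapshots() {
  dest="$1"; keep="$2"
  total=$(count_snapshots "$dest")
  drop=$((total - keep))
  [ "$drop" -gt 0 ] || return 0
  ls -1 "$dest" | grep -v '^latest$' | sort | head -n "$drop" | while read -r old; do
    rm -rf "$dest/$old"
  done
}

# versions DEST RELPATH: checksum of RELPATH in every snapshot, oldest first.
# The last snapshot whose checksum differs from today's is the one to restore.
versions() {
  dest="$1"; rel="$2"
  for s in $(ls -1 "$dest" | grep -v '^latest$' | sort); do
    if [ -f "$dest/$s/$rel" ]; then
      printf '%s %s\n' "$s" "$(cksum < "$dest/$s/$rel" | cut -d' ' -f1)"
    fi
  done
}

# Usage: sh snapshots.sh SRC DEST [KEEP]   (KEEP defaults to 14 snapshots)
if [ $# -ge 2 ]; then
  make_snapshot "$1" "$2"
  prune_snapshots "$2" "${3:-14}"
fi
```

Schedule the script from cron on the backup host, never from the client, and keep the retention long enough to span the time an infection can go unnoticed; a snapshot that only reaches back one day is of little use if the encryption started a week ago.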

Install firewalls, spam filters, and Web filters.

Many of these solutions are converging into next-generation combined products, but most of these can offer a range of services, including scanning for bad Web sites, phishing links, viruses, malware and more. The only caution: you need to be careful with products that put all of your security eggs into one basket. When you start looking to one appliance to do multiple tasks or services, you will need a backup plan if something goes wrong. What happens if that device dies? Ideally, a district will have hardware redundancy in place, but few can afford a complete backup system. As an enterprise, you need to decide what services your district can and cannot live without. Next, you should focus your backup plan on those systems deemed most important. This will save redundancy costs and keep those vital network components running, even if it is at a smaller capacity. For example, we focus on our DNS service. If our main service goes down, we know that a virtual server can’t process the DNS as quickly, but it can still process some.

Restrict ICMP traffic at the firewall to limit hackers’ ability to scan your network.

ICMP traffic is a must-have for network troubleshooting. However, this is also an area of high vulnerability if not managed by a knowledgeable IT expert. ICMP can quickly turn what should be good traffic into a weapon without expert management.
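The balance this tip describes, keep the ICMP the network needs and deny the rest, can be written down as a firewall policy. The script below is an added example, not from the article or either district; it targets Linux nftables at a perimeter host and goes a little beyond the tip by covering ICMPv6 as well, since IPv6 neighbour discovery is ICMP and a blanket block takes IPv6 down. The inet table name, the 10-per-second echo-request limit and the output file name are choices made for this example; the script only writes the ruleset for review and never loads it.

```shell
#!/bin/sh
# Added example, not from the article: an nftables policy that keeps the ICMP
# messages troubleshooting and correct TCP behaviour depend on, rate-limits
# echo-request, and drops (and counts) everything else. The script writes the
# ruleset to a file for review; load it with `nft -f FILE` after merging your
# own service rules. Rate limit and file name are choices made for this example.
set -eu

RULES_FILE="${RULES_FILE:-./icmp-policy.nft}"

# Print the ruleset. ICMP is handled in its own chain so the rest of the
# firewall policy (ssh, dns, web, ...) stays separate and readable.
icmp_ruleset() {
  cat <<'EOF'
#!/usr/sbin/nft -f
flush ruleset

table inet filter {
  chain icmp_policy {
    # Error reporting: without these, path-MTU discovery fails and
    # connections through a smaller-MTU link hang instead of adapting.
    icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
    icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

    # Neighbour and router discovery are ICMPv6; dropping them disables IPv6.
    icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert } accept

    # ping still works for staff troubleshooting, but sweeps are throttled.
    icmp type echo-request limit rate 10/second accept
    icmpv6 type echo-request limit rate 10/second accept

    # Redirects, timestamp and address-mask requests and anything else are
    # dropped; the counter makes probing visible in `nft list ruleset`.
    counter drop
  }

  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    # Echo replies to our own pings are tracked as established; ICMP errors
    # about our own connections arrive as related.
    ct state established,related accept
    ct state invalid drop
    # A blanket "meta l4proto { icmp, icmpv6 } drop" here would break the
    # cases above; send ICMP through the policy chain instead.
    meta l4proto { icmp, icmpv6 } jump icmp_policy
    # Service rules go here, e.g. tcp dport 22 accept for management hosts.
  }
}
EOF
}

# Sanity check meant to run before `nft -f`: every ICMP type a working network
# needs must be accepted, and none of the types we mean to drop may be.
# Comment lines are ignored so wording in comments cannot mask a mistake.
ruleset_keeps_required_types() {
  rules=$(icmp_ruleset | grep -v '^[[:space:]]*#')
  for t in destination-unreachable time-exceeded parameter-problem packet-too-big echo-request; do
    printf '%s\n' "$rules" | grep -q "$t.*accept" \
      || { echo "required ICMP type not accepted: $t" >&2; return 1; }
  done
  for t in redirect timestamp-request address-mask-request; do
    if printf '%s\n' "$rules" | grep -q "$t.*accept"; then
      echo "ICMP type should not be accepted: $t" >&2; return 1
    fi
  done
  return 0
}

# Write the ruleset to RULES_FILE after the sanity check; writes nothing and
# returns 1 if the check fails.
write_ruleset() {
  ruleset_keeps_required_types || return 1
  icmp_ruleset > "$RULES_FILE"
  printf 'wrote %s; review it, then load with: nft -f %s\n' "$RULES_FILE" "$RULES_FILE"
}

# Usage: sh icmp-policy.sh write
if [ "${1:-}" = "write" ]; then
  write_ruleset
fi
```

The counter on the final drop is the detection hook: a count that climbs steadily on the WAN interface while nothing is being troubleshot is the scanning activity the tip warns about, and `nft list ruleset` shows it without any extra tooling.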

People are the key to overall safety.

Yes, there are many tools out there to keep your network safe. But the best investment a school district can make is in the people who know how these tools work. As a manager who is responsible for my district’s network safety, I don’t know how to keep us 100% safe, but I know the importance of having staff who DO know how to keep the network safe. If you can’t hire full-time staff, negotiate with third-party vendors to outsource those skills. Also, when you can afford to do it, have a disinterested third party do “penetration testing” on your network and assess your weaknesses. Reliable vendors like CDWG can help your district find reputable consultants to help with this.

In summary, when you are building a network for today’s environment, you want to first consider your wireless network as your primary network. Build your capacity there for coverage, density, and bandwidth. Your wired network becomes the “workhorse” responsible for carrying all the traffic generated by your wireless network to/from data closets and ingress/egress points from your enterprise. While still important, wireless networks now make wired networks a secondary point of connectivity for endpoint devices. Follow these steps, and sleep a bit better at night.
