School CIO: How to Fix Your Bleeding Heart
Keeping Your Network Secure
In the wake of Heartbleed, the bug in the widely used Open SSL used to encrypt and secure thousands of well-known Web sites, all of us have potentially had many of our passwords compromised. So whether we have school IT security staff or not, there are steps districts of all sizes can take to keep their networks safer. Tech & Learning’s Christine Weiser spoke with Drew Lane, currently serving as director of technology for Derby Public Schools and soon to be serving as executive manager for the Shawnee Mission School District, KS, and Steve Young, Chief Technology Officer for Judson ISD in Texas, to ask for their tips. Here are highlights from the conversations.
Set up a separate guest wireless network and do not allow these devices on your main network.
Most schools can set up a guest network that allows users to access only the Internet, but not any internal resources. There are also some products, such as Aruba’s ClearPass, that allow network managers to perform authentications and configurations that can provide temporary credentials for users to allow access to approved additional resources using the guest network.
Do not allow users to install software on district computers, but consider safe exceptions.
Most districts choose not to authorize users to install complex or potentially hazardous software on their devices. However, in an app-based world, districts may want to offer some customization on this limitation. For example, JAMF offers the ability to control what Mac users can and cannot install on their devices. Chromebooks offers Google Apps domain administrators the ability to configure access to authorized Web apps with those devices. The Windows world is a little trickier, but products like Kaseya can help network managers provide remote script execution. Another option is to use a product like Citrix, which allows users to stream authorized apps from a data center without overtaxing bandwidth or requiring traditional installation.
Consider a network access control solution to secure wired network ports.
Tech & Learning Newsletter
Tools and ideas to transform education. Sign up below.
Network access control on wired ports is a good idea. However, if you take this control to the next level for your wireless network, you need an IT team that has the skill set to manage this control. Our district implements layers of control. When devices are plugged into our wired ports, those devices, depending on their trust level, have access only to the Internet. Products like Brocade and Aruba’s ClearPass offer the ability to authenticate authorized devices to access additional school resources safely. Cisco also offers similar NAC devices.
Consider internal firewalls for high-value servers with critical data or at least find a way to restrict network access to these servers.
Installing internal firewalls is a good idea, and again the district has to decide what data must live securely behind a firewall and who will have access to those critical data. There are products, such as PaloAlto firewall, that allow districts some flexibility by allowing the network administrator to monitor traffic and shape data as well as determine what can be accessed by authorized users. For example, if you are a campus with multiple buildings on the same WAN, a firewall from PaloAlto allows the administrator to customize the access and shape traffic for each building.
Keep servers and security appliances up to date and patched.
This is another important security step, but also comes with a “gotcha”: before patching that firmware, ask, why was it released? What does it address? Our district has had instances when we installed a patch that then introduced a bug that came with a whole different set of problems. When possible, implement all updates and patches on test hardware before rolling out to the entire network.
Endpoint antivirus and malware security is still critical, but don’t count on these tools as your only line of defense.
Today’s malware and viruses have switched from destruction theft. These intruders are now less interested in destroying data and more interested in harvesting data to use to their advantage. For example, a ransomware virus encrypts your data and you can only retrieve that data by paying for a code. This is where an incremental backup of data can be crucial. If a district or user has incremental backups over time, there’s a better chance that unencrypted data can be retrieved from a recent backup. But prior to recovering that data, the client device should be completely sanitized to prevent the recovered data from simply being re-infected. If data security personnel are available, it’s also a good idea to conduct an investigation to see if the source of the ransomware can be determined.
Install firewalls, spam filters, and Web filters.
Many of these solutions are converging into next-generation combined products, but most of these can offer a range of services, including scanning for bad Web sites, phishing links, viruses, malware and more. The only caution: you need to be careful with products that put all of your security eggs into one basket. When you start looking to one appliance to do multiple tasks or services, you will need a backup plan if something goes wrong. What happens if that device dies? Ideally, a district will have hardware redundancy in place, but few can afford a complete backup system. As an enterprise, you need to decide what services your district can and cannot live without. Next, you should focus your backup plan on those systems deemed most important. This will save redundancy costs and keep those vital network components running, even if it is at a smaller capacity. For example, we focus on our DNS service. If our main service goes down, we know that a virtual server can’t process the DNS as quickly, but it can still process some.
Restrict ICMP traffic at the firewall to limit hackers’ ability to scan your network.
ICMP traffic is a must-have for network troubleshooting. However, this is also an area of high vulnerability if not managed by a knowledgeable IT expert. ICMP can quickly turn what should be good traffic into a weapon without expert management.
People are the key to overall safety.
Yes, there are many tools out there to keep your network safe. But the best investment a school district can make is in the people who know how these tools work. As a manager who is responsible for my district’s network safety, I don’t know how to keep us 100% safe, but I know the importance of having staff who DO know how to keep the network safe. If you can’t hire full-time staff, negotiate with third-party vendors to outsource those skills. Also, when you can afford to do it, have a disinterested third party do “penetration testing” on your network and assess your weaknesses. Reliable vendors like CDWG can help your district find reputable consultants to help with this.
In summary, when you are building a network for today’s environment, you want to first consider your wireless network as your primary network. Build your capacity there for coverage, density, and bandwidth. Your wired network becomes the “workhorse” responsible for carrying all the traffic generated by your wireless network’s to/from data closets and ingress/egress points from your enterprise. While still important, wireless networks now make wired networks a secondary point of connectivity for endpoint devices. Follow these steps, and sleep a bit better at night.