The Five Pillars of Wireless Security
By: Richard Schulte
New technologies, applications and uses have allowed wireless networking to mature throughout the K-12 school community. With this maturity, the management and security of wireless networks have become increasingly complicated. Trying to manage these complexities without a solid strategy and the right tools can create high ongoing costs or, even worse, security risks.
Ongoing operational costs now rank as the top concern of those deploying wireless networks. Schools implementing these networks have also learned that security is not a question of a single password; rather, effective security policies are enforced by multiple components and operate at multiple layers. And the better a school’s security policy, the less likely it is that unplanned security breaches will drive up the cost of ongoing wireless network administration.
So what makes a school’s wireless network secure?
Pillar One: AP Management
The first layer of security starts with the wireless infrastructure. This is manifested by maintaining preferred configuration sets, staying up-to-date with firmware versions, and detecting rogue access points connected to your network.
It sounds unlikely, but the configuration settings of installed access points can often change without the IT administrative staff realizing it. Sites need a method of centrally automating the detection and re-configuration of access points so as to avoid creating security holes.
Since known hardware and firmware flaws are published in public security bulletins, attackers can easily use this information to exploit your wireless infrastructure. Keeping your firmware current will help your school avoid falling victim to known exploits.
With their low costs and abundance, SOHO access points (those available at retail stores) can easily make their way into the private network, creating huge security holes by allowing in anyone within range. Detecting not only the presence but also the location of rogue access points can help IT departments remove these security risks before they are exploited.
Schools without wireless networks may be especially vulnerable to rogue access points – for example, well-meaning teachers may install unsecured wireless access points in the classroom in order to access the Internet or other resources while teaching classes. While the teacher’s intention may be to use the access point for legitimate academic needs, unauthorized users outside the school network can detect and tap into the network, creating an enormous security risk.
In other words, rogue access points in a school without a wireless network may be indicators that the school could benefit from a wireless network because they demonstrate faculty, staff, and students’ genuine need for wireless access.
On the other hand, if a wireless network is already in place, detecting rogue access points may be a subtle way of learning that coverage is weak or non-existent in places, or that admission security is so intense that it deters usability.
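As an added illustration of the first pillar (not code from the article or from Roving Planet), the following Python checks one scan cycle from wireless sensors against a managed-AP inventory: managed APs whose settings differ from the preferred configuration are reported as drift, and unknown radios are graded by whether they advertise the school's SSID or run open. All BSSIDs, SSIDs and sensor names are constructed sample values.

```python
# Added example (not from the article): check one sensor scan cycle against the
# managed-AP inventory for configuration drift and rogue radios. Sample data only.
# Preferred configuration set for each managed access point (constructed).
INVENTORY = {
    "00:11:22:aa:00:01": {"name": "AP-LIB-1", "ssid": "SchoolNet", "security": "WPA2-Enterprise"},
    "00:11:22:aa:00:02": {"name": "AP-GYM-1", "ssid": "SchoolNet", "security": "WPA2-Enterprise"},
}
MANAGED_SSIDS = {"SchoolNet"}

# One scan cycle: (sensor, BSSID) observations as a sensor would report them (constructed).
SAMPLE_SCAN = [
    {"bssid": "00:11:22:aa:00:01", "ssid": "SchoolNet", "security": "WPA2-Enterprise", "sensor": "lib", "rssi": -40},
    {"bssid": "00:11:22:aa:00:02", "ssid": "SchoolNet", "security": "WPA2-Personal", "sensor": "lib", "rssi": -80},
    {"bssid": "00:11:22:aa:00:02", "ssid": "SchoolNet", "security": "WPA2-Personal", "sensor": "gym", "rssi": -45},
    {"bssid": "aa:bb:cc:dd:ee:01", "ssid": "SchoolNet", "security": "open", "sensor": "gym", "rssi": -62},
    {"bssid": "aa:bb:cc:dd:ee:02", "ssid": "linksys", "security": "open", "sensor": "lib", "rssi": -55},
    {"bssid": "aa:bb:cc:dd:ee:03", "ssid": "CoffeeShop", "security": "WPA2-Personal", "sensor": "gym", "rssi": -88},
]

def classify_scan(scan, inventory=INVENTORY, managed_ssids=MANAGED_SSIDS):
    """Return {bssid: finding}. Managed APs that match their preferred
    configuration produce no finding."""
    # Keep the strongest observation per BSSID: the sensor that heard it best
    # is a rough location estimate for whoever is sent to remove a rogue.
    strongest = {}
    for obs in scan:
        cur = strongest.get(obs["bssid"])
        if cur is None or obs["rssi"] > cur["rssi"]:
            strongest[obs["bssid"]] = obs
    findings = {}
    for bssid, obs in strongest.items():
        expected = inventory.get(bssid)
        if expected:
            drift = {k: (expected[k], obs[k]) for k in ("ssid", "security") if expected[k] != obs[k]}
            if drift:   # settings changed without the administrators knowing
                findings[bssid] = {"kind": "config_drift", "ap": expected["name"], "drift": drift, "near": obs["sensor"]}
            continue
        if obs["ssid"] in managed_ssids:
            kind = "rogue_spoofing_ssid"   # unknown radio advertising the school's SSID
        elif obs["security"] == "open":
            kind = "rogue_open"            # typical of a SOHO AP plugged into a classroom jack
        else:
            kind = "unknown"               # probably a neighbour; confirm it is not on the wired side
        findings[bssid] = {"kind": kind, "ssid": obs["ssid"], "near": obs["sensor"], "rssi": obs["rssi"]}
    return findings

if __name__ == "__main__":
    for bssid, finding in classify_scan(SAMPLE_SCAN).items():
        print(bssid, finding)
```

An "unknown" radio becomes a confirmed rogue only when its MAC or a client behind it is also seen on a wired switch port, which this scan-side check cannot see.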
Pillar Two: User-Based Security
Security by means of MAC (media access control) address filtering and static WEP (Wired Equivalent Privacy) keys is weak and outdated. Schools need to look at how they can manage users, not devices. However, for many organizations this becomes difficult, as there may be a variety of users that require different authentication types.
Having the ability to centrally manage all types of authentication can keep overall management costs down and protect the integrity of those entering the network. Authentication types include the IEEE 802.1X standard, a captive Web portal, and the Windows login request, ideally each combined with the MAC address of the device (which verifies that the user is accessing the network from the expected device).
Schools must decide which authentication methods are appropriate for which users and enforce network access controls based on the type of user and type of authentication used. For example, most faculty and staff members’ laptops, as well as students’ machines, can take advantage of the 802.1X standard widely available on enterprise-class access points. This, in turn, can encrypt session traffic using WPA or WPA2, the successors to WEP, giving the option of allowing some users access to a large number of internal services in addition to general Internet access.
For other types of users, or for devices that do not support 802.1X, alternatives will need to suffice. For example, faculty and staff using devices that do not support 802.1X, such as certain PDAs, can take advantage of captive portals that authenticate through a Web login. Since these sessions are not encrypted, traffic to data-sensitive applications should be barred.
Even with the security concerns of wireless networks, guest access has become increasingly popular due to the ease of connectivity and speed at which students and employees can access information and complete transactions. Adding guests, however, is not a binary decision – it’s not a question of everyone getting access or no one getting access.
This is because guest users can include a variety of user types, including visiting students, parents, educational consultants, visiting faculty, sports reporters and many others, each with different authentication and authorization needs. Creating a guest access policy should take these considerations into account, and the technology must support the school’s decisions.
The emphasis on user-based security policies does not imply that device-type security should be dismissed altogether. As with the infrastructure, the endpoint devices must be kept up to date against threats such as viruses, Trojan horses, and worms that can enter and corrupt the network. Discovering these vulnerabilities and quarantining these endpoints, with steps towards remediation, will reduce these risks. An automated method of doing this will reduce the IT staff’s involvement and overall management costs.
Even with authentication and access right policies, and scan-and-block technologies to protect endpoint devices, intrusion detection is necessary to warn IT administration when holes in security policies allow any type of malicious access to the network. While a general intrusion detection product can help, some issues are specific to the wireless network, such as port scans (users detecting your wireless network and probing it for exploitable services) or dictionary attacks (repeated login attempts against LEAP or other 802.1X authentication methods, or against Web portal logins).
Pillar Three: Network Monitoring
If intrusions are detected, how will you be notified? Often, discovering questionable network behavior requires correlating multiple data points, and a central management system capable of correlation will uncover network behavior in a manner that manual correlation cannot.
Unless a trouble ticket is generated, most administrators do not have enough time in the day to match the authentication information in RADIUS logs to the device information on each access point and then to the bandwidth information on switches and routers. However, that is precisely what many administrators do in the case of a trouble ticket to determine what may have happened to cause the behavior witnessed by an end user. Centralized, correlated alerting and logging can assist problem discovery and reduce problem resolution times.
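The correlation this pillar describes, as an added example that is not part of the article and not Roving Planet's software: the Python below joins the RADIUS authentication record, the access point's association record and the switch's per-IP byte counts into one per-device view, then raises the two alerts a central console would. Every log line, username, MAC address and IP address is constructed, the log formats are invented for the example, and the bandwidth threshold is an assumed value.

```python
# Added example (not from the article): correlate constructed RADIUS, access-point
# and switch records into one per-device view and raise the alerts a console would.
import re

RADIUS_LOG = """\
2024-03-04T09:01:12 Access-Accept user=jsmith mac=a4:5e:60:11:22:33 nas=AP-LIB-1
2024-03-04T09:02:40 Access-Accept user=tjones mac=c0:ff:ee:00:00:07 nas=AP-GYM-1
"""
AP_LOG = """\
2024-03-04T09:01:13 AP-LIB-1 assoc mac=a4:5e:60:11:22:33 ip=10.20.3.45
2024-03-04T09:02:41 AP-GYM-1 assoc mac=c0:ff:ee:00:00:07 ip=10.20.4.10
2024-03-04T09:03:10 AP-LIB-1 assoc mac=b8:27:eb:44:55:66 ip=10.20.3.77
"""
SWITCH_LOG = """\
2024-03-04T09:05:00 flow src=10.20.3.45 bytes=52000000
2024-03-04T09:05:00 flow src=10.20.4.10 bytes=900000000
2024-03-04T09:05:00 flow src=10.20.3.77 bytes=4000000
"""
BANDWIDTH_THRESHOLD = 500_000_000   # bytes per interval worth a look (assumed value)

def kv(line):
    """Pull the key=value tokens out of one log line."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def correlate(radius_log, ap_log, switch_log):
    """Return (sessions keyed by device MAC, list of alert strings)."""
    # 1. RADIUS: which identity each device authenticated as.
    user_by_mac = {}
    for line in radius_log.splitlines():
        f = kv(line)
        if "Access-Accept" in line:
            user_by_mac[f["mac"]] = f["user"]
    # 2. Access points: which IP each device received, and on which AP.
    mac_by_ip, ap_by_mac = {}, {}
    for line in ap_log.splitlines():
        f = kv(line)
        mac_by_ip[f["ip"]] = f["mac"]
        ap_by_mac[f["mac"]] = line.split()[1]
    # 3. Switch: bytes per source IP, joined back to the device, AP and user.
    sessions = {}
    for line in switch_log.splitlines():
        f = kv(line)
        mac = mac_by_ip.get(f["src"])      # None if no AP ever saw this IP
        s = sessions.setdefault(mac, {"user": user_by_mac.get(mac), "ap": ap_by_mac.get(mac),
                                      "ip": f["src"], "bytes": 0})
        s["bytes"] += int(f["bytes"])
    alerts = []
    for mac, s in sessions.items():
        if s["user"] is None:   # traffic from a device that never passed authentication
            alerts.append(f"unauthenticated traffic from {mac} ({s['ip']}) on {s['ap']}")
        if s["bytes"] >= BANDWIDTH_THRESHOLD:
            alerts.append(f"{s['user'] or mac} moved {s['bytes']} bytes on {s['ap']}")
    return sessions, alerts
```

Running `correlate(RADIUS_LOG, AP_LOG, SWITCH_LOG)` on the sample data flags the device that associated to AP-LIB-1 without a RADIUS Access-Accept and the user whose traffic exceeds the threshold; the same three joins are what an administrator otherwise performs by hand for a trouble ticket.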
Pillar Four: Metrics and Reporting
Once the network is running and security policies are enforced, schools need a way to measure the usefulness of the wireless investment. Most administrators have only anecdotal information and no real evidence to demonstrate the productivity gains generated by the addition of the wireless network or applications added to a wireless network.
Prior to the installation of a wireless network, a school should understand the criteria for success and have robust reporting tools to generate the success metrics, be it how often users log onto the system, the number of devices, or time spent on the network. Not only can metrics be used to understand the success of the infrastructure or applications, but understanding bandwidth used by specific applications or devices may also influence capacity planning as a deployment moves forward.
Pillar Five: Performance Management
With security concerns addressed, and good visibility into how the network is used, the last step is to ensure a quality of service to the priority users and applications on the network. Not all users or applications are the same; bandwidth is a shared resource on each access point. Using a priority-based system, and not a fixed or hard-segmented system, will ensure bandwidth is reserved for the right users or uses at the right time.
Central management of not just infrastructure, but also user-based security policies and performance management, in addition to network monitoring and reporting, will lower overall management costs and provide metrics for ROI and capacity planning.
A central framework for this will offer schools the ability to layer security implementations while offering the appropriate security method to the different types of users and devices on the network.
Richard Schulte is the chief executive officer and president of Roving Planet, www.rovingplanet.com, which provides policy-driven network management and control solutions for K-12 schools.