Cool school nets test security
Gigabit Ethernet for kindergartners? Wireless LANs for high schoolers?
That's the trend across the nation as K-12 school districts install high-speed and newfangled networks, granting teachers and students access to large private networks and the Internet. Some districts even have connected schools with carrier-speed metropolitan-area networks (MAN) the likes of which could make a Fortune 500 company envious.
But the rise in school networks - helped by grants from federal and state governments and deals with local cable TV and utility companies - has led to security concerns about hackers and virus outbreaks.
"It keeps me awake at night," says Bill Cook, CIO for the Clovis Unified School District near Fresno, Calif., which has 4,000 staff and 32,000 students at 35 sites.
A Cisco PIX firewall guards the Internet access point in and out of the school district's network, which consists of Ethernet LANs in the schools and T-1 lines in between them. But like the corporate world, the Clovis school district last year was hit by the Nimda virus, causing a network brownout.
The school district, which has PCs in every classroom and is striving to ensure that every junior high and high school student has one to work on, is so worried about security that it just hired a company called TruSecure to perform a vulnerability assessment across the system.
"It's to reduce the possibility of hacking," says Cook, who recalled one instance when a hacker hijacked school servers to distribute copyrighted material. "We had inadequate information-security practices in place."
And it's not just outsiders trying to break into school servers and PCs; it's the students.
The Clovis school district is tightening security in several ways on its 10,000-node network. Currently, the schools' 802.11 wireless LANs, mainly from Avaya, let anyone with a wireless access card connect without proper authorization. But in the fall, Clovis will require that the media access control (MAC) address of each Ethernet card, wired or wireless, be registered and attached to a student name. "Our motivation is to get their laptops 'certified,' and our support staff will inventory the software on the machine," Cook says.
In addition, students, parents and school staff have to sign "acceptable-use policy" documents to use the network and Internet. This legal document notes that files, e-mail and other information on the district's equipment are subject to search at any time and that there are no privacy or ownership rights in that information, regardless of having any personal password.
An "A" in infrastructure
At the Exeter School District in Pennsylvania, a deal with the local cable TV provider let the school build a low-cost metropolitan Ethernet network, with T-1 access to the Internet.
"You could consider what we have to be a MAN," says Joe Way, network manager for the schools. Way has connected Exeter's high school, middle and elementary schools with a combination of Cisco 3600 routers and wave division multiplexing (WDM) transceiver gear from Radiant Communications. WDM lets the district run eight 1-gigabit channels over the schools' fiber backbone, providing ample bandwidth for Exeter's 3Com voice-over-IP system and letting it centralize servers and eliminate interbuilding T-1 lines, which cost around $2,000 per month.
With the advanced network come security requirements to keep children safe and protect the schools' resources from hack-savvy kids.
"Kids are smart . . . they could easily [track down] our school's core addresses if they wanted to cause mischief," Way says.
Way uses a mix of security applications: Riverdeep's FoolProof Security software for locking down PC configuration; N2H2 for filtering content from inappropriate Web sites; and Packeteer traffic-shaping software to squeeze bandwidth for MP3 downloads or to drop Internet chat traffic, which is forbidden by the schools' acceptable-use policy.
Way also takes advantage of policy management on 3Com SuperStack III 4400 Layer 4 switches to prevent traffic from student PC labs from touching administrative servers. He also is upgrading his firewalls with Cisco PIX boxes and adding Cisco intrusion-detection software.
Another protection scheme
In Washington state, the local and state government helped Central Valley School District near Spokane build a network to support 11,000 students and 1,500 staff at 23 sites.
The district maintains three T-1 lines, which cost about $6,000 per year but are paid for by the state. T-1s also hook Central Valley to Washington's "K-20 Network" for kindergartners through high school for all 296 school districts, according to George Amend, instructional technology supervisor at Central Valley.
The district's Ethernet-based LANs are getting larger and faster, with two new high schools scheduled to be built by this fall with gigabit-speed connections into each classroom from a fiber-optic backbone. Integration firm Tylite is installing the network with Central Telecom East for about $450,000. The schools also will run their phone system on the network.
With the users at the school district being mainly children, there is a strong need for protection from the uglier side of the Internet, particularly pornography, Amend says.
The federal law known as the Children's Internet Protection Act requires schools to filter for inappropriate content, and the district's local school board establishes a specific policy for the Internet, in this case banning content related to drugs and alcohol, violence and pornography.
The district filters out this kind of content using N2H2's CyberPatrol at its Internet gateway. The school pays N2H2 about $9,000 per year to keep the list of undesired content updated. Central Valley, which has one main Internet access point, uses Symantec's Norton AntiVirus product to filter known viruses. Amend says school district personnel watch the CERT Coordination Center's Web site for security alerts, spreading news by fax about problems.
Like Clovis in California and Exeter in Pennsylvania, Central Valley has an acceptable-use policy that students must sign, though each school may have its own variation.
"You can't go to an auction, play games or pick up your personal e-mail, and there's no chat room online," Amend says.
Inappropriate use can lead to disciplinary action, but the biggest concern is dealing with hackers - especially the district's students. "When we catch them - and it has happened - the student is suspended or dismissed," he says.

Contact Senior Editor Ellen Messmer
Contact Senior Writer Phil Hochmuth
