Obama alma mater gets an education in 'net security

Punahou School in Honolulu has moved into the networking vanguard since presidential candidate Barack Obama graduated from the K-12 school in 1979.

The private school's 45 buildings are now connected via a fiber backbone and point-to-point laser system for short-range wireless communications, with Cisco switches and a voice-over-IP system for 500 phones, all installed in just the last two years. The 76-acre campus also is Wi-Fi enabled.

Except for the very youngest of Punahou's 3,700 students, most attending the school have a laptop assigned to them at the start of the school year, and are given strict instructions that it's intended for academic purposes, not fun and games.

"We have an acceptable-use policy and students have to sign it, and sometimes parents do, too," says David Parrish, chief architect of the IT network at Punahou. (Yes, if Barack Obama were in high school there now, he'd have to sign it, too, to use the school computer and network.)

Punahou recently installed Secure Computing's Secure Web appliance for Web and malware filtering, which blocks access to Internet porn and Web sites known to host malicious software. The school also decided to ban social-networking sites, such as Facebook, because the school administration wants to keep students focused on education.

"When I was in school, kids would pass notes," Parrish says. The modern equivalent, he says, is students contacting each other via the Internet or text messaging. While Punahou students are allowed to carry cell phones and personal devices, they cannot use them in the classroom.

In addition, Punahou has established a security policy based on 802.1X wireless authentication for laptops used by both students and faculty, setting up role-based access to the Internet using Microsoft Active Directory.

The school deployed Cisco's Security Monitoring Analysis and Response System (Cisco MARS) appliance to monitor the campus network to detect possible attacks, suspicious behavior or unauthorized application use.

"It's very good at getting a handle on what’s going on in your network," Parrish says. However, the MARS approach to mitigating problems -- which often is to shut down ports automatically -- isn't always the best approach for the school, he says.

For example, many incidents MARS picks up involve teachers trying to plug in a device or do things on the network that could have been better resolved with a phone call or visit to straighten things out, Parrish says. Still, MARS has caught kids breaking the rules by running applications like the peer-to-peer BitTorrent or attempting other downloading hijinks.

To keep tabs on what students do with the laptops they've been given, the school uses management software from LANDesk. IT staff can inspect laptops to find out if unauthorized applications, such as games and iTunes, have been installed contrary to the school's wishes.

"We don't want these games to be used on the laptops," Parrish says. Students who violate acceptable-use policies could get sent to the school's IT "outpost," a computer-support room where machines are re-imaged and game programs removed.