BYOD, networks and security in a school environment

Following a recent conversation with a non-technical school principal about BYOD (bring your own device), networking options and security, she asked us to put some notes together and post them so that those with responsibility could better understand the issues involved. Hence we have put this blog post together. BYOD is a great idea, and in particular for schools. The idea that a student can bring an iPad pre-loaded with the books and materials needed for school is a massive improvement on the historic BC (before computers) practice of growing and felling trees to print books that eventually bend the spines of school-going children. This drive toward BYOD in both business and education is only going in one direction, forward, and those that decide for whatever reason not to embrace it are simply going to be left behind in time. But embracing BYOD in education is not just about getting iPads for students. There are a myriad of issues that need to be addressed, not least wireless infrastructure and security, each of which leads to a significant investment, termed the TCO (Total Cost of Ownership) of such a solution, and that can be a very hefty price in a multi-storey school with lots of steel and concrete to contend with. To make a simple analogy: think about the average upstairs/downstairs home with the family wireless router alongside the telephone, normally tucked away in a corner of the living room or, if you are better prepared or just lucky, in the hallway, which may be more central. There is little doubt that the wireless reception in the rooms furthest from that router will be much degraded as distance and the building's structure increasingly become factors. The other issue is digital management of the BYOD device and the content that the student accesses on it, and by extension the potential for material other than educational content being introduced to the school's wireless network.
This is where the school has to contend with content management and network security, including segregation of networks for students, teachers and administrative staff. At this point the 'bucks' element is probably emerging in the reader's mind, and rightly so, because any attempt to do this on the cheap or to cut corners on the networking infrastructure and security will leave a school exposed to a digital mess that will linger in the wings and eventually bite you once your system has become mission critical; at that moment the cost of a solution and the implications of downtime while it is solved are a real mess. So the solution is to get it right up front with the necessary expertise, solution and investment. That sounds a bit idealistic, but there is no doubt that the more complete the solution is before being rolled out, the better for everyone. The good news is that many schools have already created such systems and are running them on a daily basis, so there are templates in place that should give any school a good steer on how to design and implement such a system. One of the first considerations is to decide what types of devices will run on the network, how they will connect, and what types of applications will be facilitated on them. Will phones and tablets be allowed? How about desktop computers? Is the school running any servers for centralised data access? Is the school allowing external access to its system for staff and parents? Straight away the school has to consider a wired network, a wireless network, the devices that will run on it, the applications that will run on the devices, the role of the user using each device, and the bandwidth allocation for individual users or roles. In a school with hundreds of students and staff, peak usage is akin to a busy hotel or a medium-sized business.
However, the school has the distinct disadvantage that it is not generating business revenue and so has to be very careful in its capital outlay. One issue that is very important to the school is the availability of alternatives to heavyweight mesh solutions that are all things to all people and come with a price tag to match. The TCO for one school, after an initial outlay and a couple of years of maintenance retainer, exceeds €20k, and even for that there are deficiencies in what is running, in particular in the area of security. In fact it is surprising how often vendors offering all manner of applications and infrastructure solutions install and configure their wares in a manner that can leave the school open to all kinds of trouble, while the non- or quasi-technical resource within the school, who is not an IT specialist, or a teacher with a background and comfort level in the area, is either completely unaware of such issues or has some knowledge but bends to the fiscal demands of a hard-pressed administration that is trying to do the very best for its staff and students. There are cost-effective ways to do mesh if that is the road a school is going down, but it invariably requires someone with the knowledge to configure, manage and maintain systems such as Ubiquiti, to give one example. Security is equally important and again requires someone with a knowledge of the issues and solutions to keep things running properly. For instance, the majority of schools using a popular online application that allows staff and parents to interact with personal data through the internet were for the most part found to be configured with no SSL (Secure Sockets Layer) in place, meaning that all data entered or retrieved, including usernames, passwords and personal data, was travelling between device and school data store in clear text without any encryption. Yikes!
This is annoying to interested observers and people with a technical background visiting schools for safety talks etc., because we know that installing a certificate (which we understand is freely available to schools from HEAnet) is not the biggest deal in the world. And yet these schools are treading water in a pool labelled data protection and are blessed that no one has complained or made a query to the data controller, normally the principal. Another instance found in some schools is the use of MAC (media access control) address filtering as the sole security measure on a wireless network. The address itself is assigned to each digital device and used for identification in a network environment. However, the idea of using this address as a security mechanism through which a particular device is allowed access to a network is flawed, since it is possible to alter that address to match another device that has already connected to the network. Another solution is to use captive portals (a web page that a new user on a network is presented with, requiring a number or password that is usually circulated by staff to students or visitors connecting), but they suffer a similar issue to the MAC address example and can usually be circumvented very easily. Both of the previous examples make for messy networking at one level, and a complete security failure at another. The premise in these cases is that the network administrator does not want to use a passphrase (WPA or WPA2 security; hopefully NOT WEP), which can be a headache if large numbers of users forget the password and it is either simplified to the degree that it is useless, ubiquitous to the extent that it is the product code on the rear of every computer screen in the building, or complex to the degree that it is written on a post-it note found in the top drawer of each staff member's desk, or in the school bag of each student in the school.
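To make the "no SSL in place" point above concrete, here is an added example (not the author's code, and not from any real school product) that audits how a portal's login page is served: plain HTTP with no redirect to HTTPS, no HSTS header, a form posting to an http:// URL, and a session cookie without the Secure flag are each reported as a finding. The hostname `portal.example` and all responses are constructed samples.

```python
"""Offline audit of a login page's transport security (added example)."""
from dataclasses import dataclass, field
from urllib.parse import urlparse

REDIRECTS = {301, 302, 307, 308}


@dataclass
class Response:
    url: str                                     # URL that was requested
    status: int
    headers: dict = field(default_factory=dict)  # name -> value; Set-Cookie -> list of cookies
    body: str = ""


def audit_login_page(resp):
    """Return a list of findings; an empty list means credentials cannot leave in clear text."""
    findings = []
    hdrs = {k.lower(): v for k, v in resp.headers.items()}
    body = resp.body.lower()
    if urlparse(resp.url).scheme == "http":
        # A plain-HTTP request should be answered with a redirect to the https:// page, nothing more.
        if not (resp.status in REDIRECTS and hdrs.get("location", "").startswith("https://")):
            findings.append("plain HTTP request is not redirected to HTTPS")
        if "<form" in body:
            findings.append("login form delivered over clear text")
    elif "strict-transport-security" not in hdrs:
        findings.append("HTTPS page lacks Strict-Transport-Security, browsers are not told to stay on HTTPS")
    if 'action="http://' in body:
        findings.append("form posts credentials to an http:// URL")
    for cookie in hdrs.get("set-cookie", []):
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            findings.append(f"cookie {cookie.split('=')[0]} can be sent over HTTP (no Secure flag)")
    return findings


# Constructed samples: how an unconfigured portal answers, and how a correctly configured one should.
UNCONFIGURED = Response("http://portal.example/login", 200,
                        {"Set-Cookie": ["SESSID=abc123; Path=/"]},
                        '<form method="post" action="http://portal.example/login">...</form>')
FIXED_HTTP = Response("http://portal.example/login", 301,
                      {"Location": "https://portal.example/login"})
FIXED_HTTPS = Response("https://portal.example/login", 200,
                       {"Strict-Transport-Security": "max-age=31536000",
                        "Set-Cookie": ["SESSID=abc123; Path=/; Secure; HttpOnly"]},
                       '<form method="post" action="https://portal.example/login">...</form>')

if __name__ == "__main__":
    for name, resp in (("unconfigured", UNCONFIGURED), ("fixed http", FIXED_HTTP), ("fixed https", FIXED_HTTPS)):
        print(name, "->", audit_login_page(resp) or "OK")
```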
So the admin decides not to use a passphrase: what can possibly go wrong? Straight away it is obvious that all data travelling on the network itself is passing in clear text, except where the web server to which the device is browsing is using HTTPS (HTTP over the secure sockets layer), in which case all data exchanged is encrypted. Next, it is difficult to stop an unauthorised user from connecting to the network. And then comes another problem: since the school wireless network is OPEN (without security), it potentially exposes each and every connecting device and its user to very simple yet powerful security flaws that originate outside the school environment. Here are two actual scenarios that inadvertently arose during our live demonstrations and that highlight issues around trusting technology and leaving WiFi switched on etc. Can I respectfully suggest that if you are responsible for a school network (network admin or principal) or are the owner of it (school board) then you really need to understand the point being put forward in the following real-world examples. Scenario #1: in a demonstration involving a few hundred students seated in a school gymnasium, it became apparent that staff members seated at the rear of the venue and entering exam results into the school system had inadvertently connected to the demonstration network. This occurred because functionality in the demo software detected their devices and the (open, no security, MAC address filtering only) school network to which they were attached and implemented a very simple routine that resulted in them connecting seamlessly to the demo network and uploading their results to the school through it. Scenario #2: the school switched off its WiFi router and students were then asked to check their wireless devices, which at that moment were in their bags or pockets. On doing so they discovered that they were connected to the school's WiFi, even though the school's actual WiFi was powered off.
They had in fact connected to the demonstration network. Any school not implementing WiFi security can suffer the consequences of scenario one above, and any user of that system can suffer the consequences of scenario two. Where a school was using the popular online solution mentioned earlier that does not implement SSL, not only could we see the marks being uploaded, but we could very simply either alter them or, worse, completely take over the teacher's connection to the school admin system and interact freely with any school application that they have access to. And so we began this piece talking about BYOD and the possibility of using mesh or static WiFi solutions, the idea of using in-house educational knowledge as against consultants and solution providers, the total cost of ownership, the small matter of releasing personal data and credentials onto the internet without encryption, and some issues that can result from not implementing adequate security systems in school networks. To the very progressive education lady who challenged me to put my musings and meanderings in print, my promise is fulfilled. pmk
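The passphrase discussion and the two scenarios above suggest two checks a school can run itself; the following is an added example (not the author's code) showing them in working form. It audits the school's own access-point inventory for open or WEP networks and for open networks relying on MAC filtering alone, and compares a wireless site survey against that inventory so that a radio advertising the school's SSID that the school does not own, which is how the devices in both scenarios ended up on the demonstration network, is reported. The SSIDs, BSSIDs and survey rows are constructed samples.

```python
"""Wireless inventory and site-survey audit (added example)."""

# Constructed inventory of the school's own access points, keyed by BSSID.
INVENTORY = {
    "00:11:22:33:44:01": {"ssid": "SchoolWiFi", "security": "WPA2", "mac_filter": False},
    "00:11:22:33:44:02": {"ssid": "SchoolWiFi", "security": "OPEN", "mac_filter": True},
    "00:11:22:33:44:09": {"ssid": "StaffLegacy", "security": "WEP", "mac_filter": False},
}

# Constructed site survey: (ssid, bssid, security) tuples as a scanner would report them.
SURVEY = [
    ("SchoolWiFi", "00:11:22:33:44:01", "WPA2"),
    ("SchoolWiFi", "00:11:22:33:44:02", "OPEN"),
    ("SchoolWiFi", "de:ad:be:ef:00:01", "OPEN"),   # same name, a radio the school does not own
    ("StaffLegacy", "00:11:22:33:44:09", "WEP"),
]


def audit_inventory(inventory):
    """Flag access points whose configuration leaves traffic readable or joining unauthenticated."""
    findings = []
    for bssid, ap in inventory.items():
        if ap["security"] == "OPEN":
            what = "open network"
            if ap["mac_filter"]:
                what += " relying on MAC filtering only (addresses can be altered)"
            findings.append(f"{ap['ssid']} {bssid}: {what}, all traffic is clear text")
        elif ap["security"] == "WEP":
            findings.append(f"{ap['ssid']} {bssid}: WEP is broken, use WPA2 with a passphrase")
    return findings


def find_rogue_radios(survey, inventory):
    """Return survey entries that advertise one of the school's SSIDs from a BSSID not in the inventory."""
    school_ssids = {ap["ssid"] for ap in inventory.values()}
    known = {bssid.lower() for bssid in inventory}
    return [(ssid, bssid, sec) for ssid, bssid, sec in survey
            if ssid in school_ssids and bssid.lower() not in known]


if __name__ == "__main__":
    for line in audit_inventory(INVENTORY):
        print("CONFIG:", line)
    for ssid, bssid, sec in find_rogue_radios(SURVEY, INVENTORY):
        print(f"ROGUE : {ssid} advertised by {bssid} ({sec}), not in inventory")
```

Running the survey check periodically, for example from a laptop walked around the building, turns scenario #2 from a surprise into a log entry.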