School Security Strategy—Simplified


Safety is a top priority for schools, and the best way to manage the risk is to address the top IT security issues for 2007-2008, and anticipate concerns on the horizon.

Much like the stock market and gas prices, the world of IT security is always changing. A virus hits, the world responds. Major threats one year become passing threats the next. Vendors in the space are constantly reinventing themselves to provide customers with the latest and greatest methods for stopping the most pernicious threats first. On the K-12 level, where budgets are slim and staffs are slimmer, simply keeping up with all of it is a full-time job.

The key is focusing on the biggest security issues of the day. Here's a rundown of the top four security concerns for the 2007-2008 school year—proxy servers, content filtering, network access control, and identity management—as well as an inside look at some potential safeguards for 2008-2009.

Proxy Servers

In the world of computer networks, proxy servers are servers that handle user requests by forwarding them to other servers. These proxies exist all over the internet, in many cases free of charge. Because so many districts are cracking down on the websites available in their schools, students have discovered they can use proxies to circumvent blockers and access pages that are otherwise off limits. While students check Gmail or ESPN.com, network security devices think nothing is out of the ordinary at all.

This was the problem this past year at the Boerne Independent School District in Boerne, TX, where IT Director Steve Stewart says students were visiting proxy servers as frequently as, if not more frequently than, they were visiting legitimate websites. Once on the proxies, students would fan out to sites with pornography and violent games. Toward the end of last year, the district used software from 8e6 Technologies to supplement another vendor's perimeter filter and block many proxies from the start.

"It's not so much that we view students as threats, but you never know who's going to use the proxy to get on to our network," Stewart says. "Are we censoring what they can and cannot use? Yes. But it's our job to keep the district safe."

The 8e6 technology blocks proxies using signature-based network pattern detection. The Security Edge Platform from another vendor, DeepNines, uses similar Bayesian algorithms to block a list of known proxies. At Highland Park Independent School District in Dallas, technologists have used this software to eliminate what they had termed a "proxy server epidemic" in which students were using the circumventions to access applications they weren't supposed to use.

Many of these applications were innocuous: peer-to-peer programs, instant messaging, and MySpace.com, to name a few. Still, those programs consume critical bandwidth, negatively impacting network performance overall. Ron Smith, administrator of technical services, says that over a six-week period with the new technology, the district blocked more than 2,200 proxy server attempts, saving 926 kilobytes of bandwidth per second and improving network performance by nearly 22 percent.

"Their deep inspection of each port and protocol prevents unwanted behavior even on non-traditional ports," he says. "Since the [technology] is invisible, even the most astute student is unable to locate or harm it."

Content Filtering

With the history of spam, spyware, and e-mail viruses, content filtering certainly is nothing new. Nowadays, however, technologists are finding that they must scan internet traffic to make sure students don't put the district in violation of the Children's Internet Protection Act of 2000. This law stipulates that any school receiving funding support through the E-Rate program must filter content that is obscene, pornographic, or otherwise harmful to minors. Failure to do so could put E-Rate funding at risk.

While software from 8e6 and DeepNines also handles content filtering, technologists at the Rochester Central Unified School District in Rochester, IL, instead have turned to iPrism technology from St. Bernard Software to monitor regular web traffic. This technology is a piece of hardware with software built in. According to Tom Woodruff, the district's director of technology services, all he had to do to set it up was check off which types of content he wanted the appliance to block.

"If we find that a group of users or a single user is going to a particular [non-academic] site constantly, we can say that's a site we don't want and manually set the device to enforce it," he says. "What I like about our filter is that we can change it whenever we want."

At the Kentucky-Tennessee Conference, the administration body for 20 elementary schools and two high schools near the Kentucky-Tennessee border, officials recently implemented the NetSupport School tool from NetSupport to monitor and control which web pages users are visiting when they access the internet with campus equipment. So far, according to Richard Stephenson, IT director and educational resource administrator, the product has worked wonders.

Specifically, at Madison Academy, one of the two high schools with a 1-to-1 laptop initiative, the filters are set to monitor internet activity and prevent students from accessing objectionable content even when they're outside of school. Stephenson says that Madison students are divided into three different tiers based upon performance in class, and that as the students score better on formative assessments, they receive privileges to surf the web more freely.

"Our research has shown that the better students are doing in class, the more we can trust them not to abuse the privilege of unfettered web surfing," says Stephenson, who adds that the school uses Microsoft Active Directory to keep track of which students merit access to what. "With the bad kids, we're trying to train them that with responsible use of the internet comes certain tangible rewards."

Analyzing the Study

June marked the release of the annual CDW-G School Safety Index, a research project benchmarking the current status of public school district safety. Based on 14 elements of physical and cyber safety, the survey of 381 school district IT and security directors highlighted the indicators of strong district safety programs, as well as the barriers to school safety.

Overall, the CDW-G School Safety Index revealed that districts are having greater success with cyber security than physical security. Key findings concluded that:

  • School districts rely too heavily on technical solutions to protect networks and buildings and need to focus more attention on educating students about physical and cyber dangers.
  • Tech-savvy students are putting the district network and themselves at risk by sidestepping IT security procedures through measures like proxy servers.
  • Districts rely heavily on the telephone to communicate with faculty and parents during emergencies.
  • Lack of budget, staff resources and proper security tools limit a district's ability to protect itself.

Bob Kirby, the company's senior director for K-12 education, says the bottom line is that even those schools that perceive themselves to be safe aren't nearly as secure as they could be.

"To a large extent, security is too often in the eye of the beholder," he says. "From a broader perspective, however, the index shows the potential for schools to do more–especially in the areas of safety education and emerging communication technologies."

Case in point: Acceptable Use Policies (AUPs). While nearly every responding district reported having some sort of policy that outlines acceptable use, a whopping 37 percent of districts said they update these AUPs less than once a year. Experts say this apathy renders the policies virtually ineffective; if policies aren't changing to react to security threats over time, some question the point of having them at all.

Another challenge: Cyber security. Here, many responding districts (81 percent) said that they monitor student Internet activity, but only 38 percent reported having a closed district network to provide more control over communication and content access. According to Kirby, with Internet-oriented security threats increasing every day, more and more districts should consider tightening controls to minimize risk and maximize the learning experience for everyone involved.

"Being safe on the Web requires a commitment," he says. "Hopefully a number of these big-name companies will demonstrate that commitment before it's too late."

Network Access Control

Think of network access control (also known as network admission control, or NAC) as the ultimate bouncer. The technology sits at the edge of a network and requires that every device that logs on undergo a thorough investigation to make sure the device complies with the network's security policy. In most cases, the software quarantines non-compliant devices until they comply. For school districts, this can provide an additional level of security that can stop rogue computers from wreaking havoc.

Such is the case at the Williamson Central School District in Williamson, NY. After years of seeing visitors come onto campus and plug right into the network, Network Administrator Kevin O'Dell embarked on an effort this summer to install NAC technology from StillSecure. The product, SafeAccess, requires visitors to download all of the latest anti-virus signatures and Windows updates before allowing them to log on.

"Once they pass inspection, they can do whatever they need to do," O'Dell says of visiting users. "Until that point, we've got them covered, and we don't let them do anything beyond basic internet."

At the Round Rock Independent School District in Round Rock, TX, a similar solution from Mirage Networks saved the district from being crippled by the Sasser worm back in 2004. At the time, the district's anti-virus protection was fairly sophisticated and had blocked the Sasser virus from propagating on in-network computers. And when unknowingly infected visitors tried to log on, the system forced those users to remove the nefarious program before giving them a green light.

Dan Scott, lead systems engineer, looks back on the Sasser experience with a sigh of relief. Considering the district boasts 46 campuses and more than 40,000 students, a single outbreak could have crippled the wide area network (WAN) for weeks. Looking forward, Scott says the Mirage box will enable technologists to continue preventing virus outbreaks, and will cut down on unwanted spyware, keystroke loggers, and other forms of malware, as well.

"Best-case scenario, our visitors are safe before they even get here," he says. "Worst-case scenario, they're not safe, but we make them get safe before they log on."

Identity Management

In the olden days, school districts used printed rosters to manage user identities. Today, the art of identity management is far more complex, with broad-sweeping databases that create a random number for every student, assign each individual user a unique descriptor, and store these identities in a secure location, usually off-site. Because districts are becoming increasingly paperless, identity management has become important to maintain student records. Next, the goal is making sure the data stays private.

Technology gurus at Pascack Valley High School in Hillsdale, NJ, faced this challenge recently when the school deployed the UTM Model CR 1000i from Cyberoam to manage an identity-based security system that allows students to roam around campus and stay connected to the internet. District Network Administrator Willie Pico says that in addition to creating a unique identity for each user, the tool also enables technologists to track traffic by specific user names.

"It provides instant visibility into any student's activity and allows us to make proactive policy changes as needed," says Pico. "Student security policy settings apply wherever they are on campus, providing assurance that no abuse of resources will be permitted."

At the Weber School District in Ogden, UT, technology officials have embraced an identity management solution that incorporates the eDirectory and Identity Manager products from Novell. The solution was designed to integrate identities from a variety of disparate applications, including student registration, financials, human resources, and more. Dave Brooks, the district's director of technology, says that for years employees updated this information manually.

The district now has a consolidated view of 31,000 student and staff identities, based on the latest information from human resources systems. With the help of Novell Identity Manager, the new approach also automatically synchronizes identity information across other applications, eliminating the need for humans to do a computer's work. What's more, each student and staff member now has a single ID and password to manage their identities across the entire campus network.

"We've freed up our IT staff from mundane user management so they can work on innovative projects," Brooks says. "Now we can give students consistent and secure access to the information they need to be successful in school."

Next up: Physical Security

Looking forward, experts say one of the biggest security issues for the 2008-2009 school year will be physical security. This issue, thrust into the nation's collective consciousness after the Virginia Tech massacre, will be the subject of a full-length feature in the November issue of T.H.E. Journal. In general, the topic covers the kinds of security measures you'd see at a major multi-national corporation: biometrics, ID cards, surveillance cameras, and more.

One district that's currently leading in this area is Morgan Hill Unified School District in San Jose, CA. Over the last two years, officials have installed 56 SNC-RZ25 Internet Protocol cameras from Sony in two different high schools. The cameras record up to five days of footage, and have empowered school officials to deter vandals and graffiti artists from defacing school property. Al Solis, director of facilities, says the cameras also have helped nab at least one thief in the act.

"We saw the guy's face, clear as day, on the video," he says, noting that as of August 20, the suspect had not been caught. "Without this technology, we wouldn't have even known where to look."

If anybody knows about physical security in the K-12 environment, it's Ken Trump. As president of Cleveland, OH-based consulting firm National School Safety and Security Services, Trump opines on school safety just about every day. His advice: in choosing physical security tools, districts should go for those that improve the ability to communicate in both everyday and emergency situations so that districts are prepared for anything.

Equally important to Trump is the issue of access control. This discipline includes automatically locking doors, buzzer-camera-intercom systems, and new technologies that scan drivers' licenses and check sexual offender databases upon request. While all of these issues are important, Trump says that administrators will continue to struggle with security policies, and the task of creating a welcoming environment for legitimate users while making sure illegitimate users stay out.

"Security equipment is only as effective as the weakest link in the human chain behind the equipment," he says. "The bottom line is that security technology is only one piece of the puzzle."

-Matt Villano, a writer and editor based in Healdsburg, CA, is a regular contributor to T.H.E. Journal.

This article originally appeared in the 10/01/2007 issue of THE Journal.
