Flipping the Switch on Mobile Security

• By Bridget McCrea
• 08/11/09

East Grand Rapids Public Schools in Michigan has taken a novel approach to mobile computing, one that has required a novel approach to wireless security. The district encourages students to bring their own devices to school and use them in their classes.

"We felt that if a student could learn better working in front of a computer," said Jeff Crawford, manager of networking and security for East Grand Rapids Public Schools, "that he or she should be able to maximize that learning tool."

Of course, any time you allow students to use their own devices, you introduce "all sorts of variables" (such as computer viruses, for example) into the classroom setting, said Crawford. Originally, he said a school IT representative would sit down with every student for about 30 minutes to look at the device or laptop, set it up on the school's network, and discuss the security concerns and measures.

"During the following three years, we had 30 students go through that process, and only 17 kids actually used their laptops in class," said Crawford. "It was underwhelming, to say the least." Knowing there had to be a better way to get more students using equipment that they were already familiar with (i.e., their own computers), Crawford set out to find a more viable way to promote and, hopefully, expand the program.

Crawford started looking for a solution to provide network access control (NAC), a computer network security approach that unifies endpoint security technology (such as antivirus, host intrusion prevention, and vulnerability assessment), user or system authentication, and network security enforcement. His early options included large vendors like Cisco Systems and Juniper Networks, both of which were hawking "entire solutions" that included wireless access points, controllers, switches, and the like.

Crawford wasn't interested. "Not only are they expensive, but these vendors lock you into a solution," he explained. "I'm a big believer in open standards and open source options, and I don't like anyone telling me what's best for me. If I purchase a solution, it has to rely on open standards and be able to 'play well' with everyone else."

That's where Avenda came in. Avenda is the developer of a "network policy solution for securing wireless and wired access solutions for any operating system." After an unexpected meeting with the vendor at a trade show, Crawford came up with a plan for integrating the Avenda's solution for the 2,800-student East Grand Rapids School District, which comprises three elementary schools, one middle school, and one high school. Known as eTIPS, Avenda's 5000 Series NAC platform is a network access security suite that features guest access and provisioning, RADIUS authentication, 802.1X support, and endpoint device detection and management.

The system, which was installed in two days, integrates with the district's existing Cisco wireless solution. Students, teachers, parents, guest speakers, and other authorized individuals log into the system with a user name and password to gain free access to the wireless Internet from their laptops and mobile devices.

Originally intended for use at the middle school level, the solution has since been expanded to the district's high school. Crawford said guest speakers and other visitors to the campus find the option especially useful in that it allows them to get connected by setting up an account and obtaining a password. "They can connect just like they would at a hotel," he added.

Crawford said the automated system has cut down on the time it once took to initiate a student on the use of wireless access. It has also boosted usage numbers significantly. "We didn't even advertise the new solution, and we already have 226 students using it," said Crawford. "We basically just flipped the switch, and the news spread."

Even more importantly, Crawford could now quickly see exactly who is using the school's wireless system and whether their individual computer firewalls were intact and operating. "We can observe who is getting onto our network and ensure that they're not doing what they shouldn't be doing," he explained.

Up next, said Crawford, will be a push to secure the school's "wired" Internet access system. "Right now we're consolidating all of the equipment we have that requires access to create a sort of one-stop IT security shop," stated Crawford, who said he looks forward to a time in the near future when he no longer has to change a password in 100 different places just because someone "leaked" the secret word to the wrong person. "Next time around, it will be just one password change at a single source."