Securing a Multi-Vendor Cloud Environment at School
Modern Network Segmentation and Access Control
Legacy network design techniques in education often used segmentation of networks at the core switch or even a router to control access between networks of differing security levels. Managing these access lists was time consuming and relatively primitive. One could only enforce the most rudimentary (at best L4 – address and port) traffic rules. This often resulted in allowing access to resources that user groups should not have – especially in shared computer environments.
The early firewalls capable of application awareness (L7) were not fast enough to sit between segments of a LAN – in spite of their capabilities to identify traffic in advanced ways such as by user or by time of day in addition to application used.
Today we have the capability to easily segment traffic between networks using a high speed and inexpensive firewall capable of controlling traffic based on any number of criteria including user, application, time of day and source device type. We can also scan this traffic for malware, apply Intrusion Detection and throttle or guarantee bandwidth. With a cluster of firewall appliances, we can provide very high reliability. It is common practice in education to route traffic between networks of differing security levels through a modern firewall, leaving the switching infrastructure to do what it was designed for – forwarding packets to their destination at "line speed." Some of these devices can even sit in a switch chassis – reducing the space needed and power requirements in the data center.
Network Access Control in a K-12 Environment
With the advent of 1:1 teaching and digital curriculum, the K-12 school has extended the learning environment from the physical campus to anywhere in the world. This presents unique security challenges to any K-12 security administrator. A campus or district Network Access Control system can play a major role in protecting the IT environment. A NAC system, as it is commonly called, serves four primary functions:
- Identification and profiling of the devices that are connected, including device type and operating system.
- Enforcement of IT policies that define what a user can access, with what device type, and when, which makes for a consistent user experience.
- Protection of IT resources via dynamic policy controls that integrate with third party security products.
- Performing advanced and automated endpoint security checks on devices attempting to connect via wired, wireless, and VPN connections.
The boundaries of IT's domain now extend beyond the four walls of an organization. And the goal for many organizations is to provide anytime, anywhere connectivity without sacrificing security. Network Access Control systems can be very valuable in a K-12 environment. These systems authenticate users and apply specific policies to their network access. For example, a NAC policy applied at the point of network access can control which parts of the network the user can reach, what speed the user connects at, at what times access is allowed, and which devices the user may connect with. Network Access Control systems also automate machine scans of outside computers that access the network, and in the event that a device violates known policy it can be disconnected or quarantined while in session.
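To make the policy model above concrete, here is an added illustration (not from the original article or any particular NAC vendor) of how a NAC policy engine combines the authenticated user group, the profiled device type, the time of day and the endpoint posture results into a network assignment, quarantines a device whose checks fail, and denies anything no rule covers; the group names, device types, VLAN names, bandwidth figures and posture checks are assumed sample values.

```python
from dataclasses import dataclass, field

@dataclass
class Endpoint:
    user_group: str      # from authentication: "staff", "student", "guest" (assumed group names)
    device_type: str     # from device profiling: "managed-laptop", "byod-phone", ... (assumed)
    connect_time: str    # zero-padded "HH:MM"; such strings compare correctly as text
    posture: dict = field(default_factory=dict)  # endpoint check results, e.g. {"av_running": True}

@dataclass
class Decision:
    vlan: str
    bandwidth_mbps: int
    reason: str

# Constructed sample policy table: who may connect, with what, when, and what they get.
POLICIES = [
    {"group": "staff",   "devices": {"managed-laptop"},               "window": ("00:00", "23:59"), "vlan": "staff-net",      "bw": 100},
    {"group": "student", "devices": {"managed-laptop", "byod-phone"}, "window": ("07:00", "17:00"), "vlan": "student-net",    "bw": 20},
    {"group": "guest",   "devices": {"byod-phone", "byod-laptop"},    "window": ("07:00", "17:00"), "vlan": "guest-internet", "bw": 5},
]

# Minimum posture every device must show before (and while) it sits on a production segment.
POSTURE_REQUIRED = {"av_running": True, "patched": True}

def posture_ok(ep: Endpoint) -> bool:
    """True only if every required check is present and has the required value."""
    return all(ep.posture.get(check) == wanted for check, wanted in POSTURE_REQUIRED.items())

def decide(ep: Endpoint) -> Decision:
    """Map an endpoint to a network assignment. Calling this again mid-session with fresh
    posture data models in-session enforcement: a device that starts failing its checks
    is moved into the quarantine VLAN regardless of who is logged in."""
    if not posture_ok(ep):
        return Decision("quarantine", 1, "endpoint security check failed")
    for p in POLICIES:
        start, end = p["window"]
        if (ep.user_group == p["group"] and ep.device_type in p["devices"]
                and start <= ep.connect_time <= end):
            return Decision(p["vlan"], p["bw"], f"matched {p['group']} policy")
    # Deny by default: no matching rule means no access, not partial access.
    return Decision("deny", 0, "no matching policy for user/device/time")

def evaluate(user_group: str, device_type: str, connect_time: str, posture: dict) -> Decision:
    """Convenience wrapper so a policy decision can be requested without building an Endpoint."""
    return decide(Endpoint(user_group, device_type, connect_time, dict(posture)))
```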