How To Secure A School Network

Transcription

1 Introduction Hello everyone. Today we re going to take a look at network security in light of the changing face of a school Network. History of network security As recently as five or six years ago, most networks were definite entities with clear and distinct boundaries, that would look something like this; Conceded, this is a very basic model, and you may have used all manner of other variations. However, it demonstrates how most stations are managed or in other words, they are joined to the domain and the network management team control user permissions, program sets, the software that was installed upon them, which printers they could use and pretty much everything else. Network security meant making sure a firewall was in place, using a suitable anti-virus solution and controlling users to connect to and use the network with logon credentials, passwords and permissions. How network usage is changing As modern technologies have exploded onto the scene in the 21 st Century, the boundaries of a classic network have become blurred. The existing managed set up has been joined by all manner of devices and solutions, many of which are not necessarily joined to the domain. 1

2 As you can see, it s very different. Access is no longer limited to desk-based users. People want to connect from home to work more flexible hours. Users will want to use their own personal devices such as PDAs, smartphones and netbooks at school. Printers can now connect wirelessly and VOIP telephony is being adopted as a smart way to improve communications and reduce costs. A recent survey conducted by RM quizzed secondary school network managers on their expected usage of mobile devices in the next two years, and the positive feedback was surprisingly high. With this new breed of network, it is not advisable to rely solely on existing controls to keep your network safe and secure, because there are more risks to consider: Antivirus software is often down to personal choice Users control and manage their own devices, and can install any software Users may not realise if their devices are at risk, or infected Downloading of illegal or pirated content by users through the school connection may result in disconnection by the ISP Wireless connections are much more common, and need to be extra secure External Data Storage devices are difficult to monitor and keep track of Personal devices can be a distraction from work Remote access to your network infinitely increases the attack vector. 2

3 Wouldn t it be easier to simply refuse access for anything that s not directly managed by you? Appealing as this sounds, a dynamic network is now well established and here to stay. Empowering your users to connect to your network has a lot of benefits, including: Personal devices help to keep costs low, as users pay for and maintain their own hardware and software. This is particularly important, in light of the recent constraints on funding for education Denial of access will result in dissatisfied users who are more likely to complain Modern technology has resulted in some fantastic learning tools put an ipad in front of a student with a media project to see for yourself Remote access encourages staff and students to work outside of school hours, increasing productivity. Devices What can we do about these risks? Can we eradicate all of them to help keep a safe environment? In theory, yes we can. However, it s all about compromise more control often means more overhead in both cost and effort, and finding a happy medium between security of your network and convenience for your users is unique to your school. This session will go through some practical tips to help you find the right balance and implement any measures you feel are appropriate. Let s start by examining a managed device, which is joined to your network as part of the domain. Users log on to the domain with credentials such as a username and password. Schools make much heavier use of roaming profiles than business environments, as many users are not tied down to only one computer. The Active Directory (AD) is used to organise computers and users into groups, and policies are used to mandate what a user can and cannot do on the machine he is using. All in all, there is a lot of control and this remains a secure solution. Not all devices, though, can be joined to the domain easily. What solutions exist for different types of unmanaged devices? Unmanaged netbooks Most home netbooks run on a Home edition of the Windows operating system. The main difference between these and other editions of Windows is that they do not have the capacity to authenticate against the domain, meaning a user cannot join their device to the network. If a user has a Professional OS edition, it s best to join them to the domain wherever possible, and make them a managed machine. However, for Home operating systems and Guests, there are a number of ways to facilitate access: 3

4 Connection without authentication Connecting the device either wired or wirelessly, without authentication against the domain, would provide Internet access, as well as shared resources. The main drawbacks of this solution are: Access to resources such as the Internet, shared folders or printers would mean regular prompts to the user to authenticate, though this can be eased somewhat with Windows 7 credential manager Someone could join your network and easily access your Internet connection by simply plugging a network cable into their computer, or through an unsecure wireless connection. 1. Putting your Guest WLAN on a separate VLAN will help to keep traffic from unmanaged devices separate from your core network, but may restrict access to shared resources. 2. Secure your wireless network, and issue out a password from reception for guests. Change it regularly to avoid users reconnecting at a later date without further authorisation. RM Connector for CC3 and CC4 RM Connector software facilitates Home operating systems authenticating against the domain, using a server and client side installation. This allows registered users to connect with their normal logon credentials, and gain access to shared areas, printers and the Internet It is also configurable to Block, Warn or Ignore if virus definitions and/or Windows Security Updates are out of date It is easily installable on the device by the user, who downloads the software from a website hosted locally on the school server RM Connector provides an Acceptable Usage Policy screen, which users have to accept before they can connect. This means they are presented with the school s policy on network usage and have to confirm acceptance before proceeding RM Connector Service Release 1 was released earlier this year, so Windows Vista and Windows 7 (32 & 64-bit) are now supported RM Connector automatically relinquishes proxy settings upon disconnection from the school network, meaning your user s connection will continue to work at home automatically CC4 Store Our new network for small schools - uses RM Connector Technology, and includes all of the features above. If you support a small school in your local area, you may want more information on this innovative new product. CC4 Anywhere CC4 Anywhere allows users to access the school network by logging on to a Citrix XenApp Remote Desktop Server and accessing their profile from there. 4

5 External access is forced through the Citrix Access Gateway (CAG), to ensure a secure connection. VLANs can be used to force any unmanaged device to access the connection via the CAG. CC4 Anywhere can also be used to connect almost any device that has an Internet connection. I m not going to harp on any more about these RM products that I m sure you ve all seen and heard of before, except to say that they are designed with unmanaged devices in mind and are therefore natural candidates to help you manage your network more easily. Software A personal netbook user is most likely to be a local admin on the machine, and has sufficient permissions to install and uninstall any software he chooses. He may choose to install applications, which aren t appropriate for use within school hours, or an application that may pose a threat, such as malware. If the software relies on an Internet connection, however, its usage can be controlled by denying access via proxy settings. This means the software will continue to work at home, but is inhibited within the confines of the school network. Examples of where you may want to consider doing this are Facebook, Spotify, certain websites, instant messaging software and others. Of course, some schools find these apps useful, so it s really down to the preference of your Senior Management Team. Other considerations include whether or not you want users to have access to their phone s camera and other peripherals, whilst connected to the network. Local admins, of course, have permission to change any configuration settings you may have set up for them. The best way to discourage this is to have a minimum criteria, so that any breach in rules results in the connection being broken and access becomes restricted. A good example of this would be using a proxy. If the user doesn t have the correct proxy settings configured on their machine, they will not be able to access the Internet, but can still access shared areas and printers. Client antivirus Your user may not be using your preferred antivirus solution, which isn t necessarily a big deal in itself, provided he does have a suitable alternative and his virus definitions and Windows Security Updates are valid. RMVP5.1 s Find Unmanaged Computers and Unmanaged Detector features can scan the network and alert you when a computer logs on that doesn t have the RM offering of Symantec Endpoint Protection 11 on it. Once identified, the user could then be provided with a copy of the Home Use software to install on their machine locally, which is covered by the free RMVP5.1 home use licensing. Smartphones & PDAs Many users now have Smartphones and PDAs, which are a great example of a device that can be used whilst carrying. Unlike laptops, which whilst mobile, tend to be used in between 5

6 journeys, the Smartphone is accessible on the go. Working on a variety of mobile operating systems, they achieve much the same goal. Many users take advantage of the Mail-Sync features in their phones, among others, but are often reluctant to do so on their 3G connection, which can be slow and at times eat into their data usage allowance. Other applications can also help increase productivity and facilitate learning, so facilitating access to the network is a win-win situation. Mobile antivirus From a security viewpoint, antivirus software is rarely found on mobile devices such as smartphones, though it seems that a shift in opinion is happening, with many experts now recommending mobile anti virus software as critical. Generic mobile antivirus products are available. Symantec, Kaspersky and F-Secure are just some of the development companies who have created products to fill this niche, but of course they all come at a price and most of them are only available for Windows Mobile or Symbian OS. The debate still rages on about whether or not certain phones such as the Android, Blackberry or iphone could benefit from some type of antivirus software. Many experts agree that it s just a matter of time before hackers and malicious users discover ways to infiltrate these systems and cause havoc, which is undoubtedly why many popular computer antivirus creators such as Symantec and Kaspersky have jumped in with both feet to the mobile antivirus market. The truth is this: as smartphones become a more necessary part of our daily lives, there will always be people out there who are bent on destruction, creating malware and trying to disrupt the chain of communication. Microsoft Exchange ActiveSync A lot of smartphones have the capacity to interact with Microsoft Exchange ActiveSync, which is an integral feature in Exchange 2010, with no additional licences needed. Using Exchange ActiveSync, mobile users can access , voice mail, rights-protected messages, and instant message conversations on their smartphones. As a network manager, you can choose to limit which device models are authorised and remote-wipe the device if a security breach occurs. Policy support and allow/block/quarantine lists, including exceptions down to the individual user level, come as standard. Realising that mobile access is becoming an industry standard, in all enterprises, including schools, most mobile phone manufacturers now offer ways to easily configure their models to be used with ActiveSync. ios ios 4 devices include the iphone, ipad and ipod Touch families. A recent poll conducted by the tech firm Westcoastcloud found that one in ten children under the age of ten now own an iphone, while one in 20 owns an ipad. ios does not feature any added security software. Because the iphone does not share apps, the risk of spreading a virus from phone to phone is very low. However, there have been a few reports indicating a breech in iphone s security system, especially when those phones have been altered or changed in some way. This 6

7 can cause the iphone to download and run unauthorised software, including many spyware programs, which can slow your system down and may even lead to identity theft. Meanwhile, you can use Apple s Configuration Utility to create a downloadable app, which your users can then install on their ios device to automatically prepare their machines for connection to the network. DEMO OF APPLE iphone CONFIGURATION UTILITY Demo_Wireless_Config_iOS.mobileconfig We ll just concentrate on some of the more popular settings, as the utility is pretty comprehensive, and in true Apple style, very intuitive; General Passcode Restrictions WiFi Exchange ActiveSync Credentials certificates can be used, if IIS is configured to accept it Mobile Device Management Advanced. Once you re happy with your app settings, test it on a single device before exporting the file and sharing it with your users. You could host it on a website, along with a set of download instructions. This app will not stop an iphone from contracting a virus or malware outside of your school network, but it will ensure that your existing controls, such as an Internet proxy and network antivirus solutions, have the opportunity to catch any threats it presents to the network. The added benefit is that it automates a lot of configuration that your users may otherwise rely on you for, such as setting up synchronisation for , calendars and contacts, and will inevitably save you time. With ios 5 recently released, there may be some additional things to think about, such as whether use of icloud and/or wireless sync could/should be disabled by policy. This may prevent data from being stored on cloud-based or local devices that aren t part of the school network, though I m not convinced this would be much of a concern from a school s viewpoint; certainly not for most users. Blackberry According to the people who make the Blackberry smartphone, additional security is not necessary due to their on-board security, but many experts are quick to disagree and insist that it is just a matter of time before the popularity of the Blackberry model makes it a target 7

8 for a virus attack. Nevertheless, Blackberry holds firm to their security statement, saying simply: The BlackBerry solution focuses on containing malicious programs. The BlackBerry software and core applications are digitally signed to ensure integrity and control access to the Application Programming Interfaces (APIs). Thus, the core BlackBerry smartphone functionality can t be directly accessed by other applications. Android Unlike many smartphones which are Windows or Symbian-based, the Android runs on a platform akin to Linux. Naturally, this means there are fewer virus attacks with the Android, mainly because most of the harmful programs are written to attack Windows-based programs, because that s what the majority of people use. However this does not mean that the Android is completely immune to the threat of attack. To date, except for a few isolated incidents, the Android ranks very high in terms of security - at least when measured against Windows Mobile and Symbian-based phones. Natively, Android phones can t connect through a proxy server, which may frustrate users who want to use the Internet via the school s wireless network. However, there are some free apps available that have been developed by users who found themselves far too frustrated with the lack of access. Having not tested any of these out myself, I d be reluctant to recommend any. However, simply Googling Android Proxy will result in a number of forum hits that share opinions on which ones are the best. Please be aware that most of these apps require rooting of your Android phone, which invalidates any support you may have had with the vendor or manufacturer, so it s up to the phone s owner as to whether they value network access over the warranty of their device. Android are aware of the issue, but to date no fix has been announced. Windows Phone Windows Mobile has some really nifty features for users who want to access network resources. Now there's no need to know your CAS server URL - all you need is your address/password, and Windows Mobile will use the Exchange auto-discover service to automatically provision your device for push /calendar/tasks/security. This makes it less likely for you to have to support your users in setting up their Exchange settings on their personal device. The nicest thing, however, about the Windows Mobile, from a network manager s perspective, is that v6.1 and above can join the domain by authenticating against the domain using the Domain Enroll feature and System Center Mobile Device Manager. This facilitates management of security, applications and settings through Active Directory-based policies. It s a way of managing this otherwise unmanaged device and it s a free download from the Microsoft website! Of course, it really depends on how many of your users have Windows Mobile 6.1+ as to how useful this tool is to you. 8

9 Symbian The Symbian OS is maintained by Nokia. Some estimates indicate that the cumulative number of mobile devices shipped with the Symbian OS up to the end of Q is 385 million! That s a lot of users. However, on February , Nokia announced that it would migrate away from Symbian to Windows Phone 7. Motorola, Samsung, LG, and Sony Ericsson have also made known their pending withdrawal from Symbian in favour of alternative platforms including Google's Android, Microsoft Windows Phone, and Samsung's bada, meaning the future lifespan of Symbian is in question. Symbian OS has been subject to a variety of viruses, the best known of which is Cabir. When a phone is infected with Cabir, the message "Caribe" is displayed on the phone's display every time the phone is turned on. The worm then attempts to spread to other phones in the area using wireless Bluetooth, signals. It is believed to be harmless, except that it results in a shortened battery life on the phone due to constant scanning for other Bluetooth enabled devices. Either way, it successfully highlights the potential threat to mobile devices. So far, none of the known pieces of Symbian malware have taken advantage of any flaws in the Symbian OS. Instead, they have all asked the user whether they would like to install the software, with somewhat prominent warnings that it can't be trusted. Other known hostile programs do require user input to run, so education is the key to preventing any outbreaks. Symbian OS 9.x devices can be hacked to remove the platform security introduced in OS 9.1 onwards, allowing users to execute unsigned code. This allows altering system files and access to previously locked areas of the OS. The hack was criticised by Nokia for potentially increasing the threat posed by mobile viruses as unsigned code can be executed. Data storage The last type of device that we need to investigate, in the changing face of a modern network, is a data storage device. This could be an SD card, a USB flash drive or external hard drive, and pretty much any device that is used for storing data, which isn t directly managed by you. Staff and contractors within any organisation, including schools, are responsible for data security and the protection of personal and sensitive data under the Data Protection Act The Information Commissioner s Office (ICO) provides a set of recommendations, based upon the legal requirements set by UK law. Failure to comply with these recommendations is taken very seriously and may lead to substantial monetary penalties. Examples where the Data Protection Act has been breached In April of this year, a UK school was found in breach of the Data Protection Act after the theft of an unencrypted laptop from a teacher s car. The laptop contained personal information relating to 90 pupils at the school. Whilst not excusing the theft, the sensitive data should not have been on the laptop and the data should have been 9

10 encrypted. The laptop should also have been stored in a secure place overnight. The school were unaware of the need to encrypt portable and mobile storage devices, though they did have a policy stating that laptops should not be kept in cars whilst away from the school premises. In November 2010 an unencrypted laptop was stolen from the home of a subcontracted employee to the Legal Services Commission. The individual was fined 60k. In February 2011, two unencrypted laptops were stolen from the home of a Council employee. This individual was undertaking a subcontracted role for a nearby Local Authority at the time, and both agencies were fined 80k and 70k, respectively. With wide deployments of flash drives being used in various environments (secured or otherwise), the issue of data and information security remains of the utmost importance. The use of biometrics and encryption is becoming the norm with the need for increased security for data. On The Fly Encryption (OTFE) systems are particularly useful in this regard, as they can transparently encrypt large amounts of data. Many USB flash drives are now available with encryption. Encryption Whilst most if not all of you in this room will know the importance of data security, your staff may not and it is vital to decide upon a strategy, educate them and then issue guidelines on what is and is not acceptable. Make network shares password protected and/or encrypted as appropriate. Encryption is becoming increasingly used to prevent access to any sensitive or protected data that may exist on a device or in an electronic communication. First and foremost, strict guidelines on where personal data can and can t be stored is the first line of defence and should remain as such. Two main types of encryption exist; Storage encryption Both the storage device, and the data that exists on it, are encrypted in their own right Encrypted laptops Encrypted USB flash drives Data encryption The data is encrypted at a granular level Encrypted files and documents Encrypted s It is possible to use both types of encryption in parallel, for example a file that is already encrypted can be stored on a hard-drive, which is also encrypted. DESlock DESlock is our offering for encryption. Having worked alongside DESlock since 2009, we now sell DESlock+ Pro, with hard disk encryption fully supported by RM. 10

11 TrueCrypt TrueCrypt is a piece of open source software that is already used in many schools. It can create a virtual encrypted disk within a file or encrypt a partition or sometimes the entire storage device. However, it like other data storage solutions is not infallible, and has been criticised for a number of issues, some of which are listed below. TrueCrypt volumes are recognisable, though not with 100% certainty. Suspecting TrueCrypt encryption may make the data more desirable, if not more accessible. Passwords are stored in the memory. TrueCrypt stores its keys in RAM; on an ordinary personal computer the DRAM will maintain its contents for several seconds after power is cut (or longer if the temperature is lowered). Even if there is some degradation in the memory contents, various algorithms can intelligently recover the keys. This method, known as a cold boot attack (which would apply in particular to a notebook computer obtained while in power-on, suspended, or screen-locked mode), has been successfully used to attack a file system protected by TrueCrypt. TrueCrypt documentation states that it can not secure data on a computer that has any kind of malware installed. Some kinds of malware are designed to log keystrokes, including typed passwords, that may then be sent to the attacker over the Internet or saved to an unencrypted local drive from which the attacker might be able to read it later, when he or she gains physical access to the computer. In some cases a Secure USB Drive may use a hardware-based encryption mechanism that uses a hardware module instead of software for strongly encrypting data. BitLocker BitLocker Drive Encryption is a full disk encryption feature included with the Ultimate and Enterprise editions of Windows Vista and Windows 7 desktop operating systems, as well as the Windows Server 2008 and Windows Server 2008 R2 server platforms. However, it only works if you have a Trusted Platform Module (TPM); a special microchip in some newer computers with advanced security features. The latest version of Bitlocker, included in Windows 7 and Windows Server 2008 R2, adds the ability to encrypt removable drives. BitLocker does not contain an intentionally built-in backdoor; there is no way for law enforcement to have a guaranteed passage to the data on the user's drives that is provided by Microsoft. The lack of any backdoor has been a concern to the UK Home Office, which tried entering into talks with Microsoft to get one introduced, though Microsoft developer Niels Ferguson and other Microsoft spokesmen state that they have not granted the wish to have one added. Nevertheless, in February 2008, a group of security researchers published details of a so called "cold boot attack" that allows a Bitlocker-protected machine to be compromised by booting the machine off removable media, such as a USB drive, into another operating system, then dumping the contents of pre-boot memory. The attack relies on the fact that DRAM retains information for up to several minutes (or even longer if cooled) after power has been removed. This is very similar to the aforementioned attack on data encrypted by TrueCrypt. 11

12 BitLocker also doesn t prevent against data being taken off the live machine that hosts the storage drive. If someone is able to gain access to the data server, they can take the data unencrypted there and then. Pretty Good Privacy (PGP) PGP encryption is another piece of software, currently distributed by Symantec, but with many variants available as freeware, that uses a serial combination of hashing, data compression, symmetric-key cryptography, and public-key cryptography for datacommunication or s. Each step uses one of several supported algorithms. Each public key is bound to a user name and/or an address. Interestingly, in 1993 PGP s founder, Phil Zimmerman, found himself on the wrong side of a criminal investigation after PGP encryption found its way outside of the USA, shortly after its release. US export regulations considered cryptosystems using keys larger than 40 bits as munitions, and not owning a munitions license, he was suspected of dealing in nonexportable weapons! After several years, the investigation of Zimmermann was closed without filing criminal charges against him or anyone else. To prove a point, he published the source code in a hardback book, which developers could then scan in using OCR technology and build upon. Whilst trading in the software itself was illegal, distribution of books was protected by the US Constitution s First Amendment, pertaining to freedom of speech. Thankfully, PGP encryption no longer meets the definition of a non-exportable weapon. There is no known method which will allow a person or group to break PGP encryption by cryptographic or computational means. Current versions are recommended as earlier editions have been found to have theoretical vulnerabilities. Evidence suggests that as of 2007, British police investigators are unable to break PGP, so instead have resorted to using RIPA legislation to demand the passwords/keys. In November 2009 a British citizen was convicted under RIPA legislation and jailed for 9 months for refusing to provide police investigators with encryption keys to PGP-encrypted files. All in all, it s a pretty good tool. Encryption summary The overall message, then, is that encryption is better than nothing, but like most security solutions, it has its limitations. There is no replacement for users being careful with where you store data, how you transport data and having a lockable cabinet! Portable storage control Portable storage control means restricting what can and can t be achieved using removable media, such as preventing executables from running, or making contents read only. Custom template One method for establishing portable storage control involves creating a custom administrative template that contains a group policy template, which provides access to a setting that can be used to disable a USB port. Instructions and code for creating this 12

13 template can be found on the Microsoft website. If you're too intimidated to create a custom administrative template, you can download a template copy from a variety of websites. RM Tutor 5 Another useful, but underused tool, can be found in RM Tutor 5 powered by NetSupport for Community Connect. Predominantly used by teachers, RM Tutor has a number of features to help control usage on client machines, as required; Media blocking facility for all removable media. Teachers can choose to make media types read only and/or prevent executable files from being run. Internet blocking uses black and white lists to restrict which websites can be accessed by users. RM Tutor Encryption Utility can be used to protect against access from nonauthorised clients, who may have got hold of the Tutor client software (see TEC in the RM Support Knowledge Library. Tech Console, designed specifically for network managers (Tutor 5 on CC4 only): 1. View all managed computers across the campus, monitor computer screens in each classroom, generate a full hardware and software inventory from each PC, remotely manage services and processes, deliver files to all selected computers in a single action and much more. 2. This tool is particularly useful, not only to offer remote support, but if you are concerned about a particular user or group of users you can monitor their usage, without them realising. This may sound quite big-brother, and in all honesty it is. Imagine, though, how useful this would be when trying to deal with an instance of cyber-bullying or known attempts to bypass the school s proxy. Disabling AutoRun Another option you may like to try is disabling the AutoRun facility on portable media. Many virus files use autorun.inf to begin executing and infecting your computer. This spreads itself across the computer by making the multiple copies of the autorun.inf and.exe files on every drive of the computer, and potentially the network. Any portable media used thereafter may then be re-infected, ready to be spread onto other machines. Viruses could connect to a malicious website and install a key logger on your PC, which would seek to steal all sorts of sensitive information. Conficker and Stuxnet both make use of this vulnerability. Please note that disabling AutoRun may inconvenience your users, and as with any new introduction, it s always best to test it on a sample of machines first! Microsoft has already issued an update, which disables AutoRun on USB devices only for Windows XP, Windows Vista and Windows Server 2003 and 2008 operating systems. As it is not a security update, it would not automatically be made available through WSUS on CC4, though it could be manually packaged up and distributed across the network. To disable the AutoRun feature on other removable media, or for Windows 7, firstly, check the Microsoft knowledge article for KB967715, to make sure you ve installed the relevant updates to fix a known bug that prevents you from disabling AutoRun; 13

14 DEMO Windows Server 2008, (Windows 7?) or Windows Vista Use either of the following methods: 1. Click Start 2. Type gpedit.msc in the Start Search box, and then press Enter. 3. If you are prompted for an administrator password or for confirmation, type the password, or click Allow. 4. Under Computer Configuration, expand Administrative Templates, expand Windows Components, and then click AutoPlay Policies. Then either Or 1. In the Details pane, double-click Turn off Autoplay. 2. Click Enabled, and then select All drives in the Turn off Autoplay box to disable Autorun on all drives. 3. Restart the computer. 1. In the Details pane, double-click Default Behavior for AutoRun. 2. Click Enabled, and then select Do not execute any autorun commands in the Default Autorun behavior box to disable Autorun on all drives. 3. Restart the computer. DEMO Windows Server 2003, Windows XP Professional 4. Click Start, click Run, type Gpedit.msc in the Open box, and then click OK. 5. Under Computer Configuration, expand Administrative Templates, and then click System. 6. In the Settings pane, right-click Turn off Autoplay, and then click Properties. 7. Click Enabled, and then select All drives in the Turn off Autoplay box to disable AutoRun on all drives. 8. Click OK to close the Turn off Autoplay Properties dialog box. 9. Restart the computer. Infrastructure There are many solutions that can be placed within or alongside your core infrastructure to implement generic security measures. Some we know and love, and have been in use for a number of years. However, different technologies pose different threats, and many solutions aren t designed to cope with the vulnerabilities present in this day and age. Usually, a combination of solutions is needed. Commonly used solutions are; Authentication As well as traditional methods, such as username and password logon credentials, twofactor authentication methods such as smart cards, USB & software tokens and biometrics are becoming increasingly used in enterprise to facilitate remote access. Biometrics is the 14

15 preferred option for schools, as tokens or cards that use algorithms tend to be very costly. Fingerprint recognition is often used with cashless catering systems and libraries. Usable by children as young as three years old, it is a simple and effective way of preventing fraudulent use of many different systems, including laptops with integrated fingerprint recognition. One common misconception of such devices is that they store a copy of the fingerprint, raising concerns over civil liberties. However, the software stored is in fact a series of some 30 digits, from which it would be impossible to reconstruct the print and parental consent does not have to be legally sought. AV Antivirus software is used to prevent, detect and remove all sorts of malware. It remains an integral part of any security solution within a school network. Some antivirus software don t consider a proxy may exist e.g. Microsoft Security Essentials, so some users may have difficulty connecting to the Internet when using their personal device at school. Internet proxy Most schools use an Internet proxy to evaluate connection requests to the Internet, according to a set of rules much like a firewall. This works well for managed computers, access for unmanaged devices can be difficult to impose. In a Windows network, NT LAN Manager (NTLM) protocol can be used to authenticate all devices against the proxy server. This greatly reduces the likelihood of unauthorised access and can serve unmanaged devices, which are not joined to the domain. Encouraging use of the school network for Internet access means that traffic is recorded in proxy logs, ensuring a reference is available if needed at a later date. Pin codes can be used with smartphones to avoid having to enter unwieldy usernames and passwords. If you are considering using NTLM authentication on your proxy, be aware of the following lessons from previous such rollouts: Before implementing NTLM, audit the applications being used on your LAN. Some applications simply do not support NTLM authentication, and understanding what applications are being used and testing them in an isolated environment before going live with proxy authentication will greatly reduce the impact of the change and the number of support calls that you receive from your users. This has the added benefit of creating a greater understanding of the type of applications that are running on your network, with some you may previously have been unaware of. As a considerable number of third party apps do not support proxy authentication you will need to decide whether to: o Permit the URLs in question to bypass proxy authentication, by using a whitelist. o Take a stance on third party applications that are permitted for use on the wireless network. You will see far fewer authentication prompts and much greater support for proxy authentication if your Windows PCs and laptops are joined to the domain. For users 15

16 of devices that cannot be joined to the domain, they ll need to familiarise themselves with Windows Credential Manager they ll be using it a lot! Dynamic Host Configuration Protocol DHCP is used as a configuration protocol for hosts on Internet Protocol (IP) addresses. Most schools use DHCP to avoid overheads within the network management team IP addresses are dished out as required, without the need to manually assign each one. Some schools have been known to deliberately max out the number of DHCP leases available, thus preventing access to the network from a potentially illegitimate request. The problem with this solution is that it also blocks out any legitimate requests, forcing the network management team to be directly involved in any such request for access. This kind of negates the whole point of using DHCP in the first place! Media Access Control address A MAC address is a unique identifier assigned to network interfaces. They are often assigned by the manufacturer of the Network Interface Card (NIC), and some schools use a white list to only authorise MAC addresses which are known to them. Like maxing out DHCP settings, this makes a lot more work for the network team, as any legitimate request for access has to come through them. I ve used MAC addresses to restrict access to a network myself before, but it was years ago when I shared a house with other lodgers, and got fed up of their friends maxing out my download limit. I only had to maintain five MAC addresses, which was very simple and straightforward. However, this is not an easily scalable solution; especially if you are trying to facilitate access to user s personal devices. The time and effort needed to maintain such a list would be vast, along with frustrating for users who can t get on to the network without jumping through a number of time-consuming hoops first. Using MAC addresses is also not particularly secure. Although intended to be a permanent and globally unique identification, it is possible to change the MAC address on most modern hardware. Changing one s MAC address to exploit security vulnerabilities is known as MAC Spoofing, with which: Anyone with an receiver (laptop and wireless adapter) and a freeware wireless packet analyzer can obtain the MAC address of any transmitting within range, A user can hide the computer from the network, A user can impersonate an authorised device on the network, A user can use a previously assigned MAC address to avoid hassle when connecting a new machine. Wireless LANs WLANs are heavily used in schools as a way of unharnessing users from their desks. WLANs are also a good way of allowing controlled access to guest users who have laptops and mobile devices. 16

17 The first wireless network was developed by Norman Abramson at the University of Hawaii and was called ALOHAnet. This is nothing to do with security, but it s such an obscure fact that I had to include it! Gone are the days when wireless connections were slow, unreliable and insecure. Remote Authentication Dial In User Service (RADIUS) Servers maintain a consistent connection as users roam from one access point to another. A well-managed WLAN can be a secure way of allowing unmanaged devices to connect to your network, but poorly managed, it can be vulnerable to a huge number of threats; Wireless authentication methods Many schools, especially primaries, use off-the-shelf routers and fail to customise the security settings, meaning their wireless connection and router are both completely unsecured and vulnerable to anyone with an ounce of nous. I ve heard stories of opportunists logging on a school s router by connecting to the unsecured WLAN, Googling the default admin logon credentials, disconnecting it from the Internet, then offering to fix the connection for a set price. It s like malware in the flesh! WEP, whilst better than no security, has been found to have vulnerabilities that could easily be exploited i Security is rigorous, but hardware needs to be comparatively new to use it. Both WPA and WPA2 support EAP authentication methods using RADIUS servers and preshared key (PSK). Change the access key regularly to increase security against previous users, who are no longer authorised. RADIUS acts as a gatekeeper through the use of verifying identities through a username and password that is already pre-determined by the user. A RADIUS server can also be configured to enforce user policies and restrictions as well as recording accounting information such as time connected. When used with IIS, the machine, as well as the user, is authenticated. Some schools are known to have used RADIUS with their wired network. This approach is not recommended, as the infrastructure within the wired network (switches, Windows clients) is not designed to accommodate wireless 802.1x. The end result could become very difficult to manage and maintain. Guest WLANs Hosting your guest WLAN on a separate VLAN to your main network can help to keep such users away from the core resources. Users with no domain authorisation can use resources such as the Internet without posing a threat to your network. Trapeze Having acquired Trapeze Networks in 2010, Juniper now offer SmartPass, which gives network managers dynamic access control over all users and devices on a wireless LAN. It can adjust access privileges as a user's circumstances change, and securely provision hundreds of guest users on demand. One of the most desirable features is individual sets of guest logon credentials that time-out after a set period. 17

18 Unified Threat Management Firewalls and antivirus software, whilst great at doing what they were initially intended for, may struggle to cope with the wide variety of attacks that may occur today. The next generation of network security is Unified Threat Management, or UTM. Identity-based UTM appliances, offered by companies like Cisco and Juniper, offer comprehensive protection against emerging blended threats, which are a combination of worms, trojans, virus, and other kinds of malware. While simple UTMs identify only IP addresses in the network, identity-based UTMs provide discrete identity information of each user in the network along with network log data. They allow creation of identity-based network access policies for individual users, delivering complete visibility and control on the network activities. The identity-based feature of such UTMs runs across the entire feature set, enabling enterprises to identify patterns of behaviour by specific users or groups that can signify misuse, unauthorised intrusions, or malicious attacks from inside or outside the enterprise. The strength of UTM technology is that it is designed to offer comprehensive security while keeping security an easy-to-manage affair. Enterprises get complete network information in hand to take proactive action against network threats in case of inappropriate or suspicious user behaviour in the network. As identity-based UTMs do not depend on IP addresses, they provide comprehensive protection even in dynamic IP environments such as DHCP and Wi- Fi and especially in a scenario where multiple users share the same computer, such as in a school. General usage Whether on managed or unmanaged devices, there are some guidelines which still hold true. Some of the most basic security measures are often forgotten in this world of technological advances, and the increased attack vector makes it even more important that we adhere to certain rules. Digital certification SSL Certificates are electronic documents, which are used by many web services to verify the legitimacy of a request and provide a secure connection. To try and save cost, some schools opt for self-issued certificates, generated from the domain controller, instead of purchasing an SSL Certificate from a trusted Certificate Authority (CA). However, when users first connect to the service from a unmanaged computer, they ll need to download and install the root certificate. Failure to do so will prevent connection to the service. To improve the user experience, and reduce overheads for the network team, SSL Certificates are strongly recommended as they are already trusted by the browser or interface being used. Acceptable Usage Policies AUPs have two main benefits they educate the user so they know what is expected of them in terms of what they are and are not permitted to do, and they are a record of acceptance of those conditions. Many AUPs are sent out once, clicked through and forgotten. To make your AUP more effective, follow the guidelines below. 18

19 Make it clear using normal language. Lots of technical jargon and confusingly long sentences will make the user less likely to understand what is meant. Tailor it to your target audience. Perhaps a separate AUP is required for students and staff? Consequences must be detailed. A user is less likely to make a breach if they know what the subsequent response will be e.g. loss of Internet during breaktimes for a week. Regularly revise and resend the AUP, highlighting any changes since the last one. Keep it short use hyperlinks to a web page for users that want to access more detailed information. Passwords A strong password is a useful weapon against unauthorised access. When Hotmail s security was compromised a few years ago, the most common password was found to be Weaker passwords are easier to remember, but the majority of security solutions today that use passwords have a reset option. Most schools have individual user accounts, each with a unique set of logon credentials. However, group logons are still commonplace for some, especially in primary schools. Individual user accounts mean that any breach of the AUP or security can be traced to that individual user. Group logons cast reasonable doubt over any accusation. Group credentials are often posted all over teachers notice boards, so they don t forget the details, and security is undeniably compromised. Many schools don t insist that users change their passwords regularly, and this too vastly increases the risk that their account could be compromised; the longer a password exists, the more time is available to crack it. Encourage users of unmanaged devices to password protect their device. If they have a Home Edition OS with no security logon, the chances are the wireless settings are configured to connect automatically, so a stolen computer could pose a real security issue. Ensure that any network shares are also password protected. Making areas read only does not stop someone from accessing the information, so it s a simple and effective way of protecting your data. Finally, don t use the same password for all your different accounts, especially those that contain sensitive data. In March of this year, a UK school suffered yet another breach of the Data Protection Act, after a pupil hacked a teacher s website account, and re-used the same password to access other parts of the system. This included the SIMs data for 20,000 individuals, of which 7,600 were pupils. The data was then published online. 19

20 The future of security It s all very well reacting to recent changes, but what s going to happen next? A look ahead will help us prepare for the future of school networking. The Cloud I know, I know here s yet another person talking about the cloud. Everyone knows it s just another name for the Internet! That may be so, but renting networks that are hosted on the cloud, instead of managing a traditional network of locally run servers, is likely to be the reality within the next year or two. Less overheads means cheaper running costs, and in the current climate, this is a solution that will really appeal to a lot of schools. In terms of security, some may be concerned about how much control exists over sensitive data and access to the network. Suppliers will have to provide robust offerings to gain confidence in their solution. The traditional boundaries of a school network will become even more blurred, as everyone moves towards their own personal piece of the cloud. Mobile data storage devices may become a thing of the past as everything becomes accessible online and Internet black spots disappear. Windows 8 Windows 8 Metro UI will have a new type of photo login screen designed for touch. You will be able to record your own unique sequence of touch points and swipes to authenticate, instead of using a password. Its efficient processing and small footprint mean it is as likely to be found on unmanaged devices as managed ones and is an accessible way to join a domain for students as young as 3 years old. You may recall in our last round of Seminars that Matt s future technologies presentation talked about how Microsoft were planning to provide ARM processor support for Windows 8 (ARM being a processor architecture that was historically for low power devices). Well its happened, and in the keynotes seminar on 14 September 2011, the end user experience was done on exactly that an ARM based device. So what? Well it blurs the boundaries between managed, Windows computers and unmanaged Windows phones. The ARM device demoed had a built-in 3G modem. At what point will we cease to recognise the difference between smartphones and slate computers? Malware The future of malware won t be so much about how the software itself will be engineered, as how potential victims will be targeted. Have you ever accepted a friend invite on Facebook or connected to someone on LinkedIn you didn't know? Maybe, you thought this was someone from school you had forgotten about or a former business partner whose name had slipped your mind. "When people make trust decisions with social networks, they don't always understand the ramifications. Today, you are far more knowable by someone who doesn't know you than ever before in the past," says Dr. Hugh Thompson, program chair of RSA Conferences. 20