Last week, we discussed security risks arising from the trend toward “one-to-one” computing initiatives in K-12 schools. This week, we home in on actions IT can take to secure their schools' multi-vendor cloud environment.
Running a modern high-speed data network requires the following fundamentals for data security:
Modern Network Segmentation and Access Control
Legacy network design techniques in education often used segmentation of networks at the core switch or even a router to control access between networks of differing security levels. Managing these access lists was time consuming and relatively primitive. One could only enforce the most rudimentary (at best L4 – address and port) traffic rules. This often resulted in allowing access to resources that user groups should not have – especially in shared computer environments.
The early firewalls capable of application awareness (L7) were not fast enough to sit between segments of a LAN – in spite of their capabilities to identify traffic in advanced ways such as by user or by time of day in addition to the application used.
Today we have the capability to easily segment traffic between networks using a high-speed and inexpensive firewall capable of controlling traffic based on any number of criteria including user, application, time of day and source device type. We can also scan this traffic for malware, apply intrusion detection and throttle or guarantee bandwidth. With a cluster of firewall appliances, we can provide very high reliability. It is common practice in education to route traffic between networks of differing security levels through a modern firewall, leaving the switching infrastructure to do what it was designed for – forwarding packets to their destination at "line speed." Some of these devices can even sit in a switch chassis – reducing the space needed and power requirements in the data center.
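To make the difference concrete, here is an added example (not code from the original article) that runs the same flows through a legacy L4 access list and through a context-aware policy of the kind described above. The address plan, roles, application names, device types and rules are constructed for illustration; the point it shows is that an address-and-port ACL on a shared lab PC cannot tell a teacher's session from a student's, whereas a policy keyed on user role, identified application, device type and time of day can.

```python
"""Legacy L4 ACL versus context-aware inter-segment policy.

Added example illustrating the segmentation discussion; it is not code from
the original article. Address plan, roles, applications and rules are
constructed for illustration."""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    role: str      # user role learned from the NAC/AAA session ("student", "staff")
    app: str       # application identified by L7 inspection ("sis-web", "library-web")
    device: str    # device type from profiling ("lab-desktop", "managed-chromebook")
    at: time       # time of day the flow was observed

# Constructed address plan (hypothetical).
SEGMENTS = {
    "student-lab": ip_network("10.10.0.0/16"),
    "staff": ip_network("10.20.0.0/16"),
    "servers": ip_network("10.30.0.0/16"),
}

def segment_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"

# Legacy L4 ACL: (src segment, dst segment, dst port or None for any) -> action.
# The student information system (SIS) and the library catalogue both sit behind
# TCP/443 on the server segment, and lab PCs are shared by staff and students, so
# the ACL has no choice but to permit the whole lab range to that port.
L4_ACL = [
    ("student-lab", "servers", 443, "permit"),
    ("staff", "servers", 443, "permit"),
    ("student-lab", "staff", None, "deny"),
]

def l4_decide(flow: Flow) -> str:
    src, dst = segment_of(flow.src_ip), segment_of(flow.dst_ip)
    for s, d, port, action in L4_ACL:
        if s == src and d == dst and (port is None or port == flow.dst_port):
            return action
    return "deny"  # implicit deny at the end of the list

@dataclass(frozen=True)
class Rule:
    roles: frozenset
    apps: frozenset
    dst_segment: str
    devices: Optional[frozenset] = None   # None = any device type
    start: time = time(0, 0)              # allowed time-of-day window
    end: time = time(23, 59, 59)
    action: str = "permit"

# Context-aware policy: first match wins, default deny.
L7_POLICY = [
    Rule(frozenset({"staff"}), frozenset({"sis-web", "library-web"}), "servers"),
    Rule(frozenset({"student"}), frozenset({"library-web"}), "servers",
         start=time(7, 0), end=time(17, 0)),
    Rule(frozenset({"student"}), frozenset({"sis-web"}), "servers",
         devices=frozenset({"managed-chromebook"}), start=time(7, 0), end=time(17, 0)),
]

def l7_decide(flow: Flow) -> str:
    dst = segment_of(flow.dst_ip)
    for r in L7_POLICY:
        if (flow.role in r.roles and flow.app in r.apps and r.dst_segment == dst
                and (r.devices is None or flow.device in r.devices)
                and r.start <= flow.at <= r.end):
            return r.action
    return "deny"

# Constructed sample flows; the first four come from the same shared lab PC.
SAMPLE_FLOWS = {
    "student_to_sis": Flow("10.10.4.21", "10.30.0.10", 443, "student", "sis-web", "lab-desktop", time(10, 15)),
    "teacher_to_sis": Flow("10.10.4.21", "10.30.0.10", 443, "staff", "sis-web", "lab-desktop", time(10, 20)),
    "student_library_in_hours": Flow("10.10.4.21", "10.30.0.10", 443, "student", "library-web", "lab-desktop", time(13, 0)),
    "student_library_after_hours": Flow("10.10.4.21", "10.30.0.10", 443, "student", "library-web", "lab-desktop", time(23, 5)),
    "student_ssh_to_staff_segment": Flow("10.10.1.1", "10.20.1.1", 22, "student", "ssh", "lab-desktop", time(9, 0)),
}

def compare_all() -> Dict[str, Tuple[str, str]]:
    """Return {name: (L4 decision, context-aware decision)} for the sample flows."""
    return {name: (l4_decide(f), l7_decide(f)) for name, f in SAMPLE_FLOWS.items()}

if __name__ == "__main__":
    for name, (l4, l7) in compare_all().items():
        print(f"{name:30} L4 ACL: {l4:7} context-aware policy: {l7}")
```

Run it and the first two rows show the problem the section describes: the L4 ACL permits both the student and the teacher on the same lab PC to reach the SIS, while the context-aware policy permits only the teacher. The after-hours library row shows the time-of-day criterion, and the last row shows that both approaches still deny cross-segment traffic the address plan never allowed.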
Network Access Control in a K-12 Environment
With the advent of 1:1 teaching and digital curriculum, the K-12 school has extended the learning environment from the physical campus to anywhere in the world. This presents unique security challenges to any K-12 security administrator. A campus or district Network Access Control system can play a major role in protecting the IT environment. A NAC system, as it is commonly called, serves four primary functions:
- Identification and profiling of the devices that are connected, including device type and operating system.
- Enforcement of IT policies that define what a user can access, with what device type, and when; this makes for a consistent user experience.
- Protection of IT resources via dynamic policy controls that integrate with third-party security products.
- Performance of advanced and automated endpoint security checks on devices attempting to connect via wired, wireless, and VPN connections.
The boundaries of IT's domain now extend beyond the four walls of an organization, and the goal for many organizations is to provide anytime, anywhere connectivity without sacrificing security. Network Access Control systems can be very valuable in a K-12 environment. These systems authenticate users and apply specific policies to their network access. For example, a NAC system authenticates the user and then applies policies at the point of network access that control which parts of the network the user can reach, the speed at which the user connects, and the times and devices available to the user. Network Access Control systems also automate machine scans of outside computers that access the network, and if a device violates a known policy it can be disconnected or quarantined while in session.
Solution Overview of Aruba Networks ClearPass
One NAC product we recommend to our K-12 clients is ClearPass, from Aruba Networks (an HPE company). The ClearPass system allows you to do the following:
1. Identify what devices are being used, how many, where they’re connecting from, and which operating systems are supported – this provides the foundation of visibility. The result is continuous insight into the enterprise-wide device landscape and potential device security corruption, as well as which elements come and go, giving you the visibility required over time.
2. Enforce accurate policies that provide proper user and device access, regardless of user, device type or location; this provides an expected user experience. Organizations must adapt to today’s evolving devices and their use – whether the device is a smartphone or surveillance camera.
3. Protect resources via dynamic policy controls and real-time threat remediation that extends to third-party systems. This is the last piece of the puzzle. Being prepared for unusual network behavior at 3 AM requires a unified approach that can block traffic and change the status of a device’s connection.
Organizations must plan for existing and unforeseen challenges. With their existing operational burden, it’s not realistic to rely on IT and help desk staff to manually intervene whenever a user decides to work remotely or buy a new smartphone. Network access control is no longer just for performing assessments on known devices before access.
Security starts with visibility of all devices – you can’t secure what you can’t see. The ClearPass Policy Manager and AAA replacement solution provides built-in device profiling, a web-based administrative interface and comprehensive reporting with real-time alerts.
All contextual data collected is leveraged to ensure that users and devices are granted appropriate access privileges – regardless of access method or device ownership. The built-in profiling engine collects real-time data that includes device categories, vendors, OS versions, and more.
There’s no longer a reason to guess how many devices are connected on wired and wireless networks. Granular visibility provides the data required to pass audits and determine where performance and security risks could come from.
True security only occurs when there is overarching visibility and control – ensuring that only authenticated or authorized devices connect to the network. This stems from a multivendor, wired and wireless, per-device policy. Template-based policy enforcement lets IT build wired and wireless policies that leverage intelligent context elements: user roles, device types, MDM/EMM data, certificate status, location, day of week, and more. Policies can easily enforce rules for employees, students, doctors, guests, executives and each of the device types they try to connect with.
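The NAC functions described in the Network Access Control section (authenticate the user, profile the device, control access and speed by role, time and device, scan the endpoint, and quarantine a violating device mid-session) and the template-based policy elements listed just above (user role, device type, certificate status, day of week) can be shown in one small policy engine. The following is an added example, not ClearPass code and not its API; the OUI table, DHCP fingerprints, user directory, network roles and templates are all constructed for illustration.

```python
"""NAC admission control and in-session quarantine.

Added example for the NAC description and the template-based policy section;
it is not ClearPass code and uses no ClearPass API. The OUI table, DHCP
fingerprints, directory and policy templates are constructed."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Optional

# Constructed profiling data. A real profiler uses a full OUI database plus
# DHCP, HTTP user-agent and other fingerprints.
OUI_VENDOR = {"00:1a:11": "Google", "3c:07:54": "Apple", "b8:27:eb": "Raspberry Pi"}
DHCP_CLASS_TYPE = {"dhcpcd-chromeos": "chromebook", "MSFT 5.0": "windows-pc"}
DIRECTORY = {"t.smith": "staff", "s.jones": "student"}   # constructed user -> role

@dataclass(frozen=True)
class Endpoint:
    mac: str
    dhcp_vendor_class: str
    username: Optional[str]   # None when 802.1X authentication did not complete
    has_valid_cert: bool      # device certificate (EAP-TLS) status
    health_ok: bool           # result of the automated endpoint check
    access: str               # "wired", "wireless" or "vpn"

@dataclass(frozen=True)
class Session:
    mac: str
    role: str                        # network role / VLAN the device is placed in
    rate_limit_mbps: Optional[int]   # None = no limit
    reason: str
    quarantined: bool = False

def profile(ep: Endpoint) -> str:
    """Device type from the DHCP vendor class, falling back to the MAC OUI."""
    if ep.dhcp_vendor_class in DHCP_CLASS_TYPE:
        return DHCP_CLASS_TYPE[ep.dhcp_vendor_class]
    vendor = OUI_VENDOR.get(ep.mac[:8].lower(), "unknown")
    return {"Apple": "apple-device", "Raspberry Pi": "sbc"}.get(vendor, "unknown")

def evaluate(ep: Endpoint, when: datetime) -> Session:
    """Template-based policy: the first matching template wins, so order matters."""
    dtype = profile(ep)
    role = DIRECTORY.get(ep.username, "guest") if ep.username else "guest"
    school_day = when.weekday() < 5
    # A failed endpoint check lands in the remediation VLAN, whoever the user is.
    if ep.username and not ep.health_ok:
        return Session(ep.mac, "remediation", 1, "endpoint check failed")
    # Staff: valid device certificate on a managed device type, any day, no rate limit.
    if role == "staff" and ep.has_valid_cert and dtype in {"windows-pc", "chromebook"}:
        return Session(ep.mac, "staff", None, "staff template")
    # Students: managed Chromebooks only, school days only, rate limited.
    if role == "student" and dtype == "chromebook" and school_day:
        return Session(ep.mac, "student", 20, "student template")
    # VPN never falls through to guest access.
    if ep.access == "vpn":
        return Session(ep.mac, "denied", 0, "vpn requires authentication and posture")
    return Session(ep.mac, "guest", 5, "default guest template")

def reevaluate(current: Session, ep: Endpoint, when: datetime) -> Session:
    """In-session check: if the device no longer matches the template that admitted
    it (here its profile changed, which can indicate MAC spoofing), quarantine it
    rather than leaving the session in place."""
    fresh = evaluate(ep, when)
    if fresh.role != current.role:
        return Session(ep.mac, "quarantine", 0,
                       f"role changed from {current.role} to {fresh.role}", quarantined=True)
    return current

# Constructed samples and timestamps (2024-03-04 is a Monday, 2024-03-09 a Saturday).
SCHOOL_DAY = datetime(2024, 3, 4, 9, 0)
WEEKEND = datetime(2024, 3, 9, 9, 0)
SAMPLES = {
    "staff_laptop": Endpoint("00:50:56:00:00:01", "MSFT 5.0", "t.smith", True, True, "wired"),
    "staff_stale_health": Endpoint("00:50:56:00:00:01", "MSFT 5.0", "t.smith", True, False, "wired"),
    "student_chromebook": Endpoint("00:1a:11:00:00:02", "dhcpcd-chromeos", "s.jones", True, True, "wireless"),
    "unknown_vpn": Endpoint("b8:27:eb:00:00:03", "", None, False, False, "vpn"),
}

def demo() -> Dict[str, str]:
    """Return the network role each sample lands in, plus an in-session result."""
    out = {name: evaluate(ep, SCHOOL_DAY).role for name, ep in SAMPLES.items()}
    out["student_chromebook_weekend"] = evaluate(SAMPLES["student_chromebook"], WEEKEND).role
    # The student's MAC is later fingerprinted as a Windows PC during the session.
    admitted = evaluate(SAMPLES["student_chromebook"], SCHOOL_DAY)
    spoofed = Endpoint("00:1a:11:00:00:02", "MSFT 5.0", "s.jones", True, True, "wireless")
    out["student_chromebook_midsession"] = reevaluate(admitted, spoofed, SCHOOL_DAY).role
    return out

if __name__ == "__main__":
    for name, role in demo().items():
        print(f"{name:32} -> {role}")
```

The ordering of the templates is the part worth studying: the endpoint-health template sits first so that a staff member with an out-of-date endpoint goes to remediation rather than to the staff VLAN, and the VPN template sits before the guest fallback so that an unauthenticated VPN connection is denied rather than given guest access. The `reevaluate` call is the in-session quarantine the section describes: the same username on the same MAC is re-profiled as a different device type, its template no longer matches, and the session is moved to quarantine instead of being left in place.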
Wired Is Now the New Threat
ClearPass OnConnect is a built-in feature that enables organizations to lock down those thousands of wired ports using non-AAA enforcement. No device configuration is needed and one command line entry in the switch is all it takes. Standard AAA/802.1X methods are also supported for wired and wireless. This allows for consistent policy enforcement and an end-to-end approach that siloed AAA, NAC, and policy solutions can’t deliver.