How to secure run a school / college network?

[muttleymacclad]

Hi guys,
I'm looking at taking on some extra work in a local secondary school with about 1000 pupils, as an assistant network mgr (or IT dogs body by the looks of the job spec!!).

Can any of you who do this role let me know how the average school network is set up and how its managed? Obviously every school will be slightly different but any general info would be great ta. I'd like to be on the ball if I get asked for an interview.

Thanks in advance
Mml



Sent from my D5503 using Tapatalk

[blacksheep]

Depends on what they want to spend - it's usually software based restricting websites. The companies that target schools are usually a rip off. Have a google around for corporate security software, website restriction etc.

obviously you want each computer locked down so the user can't install/run alternate code, obvious ways round this and plenty smart Alec kids will know how to do this and get the master password - as for master password make it long, at least 12 chars with numbers, symbols letters etc and the one that fucks most up is chars with accents such as é.

Are there different subnets for years or subjects (or both) - storage as well, segregation of student work etc.

tbh they probably won't know what they want so if you go in with a professional sounding plan at the right price you'll be ahead of most of the game.

[consoles]

We use Smoothwall for our proxy/web filtering
Student accounts are locked down using windows policies which are vigorously tested before rolling out, as for a subnet for each year ? not sure why you need that when you can simply map profiles and home drives.
IT technicians job in a school is proper dogs body work tbh

[muttleymacclad]

Thanks guys. I get the impression it's a dogs body work, but will give me a chance for a bit more structure in my life, I'll be able to do my private IT work for a few good regulars and its a 5 minute walk from my house.

Sent from my D5503 using Tapatalk

[muttleymacclad]

So i'm being interviewed next week, haven't had an interview for years! Have to dig my suit out now and get a hair cut.

[cyprus]

Start here:

http://www.rm.com/shops/ranger/Default.aspx

Designed specifically for education, Ranger Software provides everything you need to manage your ICT network and equipment, improve the effectiveness IT in the classroom and protect pupils from the increasing threats of cyber bullying and grooming. With Ranger software you can:

• Simplify network management and administration
• Improve ICT network continuity
• Improve network security and control
• Streamline ICT budget - and allocation-planning
• Simplify and enhance ICT in the classroom
• Improve energy efficiency and sustainability
• Protect students from cyber-bullies, paedophi1es and inappropriate behaviour

With a simplified Ranger-enabled network, staff are freed-up to focus on what they do best - be that teaching, managing or developing the ICT network.

[akimba]

Have a plan for some sort of PC refresh policy maybe like all computers get wiped and reinstalled overnight/on shutdown (seems common practise in schools these days)
Support for tablet devices, Apple seems to be pumping iPads into schools heavily over the past few years bit like Bill did with windows ;-)
Do some research into interactive whiteboards seem all the rage but really just a PC with a Bluetooth pen attached

[consoles]

Ranger networks are ok, but as they are a front end to your AD etc used for too long you forget the simplest things within AD we used it for 3 years and took ages for me to get my head back around AD having used ranger for so long.

[MajorFU]

I'd say use VLAN's and as many as you want. Broadcast domains could be allocated by class / year / dept or a mixture of them all. As most VLAN's will have similar restrictions config templates can be used for minor changes that affect multiple VLANs

You can secure resources quite easily by either restricting certain VLAN's on certain Trunk Links as well as using Firewalls between VLANs that need to communicate

[Over Carl]

Sorry if it's a bit of a hijack but the VLAN per year thing interests me as I am baffled how this would be implemented. From what I remember, schools would typically have IT rooms and computers in places like the library that were either shared between all years or reserved for a certain group. Would this mean the VLAN changes during login or something?

[MajorFU]

VLANS are logical layer 2 separation of networks, eg you can have 3 x 48 port switches in a stack which looks like 1 x 150(ish) port switch but you can have say 5 vlans with 30 ports in each vlan and you can either filter and route between vlans in this switch if it has layer 3 funtionality or you can run a layered collapsed core design with the virtual default gateways (SVI's) configured on a router or layer 3 switch in a "router on a stick" type design. from there you can apply access lists or even route to a firewall.

The thing is nobody in 1 vlan can get to any other of the vlans unless you have allowed it with either a static route or access list/firewall

Most switches will also support the use of 1 x data vlan and 1 x voice vlan per access port and even if all ports have the same voice vlan they can all be in different data vlans

hope this clarifies

[Over Carl]

I've setup and configured VLAN's before, but those tended to be more static, say maybe servers on one VLAN, desktops one 1st floor on another, desktops on 2nd floor on another, phones on their own VLAN, etc.

The thing that baffles me is how the computers would change VLAN when a student from a different year logs in.

[MajorFU]

They don't mate, you just either connect the computer to the new port in the new VLAN and its gets a new IP in that VLAN or if there is no physical move then you just change the data VLAN on their port to the new one and then there will get new IP details

That's the benefit of VLANs, its a logical separation rather than physical

[muttleymacclad]

Well I had the interview this morning and did ok in I think but struggled a bit with the networking practical assesment.

MAjorFU was pretty much correct, It was all run on server virtualizations, which i told them i was new to. Broadcast Domains were allocated by dep't etc.

Will hopefully find out in the next 24 hours.

Thanks for everyone's help.

mml

[MajorFU]

Good luck mate, network engineering rocks. I rarely speak to idiot users, mostly other network guys or server guys.

[consoles]

we have various vlans, but the main ones are Curriculum "all pupils/staff" Admin for our connection into LCC payroll etc WLAN with 3 levels of access filtering cisco phones internal cctv
each year group is in its own security group which dictates what resources that year group can access which also applys to our smoothwall depending who logs on as to what filtering is applied for net access.

[muttleymacclad]

So no decision has been made yet. Although i call BS.
I reckon they've offered it to someone before the weekend and the person they've offered to is stalling. Apparently i will know one way or another tomorrow.

[blacksheep]

You only had the one interview mate? Almost everywhere I know will be looking at 2-3, some of those might be phone ones.

[muttleymacclad]

It was a low paid school job, they still haven't appointed yet, keep emailing me saying 'tomorrow'.

Sent from my D5503 using Tapatalk