Wi-Fi Access Point Security

Security Access Management

Security has to be applied to every access point in any kind of school, large or small, to make sure that the school only gives access to people who are authorised to access school information. For authentication there are two approaches: user authentication and device authentication.

Device authentication provides a safe environment for school-only devices that should be used in the facility. It gives users less flexibility but establishes a secure network with WPA2 encryption. User authentication, on the other hand, requires unique credentials for every user registered in the database who wants to access the network. This approach is used for an infrastructure where BYOD is implemented, and it needs to be established with EAP or a captive portal.

A pre-shared key (PSK), a single password for accessing the network, is probably the most common authentication method we have encountered; however, it is only suitable for small schools or offices where not many users need access to the network. This method becomes risky as more users join the network, because a pre-shared key that is widely shared quickly gets out of control.
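The reason a shared passphrase stops scaling is visible in how WPA2-Personal uses it: the passphrase and SSID are stretched into one 256-bit pairwise master key (PMK) that every device on that SSID holds, so "rotating the password" means re-provisioning every client at once. The following is an added example, not code from the original page; it reproduces the standard PBKDF2 derivation (the same computation the `wpa_passphrase` utility performs) with Python's `hashlib`, checks the 8 to 63 printable-ASCII passphrase rule, and formats the result as hostapd's `wpa_psk=` line. The SSID `SchoolWiFi` and the device names are constructed; the passphrase `password` with SSID `IEEE` is the published IEEE 802.11 test vector.

```python
import hashlib

# Added example: WPA2-Personal key derivation as defined in IEEE 802.11.
# PSK (used directly as the PMK) = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)

PBKDF2_ITERATIONS = 4096
PMK_LEN = 32


def derive_psk(passphrase, ssid):
    """Return the 256-bit PSK/PMK for a WPA2-Personal network.

    The standard restricts passphrases to 8..63 printable ASCII characters;
    anything else would be silently mangled by some clients, so reject it here.
    """
    if not (8 <= len(passphrase) <= 63):
        raise ValueError("WPA2 passphrase must be 8..63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA2 passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN
    )


def hostapd_psk_line(passphrase, ssid):
    """Format the derived key as hostapd's `wpa_psk=` setting (64 hex chars).

    Storing the derived key instead of `wpa_passphrase=` keeps the human-readable
    passphrase out of the AP config file; the clients still need the passphrase.
    """
    return "wpa_psk=" + derive_psk(passphrase, ssid).hex()


def provisioned_keys(passphrase, ssid, devices):
    """Show the management problem: every enrolled device ends up with the identical PMK.

    Returns {device: pmk_hex}; all values are equal, which is why changing the
    passphrase (or even the SSID) invalidates every device's configuration at once.
    """
    pmk = derive_psk(passphrase, ssid).hex()
    return {device: pmk for device in devices}


if __name__ == "__main__":
    # Constructed small-school setup
    devices = ["office-laptop", "library-tablet", "staff-phone"]
    print(hostapd_psk_line("correct horse battery", "SchoolWiFi"))
    for dev, key in provisioned_keys("correct horse battery", "SchoolWiFi", devices).items():
        print(f"{dev}: {key}")
```

Because the SSID is part of the salt, the same passphrase on two SSIDs yields two different PMKs; renaming an SSID therefore has the same re-provisioning cost as changing the passphrase.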

An alternative for medium to large schools or organizations is WPA2 Enterprise, which uses 802.1X/EAP for user authentication. This adds more security to the environment, as each user has to present their credentials to the authentication server through the AP. EAP methods that support TLS increase the security of the network further, as they use a PKI for the user credentials.

More commonly seen is the captive portal, which might be encountered at airports, hotels, cafes, etc. The connection to the network itself can use either WPA2 or an open SSID. After the device is connected to the network, the user has to authenticate in a web browser before getting internet access. With user authentication, the portal can authorise which information can be accessed by the user.

Which authentication, authorisation and encryption method to choose depends mostly on the situation of the environment. A small school or organization would be better off with WPA2-PSK and a regularly updated password. This takes less time and effort to configure while still providing decent security for the network.

Public areas that need to cover a wide range of users who come and go are best served by a captive portal, with or without WPA2 authentication. This method suits the infrastructure of a guest network in schools or offices, where it still provides internet access but restricts it through the user authorisation made with the authentication server.

For medium to large schools, especially where BYOD rules apply, user authentication is a must. That is why WPA2 Enterprise using 802.1X/EAP would be the best method. It gives internet and information access to authorised users only. This method is suitable for internal access, as all users must be registered with the authentication server beforehand. Thus students and staff can connect to the network with the same method but have different levels of access.

Common Security Issues and Management

There are several issues that a school network has to face, especially a large one, from securing the APs to restricting user behaviour. Several things have to be considered, such as the threat surface, vulnerabilities, risks, costs and much more.

In a large school network, we would assume WPA2 Enterprise with user authentication is in use. Most students will have their own devices connecting to the school network, and this widens the threat surface for the network. Having a VLAN for students is the better option, as it adds security even though it costs more. It keeps student access within their own network with its own authorisation. Another benefit is that the student network can be separated into different categories, as different faculties might have different needs for their tasks.

Making sure that every AP uses WPA2 with user authentication greatly reduces the network's exposure to unauthorised users. Every user has to authenticate with their credentials to the RADIUS server to receive access to the network. For guests, the school can provide a separate network with fewer privileges.

There are physical factors of APs that should be carefully considered in a large school network: some places may be more crowded and need more APs to cover all the clients connecting to the network. This can be handled by limiting the number of clients in the AP configuration or by load balancing across APs so that bandwidth is shared evenly among clients.
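To make the client-limit and load-balancing idea concrete, here is an added example (not code from the original page) that models how a controller would steer a new client between the APs it can hear: APs heard too weakly or already at their station cap are excluded, then the least-loaded AP wins, with signal strength breaking ties. The per-AP cap plays the role of hostapd's real `max_num_sta` option; the AP names, RSSI values and client MACs are constructed, and the steering rule is a deliberately simplified model rather than any vendor's algorithm.

```python
from dataclasses import dataclass, field

# Added example: simplified association steering between crowded APs.


@dataclass
class AccessPoint:
    name: str
    max_num_sta: int                 # hard client cap, as hostapd's max_num_sta
    clients: set = field(default_factory=set)

    def is_full(self):
        return self.max_num_sta <= 0 or len(self.clients) >= self.max_num_sta

    def load(self):
        """Fraction of the cap in use (1.0 for a cap of zero so it is never chosen)."""
        return 1.0 if self.max_num_sta <= 0 else len(self.clients) / self.max_num_sta


def choose_ap(candidates, client_mac, min_rssi=-75):
    """Pick the AP a new client should associate with and record the association.

    candidates: list of (AccessPoint, rssi_dbm) pairs the client can currently hear.
    Rules: ignore APs heard below min_rssi, ignore full APs, then take the least
    loaded AP, preferring the stronger signal on a tie. Returns the AP name, or
    None when no AP can accept the client (the client is refused, not overloaded).
    """
    usable = [(ap, rssi) for ap, rssi in candidates
              if rssi >= min_rssi and not ap.is_full()]
    if not usable:
        return None
    ap, _ = min(usable, key=lambda pair: (pair[0].load(), -pair[1]))
    ap.clients.add(client_mac)
    return ap.name


def occupancy(aps):
    """Report clients per AP so the distribution can be inspected."""
    return {ap.name: len(ap.clients) for ap in aps}


if __name__ == "__main__":
    # Constructed scenario: two APs covering one crowded lecture hall.
    hall_a = AccessPoint("ap-hall-a", max_num_sta=3)
    hall_b = AccessPoint("ap-hall-b", max_num_sta=3)
    heard = [(hall_a, -50), (hall_b, -62)]
    for i in range(7):
        mac = f"02:00:00:00:00:{i:02x}"      # constructed locally administered MACs
        print(mac, "->", choose_ap(heard, mac))
    print(occupancy([hall_a, hall_b]))
```

Refusing the seventh client instead of admitting it over the cap is the point of the cap: a saturated AP degrades every existing client's bandwidth, so the remedy for the refusal is another AP in that area, as the paragraph above suggests.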

Physically, APs should not be easily detectable or reachable, to reduce the risk of somebody tinkering with them. They should also be placed in strategic locations in the building so that all areas of the school are covered with good signal strength. An AP whose coverage extends beyond the school grounds is not much of a problem, as the network should be equipped with enough authentication security.

Bypassing the firewall by connecting a new AP to the network should be prohibited, and this should be communicated to all users and staff. Continuous monitoring of the network should provide enough mitigation to make sure no unwanted additional AP is connected to the school network.
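The continuous monitoring above has two sides, and this added example (not code from the original page) shows both in the form a small script would take. On the wireless side it parses scan output in the shape of `iw dev <if> scan` and compares every BSSID against an inventory of the school's own APs: an unknown BSSID advertising one of the school's SSIDs is the finding to chase first, while an unknown AP on some other SSID is logged for review, since a scan alone cannot tell a neighbour's router from one plugged into the school LAN. On the wired side it applies the usual heuristic on a switch MAC-address table: an access port that suddenly shows several MAC addresses, and is not a known AP uplink, is where an extra AP or hub is likely to be attached. The SSIDs, BSSIDs, port names and table rows are all constructed sample data.

```python
import re
from collections import defaultdict

# Added example: wireless and wired checks for unauthorised APs.

# Constructed inventory: SSID -> set of authorised BSSIDs (lower-case).
AUTHORISED = {
    "School-Staff": {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"},
    "School-Students": {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"},
    "School-Guest": {"00:11:22:aa:bb:03"},
}

# Constructed sample in the shape of `iw dev wlan0 scan` output.
SAMPLE_SCAN = """\
BSS 00:11:22:aa:bb:01(on wlan0)
    freq: 2437
    signal: -48.00 dBm
    SSID: School-Staff
BSS 00:11:22:aa:bb:02(on wlan0)
    freq: 5180
    signal: -61.00 dBm
    SSID: School-Students
BSS de:ad:be:ef:00:01(on wlan0)
    freq: 2412
    signal: -39.00 dBm
    SSID: School-Students
BSS c0:ff:ee:00:00:07(on wlan0)
    freq: 2462
    signal: -70.00 dBm
    SSID: TP-LINK_1234
"""

# Constructed switch MAC-address-table rows: (port, mac).
SAMPLE_MAC_TABLE = [
    ("Gi1/0/1", "00:11:22:aa:bb:01"),   # known AP uplink: many MACs behind it is normal
    ("Gi1/0/1", "f4:5c:89:00:00:10"),
    ("Gi1/0/1", "f4:5c:89:00:00:11"),
    ("Gi1/0/5", "3c:22:fb:00:00:42"),   # ordinary desktop, one MAC
    ("Gi1/0/9", "de:ad:be:ef:00:00"),   # one access port, several MACs: something is bridging
    ("Gi1/0/9", "a4:5e:60:00:00:01"),
    ("Gi1/0/9", "a4:5e:60:00:00:02"),
]
MANAGED_AP_PORTS = {"Gi1/0/1"}

BSS_RE = re.compile(r"^BSS ([0-9a-f:]{17})", re.I)


def parse_scan(text):
    """Turn iw-style scan output into a list of {bssid, ssid, freq, signal} dicts."""
    aps, cur = [], None
    for line in text.splitlines():
        m = BSS_RE.match(line)
        if m:
            cur = {"bssid": m.group(1).lower(), "ssid": None, "freq": None, "signal": None}
            aps.append(cur)
            continue
        if cur is None:
            continue
        s = line.strip()
        if s.startswith("SSID: "):
            cur["ssid"] = s[len("SSID: "):]
        elif s.startswith("freq: "):
            cur["freq"] = int(s[len("freq: "):])
        elif s.startswith("signal: "):
            cur["signal"] = float(s[len("signal: "):].split()[0])
    return aps


def classify(aps, inventory):
    """Return (finding, bssid, ssid) tuples for every AP not in the inventory."""
    findings = []
    for ap in aps:
        if ap["ssid"] in inventory:
            if ap["bssid"] not in inventory[ap["ssid"]]:
                # Unknown hardware advertising a school SSID: highest priority.
                findings.append(("ROGUE_SSID_SPOOF", ap["bssid"], ap["ssid"]))
        else:
            # Not ours and not pretending to be; record for review.
            findings.append(("UNKNOWN_AP", ap["bssid"], ap["ssid"]))
    return findings


def suspicious_ports(mac_table, managed_ap_ports):
    """Access ports carrying more than one MAC that are not known AP uplinks."""
    by_port = defaultdict(set)
    for port, mac in mac_table:
        by_port[port].add(mac.lower())
    return sorted(p for p, macs in by_port.items()
                  if len(macs) > 1 and p not in managed_ap_ports)


if __name__ == "__main__":
    for finding in classify(parse_scan(SAMPLE_SCAN), AUTHORISED):
        print("wireless:", *finding)
    for port in suspicious_ports(SAMPLE_MAC_TABLE, MANAGED_AP_PORTS):
        print("wired: review port", port)
```

Both checks produce candidates rather than verdicts: a flagged port still needs someone to look at what is plugged in, and a flagged BSSID still needs locating, but running them on a schedule turns "continuous monitoring" from a policy statement into something that pages an administrator.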

Student traffic should be monitored to prohibit inappropriate content, as it might be dangerous to the community or even to the network. Blocking or quarantining the user is the immediate action to take, and the source of the problem should then be reviewed.
