Security Issues

When a school requests a customised security change this usually falls into one of two categories. These categories are explained in detail below. Where the customised security change could constitute a security risk, the principal of the school will be required to complete a security waiver before the change can be implemented.

Inbound access from the internet to the school

If the school allows access from the internet to a server at the school, the school should keep the operating system on the exposed computer fully patched and up to date to ensure that there is minimal risk of a malicious attack.

To enhance security, inbound connections can be limited to specific hosts on the internet. This will suit some needs (e.g. an accounting company needing access to school financial data) but not others, such as remote access where teachers require access from home to school-based network resources. In this latter case, access from anywhere on the internet will be needed.

Where the school allows username/password access to locally held network resources, it is important to use strong passwords for all accounts that could potentially have access, because people on the internet can use brute-force password cracking to gain access to a school system. All passwords should be regularly changed.

See the website:

http://www.securitystats.com/tools/password.php

This website will be able to tell you if your passwords are suitable for the environment in which you want to use them, and it gives guidelines for generating strong passwords.

Examples:

"pollyanna" is a weak password

"po11y4nn4" is a better password

"po!!y4nna" is a really good password

"p0!!yAnn4" will score top marks.

Inbound access can also mean allowing access to a web server at the school, often called an "Onsite server". Typically such servers do not require password access unless they are also hosting email. Servers like this should also be kept fully patched, but as they do not generally expose confidential school data to the public internet, they are not seen as a security risk requiring a security waiver if they are operating on ports 80 and/or 443. However, should other services be deliberately exposed using these ports (e.g. remote access services), the school will be required to complete a security waiver.

The SchoolZone service does support secured inbound access methods that will not require a security waiver to be completed. Implementing them will still require the approval of the principal or other school senior managers. Full details on secured inbound access can be found on the SchoolZone FAQ website.


Outbound access from the school to the internet

If the school opens outbound access from the school to the internet, it will be exposing members of its internal community to services that are outside the control of the school. There are many instances where this is desirable, e.g. access from the school to a hosted student management system.

Schools should examine these needs carefully to ensure that there are valid benefits from opening access outbound. Again, to further enhance security, this access can be limited so that only specific hosts inside the school network can reach specific hosts on the internet.