
Network Security – Draft


DfES Network Services Project

Network Security

Draft v3.1

Copyright © 2004 The JNT Association


UKERNA manages the networking programme on behalf of the higher and further education and research community in the United Kingdom. JANET, the United Kingdom's education and re- search network, is funded by the Joint Information Systems Committee (JISC).

For further information please contact:

JANET Customer Service
UKERNA
Atlas Centre, Chilton, Didcot, Oxfordshire, OX11 0QS

Tel: 0870 850 2212 / +44 1235 822 212
Fax: 0870 850 2213 / +44 1235 822 397
E-mail: service@janet.ac.uk

Copyright:

This document is copyright The JNT Association trading as UKERNA. Parts of it, as appropriate, may be freely copied and incorporated unaltered into another document unless produced for commercial gain, subject to the source being appropriately acknowledged and the copyright preserved. The reproduction of logos without permission is expressly forbidden. Permission should be sought from JANET Customer Service.

Trademarks:

JANET®, SuperJANET® and UKERNA® are registered trademarks of the Higher Education Funding Councils for England, Scotland and Wales. The JNT Association is the registered user of these trademarks.

Disclaimer:

The information contained herein is believed to be correct at the time of issue, but no liability can be accepted for any inaccuracies.

The reader is reminded that changes may have taken place since issue, particularly in rapidly changing areas such as internet addressing, and consequently URLs and e-mail addresses should be used with caution.

The JNT Association cannot accept any responsibility for any loss or damage resulting from the use of the material contained herein.

Availability:

Further copies of this document may be obtained from JANET Customer Service at the above address.


© The JNT Association 2004

NDD/NSP/RS/NS


Network Security

Contents

1 Purpose 4
1.1 Scope 4
1.2 Target Audience 5
1.3 Strategic Issues 5
1.4 Summary of Responsibilities 5
1.5 National Education Network 7
1.6 Interoperability and Standards 8
2 Management Framework 8
2.1 Policies 8
2.2 Resources 10
2.3 Chain of Responsibility 10
3 Network Design 11
3.1 Partitioning the Network 11
3.2 Firewalls 11
3.3 Measures to Protect Data, Communications and Systems 13
3.4 Mobile and Remote Working 13
3.5 Wireless Networks 14
4 System Protection 14
4.1 Responsibilities 15
4.2 Privileges 15
4.3 Configuration and Maintenance 15
4.4 Access Control 15
5 Content Protection 16
5.1 Virus Scanning 16
5.2 Content Filtering 17
6 User Education 17
6.1 Awareness and Good Practice 18
6.2 Terms and Conditions 18
6.3 Training and Updating 18
6.4 User Support 18
7 Security Incident Response 18
7.1 Reporting Process 19
7.2 External Interference with the School's Network 19
7.3 Abuse by Internal Users 19
7.4 Content and Privacy Incidents 20
7.5 Network Monitoring 20
7.6 Information Dissemination 20
8 References 22
Appendix A: Glossary 24
Appendix B: Internet Services in a School Network 32


1 Purpose

School networks are complex and serve a rapidly developing set of educational requirements, some of which challenge the technology and its security, implemented within limited budgets. Many agencies are involved in providing the end-to-end network service. There are networks on school premises, regional networks, Internet connectivity and the National Interconnect via JANET. The whole forms the National Education Network. At least three layers of educational management are involved: schools, local authorities and national oversight. Suppliers include commercial network suppliers and Internet service providers, Local Authorities (LA), Regional Broadband Consortia (RBC) and national agencies such as UKERNA. These agencies must work together to produce a consistent, functional and secure IP network across the various management domains.

This document sets out a number of policies, activities and controls that are needed to give a reasonable level of technical security to the educational network. It does not consider the detailed location or operation of controls, specific details of policy or technical systems configurations, though these are essential to match the security of the network to its intended use. The document only lightly treats issues of information security or other aspects of content.

A number of other existing documents are referenced. Some of these are examples of policy or technical design; others are papers on how to prepare these. Where possible, examples of best practice in the schools sector have been referenced supplemented by examples from other sources.

1.1 Scope

To be effective, security must be built in at all stages of the procurement, configuration and management of a network. This document therefore contains recommendations that will need to be taken into account at all these stages.

The main beneficiaries of a secure network will be schools and their pupils. The recommendations therefore apply directly to computers and networks within schools. However, security must also be considered in all procurements of products and services related to the network, including software, computers and network connections, whether bought by individual schools or on a regional or national basis. The recommendations are therefore directly relevant to suppliers to schools, including LAs, RBCs and commercial network suppliers and service providers.

Security decisions can have a very wide impact across the Internet. The nature of a school’s network and the services it delivers may affect the behaviour of upstream and other networks and services, and vice versa. Decisions affecting security should therefore involve wide consultation and an informed appreciation of their impact both locally and on a wider scale. If this is not done then it is highly likely that mismatched expectations will result in a network that is both less functional and less secure than it could have been.


1.2 Target Audience

This document should be of interest to four principal audiences:

Staff in schools involved with their school's internal network;

LA or RBC staff designing, building or operating their wide area network; also those coordinating the networking activities of schools;

Suppliers and service providers involved in the provision and management of local or regional schools' networks;

Content providers who are making bodies of media-rich materials available to schools online.

1.3 Strategic Issues

Building and managing a secure network service is a collaborative effort, so anyone with management responsibility for any part of the service should be aware of most of the contents of this document. Schools take ultimate responsibility for the security of their pupils and networks, so will need to take the leading role in ensuring that there is a management framework for security (Section 2), that systems within schools are configured and maintained to protect them against security problems (Section 4), and that all those using and operating the network are aware of and competent to discharge their responsibilities for security (Section 6). Those schools that wish to use remote or mobile access, or wireless networks, will need to be concerned with Sections 3.4 and 3.5 respectively.

In the areas covered by the remaining sections of this document – Network Design (Section 3), Content Protection (Section 5) and Incident Response (Section 7) – schools and Local Authorities will need to work together to determine the most effective way to deliver a secure service that meets the ICT requirements of education. A recurring theme is the need for adequate resourcing of recurrent costs in technical and support staff, in management involvement and in regular updates to software and hardware.

It should be noted that some information will have multiple target audiences (e.g. pupils, parents, technical and management staff) so may need to be presented with different form and content for each group.

1.4 Summary of Responsibilities

This document sets out a number of activities that will be required to ensure an acceptable level of security on the educational network. Some of these are primarily the responsibility of schools, others the responsibility of the managers of regional networks. The most likely division of these responsibilities is summarised here, based on information from a number of regional schools networks. Details of these activities are set out in the following sections.


1.4.1 Schools

School managers will normally be responsible for ensuring that:

Risk assessments are made of their school's use of ICT. (Section 2.1.2)

They have an appropriate security policy to address the identified risks. (2.1.1)

There is a process for regular review and periodic updating of the policy. (2.1.3)

There are sufficient resources and skills to maintain all ICT systems in a secure fashion. (2.2 & 4.1)

Security responsibilities are clearly defined. (2.3)

Appropriate policies exist and are implemented to cover remote and mobile working, where this is enabled. (3.4)

Wireless networks are used in a secure manner. (3.5)

Access to networked computers, and especially privileged access, is controlled. (4.2)

All systems are configured securely before being connected to the school network and that there is a maintenance plan to ensure that security measures are kept up to date. (4.3)

Appropriate records are kept of computer use by individuals. (4.4, 7.3)

All networked systems run anti-virus software with an up-to-date configuration. (5.1)

All users of ICT equipment receive appropriate training and updating in safety, security and good practice in ICT use. (6.1 & 6.3)

All users of ICT equipment agree to be bound by an Acceptable Use Policy. (6.2)

Support is available to all users of networked computers. (6.4)

Users are encouraged to report security problems and there is a process for handling such reports. (7.1.1)

Processes, agreements and systems to handle external attacks on the network are in place. (7.2)

Sufficient records of use are kept to allow internal misuse to be traced to an individual. (7.3)

Appropriate policies are in place to report and deal with inappropriate content or misuse of personal data. (7.4)

Network use is measured and monitored to enable faults and security incidents to be identified and dealt with. (7.5)

1.4.2 Local Authorities/RBCs

Local Authority/RBC managers are normally responsible for ensuring that:

Central facilities are provided to support the core network applications required for education, as defined in the security policy. (Section 2.1 and, for example, Appendix B)

Networks are appropriately partitioned with routers and/or firewalls so that effective controls can be applied. (3.1)

An appropriate policy (usually default-deny) is implemented on those control points to support educational use in accordance with the agreed security policy. (3.2)

Appropriate proxy servers are provided for necessary services that cannot effectively be protected using simple controls. (3.2)

Encrypted protocols are available and enforced for sensitive traffic, in particular remote management of ICT systems. (3.3, 4.3)

Electronic mail messages are checked for viruses on mail servers. (5.1)

Appropriate content filtering systems are implemented to support educational use in accordance with the agreed policy. (5.2)

There is an advertised process for external parties to report security incidents involving the network. (7.1.2)

Sufficient records of use are kept to allow internal misuse to be traced to an individual. (7.3)

Procedures exist to deal with misuse of the network involving inappropriate material or contact with pupils: this may require cooperation with the police and other external agencies. (7.4)

Appropriate advice and assistance and training are available to school managers to help them fulfil their responsibilities. (2.2, 7.6)

1.5 National Education Network

The National Education Network, connecting schools to each other and to the Internet, comprises a number of different management domains, shown in the following diagram. At the ends of the network are the computers and networks on school premises, for which schools themselves are responsible. Connecting schools in a geographic area are systems and networks controlled by a Local Authority (LA) network, which may be combined with, or a client of, a more general-purpose Regional Network. Connecting these regional networks together is the National Interconnect via JANET.

Connection to the Internet should be provided at the LA/RBC or higher level; Internet connections lower down the network are likely to cause serious operational, management and security problems. Internet connection aggregation has clear benefits and it is recommended that this be considered by Local Authorities.


This structure reflects the management domains within the network: identifying who is responsible for systems and networks at each level. It is likely that the physical network will have the same organisation, though the locations of the boundaries may vary between different regions and schools depending, for instance, on networking technology and management arrangements.

1.6 Interoperability and Standards

As described above, the National Education Network consists of a number of different domains, managed by different organisations. For a functional and secure network to be achieved, the policies and technologies used in the different domains must be consistent and interoperate. This will only be achieved by all parties working to agreed standards, either formal international standards or local agreements. In networking, an arbitrary decision in one management domain can affect the operation and security of all others.

Where they exist, international standards are to be preferred as they are better understood and more likely to be supported by easily available products. In these documents, such standards will therefore be highlighted when appropriate. However, it is important to note that many standards, particularly more recent ones, may still provide some flexibility of interpretation. Apparently standards-compliant products may not always work together as well as might be hoped, and prior testing to ensure compatibility is always advisable.

The UK Government’s e-Government Interoperability Framework (e-GIF) makes recommendations with respect to the adoption of appropriate standards:

http://www.govtalk.gov.uk/interoperability/egif.asp. The Government Strategy Framework and guidelines on Security:

There will also be a need for local agreements, within the overall security standards, particularly regarding the management and configuration of the network. For example, if a school does not allocate IP addresses to computers in a way agreed with the authority that runs the regional routers, then the network is unlikely to be able to transfer packets as intended. In the area of security, these local agreements are likely to dominate, covering topics such as the types of traffic allowed on the Internet, how services such as mail and web browsing are provided and how use and misuse of the network are to be accounted for.

2 Management Framework

2.1 Policies

Policy on the purpose of the education network is beyond the scope of this document. However, that policy will determine the services and facilities required and will affect the acceptable use policy for the network, which in turn has an impact on the security policy.

To permit some concrete proposals to be presented, a sample set of network applications and services is set out in Appendix B, together with recommendations as to how they can most easily be provided in a secure fashion. It is believed that these are sufficient to meet most of the needs of school staff and of daytime and other students, mainly while they are on school premises.

2.1.1 Security Policy

A clear overall policy sponsored and endorsed by top-level management must set out the need for security, what it is intended to protect, the methods used and the responsibilities of those involved. This high level policy will be supplemented by many other documents setting out:

security requirements;

responsibilities;

procedures for administration including monitoring;

measures and processes for individual areas of concern such as viruses and content filtering.

References:

http://www.kent.gov.uk/eis/ - follow 'broadband' link to ICT security policy

2.1.2 Risk Assessment and Management

All decisions on security must be based on a consistent risk assessment. Risk assessment highlights those areas where security is most important and where the greatest benefits can be obtained. Without risk assessment it is easy to waste resources on ineffective solutions to minor problems. Risk assessment must be an ongoing process to take account of changes to the network’s requirements and in the surrounding environment. Risk can never be removed, but by taking informed decisions it can be kept at an acceptably low level.

Major classes of threat include but are not limited to:

Interference with the proper running of a school network, either from outside the network through network attacks and worm programs or from inside when software and hardware are introduced by authorised or other users (perhaps on CDs or on portable computers which have been compromised while outside the school);

Abuse by authorised users which results in potential interference with networks elsewhere, such as the sending of inappropriate messages;

Exposure of users to inappropriate content or to Data Protection violations.

2.1.3 Review and Updating

There must be a regular review of all the security policies, measures and processes to ensure that security is continually kept in step with developments in the school's network and with changes in known threats. Without this vigilance security will inevitably deteriorate.


2.1.4 Change Management

There must also be a process whereby changes may be requested to the security policy and detailed implementation to meet changing educational needs. All changes must be assessed before they are implemented to determine whether any increased risk is justified. If approved changes require additional resources then these must be provided. If a request is refused then this must be discussed with the person requesting it, and alternative ways to achieve the same ends considered, so that security is not seen as preventing educational innovation. Security implementation should be discussed at the earliest possible stage of any new development or procurement by authorities or schools.

2.2 Resources

Sufficient resources must be made available on a continuing basis to safely develop, maintain and manage the network and services provided. Schools must ensure that they are able to make informed decisions on the safety and educational issues presented by computers and networks. School managers must therefore ensure they have access to sufficient advice and assistance for all aspects of network operation, security and use. It is likely that in most cases Local Authorities or Regional Broadband Consortia will be the main source of support.

In most school environments the resource most likely to be scarce is staff effort dedicated to the network; it may be possible to delegate or outsource much technical effort to commercial or local government suppliers at reasonable cost, but there is no alternative to informed oversight by local management of safety and educational matters. Planned, regular and ongoing investment in user awareness, system administration and security monitoring reduces both the likelihood that a security incident will occur and the disruptive impact of any such event.

2.3 Chain of Responsibility

Where some or all network services are outsourced, it is essential to establish as part of the agreement how security issues are to be resolved. One fundamental process is to identify and maintain contacts in the parties to the agreement who are to cooperate as necessary. These contacts will need to cooperate on security matters to discuss and agree policies and processes and to disseminate information on new security threats and actions to be taken.

Beyond that it is desirable (but more difficult) to set out specific undertakings; an RBC or Service Provider may expect a school to trace abuse to an individual user and to discipline them appropriately, a school may expect an RBC or Service Provider to block traffic to or from a particular external network, a school approached by the police may expect an RBC or Service Provider to provide certain information on a confidential basis, and so on. Good working relationships, established through frequent and open contact, are the best way to achieve responsible and effective processes.

3 Network Design

The design of the networks concerned must:

support the services and applications that schools need, and

make it possible to implement the above security and use policies.

The following sections cover aspects of network design from a security standpoint. A more detailed discussion of network design is set out in the Network Design document.

3.1 Partitioning the Network

All except the smallest networks will be divided by a combination of network devices (such as routers, switches and firewalls) and administrative procedures into distinct parts. The intention is to separate the network into areas in such a way that systems, users and information within any one area have a similar level of trust and risk.

In many schools, for instance, staff computers will be considered less likely to be the source of abuse than those available to students. Staff computers may therefore have a more open policy on acceptable content and may be allowed access to local services, Web sites or other Internet services not available to students.

If a school network includes Web servers or other systems intended to be reached from the Internet, the risk that they will be interfered with is significant. Part of the benefit to a school of outsourcing the operation of such servers is to transfer risk to the provider concerned. If such systems are implemented at all, they should normally be placed in their own part of the school network and trusted very little by the rest of the network.

For schools connected to the same LA or RBC network, it may be technically possible to configure regional and school network devices so that their networks behave as one. It might seem attractive to allow computers in different schools to exchange or share information just as they can within a school. Unfortunately there are serious risks in weakening the partitioning of the network in this way, and these are very hard to manage and control. Without an effective partition, security problems such as virus infections in one school can very quickly spread to others. Even if there are no technical security problems, private information can also leak very easily across an unpartitioned network. It will almost always be better to arrange cooperation using well-known services and applications such as e-mail and Web pages, probably on secure servers located outside the schools’ LANs, where an application gateway can manage the transfer of information through firewalls.

3.2 Firewalls

All host systems (client or server computers) on the network must be protected against hostile traffic from the Internet and from other parts of the network by at least one firewall or other network control device implementing a default-deny policy (see below). The location of these devices should be chosen to implement the partitioning mentioned above.

In most cases it should not be necessary for a school to partition its network by deploying an internal firewall. It should be possible for the LA or other provider to operate the firewall function separating the school network from the Internet.

All network traffic represents a risk. The services permitted through each firewall and the systems to which traffic is allowed to flow must therefore be agreed using a risk assessment and change management process (see sections 2.1.2 and 2.1.4), with all changes approved and recorded so that they can be reversed if required.

Management of firewalls and similar devices requires high-level skills and should only be undertaken by suitably experienced staff. The implementation by schools of their own firewalls independently of the RBC/LA central firewall service is likely to lead to complications. Therefore, most of the schools that have firewalls will outsource their management to the network suppliers or RBC/LA staff.

All schools considering implementing their own firewalls should first understand the implications for IP videoconferencing and content delivery. In order to enable IP videoconferencing it is recommended that each local authority, rather than each school, deploys either an H.323-aware firewall, or a proxy server alongside an existing firewall. Issues relating to IP videoconferencing and firewalls are discussed in the associated Videoconferencing document.

Firewalls need to be adequately sized for the traffic they handle and also, in the case of firewalls within LA/RBC networks, for the very large number of simultaneous network connections made over the network. Firewall rule-sets will need to be reviewed to ensure consistency and efficiency.

Where firewalls are implemented at school level as well as RBC/LA level, care is required to ensure reasonable agreement on the rule set. LAs should provide guidance to their schools on how to achieve this.

Reference:

3.2.1 Default Deny

Firewalls acting at network level sit between parts of a LA/school's network (they are network devices which may also act as routers or switches) and are configured with sets of rules specifying what network traffic can pass between the parts. “Default-deny” is an approach in which these devices are thought of as broadly keeping the parts of the network separate and will have a rule to this effect, overridden only where specific exceptions are needed. Only traffic that is explicitly permitted by policy will be allowed to pass: all other traffic will be blocked by the default rule.

Servers can also be configured to respond only to certain parts of the network, with a similar effect. Again, default-deny is the aim and servers should be unavailable to parts of the network for which no explicit exception has been made.

A finite number of services or classes of service must be identified which the network is to provide and these services must be explicitly and specifically permitted, with all other services and facilities disabled at firewalls and other control devices, and at servers in the network.


Some applications (such as video) use the network in ways that make the rules in a default-deny firewall impracticable. These may need local servers supporting the applications concerned, acting as proxies or gateways to simplify the demands on firewalls.

The default-deny strategy will inevitably restrict access to new on-line services where these do not use configurations already available. All additional routes into a network reduce security to some degree and this must be balanced with the educational benefits of the new service. Worm attacks that use open ports to scan IP address ranges for vulnerabilities are likely to continue to increase; to reduce exposure to these it may be necessary to open some ports only at the specific times when their services are required and close them afterwards. Flexibility in network use will then depend on the provision of flexible and easily-managed firewalls.

Content and service providers and product vendors must ensure that precise information is available to firewall managers and that the number of additional ports to be opened is kept to a minimum. Schools intending to use new products or services must identify and agree well in advance any changes to their own firewalls and those of the LA/RBC within the relevant security policies and guidance on firewall management (see 3.2).
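The following is an added example, not part of the UKERNA document, showing the default-deny model of section 3.2.1 applied to the partitioned network of section 3.1: a finite, explicitly approved list of permitted services (each tied to a change record, as 3.2 requires), a time-limited opening for a service that is only needed at set times, and a default rule that blocks everything else. The zone addresses, port numbers, change references and the videoconference time window are all constructed for illustration.

```python
"""Default-deny policy evaluator for a partitioned school network (added example)."""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed zones reflecting section 3.1: staff and student LANs carry
# different levels of trust, Internet-reachable servers sit in their own
# segment, and any other address is treated as the Internet.
ZONES = {
    "staff":   ip_network("10.10.0.0/24"),
    "student": ip_network("10.20.0.0/24"),
    "servers": ip_network("10.99.0.0/24"),   # web, mail and proxy servers
}


def zone_of(addr: str) -> str:
    """Map an address to its network partition; unknown addresses are 'internet'."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Permit:
    """One explicit exception to the default-deny rule."""
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    change_ref: str                              # approval record, see section 3.2
    window: Optional[tuple[time, time]] = None   # if set, open only between these times

    def matches(self, src_zone: str, dst_zone: str, proto: str, dport: int, now: time) -> bool:
        if (src_zone, dst_zone, proto, dport) != (self.src_zone, self.dst_zone, self.proto, self.dport):
            return False
        if self.window is None:
            return True
        start, end = self.window
        return start <= now < end


# The finite list of permitted services (constructed).  Traffic that matches
# none of these entries is blocked by the default rule in evaluate().
PERMITS = [
    Permit("internet", "servers", "tcp", 80,   "CR-0001"),   # public web server
    Permit("internet", "servers", "tcp", 443,  "CR-0001"),
    Permit("internet", "servers", "tcp", 25,   "CR-0002"),   # inbound mail to the mail server
    Permit("staff",    "servers", "tcp", 143,  "CR-0003"),   # staff mailbox access
    Permit("staff",    "servers", "tcp", 8080, "CR-0004"),   # web access via the proxy only
    Permit("student",  "servers", "tcp", 8080, "CR-0004"),
    # Videoconference call set-up opened only for the timetabled session
    # (illustrates opening a port only when its service is required).
    Permit("internet", "staff",   "tcp", 1720, "CR-0009", (time(14, 0), time(15, 0))),
]


def evaluate(src: str, dst: str, proto: str, dport: int, now: time = time(9, 0)) -> tuple[str, str]:
    """Return ('permit', change_ref) for an approved exception, else ('deny', 'default')."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    for permit in PERMITS:
        if permit.matches(src_zone, dst_zone, proto, dport, now):
            return ("permit", permit.change_ref)
    return ("deny", "default")


if __name__ == "__main__":
    # Constructed sample flows: one approved service, one worm-style probe
    # from outside, one student-to-staff attempt, one direct web fetch that
    # bypasses the proxy, and the videoconference port inside and outside its window.
    samples = [
        ("203.0.113.5", "10.99.0.10", "tcp", 443, time(9, 0)),
        ("203.0.113.5", "10.20.0.15", "tcp", 445, time(9, 0)),
        ("10.20.0.15",  "10.10.0.3",  "tcp", 445, time(9, 0)),
        ("10.20.0.15",  "198.51.100.7", "tcp", 80, time(9, 0)),
        ("203.0.113.5", "10.10.0.3",  "tcp", 1720, time(14, 30)),
        ("203.0.113.5", "10.10.0.3",  "tcp", 1720, time(16, 0)),
    ]
    for src, dst, proto, dport, now in samples:
        verdict, ref = evaluate(src, dst, proto, dport, now)
        print(f"{src:>14} -> {dst:<14} {proto}/{dport:<5} at {now}: {verdict} ({ref})")
```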

  • 3.2.2 National Interconnect

Although regulated by Acceptable Use and Security policies and subject to the usual statutory obligations, JANET is a very large network with no policing of the nature of the content which it transports. For practical purposes operators and managers of LA and RBC networks should treat the National Interconnect as posing a similar level of threat as is present from the Internet as a whole.

For this reason traffic from the Interconnect Service should be filtered through any firewall that the RBC operates towards the external world.

Reference: National Interconnect Technical Specifications

  • 3.3 Measures to Protect Data, Communications and Systems

Additional technical and policy measures must be used to protect sensitive information, communications and systems. Depending on the type of information this may involve, for example, encryption, virtual private networks or manual processes for transferring data from systems that cannot safely be connected to the network. Web services that require users to enter passwords or other sensitive information must use SSL. If systems are managed or maintained remotely across a shared wide-area network this communication should be regarded as sensitive (see section 4.3).

  • 3.4 Mobile and Remote Working

Providing facilities for access from other networks, for example through remote working options, represents a serious risk, as security will then depend on factors such as home computers and public networks, that are outside the control of the school or its service providers.


  • 3.4.1 Policy

If a school perceives the need for some or all of its users to reach some or all of its network facilities from elsewhere in the Internet (for instance while working from home), it must prepare a policy statement indicating what is required and the responsibilities of the user, the school and the network provider to ensure that security is not put at risk.

  • 3.4.2 Systems

If remote access facilities are to be provided then a risk assessment must be performed and appropriate technical and procedural controls put in place. Typically there will be an enhanced need for users to authenticate themselves, possibly with an additional authentication step and separate cryptographic tokens or certificates. If systems need to be accessed remotely, they should normally be outsourced and located outside the school's local area network.

Reference: NAACE laptops for teachers

  • 3.5 Wireless Networks

Wireless networks offer great flexibility in use, but also many opportunities for misuse. They should not be viewed as a simple extension of a wired network, in either performance or security terms. Wireless access points, if required, must be connected to a dedicated network segment, separated from the rest of the school network and Internet by a firewall configured only to allow essential traffic. Additional authentication measures are required to ensure that only known users and computers can connect to the wireless network, and encryption must be used to protect the authentication process and any other sensitive data that may pass over the network. Current wireless encryption standards have problems – WEP encryption can be relatively easily broken and the WPA/802.11i approach is not yet standardised across different manufacturers – so these should not be relied upon as the only form of protection. Schools that use wireless networks must make their users aware of these additional issues and train them in good practice for using such networks safely. More details of the security issues in installing and using wireless networks can be found in UKERNA’s Factsheet.

References:

  • 4 System Protection

A “system” here means a computer, which may be a server, a desktop system for single or shared use, a portable computer (laptop, tablet, handheld etc) or a network device such as a switch, router or firewall.


  • 4.1 Responsibilities

Every system connected to the network must have a designated owner whom the school holds responsible for its security. The owner must be given appropriate resources, skills, and information to fulfil this responsibility; clearly the level appropriate will depend on the nature of the system and the part of the network to which it is or can be connected.

  • 4.2 Privileges

Users of any system must be separated at least into those who are authorised to maintain the system and those who are not. Technical and procedural measures must be in place to ensure that each group only has those privileges they need.

  • 4.3 Configuration and Maintenance

All systems must be configured securely before they are connected to the school network; this should be explicitly stated in any agreements for supply or for outsourced management and maintenance. Particular care must be taken when updating or reinstalling applications or operating systems, to ensure that earlier security measures are not undone.

All systems must have a maintenance plan to ensure that they are kept appropriately secure. For systems that are exposed to external networks this must involve keeping them up to date with security patches and anti-virus protection; other systems should be updated regularly. Again if maintenance is outsourced, such updating should be made explicit in the agreement with the supplier.

Particular care is needed on remotely located hosting services where privileged traffic (e.g. system maintenance) and unprivileged (service use) pass over the same network, making network-level protection less effective. Where systems are managed remotely across a shared wide-area network, encrypted tunnels or virtual private networks should normally be used to protect sensitive information against deliberate or accidental eavesdropping.

  • 4.4 Access Control

4.4.1 Users

Users should be required to prove their identity before gaining access to computers or networks. Schools should discourage the sharing of personal identities by issuing advice, and possibly by preventing more than one simultaneous instance of use of a single account. Shared accounts may be appropriate in circumstances where use can be monitored and managed in other ways.

Privileged accounts must have at least username-password protection; all use of these accounts must be logged. Schools must be able to account for all use of networked computers, typically by keeping logs of access to all sessions.


4.4.2 Central and local authentication

It is technically feasible for an LA to authorise access to services it operates directly with some authentication scheme, and to make the same scheme available for use in its schools. An individual user might then have the same user name, password or other authentication tokens for all services whether operated by LA or school; they may be able to access many services seamlessly with a single sign-on. Indeed, it is possible to envisage an authentication scheme managed and operated at national level.

Drawbacks to this approach in practice include:

It sets up a single point of failure or compromise;

It introduces a dependence on remote LA facilities even for users who at the time only require services local to their school;

User management becomes more distant from end users in schools;

End users and support staff experience confusion when some but not all services use central authentication.

Although the impact of most of the above problems can be limited with care and vigilance by all concerned, authentication at LA level is not at present appropriate for most services in schools.

4.4.3 Systems

Policies and technical controls must be in place if laptop or similar systems are to be connected to the network when these have also been connected to other networks. Laptops are now one of the most common infection vectors for computer viruses.

5 Content Protection

  • 5.1 Virus Scanning

Security policies at LA/RBC and school level must make clear the requirement for virus scanning.

All end-user systems must run anti-virus software, with definition files regularly updated, automatically if possible. Disabling this protection should be seen as a serious disciplinary matter. External e-mail both entering and leaving the network should be checked by up-to-date anti-virus software, preferably at the mail server. Internal mail should be checked in transit. Mail servers, fileservers and other application servers must be scanned regularly to find infected files or messages that may have arrived by other routes.

School management must recognise that maintaining anti-virus measures requires considerable resource and determination. Frequently ICT support staff are overwhelmed by the magnitude of the task or their efforts are defeated by systems that move around the school and are taken home. Scanning tools that detect vulnerabilities across the network should be used on a regular basis.


References:

  • 5.2 Content Filtering

Security policies at LA/RBC and school level must make clear the requirements for content filtering. Schools will need to distinguish carefully between the educational policy for content filtering, decided by management, and the configuration of software to implement the policy, undertaken by technical staff.

It should be noted that there is a considerable responsibility placed on both management and technical staff in ensuring pupil safety and security. Management of filtering systems takes time and requires appropriate procedures in the security policy to ensure that breaches of policy can be effectively dealt with.

Two major areas in which the content of network traffic presents a specific risk and should normally be filtered are Web browsing and e-mail. It may be practicable locally to identify and suppress some Unsolicited Bulk E-mail (a common source of undesirable content) but much effective suppression is on the basis only of the source of the messages. Commercial products and services are available for filtering e-mail and selectively blocking access to Web locations; these are more appropriate to Local Authorities and service providers and many schools will outsource the activity. Note that if filters are to be effective, other routes of access by users to content must be blocked, for example it must not be possible to view an external web page without passing through the filter.

Where user activity is monitored, care is required to ensure human rights are not breached. One essential action is to ensure all users are aware of any monitoring processes in place (see also section 6.2).

  • 6 User Education

Many users of school networks will be young or will have limited interest in or understanding of networking. The material referred to in the following paragraphs must be designed and presented so that it is likely to convey its message effectively to all users concerned.

In particular, schools may need to remind users of their responsibilities in appropriate network/Internet use at the point of access, rather than assuming that staff or pupils accept a general abstract rule.

6.1 Awareness and Good Practice

All users must be made aware of their responsibilities for security, and must be educated in and encouraged to follow good security practice. The dangers of Internet use have been widely publicised, and awareness of the associated advice on safe Internet use should be encouraged.

References:

6.2 Terms and Conditions

All users must agree to appropriate Terms and Conditions for their use of computers and networks. Where appropriate, informed consent should also be obtained from parents, guardians or carers before children are given access to networks or the Internet in particular. Breach of the Terms and Conditions of use must be regarded as a serious matter, destroying trust in the network and harming its usefulness for everyone.

Terms and Conditions should include:

Purpose and principles of use of ICT;

Types of use explicitly permitted;

Types of use explicitly prohibited;

Responsibilities of schools, staff, pupils and parents;

What monitoring of use is done, and what data retained;

What level of service is provided.

6.3 Training and Updating

All users, teachers and support staff must be trained to use computers and networks safely. The level of training should be appropriate to the user’s level of responsibility for security. Appropriate opportunities to update training (e.g. training courses, conferences, on-line or printed materials) must be provided.

6.4 User Support

Support in the use of computers and networks must be readily available to staff and pupils. This must at least provide assistance in how to use computers and networks safely.

  • 7 Security Incident Response

Classes of security incidents include (among others):

External interference with the proper running of a school network;

Abuse by internal users affecting the school network or other networks;

Exposure of users to inappropriate content or to Data Protection violations.


Incidents may be identified by users within the school, by other Internet users or by network staff (either in the school or in one of its Local Authority or commercial service providers).

Some incidents may involve Law Enforcement agencies, and schools should have a policy for handling interactions with them. In many cases it will be appropriate for the Local Authority to take some part.

  • 7.1 Reporting Process

    • 7.1.1 Internal Users

There should be clear guidelines for all users on how to recognise a security incident and how and where to report it. No blame must attach to making a report, even if it turns out to be incorrect. Many reports include personal data, and a confidential method for reporting may be necessary. The school must decide to what extent it will handle reports locally and under what circumstances the incident will be passed to the Local Authority or other service provider.

  • 7.1.2 External Bodies

The school must decide together with its Local Authority and other service providers the route by which a person outside the school should report abuse or other security events they believe are attributable to the school. There are several mechanisms in common use for deciding where to send such reports, and all parties need to agree who will respond and how those who may receive the reports should forward them to the designated places.

  • 7.2 External Interference with the School’s Network

In reporting an incident to whoever is responsible or will be asked to resolve it, it is important to provide suitable details; typically time and time zone, IP address and the nature and scale of the activity. In some cases a school or its service provider will need to characterise hostile traffic quickly and take steps to mitigate its impact on the network. Each of these requires technical systems to collect and correlate information from multiple sources, as well as effective procedures and working agreements. In some cases it will be necessary for the school, local authority or service provider to disable a computer, service or organisation to contain the impact of the incident; policies, agreements and technical constraints must make this possible.

  • 7.3 Abuse by Internal Users

Given reasonable information (for example time and time zone, IP address and nature of activity) in a report about an incident originating from within the school's network, it must be possible to quickly identify the computer and person responsible for the incident and to prevent any further damage. This requires technical systems to collect and correlate information from multiple sources, as well as effective procedures and working agreements. In some cases it will be necessary to disable a computer, service or organisation to contain the impact of the incident until its source can be removed; policies and agreements must permit this.


  • 7.4 Content and Privacy Incidents

Schools must encourage staff and pupils to report when there has been inappropriate use of the network, for example accessing inappropriate material, or where personal data is being misused, perhaps in e-mail or chat room exchanges. The appropriate response will depend on the nature of each report, but is likely to involve school and local authority working together. Service providers may also be involved to trace the origin of material or communications. In most cases it will be appropriate for the local authority to lead the investigation, with schools dealing with any local effects. Schools must be prepared to cooperate to preserve information from their systems (whether or not it is likely to be used as formal evidence) and must have procedures in place and agreed with their local authority.

  • 7.5 Network Monitoring

Systems and policies must be in place to permit routine monitoring of the quantity and type of traffic on the network. This information may indicate security incidents, which should be handled as described above, as well as other operational issues. The policy must make clear what information is to be gathered, who should have full or limited access to it, how it will be protected against loss or damage and when and how it will be disposed of. Much of the information will be subject to Data Protection and other legislation so users should be made aware that monitoring is occurring.

Monitoring should also include logging of anomalous events such as packets from unexpected sources, failed attempts to authenticate or attempts to view a Web page that is not meant to be accessible. Intrusion detection systems may help to automate some of this monitoring and give early warning of problems, but their output still needs time, skill and judgement to interpret. Legitimate activity and routine events may also be logged. In general, for this information to be of any use some person or process must examine it and make a judgement on its significance. It is possible to some extent to automate the process so that only exceptions and summaries are presented to a person, but these still need to be interpreted by a skilled person. The monitoring activity may be outsourced, if confidentiality issues can be resolved, or the information may merely be accumulated so that it is available if a security event is detected in some other way.

Monitoring is essential to achieve a satisfactory level of security and managers must be prepared to devote sufficient staff and equipment resources to it.

  • 7.6 Information Dissemination

As well as reactive procedures to be followed once an incident has occurred, schools and local authorities need to anticipate new threats and take steps to prevent them causing incidents. Local Authorities and Regional Broadband Consortia must help schools to counter new technical and non-technical threats to their network by announcing threats to responsible contacts within each school, and recommending actions to be taken by school managers and their technicians.

The information disseminated may come from commercial or other professional security services and response teams, from vendors, from Internet bulletins and similar sources, or from local knowledge. Information from some of these sources may need additional interpretation or explanation to make it directly useful to schools.

In some cases it may be appropriate to require schools to acknowledge that they have received and acted upon the information or advice received, to prevent insecure schools posing a threat to their users and the rest of the network.


Virus Scanning

Content Filtering

External Attacks

Internal Attacks

Network Monitoring

General Information

National Interconnect Technical Specifications

Regional Broadband Consortia (RBC)

Network Design. DfES ICT in Schools Network Services Project, UKERNA, March 2004

Videoconferencing. DfES ICT in Schools Network Services Project, UKERNA, March 2004


Appendix A: Glossary

This glossary explains the terms used in this document. An extensive general networking glossary can be found at the JANET National User Group Web site:

Address

In this document refers to an IP address. An IP address is the unique layer identifier for a host on the local IP network.

Authentication

The process or processes which enable one party in an electronic communication (typically a user or a client) to say to another party (a server or provider) who they are in a way satisfactory to that second party. Examples include supplying a user or account name and a password, presenting a smart card and entering a PIN, having a thumbprint recognised, sending a cryptographic certificate which matches one held by the other party or responding to a challenge in the correct way. Note that in some situations it may not be obvious which way round the roles are; when connecting to a 'secure' Web site using SSL it is the Web site that seeks to convince the human user's Web browser of its identity. The purpose of authentication is usually to support authorisation, the granting or denial of access to some resources.

Broadband

A transmission medium capable of supporting a wide range of frequencies. It can carry multiple signals by dividing the total capacity of the medium into multiple, independent bandwidth channels, where each channel operates only on a specific range of frequencies. [Source: RFC1392]

In a networking context the term means ‘at least 2Mbps in both directions’.

The term has been adopted in common usage to refer to connections to the Internet at speeds of 128Kbps or greater. These may be asymmetric.

The OECD definition is an Internet connection at a speed greater than 256Kbps.

The UK Broadband Stakeholder Group definition of broadband is: ‘Always on access, at work, at home or on the move provided by a range of fixed line, wireless and satellite technologies to progressively higher bandwidths capable of supporting genuinely new and innovative interactive content, applications and services, and the delivery of enhanced public services.’

CA


Certificate Authority. (see 'Encryption')


CERT

Computer Emergency Response Team (also known as CSIRT, Computer Security Incident Response Team, or IRT) Coordinates responses to computer security threats and incidents on behalf of some community or network. Where the constituency for a CERT is identified with an Internet domain name such as 'ja.net', the team can usually be reached through a corresponding e-mail address beginning 'abuse@' or 'security@', such as 'abuse@ja.net' or 'security@ja.net'. A CERT will accept reports of suspected security events from its own constituency and will engage with the CERTs of other providers or communities to resolve external threats; it will also deal with relevant complaints about its own customers from outside. It will issue advisory material from time to time. It is essential that the CERT function in an organisation has the support of senior management, as security response is sometimes disruptive to other activities. CERTs cooperate regionally and globally through organisations such as CERT/CC and FIRST in the US:

Certificate

A collection of data which indicates entitlement to some resources. A certificate is typically unintelligible to a human reader and is produced and read using cryptographic software. It may include the identity of the person or object to whom it refers, some details of the resources to be made available (such as a time limit), and some indication of a chain of trust. Certificates are of value to persons or computers controlling resources because those controllers can confirm that they were issued with the authority of a party they have arranged to trust for that purpose (a 'Certificate Authority'). X.509 is the most widely accepted standard for cryptographic certificates.

Data Protection

Legislation and guidance on the use of information about individual people ('personal data'). UK legislation is harmonised with EU Directives; practice in the United States has far less emphasis on the care to be taken with personal data, and the international nature of the Internet makes this a complex issue. The UK lays down Data Protection Principles and requires people and organisations handling personal data to register with the Information Commissioner:

Default-deny

A style of management and configuration for control devices in networks (such as routers, firewalls, proxies and servers) in which no access is permitted by default, and every item of access needed (port, protocol, service, network etc) must be explicitly enabled.


DHCP

Dynamic Host Configuration Protocol. Computers in a TCP/IP network can obtain much of the configuration information they need to connect to that network from a DHCP server if one is provided. In most simple environments this enables client computers to be connected with minimal preparation on the server and none on the client. 'Dynamic' refers in part to the allocation of IP addresses from a pool to clients when they connect; the same client may receive different addresses on separate occasions, and only the DHCP server will have records of the transient allocations. Specified in RFC 2131:

DNS

See Domain Name System.

Domain Name System

The basic name-to-address translation mechanism used in the IP environment. Used to translate between human-friendly names such as www.ja.net and the numeric IP addresses that computers themselves use to communicate. DNS information can also be used to direct the operation of some Internet services, notably electronic mail. UK schools can have domain names ending in 'sch.uk'. DNS is specified in:

Encryption

Changing information into a form where it has particular properties of privacy and integrity; and recovering the original information when appropriate. Typically, encryption software combines the real data with one or more items of artificial information, called keys by analogy with the processes for securing physical objects. The results of encryption look very much like random sequences of letters and other characters; software with access to suitable keys (which may or may not be the same ones as before) can relatively easily recover the original information but it is intended to be impracticable to do so without such keys. It is possible to make some or all network traffic private or secret, and to digitally sign information so that a recipient can confirm its integrity and its origin. The costs of doing so are increased processing by encryption software, reduced efficiency in network traffic, and substantial complications in the management of keys and the associated levels of trust; encryption is the answer to some problems but not to all.

FE

Further Education.


Firewall

Router or access server, designated as a buffer between any connected public networks and a private network. A firewall router uses access lists and other methods to ensure the security of the private network.

Can also refer to software on a portable, desktop or server computer which restricts access from the network to services on the computer itself.

Gateway

1. A computer which exchanges information between two networks in two different forms, rather like an idealised language translator. For instance, an e-mail gateway might accept e-mail in some proprietary form inside a network and change it to Internet e-mail form for transmission elsewhere.

2. A router at the boundary of an organisational network, passing network traffic to and from a service provider and the Internet. Computers in the network need to be configured to send their Internet traffic to such a gateway router.

HE


Higher Education.

Internet

The global public network comprising many interconnected, but independently operated, service provider networks.

Internet Protocol

The communications standard used on the Internet.

IP

See Internet Protocol.

JANET

See Joint Academic Network.

Joint Academic Network

The UK academic and research network, interconnecting higher and further education institutions and providing them with connectivity to the global Internet. JANET also provides the National Schools Interconnect.

Local Authority

A UK regional body which may operate its own local network providing service directly to schools.


LA

See Local Authority.

Local Area Network (LAN)

A network providing service to a small geographical area, such as a single building or a campus. LANs are often provisioned using Ethernet technology.

LAN


See Local Area Network.

NAT

See Network Address Translation.

Network Address Translation (NAT)

A technology for translating IP addresses in the IP packet header. It is often used where the IP addressing in use on a network is not globally unique (for example: private IP addresses). Using NAT these internal addresses can be automatically translated into valid public addresses when communication outside the local network is required.

NTP (Network Time Protocol)

A standard way for computers connected to the Internet to exchange time information and synchronise their clocks. Some NTP servers are directly connected to atomic clocks or similar external references of high accuracy; other Internet users can run NTP servers which compare the time from several of these to set their own clocks and which can in turn support internal clients. Specified in RFC 1305:

Proxy


Intermediary program that acts as both a server and a client for the purpose of making requests on behalf of other clients. Requests are serviced internally or by passing them on, possibly after translation, to other servers. A proxy interprets, and, if necessary, rewrites a request message before forwarding it.

RBC

See Regional Broadband Consortium.

Regional Broadband Consortium

A body providing network services to schools and local authorities within a defined region.

Router

Often used as a generic term for an IP router, however the term may be used to refer to a device that is routing other protocols in addition to IP.


Spam

Unsolicited Bulk E-mail. The term 'spam' is used very loosely. It is usually best to refer to 'UBE' (see below), 'e-mail abuse', 'marketing e-mail' or some other specific term appropriate to the context. A common form of e-mail abuse is the falsification of the origin of messages.

SSL (Secure Socket Layer)

Makes connections between computers with some security features provided by encryption technology. The best-known application is secure HTTP, usually indicated by 'https://...' at the start of a Web address. The Web server supplies a certificate; the browser client has trust information built in so that it recognises the certificate and assures the user that the Web site is the correct one. Browser and server then negotiate for the subsequent traffic between them to be encrypted so that it cannot be intercepted in transit in the Internet.

Switch

Ethernet switch.

Token

A generic term; an encryption token may be a key, a certificate or some other item of data involved in cryptographic activity.

UBE

Unsolicited Bulk E-mail. E-mail is Unsolicited unless the intended recipient has chosen in advance to receive it; it is Bulk if it is sent indiscriminately. European Commission Directive 2002/58/EC:

Virus

A program which changes the way some other program works, and which can spread from computer to computer by e-mail, by exploiting weaknesses in the operating system or application software, or by deceiving a computer user so that they unwittingly take part in the propagation. Popularly refers to any unwanted program; 'worm' is used to mean almost the same thing. As well as propagating, some viruses and worms have damaging side effects such as damage to data, exposure of private data or the establishment of undesirable services on an infected computer.

VPN

Virtual Private Network.

VLE

Virtual Learning Environment. A set of services to support learning, bundled into a single product. As well as presenting source material, VLEs have management elements to cover registration, monitoring of progress and student support. Some products are Web based; others use proprietary protocols and servers.

WEP

Wired Equivalent Privacy, specified in IEEE 802.11b. An encryption protocol used with the 802.11 wireless standards and now regarded as providing only rudimentary security.

Wireless

Wireless networking connects end-user computers (typically laptops, tablets or handhelds) to wired segments of a LAN. Each computer has its own radio, either built in or in a PCMCIA or similar card; further radios in one or more 'access points' are fixed in the room or area where wireless is made available, and they have the usual wired connections to the rest of the network. Current standards in widespread use (all from IEEE) include IEEE 802.11b and the faster IEEE 802.11g.

Worm

See 'virus'.

WPA

Wi-Fi Protected Access. Enhancements to WEP providing satisfactory privacy for wireless LAN use and a user authentication mechanism. An informal standard expected to be superseded by the IEEE 802.11i standard which will be very similar.

Appendix B: Internet Services in a School Network

The following table lists Internet services likely to be required in schools' networks. It is by no means definitive or exhaustive, but the requirements of these applications illustrate the range of technical and management issues in making the network secure.

For most of these services there is a choice between local and outsourced provision. The second column gives the recommended approach for best security in each case. Recognising that there may be local or regional circumstances that make this recommendation inappropriate, the third column suggests possible alternatives; these are, however, likely to be more difficult to manage securely or give a less effective service.

Service | Recommended | Alternative
Mail | Remote Web mail service with virus & UBE scanning | Mail system at school (scanning may be done on central relay)
Filtered web browsing (inc. FTP) | Via remote proxy/filter | Via local proxy/filter
Web serving (public) | Remote Web server | Local provision not recommended. If done, must be on a separate, untrusted, network segment
Web serving (internal) | Remote Web server | Local Web server
Video/Audio receiver | Hierarchical content delivery service | Direct from Internet servers
Video/Audio conferencing | See separate document | -
Remote access to filestore (very hard to do securely, so ensure that the risk is justified) | If needed, use remote outsourced service (may be external to education network) | VPN through central gateway to professionally maintained server on a separate LAN segment
VLE | Remote VLE server (may be external to education network) | Local system
Conferencing, Messaging | Remote server | Local server
Remote system monitoring/management | From designated remote address range through VPN tunnel | -

Infrastructure services (not of interest to ordinary users)

Service | Recommended | Alternative
Default route (gateway) | From remote DHCP | Local; static upstream
DHCP | Remote (single address) | Local server
NAT | None (single computer) | Local translator
DNS resolver | Local resolver | Remote resolver
Connection firewall* | LA/RBC managed | Locally managed
DNS zone serving | Remote server, data may be locally managed | Local server with offsite secondary
Synchronise computer clocks | Local timeserver slaved to remote (NTP) source | Remote (NTP) server for local clients
Web server certificates (to support SSL) | Centrally issued by authority or commercial CA | Self-signed certificate from local server

* The deployment of school firewalls, whilst potentially providing a greater level of security, can lead to complications if managed independently from a local authority/RBC central firewall service. It is therefore recommended that firewalls be deployed and managed either in conjunction with or by local authorities/RBCs (see section 3.2).