Sunday 24 May 2015

"New Skool" Wireless Security

We all know about wireless security. It’s written on stone.

First, you need some form of management software to create a security profile which includes a wireless key or a certificate to identify the user or computer on the network.  If you have a BYOD policy you may well have a second process that enrolls personal devices through an on-boarding mechanism that make use of a second security profile. Lastly the customary guest network is thrown in, possibly using some form of token system to drop guests into a third profile.

There are variations of this with various licence requirements and dependencies on local services such as certificate authorities, radius servers and captive web portals.

There’s no point in questioning this because you need a wireless security layer to safeguard… well what exactly.

In a traditional network you have all sorts of physical resources that you need to protect, the console ports of storage devices, servers and UPS systems.  Ideally administrative and personal data shares should not be visible from the guest network and you may want to protect the servers that host the core applications such as SIS/MIS from student access and the BYOD network.

Traditional installations can't be both secure and simple, so we’re all are stuck with this complexity for a few years yet.  Enjoy the experience.

But what if you don't have any servers, local data or applications, do you need the same level of network security?

Once you are outside the school gates SaaS systems are unprotected by any mechanism that controls access to the network - so why is the requirement imposed when you’re inside the school ?

There are two reasons why you might want some level of access control. The first is to force the user to present a set of credentials so network activity can be linked to a user account and the second is to safeguard the one important resource that SaaS depends on, the bandwidth of the internet connection.

To take the last point first.

Protecting bandwidth only becomes a requirement when you don't have lot of it. In some parts of the world (particularly the Far East) institutions and governments have made investments in fiber infrastructure which means gigabit connections for larger schools is not uncommon. While this is very much the exception and will remain so for a while there is only one trend and that's for higher bandwidth at cheaper rates. There'll come a point when the effort to maintain the barriers to this ubiquitous resource just won't be worth the time or the cost.

After all, do we meter water usage and electricity on a per student basis or recharge visitors to use the rest-room or recharge their mobile phones. A flippant example perhaps but you get the point. In time broadband, will be just like any other unity resources and the layers of protection will be replaced with monitoring and basic management.

In the meantime if we assume that access to the network for the guest/BYOD devices will be through the wireless AP’s a basic safeguarding process could be put in place by using the  ‘bandwidth throttling’ mechanism supported almost all enterprise wireless vendors systems.

The user identification issue has some validity but the protection cannot be placed at the wireless access level because every student has a smart phone with personal data plan. In a SaaS school this will work in exactly the same way as devices provided and managed by the school and since the school has no control of this connection the game is over.

In a SaaS school the security boundary has to move back to surround the SaaS suite itself which includes content filtering. Authentication in the future will use a cloud based user database such as Google or Windows Azure Active Directory (WAAD) rather than in-house servers with an 'easy to use' single sign-on wrapper provided as part of the service. SaaS providers such a Securly and GoGuardian have recognized this and have rushed to fill the gap in the security market with offerings that have proved very attractive for education.

Having said all that it would be really nice if wireless vendors could wake up to the inevitable demise of in-house radius and certificate servers and provide a simple, easy to use service that can utilize a cloud based user directory such as Google.

Ahhhh... network level protection, there you go.   I'm guess I'm "Old Skool" at heart.

Update:  Meraki now offers authentication with Google.

No comments:

Post a Comment