FIREWALL SECURITY CASE STUDY: CHELTENHAM LADIES' COLLEGE - PROTECTING BOTH STUDENTS AND NETWORK WHEN INTRODUCING INTERNET ACCESS

Friday 25 June 1999

Cheltenham Ladies' College is one of the country's leading girls' boarding schools with a worldwide reputation for academic excellence. Founded in 1853, it flourished under the principle that the education of girls is as important as that of boys. Today the college has over 830 pupils aged from 11-18 and is one of the most famous boarding schools in the world.

The use of information technology (IT) by pupils has been a high priority in recent years and is integrated into college subjects throughout the curriculum. Given the educational opportunities offered by the Internet and the college's commitment to IT, it was inevitable that the college would want to give students web access to help with a variety of educational tasks.

The Internet undoubtedly offers many advantages for schools - something which is confirmed by educational initiatives on the 'net designed to help students learn such as the UK's National Grid for Learning and K12Net from the US. However, there are generally considered to be four main potential problems associated with the educational use of the Internet and any school has to face these issues before allowing pupils access. The potential problems are:

- Time-wasting. Rather than researching work-related information, children may waste time 'surfing' the World-Wide Web and connecting to on-line sites concerned with sport, pop music and so on.
- Exposure to unsuitable material. The Web contains large numbers of sites featuring pornographic, violent, subversive and otherwise undesirable material.
- Contact with paedophiles. Through Internet chat sites, pupils may come into contact and be influenced by paedophiles or others who could do them harm, a risk highlighted by recent cases in the USA.
- Hacking. Hackers may be able to use their own computers to break into a school’s computer systems and obtain confidential information. Hacking programmes are freely available from hacking bulletin boards and schools can be a popular target.

All these aspects were considered carefully by the college when they decided in mid-1997 that they wanted to provide Internet access. The effect on the school's computer network as a whole was also given serious thought.

Robert Homan, a geography and economic history graduate, who teaches at the college, was given the responsibility of handling the introduction of the Internet. "Certain issues were uppermost in our minds," he said. "One was how we would protect the students from unsuitable material. We are in loco parentis and we have to make absolutely sure that they don't view sites which we would consider undesirable and potentially harmful to them, while at the same time allowing them the access they need. Another important issue was how we would protect the network as a whole from hackers."

The network at the college consists of some 250 PCs running Windows 95, supported by 10 Windows NT servers on a 10/100 Mbit network. The network is connected to the Internet via the university network SuperJanet. The college's boarding houses are linked to the school network through a remote access server.

The college's approach to security was twofold. Firstly it was decided to install a firewall, the mainstay of any form of network security. Secondly, a security policy was formulated with a clear message about what was and was not allowed and this was communicated to all those using the network, including admin staff, teaching staff and pupils. Parents were also made aware of the security policy and actively involved with it.

The firewall

Robert Homan was chosen by the school to handle the introduction of the Internet because of his long term enthusiasm for and interest in computers, dating back to the days when he dabbled with BBC micros. He had, however, no professional qualifications in computing, so the choice of firewall was affected by that. "It had to be technically straightforward," he commented, "easy to install and easy to use. We wanted something that was going to be very, very secure but which also wasn't going to require a huge amount of expertise. The other key factor," he said, "was that it should have an effective Web-blocker, a means of protecting pupils from offensive material or people who might want to do them harm."

Cost-wise, the important thing was that the college should pay a one-off cost and not pay per user (as is the case with some firewalls) because the potential number of users was very high with over 800 girls at the school.

The firewall chosen was the WatchGuard SchoolMate, manufactured by US company WatchGuard Technologies and available in the UK through Surrey-based specialist Wick Hill. WatchGuard is one of a new breed of firewalls called network security appliances, which are a combination of hardware and software. Older generation firewalls are generally software only, often requiring skilled installation services.

The WatchGuard SchoolMate Firebox chosen by the school provides exceptional security as it is completely separate from the school's network. The firewall software is located on the Firebox (the hardware element of 'WatchGuard'), and this sits between the network and the outside world, forming a physical barrier. As there are no log-on facilities on the firewall, it is exceptionally difficult for hackers to get past it and access the network. This arrangement provides a much higher degree of security than a traditional software-only firewall, which resides on an organisation's network, making it easier for hackers to gain access.

"Several things attracted us to WatchGuard," remarked Homan. "It was designed specifically for schools, so addressed the issues that concerned us. It was already being successfully used in the school environment in the US. It was also plug and play, looked straightforward to implement and had a good Web-blocker."

Homan found it useful to go along to one of Wick Hill's free demonstration days and once the decision was taken to choose the WatchGuard SchoolMate, he returned to Wick Hill for a training day. "When I actually implemented the firewall with the manual stage by stage, I found it relatively uncomplicated," he said. "You just really need the confidence to have a go and not be afraid of it." He added: "For an IT person, it would have been a piece of cake and for me it was distinctly manageable. Ease of installation and ease of use are really major benefits. With something more complex, you’d be more likely to make mistakes, when configuring it up for example."

Homan also feels he has the backing of Wick Hill's experience should he need it. "Our relationship has been a good one," he commented, "and we have benefited a lot from their technical support and expertise."

Besides the standard WatchGuard software, Homan chose a number of additional options. One was historical reporting, which provides reports on all sites accessed, and details how long they were accessed, who accessed them, etc. This helps to deter anyone from trying to use banned sites, as the reports will show exactly what they have done. Other useful reports include the 'Suspicious Activity' report which warns of any attempted security breaches, and exception reports which list denied connection requests, reboots, scan attempts and other activity logged by the firewall.

Homan also chose the Web-blocker option which allows certain categories of web site to be blocked. Examples of the type of sites blocked are satanic/cult - e.g. any material advocating devil worship; violence/profanity e.g. material containing frequent use of words commonly accepted as profane or obscene; and drug culture e.g. material advocating the illegal use of drugs for entertainment. Other types of sites which can be blocked include pornography, sexual acts, illegal gambling, militant or extremist sites, sites advocating intolerance, and sites showing full nudity.

A major requirement with Web-blockers is that they are kept up-to-date, as new sites are constantly being added to the Web, creating new dangers. As a WatchGuard user, the college benefits from MicroSystem Software's Cyber Patrol database, which monitors new sites coming onto the Internet and adds undesirable ones to the blocked categories.

"We cannot stress how important the Web-blocker is," said Homan. "In the boarding school environment we have a very heavy responsibility to protect the girls from the damaging material that is undoubtedly on the Internet and the blocker does that effectively."

The security policy

A firewall in itself is not enough when it comes to security, and a proper security policy and other measures are necessary. The college has a very comprehensive policy which is communicated to and understood by administrators, teaching staff, pupils and parents alike. All these groups are informed of the type of sites that are banned and that a record is kept of who accesses what.

As an additional safeguard, parents are asked to sign a form on their child’s e-mail and Internet use, before any child can take advantage of the computer facilities. The form confirms that both parent and child have read the college’s conditions of use and accept them. Conditions of use include the acknowledgement that pupils must not try to access banned sites, that no networked computing equipment can be used for playing computer games, that e-mail and Internet facilities will only be used by pupils for purposes connected with their studies and for domestic communications with friends and family, and that nothing created or transmitted will infringe copyright or be of a defamatory nature.
Network security

As far as protecting the network itself from external dangers is concerned, Homan has made security as tight as possible. "We used the WatchGuard philosophy of automatically blocking all services from passing through the firewall unless they have been specifically authorised. We have a lot of confidence in this philosophy and it makes us feel that the network is as safe as it possibly could be."

He also restricts quite tightly the type of files which can be downloaded onto the network, the size of e-mails which can come into the network and the number of recipients who can receive e-mail - which reduces the network load and the possibility of junk e-mails often known as spamming.

Additionally, individuals are restricted in terms of network use according to need. Most normal users for example can’t get at the PC floppy disc drive. All network users have a log-on name and password. They are advised how to select a password which will be hard to crack and required to change their password frequently and not reveal it to anyone else. Parents must also acknowledge that the security password given to their child is for her use only.

Staff and pupils are made aware that they must not use software from outside and an additional overall security feature for the whole network is the use of a virus checker which is kept up-to-date against the latest virus threats.

Guided surfing

Now that Internet facilities have been made safely available to pupils, how are they used to assist with various subjects? Robert Homan is a strong advocate of 'guided surfing.' This means that pupils are directed by teachers to the sites or areas of sites which might help them, rather than being given free rein to roam the Web searching for what they need.

He points out that all sites aren’t designed for educational use and that there is such a vast amount of information on the Internet it can be very time consuming looking for what you want. For some subjects, he feels, it might actually be quicker to go and look up facts and figures in the school library and he encourages the girls to think logically about the best place to do their research.

Where the Web is used, staff will frequently produce worksheets and questions for use with particular sites. "We have found," he said, "that if we don’t give them direction, the pupils will just print out lots of material. What they're actually doing is effectively putting off thinking about the subject, because all they might need is to distil the information down into a couple of paragraphs."

Which subjects?

The use of the Internet for research and learning materials at the school differs according to the enthusiasm of individual teachers and according to the subject, some subjects lending themselves much more readily to Internet use than others.

History is one topic where the Web contains a superabundance of useful material, probably more than is available in books, particularly where historical documents are concerned. Additionally, much of this historical material is laid out from a student's point of view. Geography too, benefits from having many sites containing pertinent information.

Language departments can benefit enormously with the availability of numerous sites in foreign languages. Homan quotes one specific instance where A-level students had to prepare a speech for their oral exam and found much current useful material in the vernacular on foreign sites.

The science departments also use a number of sites; and the physics department has used the NASA site to link in with curriculum work on the planetary system. The English and drama departments too are beginning to use the Web more often.

Future Plans

Cheltenham Ladies' College is still at a relatively early stage in using the Internet. As Robert Homan states: "The potential isn't anywhere near being realised yet, but we plan to use it much more in the future." Homan also foresees the college establishing on-line links with other schools over the Internet, for example with French schools which will give excellent language practice.

Whatever future use the college makes of the Internet, the solid and thorough preparations already taken to ensure security will stand it in extremely good stead when it comes to protecting the students and the network from harm.

ENDS

The WatchGuard firewall is available from Wick Hill, specialists in information access, delivery, management and security. Contact 01483 466500, fax 01483 466638, e-mail firstname.lastname@example.org, web site www.wickhill.com

This press release was distributed by ResponseSource Press Release Wire on behalf of Annabelle Brown in the following categories: Consumer Technology, Personal Finance, Business & Finance, Computing & Telecoms, for more information visit http://pressreleasewire.responsesource.com/about.