Antony Rappai

Tech Director & DPO in Education | EdTech Solutions Architect | AI/API & Low-Code Integrationist | Investing Enthusiast

Tag: Network Administration

  • The cyber security plan every school needs

    Not many schools in today’s world take cybersecurity seriously. Over the last couple of years we faced some significant security breaches in our school: in one instance our school information system was compromised through the Apache Struts vulnerability, and in another a lot of email accounts were taken over as a result of phishing.

    After analyzing the logs for days, we noticed that our public-facing sites were a constant target for bots and hackers. Even if you have a firewall to keep threats away you are still susceptible, especially to zero-day vulnerabilities. Another thing to keep in mind is that over 90% of attacks are due to human error (like submitting your credentials through a phishing link) or users going to the wrong sites.

    To keep up with the ever-growing threat of cyber attacks, I came up with a four-pronged approach to keep our school safe from cyber threats.

    Four-pronged approach?

    I classified them as

    1. Servers Security
    2. Network Security
    3. Client Computer Security
    4. Cyber Security Awareness / End User Training

    1. Server Security

    1.1 Server Software Updates and Patches: To protect the servers, we installed the latest patches and updates on all of them. Quite often server administrators think installing patches and updates is not necessary or not very important, but we learned the hard way when one of our systems was affected by the Apache Struts vulnerability. Always schedule a weekly or monthly downtime window for your servers to be updated.

    1.2 IPS / IDS and Firewall on all servers: We used the ever-reliable Symantec Endpoint Protection; although it is called endpoint protection, it worked for our servers too. We left the IPS and IDS at their default settings and configured the firewall to allow traffic only to the required ports. From the logs it was clear that it was blocking IP addresses trying to exploit the vulnerabilities.

    1.3 Cloudflare (WAF & DDoS): We set up Cloudflare as an additional layer of security in front of our public-facing websites, such as the school website and the school information system. Cloudflare sits between the public Internet and our servers and inspects visitor traffic to tell genuine visitors from bots trying to attack. Additionally, it caches parts of your website. It is basically a WAF (web application firewall), CDN (content delivery network) and DNS server, and all of this for free. After a few weeks on the free version we decided to switch to the $20/month plan, which includes an advanced WAF with a predefined set of rules against vulnerabilities in HTML, PHP, MySQL and WordPress, plus a set of predefined signature rules. This worked really well for us because a lot of attacks on our public-facing sites were blocked. One caveat: a WAF in front of the site only helps if the origin servers are reachable only through Cloudflare, so restrict inbound traffic on your firewall to Cloudflare’s published IP ranges; otherwise an attacker who learns the origin IP address walks straight past the WAF.

    Additionally, the free version provides basic DDoS protection and the ability to block or challenge malicious or blacklisted IP addresses. Apart from that, since Cloudflare acted as our DNS server, we no longer needed to host additional public-facing DNS servers, which saved valuable resources on our server infrastructure.

    2. Network Security

    Every organization has a firewall, right? But have you configured it correctly? Well, check again.

    2.1 Layer 3 security: We allowed incoming traffic from the public only to a few of our services, restricted to specific ports (the school information system, websites and learning management system); the requirements vary from organization to organization. It is worth keeping track of the open ports and public NAT assignments in a Google Sheet or Excel sheet, and verifying it periodically from outside with a port scan so the sheet reflects what is actually exposed.

    What about outgoing traffic?

    Generally it is OK to allow all; we restricted dangerous ports and specific blacklisted IPs.

    Since we had the cloud-based Meraki MX 600, we were able to do the following:

    2.2 Layer 7 firewall: this gave us the ability to control traffic based on applications such as Windows Update, YouTube, AV updates, etc.

    2.3 IPS & IDS: this is very important for schools, especially when you have a 1:1 laptop environment. Since the Meraki MX 600 comes with IPS & IDS from Sourcefire (Snort), it did a pretty good job of blocking malicious files from being downloaded into the school network (ever wondered how to keep MacKeeper at bay? 🙂)

    2.4 Core Network Switch / Router security enhancements: It is good practice to have access control lists that restrict traffic between VLANs, e.g., allowing your guest VLAN to access only the Internet and not internal resources such as servers.

    Additionally, on the network switches:

    - port security based on sticky MAC addresses, to allow only the designated IP phone to connect to a particular port

    - shutting down unused ports, to prevent unauthorized computers from accessing the school network
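    The controls in 2.1 and 2.4 (outbound port restrictions, an inter-VLAN ACL for the guest network, sticky-MAC port security and parked unused ports) as they would be typed into a Cisco IOS core switch such as the Catalyst 6500 mentioned later on this page. This is an added example, not configuration from the original post; the VLAN numbers, addresses, interface names and the resolver address 10.10.0.53 are hypothetical and must be adapted to your own network.

    ```cisco
    ! Added example (not from the original post). Hypothetical layout:
    !   VLAN 10  servers  10.10.0.0/16   (SIS, LMS, internal DNS at 10.10.0.53)
    !   VLAN 30  students 10.30.0.0/16
    !   VLAN 50  guest    10.50.0.0/16
    !   VLAN 100 voice
    !
    ! ---- 2.4: guest VLAN reaches the Internet only, never internal subnets ----
    ip access-list extended GUEST-IN
     remark DNS to the internal resolver only if guests are handed that resolver
     permit udp 10.50.0.0 0.0.255.255 host 10.10.0.53 eq domain
     remark block every private range the school uses internally
     deny   ip 10.50.0.0 0.0.255.255 10.0.0.0 0.255.255.255
     deny   ip 10.50.0.0 0.0.255.255 172.16.0.0 0.15.255.255
     deny   ip 10.50.0.0 0.0.255.255 192.168.0.0 0.0.255.255
     permit ip 10.50.0.0 0.0.255.255 any
    !
    interface Vlan50
     description Guest SVI
     ip address 10.50.0.1 255.255.0.0
     ip access-group GUEST-IN in
    !
    ! ---- 2.1: outbound from students: allow all except dangerous ports ----
    ip access-list extended STUDENT-IN
     remark internal services students actually need stay reachable
     permit tcp 10.30.0.0 0.0.255.255 10.10.0.0 0.0.255.255 eq 443
     permit udp 10.30.0.0 0.0.255.255 host 10.10.0.53 eq domain
     remark no RPC/NetBIOS/SMB, Telnet, RDP or direct SMTP out of the student VLAN
     deny   tcp 10.30.0.0 0.0.255.255 any range 135 139
     deny   udp 10.30.0.0 0.0.255.255 any range 137 138
     deny   tcp 10.30.0.0 0.0.255.255 any eq 445
     deny   tcp 10.30.0.0 0.0.255.255 any eq telnet
     deny   tcp 10.30.0.0 0.0.255.255 any eq 3389
     deny   tcp 10.30.0.0 0.0.255.255 any eq smtp
     remark nothing else from students to the server VLAN
     deny   ip  10.30.0.0 0.0.255.255 10.10.0.0 0.0.255.255
     permit ip  10.30.0.0 0.0.255.255 any
    !
    interface Vlan30
     description Student SVI
     ip address 10.30.0.1 255.255.0.0
     ip access-group STUDENT-IN in
    !
    ! ---- 2.4: sticky-MAC port security on an IP phone port ----
    ! maximum 1 admits only the phone; raise it to 2 if a PC is daisy-chained
    ! through the phone
    interface GigabitEthernet2/1
     description IP phone, room 204
     switchport
     switchport mode access
     switchport access vlan 30
     switchport voice vlan 100
     switchport port-security
     switchport port-security maximum 1
     switchport port-security mac-address sticky
     switchport port-security violation shutdown
     spanning-tree portfast
    !
    ! ---- 2.4: unused ports shut down and parked in an unused VLAN ----
    interface range GigabitEthernet2/40 - 48
     description UNUSED
     switchport
     switchport mode access
     switchport access vlan 999
     shutdown
    !
    ! bring a port back automatically 10 minutes after a security violation
    errdisable recovery cause psecure-violation
    errdisable recovery interval 600
    !
    end
    ! sticky addresses are learned into running-config; save or they vanish on reload
    write memory
    ```

    To check the result, `show ip access-lists GUEST-IN` and `show ip access-lists STUDENT-IN` give per-entry hit counters (a deny line with a rising counter is a client trying to do something it shouldn’t), `show port-security interface GigabitEthernet2/1` shows the learned sticky address and the violation count, and `show interfaces status | include notconnect` lists the ports that are still up but unused and should join the parked range. On the Meraki MS switches described later on this page the same two port controls are set per port from the dashboard rather than the CLI.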

    2.5 Wi-Fi network security: Since we had the cloud-based Meraki access points, we could detect and block rogue access points and DHCP servers. Additionally, we could restrict and control traffic per SSID, e.g. limiting traffic such as YouTube and updates on a per-SSID basis. You don’t necessarily need Meraki to implement these changes; most enterprise wireless systems have these abilities.

    3. Client Computer Security

    3.1 Endpoint Security: First and foremost, it is absolutely necessary to implement endpoint security; we opted for the ever-reliable Symantec Endpoint Protection, which comes with IPS and IDS. We also took advantage of Symantec Endpoint Protection Manager (SEPM), a server that communicates with all the clients and is used to push definition updates to them. The SEPM dashboard gives you a bird’s-eye view of the clients that are infected or have not been updated, and lets you push firewall policies to all your clients. In short, I can’t stress enough how important it is to have anti-virus software on your clients that can be managed from a server and gives you a dashboard.

    3.2 OpenDNS: How do you protect your student and teacher computers once they are outside the school network? I know your answer is probably endpoint security, but I beg to differ: endpoint security or anti-virus software is always a reactive measure. We wanted something more proactive, to prevent staff from going to malicious sites and to block phishing links while they were away from the school network. Last year we had hundreds of Gmail accounts hacked because a phishing link went viral; if we had had OpenDNS we would have been able to block access to it even off campus.

    How does it work? OpenDNS has a roaming client that is installed on the client computers; once installed, all DNS queries are routed through OpenDNS servers, and from the dashboard we can block website categories such as porn, social networks and gambling. This is especially good on a 1:1 school network where students take their computers home. It also gives the ability to block malicious websites, phishing links, botnet sites, sites that host viruses, download links and URLs that contain viruses, etc. The dashboard gives a good understanding of which clients have a high volume of traffic to malicious websites and which sites and categories were blocked. Keep in mind that DNS filtering only sees the lookup, not the connection: a client that changes its resolver, uses DNS over HTTPS, or connects to an IP address directly bypasses it, so the roaming client should be protected from removal and paired with the endpoint firewall. I used to think this was not necessary, but in today’s world, especially in schools of our size where over two thousand user accounts are susceptible to being hacked, I would highly recommend some kind of cloud-based DNS protection.

    4. Cyber Security Awareness / Training

    Last but not least, user awareness and training are of paramount importance. Schools should have a process to update the Acceptable / Responsible Use Policy on a regular basis, and set up cyber security awareness weeks where the tech department, along with the tech integrators, conducts workshops for teachers and students on how to stay safe online.

    Check out my Cyber Security Google Slides presentation (feel free to use it as a reference): Cyber Security Awareness Google Slide

  • Our Recent Network Overhaul.

    Last year I convinced the school to go for a complete network overhaul, keeping the long-term technological requirements of our school in mind.

    What were the upgrade requirements?

    • Gigabit switches with ten-gigabit uplinks
    • The core Cisco (Catalyst 6500) network switches had to be upgraded with the newer supervisor module that supports 10G fiber modules.
    • Wireless access points with 802.11ac technology
    • A firewall that can support over 10,000 concurrent connections, with IPS, IDS, malware prevention and packet shaping.

    The reason: our network infrastructure was aging and had reached end of life. With the existing 1G uplinks we were facing bandwidth bottlenecks and loss of instructional time for teachers and students due to wireless and network troubleshooting, plus we were not equipped to upgrade our server infrastructure in the future to 10G or 40G uplinks.

    What did we decide on? We did some extensive research on Cisco, HP and Meraki and decided to go for the cloud-based Meraki solution. Management of the access points and switches seemed simple and did not require a ton of technical knowledge compared with Cisco controller-based wireless and traditional command-line switches; Meraki provides a simple, intuitive GUI to make magic happen. I was a bit skeptical about requiring an Internet connection to manage the bulk of our network, but we went ahead and chose the Meraki MS350 for our switches, the MR 42 for indoor access points, the MR 72 for outdoor access points and the Meraki MX 600 for our firewall, and upgraded our Cisco core with the VS-S2T-10G supervisor module, which enabled us to go 10G and future-proofed us for 40G. The entire investment came to about $1 million. I was going to miss the traditional command line for managing the Cisco network, because I had invested a lot of time and energy in learning it, plus it made me look too cool :) We went with a trusted partner who had tons of experience providing network solutions.

    How did it all go? We took the summer break as the perfect opportunity to do the installation, which went on for roughly a month. We had a few quirks with the technical setup, but the availability of 24/7 support via chat and phone from Meraki was a huge benefit.

    Meraki WiFi Pros:

    • Manageability: A beautiful dashboard with a consolidated view of the current clients, access point status and switch status was a blessing; it helped us identify faults and be proactive. The access points are easy to set up and configure: it was easy to create SSIDs and VLANs, change the radio settings and channel width, monitor channel interference, monitor the clients on an AP, restart them, etc. One really cool feature is the ability to tag access points: for example, you can tag the access points on the 7th grade floor with anything, then search for access points with that tag, monitor just them and make bulk changes.
    • Security: Meraki APs provide layer 3 & 7 firewall rules at the SSID level, which lets us block certain applications, ports, IPs and sites on the student SSID while keeping them open on the staff SSID. Meraki’s Air Marshal feature can be set up so that any rogue SSID connected to the school network is contained (containment works by sending deauthentication frames, so restrict it to SSIDs actually seen on your wired network rather than every neighbouring network).
    • Traffic Shaping: it is even possible to set traffic shaping rules at the SSID level; for example, we can set up rules such that a single client on a particular SSID cannot exceed 1 MB per second.
    • Access Control: You can set up SSID authentication via a RADIUS server, or login via a splash page and LDAP; additional parameters include checking the computer for anti-virus before letting it onto the network, etc. For the RADIUS server there is documentation on setting up Windows Server 2012 as a RADIUS server; I would recommend it, configured so that only machines in a particular Active Directory group can connect to the SSID. Of course, you can’t use that for mobile devices.
    • Additional features: There is a packet capture tool (you can capture the traffic to and from the client and AP) for advanced troubleshooting, and cable testing from the AP to the switch port. The APs support 80 MHz channels on the 5 GHz band to take advantage of 802.11ac, with client throughput of up to 700 Mb per second.

    Firewall pros:

    • Firewall settings: layer 3 & 7 firewall rules can be set up at the firewall level. Adding them at both the firewall and the SSID is what I would recommend, because we want to contain the threat at the first point of contact (the AP), so the valuable processing power of the firewall can be used for IPS, IDS, NAT, PAT, etc.
    • Security Center Dashboard: Perhaps one of the top features of the MX 600 is the Security Center (which comes at a price, since it requires the advanced firewall license). The security dashboard gives you a nice view of the malware and IPS threats coming in from around the world, plotted on a world map. It also shows the clients on your network with possible malware infections and contains them (this is cool). Until we had the Meraki we had no clue how many hackers and bots were trying to infiltrate the network.
    • Access Control: You can set up Internet access policies via LDAP groups; for example, only members of the staff group in AD can access certain applications and websites.
    • Setting up NAT and PAT is a breeze.
    • Load balancing: Dual WAN ports, so it essentially becomes a load balancer. This was a huge plus because we have to pay a serious amount of cash for a 100 Mb IP VPN Internet connection (about $15,000 per month 😦); with the MX 600’s dual WAN ports we could buy a cheaper 100 Mb business fiber line and double our bandwidth using the second WAN. It even has provision for a backup 4G dongle in case both WANs fail, and you can set up flow preferences to send certain traffic through WAN 1 or WAN 2.


    MS 350 Switches pros:

    • VLANs: Easy to set up VLANs and trunk ports in the GUI; assigning access VLAN ports and voice VLAN ports is a breeze.
    • Routing: L3 routing (only on the MS 350) is possible too, for more advanced topologies; we don’t have much use for it because of the way our network is set up.
    • Stacking: The MS 350 is capable of physical and virtual stacking.
    • Security: MAC filtering is easy, and LDAP authentication is a breeze at the individual port level.
    • Advanced troubleshooting: cable testing to see whether all the pairs are terminated correctly, the ability to see which client is connected to which port, and a packet capture utility to analyze traffic between a switch port and wired clients.


    Wireless Cons

    • There is not much really. One thing I wished it had was the ability to set up packet shaping for an entire SSID rather than per client on a per-AP basis. This might be a bit hard to explain: our wireless is made up of different SSIDs, and each SSID is tagged with a particular VLAN, so it would have been beneficial to assign a certain amount of bandwidth to the entire SSID, meaning we don’t want the whole student SSID to exceed 30 Mb in total. That is not possible; you would need something like a Blue Coat PacketShaper to achieve it.
    • Weird issues with APs not accepting clients.
    • Some settings take a few seconds, maybe even a minute, to be pushed to the APs; because they are cloud managed, the settings take a while to travel from the Internet to our local APs, and even things like restarting the APs take longer than expected in some cases.
    • Noticed some channel interference with Apple TV and Mac clients.
    • Some clients show up with the wrong names; it looks like the reporting takes time to update on the dashboard (again, this is the disadvantage of moving to a complete cloud solution).
    • 802.11ac and 5 GHz capable clients always seem to connect to the 2.4 GHz band in spite of excellent 5 GHz signal strength. BTW, interference is much lower on the 5 GHz band, which is why I want them to connect to it in the first place.
    • The band steering feature in the wireless SSIDs, which tries to move 5 GHz capable clients onto the 5 GHz band, does not work as well as expected and is flaky.

    Switch cons:

    • Wired clients show up with the wrong MAC address, and sometimes the port where a wired client is connected shows up wrong too; I noticed this mainly with Apple TVs and wired Mac clients.
    • There is no way to bulk restart all the switches at once; this would have been a good way to restart all the APs at once too.


    Firewall Cons:

    • Again, the inability to set up packet shaping for an entire VLAN rather than per client on a per-VLAN basis is a major drawback.
    • Pricing on the advanced license is very steep.

    Other pros:

    • Easy to manage dashboard, accessible from anywhere 
    • Good for a school environment, because it is easy to maintain and frees up some of your time to get involved in other cool projects.

    Other cons: 

    • Your entire network ceases to function if your support license has expired (sounds pretty scary; don’t worry, when it is close to expiry they do a good job of reminding you, you just need to find the $$).
    • You need to factor in the price of the licensing over the long term, meaning you need to work out a network keep-alive cost projection for the lifetime of the equipment, and that could be expensive for smaller organizations.

    I am sure I missed a lot of points, but I will keep updating this post regularly, so check back or contact me if you plan on investing in Meraki; I can show you how we have it all set up.