Security Do's and Don'ts

By Lars Kongshem

Lars Kongshem is assistant editor and webmaster of Electronic School.

Most schools are lucky enough to have no need for metal detectors and security guards patrolling the hallways. But you'd be hard-pressed to find a school that doesn't lock its doors at night. Not taking at least some basic precautions to protect school facilities and students from intruders would be foolish.

The Internet is no different. If your school or district is considering hooking up a local area computer network directly to the Internet and providing information services such as a World Wide Web server, you'll want to take a few steps to protect your installation.

Here, then, is a brief discussion of some basic and not-so-basic safeguards your school or school system can employ. Just keep in mind: The only completely foolproof Internet security measure is to unplug your connection altogether.

Use your keys. Poorly chosen passwords are an enormous -- yet preventable -- security risk. Users who pick their log-in ID, their own or someone else's name, or a word that appears in a dictionary for their password are leaving the door wide open for intruders. These passwords can easily be broken using guesswork, intuition, and widely available password cracking programs.

Ideally, passwords should contain a combination of at least six upper and lower case letters and numerals, security experts say. A good strategy for choosing a password is to model it after a memorable phrase. For example, the title of the movie "One Flew Over the Cuckoo's Nest" lends itself to the password "1FOtCN." (But don't use this example!)

Of course, the most deftly constructed password is compromised when it's taped to a computer monitor or the underside of a keyboard. If you must write your password down, don't identify it as such and don't keep it anywhere near your computer.

Your school's computer systems administrator can help enforce a strong password policy by installing software that periodically forces users to change their passwords and that refuses to accept passwords that are easily breakable. Finally, make sure students and staff know that they must never tell anyone their passwords.

Lock the back doors. Internet host computers commonly run Unix, a complex operating system that is prone to security weaknesses unless configured with great care and skill. Many Unix systems ship in their most vulnerable configuration, so your best bet is to make sure your school's server is installed by an experienced Unix guru.

The Computer Emergency Response Team (CERT) Coordination Center, which helps system administrators around the Internet respond to security threats, has in the past warned of security flaws in common Unix software programs that send E-mail and run Web and FTP (File Transfer Protocol) servers. Other programs -- such as the program called finger -- are considered security risks because they provide clues hackers can use to their advantage during break-ins.

Commonsense precautions include upgrading all your software to the most recent versions -- thus incorporating fixes for known security bugs -- and disabling potentially risky services that are not needed by legitimate users. Unless you have a good reason to allow incoming finger and anonymous FTP connections, consider turning them off.

Purchasing a turnkey Internet server is a good way to cut down on the amount of Unix voodoo your school staff has to perform. Several vendors sell bundled hardware and software packages that allow schools to set up a secure Internet site with a minimum of fuss. The BBN Internet Server, for example, hides the complexities of Unix behind a Macintosh or Windows interface and does not require any on-site technical configuration.

Finally, don't overlook the fact that allowing students and staff access to the school's network from home via a modem can be a security risk, too.

"Several times a day our dial-in router is contacted by someone who does not have an account," says Craig Lyndes, computer support technician at Champlain Valley Union High School in Hinesburg, Vt. "If I did not have the maximum security enabled on the router, we would be providing access to the Internet, through our network, to who knows how many kids and hackers in our calling area."

Hire a guard. For industrial-strength security, consider placing a firewall between your school's local area network and the Internet. A firewall is a special-purpose computer that polices the flow of data between the two networks.

"The analogy between a firewall and a controlled entranceway is applicable to schools," says Frederick M. Avolio, network security analyst with Trusted Information Systems, a company that not too long ago helped the White House set up a secure Internet connection.

Like a security guard stationed at the main entrance to a school building, a firewall monitors all inbound and outbound traffic and can deny entry when it detects suspicious activity, Avolio says.

A firewall can be implemented using a router, a device used to connect two networks together. Routers range in price from "a couple of thousand dollars to tens of thousands, depending on your network needs," says Tracy LaQuey Parker, manager of education market development at Cisco Systems Inc., a leading vendor of routers.

In addition to safeguarding the school's internal network from the Internet, firewalls also can be used to keep instructional and administrative areas on your school's network separate, protecting the integrity of student records and payroll information.

Are firewalls strictly necessary? That depends on your school's needs, says Dave Carrel, a Cisco Systems engineer specializing in Internet security.

"High levels of security can hamper usability," Carrel says. "You have to decide what it is you're trying protect, and then take the appropriate level precautions based on that assessment."

Indeed, excessive security could be self-defeating, says Barry Kort, consulting scientist at Bolt, Beranek, and Newman (BBN). "If you're operating in a fort, behind a moat, and with the drawbridge up, you can't conduct business," Kort says.

Finally, try breaking in. To double-check for security holes, you can enlist the aid of SATAN -- the Security Administrator's Tool for Analyzing Networks. SATAN is an easy-to-use Unix program that "recognizes several common networking-related security problems and reports the problems without actually exploiting them," say its authors, security experts Dan Farmer and Wietse Venema. Available for free on the Internet, SATAN is an automated hacker's toolbox that will let you unleash every well-known trick against your system to see how it stacks up.

"I had my students get a copy of SATAN and throw it at my network, and it passed with flying colors," says Craig Lyndes. A local university's network didn't fare as well -- it flunked the test, Lyndes adds with a hint of satisfaction.

Internet security might sound complicated, but Lyndes is quick to point out that the "healthy sense of paranoia" gained by running a school's own network provides a large measure of protection.

"If you start with the school network first, and add the Internet access later, you'll have gone through most of the security issues already," Lyndes says. "If you can protect your internal network from your students, the Internet will be a piece of cake."