Thread: Flat Networks (Technical)
#16 (Tiger)

    I must admit I am rather surprised with some of the responses.

    Nick Jones: "Anyhoo - as others have said, a well-secured single network is not a security risk. A poorly-secured one is, but then so is a poorly-secured two network system since, as Tony points out, teachers have all sorts of stuff in their home areas anyway."

    'Single network' and 'secure' are two words that go together only a very limited way if applications on the admin server require SQL or port 80 to be open to the curriculum network. A hacker in a remote classroom will have a field day listening to the network traffic in a 'man in the middle attack'.


    Nick Jones:"As with all network security, the biggest hole is your users - the ones who share passwords, write passwords in their planners, leave computers logged in over break/lunch ..."

    This is precisely the point of keeping two networks isolated and not relying on teachers across the school not to leave PCs logged in to SIMS or have their passwords shared/written in their planners.

    If even the Inland Revenue cannot rely on well-trained staff for data security, what chance do schools have?

    A visiting Australian network manager from a school in Melbourne kindly pointed out to me a document by the Victoria Education Department which clearly states that schools must keep networks isolated. Data security/the Data Protection Act and civil liberties appear to be a high-profile issue across Australia.

    Please drop me a PM for a copy of the document.

#17 localzuk

    Quote Originally Posted by Tiger
    'Single network' and 'secure' are two words that go together only a very limited way if applications on the admin server require SQL or port 80 to be open to the curriculum network. A hacker in a remote classroom will have a field day listening to the network traffic in a 'man in the middle attack'.
    How exactly would they manage that? For example, SIMS.net uses SQL as its backend. A user on a random machine on our network (well, how it used to be) could not sniff those packets. The only way of doing that would be spoofing addresses and complex techniques, most of which can be handled by having your switches set up right.

    Quote Originally Posted by Tiger
    This is precisely the point of keeping two networks isolated and not relying on teachers across the school not to leave PCs logged in to SIMS or have their passwords shared/written in their planners.
    Yes, but those admin machines will still be in classrooms, else how will the staff use SIMS? It doesn't matter what network it is on if the user is a muppet.

    Quote Originally Posted by Tiger
    A visiting Australian network manager from a school in Melbourne kindly pointed out to me a document by the Victoria Education Department which clearly states that schools must keep networks isolated. Data security/the Data Protection Act and civil liberties appear to be a high-profile issue across Australia.
    Whereas here, I am pretty sure that either the DfES (or whatever it is called) or Becta has called on schools to consolidate into single network infrastructures, this being one of the reasons Somerset has changed most of its schools to single-domain networks.
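The "spoofing addresses" localzuk mentions is, on a switch without protection, usually ARP cache poisoning: a host in the classroom VLAN answers ARP for the gateway's (or the MIS server's) IP with its own MAC, and the traffic that Tiger worries about flows through it. What "having your switches set up right" means in practice is DHCP snooping plus Dynamic ARP Inspection, which drops ARP replies that contradict the switch's IP-to-MAC binding table. The script below is an added example, not code from any poster or from any product named in the thread: it applies the same three checks to a capture in the form that `tcpdump -e -n arp` prints. The log lines are constructed and every MAC and IP in them is invented; the `TRUSTED_BINDINGS` table stands in for the switch's snooping binding table.

```python
"""Detect ARP spoofing in tcpdump-style ARP output.

Added example for this thread, not code from any poster or product.
The log lines are constructed to resemble `tcpdump -e -n arp` output;
every MAC and IP address in them is invented.
"""
import re

ARP_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[0-9a-f:]{17}) > (?P<dst>[0-9a-f:]{17}), "
    r"ethertype ARP[^:]*: "
    r"(?:Request who-has (?P<req_ip>[\d.]+) tell (?P<req_from>[\d.]+)"
    r"|Reply (?P<rep_ip>[\d.]+) is-at (?P<rep_mac>[0-9a-f:]{17}))"
)

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed capture: two normal gateway lookups, then a host (attacker
# MAC 00:11:22:33:44:55) claiming the gateway's IP with an unsolicited
# unicast reply and a broadcast reply, which is how caches get poisoned.
SAMPLE_LOG = """\
12:00:01.000000 00:1a:2b:3c:4d:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.6.0.1 tell 10.6.0.50, length 28
12:00:01.000420 00:0c:29:aa:bb:01 > 00:1a:2b:3c:4d:01, ethertype ARP (0x0806), length 42: Reply 10.6.0.1 is-at 00:0c:29:aa:bb:01, length 28
12:00:05.000000 00:1a:2b:3c:4d:02 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.6.0.1 tell 10.6.0.51, length 28
12:00:05.000310 00:0c:29:aa:bb:01 > 00:1a:2b:3c:4d:02, ethertype ARP (0x0806), length 42: Reply 10.6.0.1 is-at 00:0c:29:aa:bb:01, length 28
12:00:09.000000 00:11:22:33:44:55 > 00:1a:2b:3c:4d:01, ethertype ARP (0x0806), length 42: Reply 10.6.0.1 is-at 00:11:22:33:44:55, length 28
12:00:09.500000 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Reply 10.6.0.1 is-at 00:11:22:33:44:55, length 28
"""

# Stands in for the DHCP-snooping / static binding table a switch uses for
# Dynamic ARP Inspection. The gateway's "real" MAC is an assumed value.
TRUSTED_BINDINGS = {"10.6.0.1": "00:0c:29:aa:bb:01"}


def parse_arp_line(line):
    """Return a dict for one ARP request/reply line, or None if it is not ARP."""
    m = ARP_LINE.match(line)
    if not m:
        return None
    g = m.groupdict()
    pkt = {"ts": g["ts"], "src": g["src"], "dst": g["dst"]}
    if g["rep_ip"]:
        pkt.update(op="reply", ip=g["rep_ip"], mac=g["rep_mac"])
    else:
        pkt.update(op="request", ip=g["req_ip"], asker=g["req_from"])
    return pkt


def detect_arp_spoofing(log_text, trusted_bindings):
    """Apply three DAI-style checks to every ARP reply and return the alerts.

    1. the ARP sender MAC must equal the Ethernet source MAC;
    2. a reply for an IP in the trusted table must carry the trusted MAC,
       and for any other IP the learned IP->MAC binding must not flip;
    3. a reply must answer an outstanding request from its destination
       (a broadcast reply is unsolicited by definition).
    Each alert is (timestamp, ip, reason).
    """
    alerts = []
    learned = dict(trusted_bindings)
    pending = set()  # (requested IP, requester MAC) with no reply yet
    for raw in log_text.splitlines():
        pkt = parse_arp_line(raw)
        if pkt is None:
            continue
        if pkt["op"] == "request":
            pending.add((pkt["ip"], pkt["src"]))
            continue
        ip, mac, ts = pkt["ip"], pkt["mac"], pkt["ts"]
        if mac != pkt["src"]:
            alerts.append((ts, ip, f"ARP sender {mac} != frame source {pkt['src']}"))
        if ip in trusted_bindings and mac != trusted_bindings[ip]:
            alerts.append((ts, ip, f"{mac} claims {ip}, trusted binding is {trusted_bindings[ip]}"))
        elif ip in learned and learned[ip] != mac:
            alerts.append((ts, ip, f"binding for {ip} changed {learned[ip]} -> {mac}"))
        if pkt["dst"] == BROADCAST or (ip, pkt["dst"]) not in pending:
            alerts.append((ts, ip, f"unsolicited reply from {mac}"))
        pending.discard((ip, pkt["dst"]))
        if ip not in trusted_bindings:
            learned[ip] = mac
    return alerts


if __name__ == "__main__":
    for ts, ip, reason in detect_arp_spoofing(SAMPLE_LOG, TRUSTED_BINDINGS):
        print(ts, ip, reason)
```

Run against the constructed capture, the two legitimate gateway replies pass all three checks and the two attacker replies each raise a trusted-binding violation and an unsolicited-reply alert. A switch doing DAI would simply drop those two frames on the untrusted classroom port; on a switch that does not, this is the kind of logic an IDS sensor on a SPAN port would need, and the "learned binding changed" branch is the check that still works for hosts the binding table does not know about.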

#18 localzuk

    Quote Originally Posted by Geoff
    VLANs are not an effective security measure.
    Unless they're tied in with something like 802.1x...

#19 Oops_my_bad

    Or just air-gapped...

#20 localzuk

    Quote Originally Posted by TeddyKGB
    Or just air-gapped...
    Huh?

#21 JohnCondon (Bromcom)

    It is a fact that the current direction of BECTA and DCSF policy is encouraging the use of flat network design, which is in direct opposition to "popular expert opinion". We have recently encountered the same antipodean amazement that Tiger experienced, when we had some comms with an Australian VLE manufacturer. Their reaction to the UK school situation of even having separate networks "connected" across any means, let alone a truly flat network, was simple disbelief.
    Anyway...
    This is the precise reason why we have endeavoured to develop non-standard/secure comms methods.
    Where we do use standard network comms we now advocate the addition of hardware-based route blocking on the server to prevent unexpected attacks on common ports.
    Attendance registration pretty much functions on the basis that your collection occurs in the curriculum environment but your reporting occurs on the admin side; they need "a" link to be truly effective.
    Our clients therefore run on a variety of comms: 802.11, radio signal; even the browser-based registration has a software solution in place to prevent direct connection to notorious SQL ports. But we avoid anything running on the usual port suspects.
    Very soon a Java version of the attendance interface is being released to run on any Linux PCs/laptops or iMacs. Much more secure as far as networks are concerned.
    On that last point, contact me if you want to know more (not the right forum to discuss that).

#22 JohnCondon (Bromcom)

    Quote Originally Posted by localzuk
    Quote Originally Posted by TeddyKGB
    Or just air-gapped...
    Huh?
    I assume he means not physically connected at all. My own term would be "whirlwind proof", a term from the Sci-Fi works of William Gibson.

#23 rrichmond (Brisbane)

    What I meant to indicate was that we use different networks for students and staff, e.g. students are 10.6.X.X and staff are 10.4.X.X.

#24 GrumbleDook

    Ok ... are we looking for the ultimate design in security for MIS information or sensitive data on a network?

    Firstly, too much of what is being discussed is based on the MIS being the only store of sensitive data in a school. Too much is based around a single DB storing *all* information. I am afraid it does not work like that, and the costs involved in changing that are generally prohibitive in schools (in software, in hardware and in retraining of support staff ... and this is before we even get to training the staff!)

    Secondly, the move to hosting data in a central location is now having another hole opened in it: web access. More MIS are going to have some form of two-way conversation with a web front-end, whether that is via web parts into SharePoint or the company's own web interface. These *have* to be over HTTPS to the browser before we even go into the other problems.

    Finally ... this talk about creating a separate network for admin machines because we can't trust staff not to leave machines logged in ... what makes you think they will not just write down the password for the second domain? What makes you think that they won't just let a student onto their laptop because they are a machine short in their classroom? IT is sustainable in schools as it is ... as much as I want to make systems as secure as possible I don't want to make it so expensive that it becomes unusable.

    Remember ... whatever we do in a school has to show that there is a demonstrable impact on the school, either across T&L or Leadership & Management.

    @JohnCondon
    Can you produce documentation or articles about flat networks (whether a single domain in a single forest, a single domain with child domains in a single forest or multiple domains in a single forest) that say they are against 'popular expert opinion'?

#25 rrichmond (Brisbane)

    Quote Originally Posted by Tiger
    A visiting Australian network manager from a school in Melbourne kindly pointed out to me a document by the Victoria Education Department which clearly states that schools must keep networks isolated. Data security/the Data Protection Act and civil liberties appear to be a high-profile issue across Australia.
    This is exactly what we have set up. Yes. I am in Australia.

#26 DMcCoy

    It really depends on what you mean by flat network. I have a single domain, but it's not really a flat network.

    All network devices (well, apart from 2 and servers) are assigned their vlan from radius with 802.1x. If they don't authenticate then they are placed in a guest vlan.

    Most VLANs are routed; the servers are split into two subnets and VLANs: admin and restricted on one, general access on the other. ACLs on my core switch stop traffic from going to the restricted VLAN from all others except from staff machines. The file server is the only one that needs to be split in the future.

    Same domain, same groups, different access. Flat or not?

#27 (Tiger)

    GrumbleDook " Can you produce documentation or articles about flat networks (whether a single domain in a single forest, a single domain with child domains in a single forest or multiple domains in a single forest) that say they are against 'popular expert opinion'? "

    Yes, actually I have just found what you are asking for, and it's a UK source too: "UCISA - Information Security Toolkit - Edition 3.0 by JISC"

    http://www.ucisa.ac.uk/ist/agree/

    Please take a look at Section L: "Network management" and note the repeated key word 'segregated', meaning ZERO access between the groups, e.g. students, staff and third parties etc.

    There are also plenty of references to BS7799. I would have thought that to comply with the Data Protection Act a school needs to meet BS7799 as the data security standard. I hardly think a system vulnerable to a 'man in the middle' attack on children's sensitive information, or where central data security relies on every teacher keeping his/her password safe, will meet BS7799 or comply with the Data Protection Act.

    Any comments?

#28

    Quote Originally Posted by GrumbleDook
    the use of virtual machines on staff laptops could be an option.
    Wait for 2K8, run a Remote Application or two with RDP over TLS (SSL) through that tiny hole in some ACL to the box with the crown jewels on it... maybe even splash out on smartcards to help authenticate them. Still doesn't really solve whose fingers are on the keyboard, though.

    Quote Originally Posted by Tiger
    note the repeated key word 'segregated', meaning ZERO access
    It's overwhelmingly ancient/run-of-the-mill talk about router ACLs/firewalls on a joined-up network though, i.e. not "isolated" networks.

#29 Oops_my_bad

    lol @ the 16 VLANs comment

#30 localzuk

    Quote Originally Posted by Tiger
    There are also plenty of references to BS7799. I would have thought that to comply with the Data Protection Act a school needs to meet BS7799 as the data security standard. I hardly think a system vulnerable to a 'man in the middle' attack on children's sensitive information, or where central data security relies on every teacher keeping his/her password safe, will meet BS7799 or comply with the Data Protection Act.

    Any comments?
    Can you explain how these man in the middle attacks could occur? Also, segregation does not mean 'completely individual networks with their own separate hardware'; it can mean VLANs, ACLs, 802.1x etc.

    Put it this way - which is more secure:

    1. A flat network (i.e. one with shared hardware) where VLANs, ACLs, 802.1x and IPsec are in place, or
    2. Two completely split networks with no form of authentication other than domain-level logins?

    A flat network can be more secure, and is a lot more affordable and within reach of schools.

    Yes, schools have a legal duty to protect data, but only up to the point where it is affordable to them. Maintaining a split network in our school would require roughly £25,000 minimum investment in terms of fibres and switches. It would also require an extra two servers to act as file server/AD server/DHCP/DNS and backup server. Plus it would require a second firewall and either a router to allow access to the internet or a second connection. So, roughly another £10,000 or so minimum. Add UPSes, the fact that we'd need another cabinet as our current one is full, and as such our server room is also full so we'd need a second server room, which would also need A/C, and you're talking another £10,000 plus the roughly £4k that would be required in running costs for electricity. How can a school our size afford all that? We can't!
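DMcCoy's design in #26 (one domain, 802.1X-assigned VLANs, core-switch ACLs that let only staff machines reach the restricted server VLAN) and localzuk's option 1 above both come down to how the ACL on the routed VLAN interfaces is written, and the classic way such an ACL fails is ordering: a broad permit placed before the specific deny means the deny is never evaluated. The following is an added example, not configuration from anyone's school: a small first-match ACL model with one misordered and one corrected rule set, plus the flow checks a practitioner would keep beside the switch config. The student (10.6.x.x) and staff (10.4.x.x) ranges follow rrichmond's example earlier in the thread; the guest VLAN and the two server subnets are assumptions, and the 802.1X and IPsec parts of localzuk's list are not modelled.

```python
"""First-match ACL model for a one-domain, VLAN-segmented school network.

Added example for this thread, not configuration from any poster's site.
Student 10.6.x.x and staff 10.4.x.x follow rrichmond's example above; the
guest VLAN and the server subnets are assumed values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str = "any"           # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None matches any destination port


def rule(action, src, dst, proto="any", dport=None):
    return Rule(action, ipaddress.ip_network(src), ipaddress.ip_network(dst), proto, dport)


ANY = "0.0.0.0/0"
STUDENT_VLAN = "10.6.0.0/16"
STAFF_VLAN = "10.4.0.0/16"
GUEST_VLAN = "10.99.0.0/16"         # where 802.1X failures land (assumed)
GENERAL_SERVERS = "10.1.0.0/24"     # general-access servers (assumed)
RESTRICTED_SERVERS = "10.1.1.0/24"  # admin/MIS servers (assumed)

# Misordered: the student VLAN is permitted to everything before the
# restricted subnet is denied, so for student traffic the deny is dead.
MISORDERED_ACL = [
    rule("permit", STUDENT_VLAN, ANY),
    rule("permit", STAFF_VLAN, ANY),
    rule("deny", ANY, RESTRICTED_SERVERS),
]

# Corrected: the specific permit and deny for the restricted subnet come
# first, then the broad permits. The guest VLAN matches nothing and falls
# through to the implicit deny at the end of the list.
HARDENED_ACL = [
    rule("permit", STAFF_VLAN, RESTRICTED_SERVERS),
    rule("deny", ANY, RESTRICTED_SERVERS),
    rule("permit", STAFF_VLAN, ANY),
    rule("permit", STUDENT_VLAN, ANY),
]


def evaluate(acl, src_ip, dst_ip, proto="tcp", dport=None):
    """First matching rule decides; no match means the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in acl:
        if (s in r.src and d in r.dst
                and r.proto in ("any", proto)
                and r.dport in (None, dport)):
            return r.action
    return "deny"


# The intended policy, written as flows the ACL must get right.
POLICY = [
    ("staff laptop to MIS SQL",           "10.4.1.10", "10.1.1.5", "tcp", 1433, "permit"),
    ("student PC to MIS SQL",             "10.6.1.10", "10.1.1.5", "tcp", 1433, "deny"),
    ("student PC to MIS web front-end",   "10.6.1.10", "10.1.1.5", "tcp", 443,  "deny"),
    ("student PC to general file server", "10.6.1.10", "10.1.0.5", "tcp", 445,  "permit"),
    ("guest VLAN to general file server", "10.99.0.7", "10.1.0.5", "tcp", 445,  "deny"),
    ("guest VLAN to MIS SQL",             "10.99.0.7", "10.1.1.5", "tcp", 1433, "deny"),
]


def verify(acl, policy):
    """Return (label, expected, actual) for every flow the ACL gets wrong."""
    failures = []
    for label, src, dst, proto, dport, expected in policy:
        actual = evaluate(acl, src, dst, proto, dport)
        if actual != expected:
            failures.append((label, expected, actual))
    return failures


if __name__ == "__main__":
    for name, acl in (("misordered", MISORDERED_ACL), ("hardened", HARDENED_ACL)):
        print(name, verify(acl, POLICY) or "OK")
```

The misordered list passes four of the six flows and silently lets every student machine reach the MIS server on both the SQL and the web port, which is exactly the exposure Tiger describes; the corrected list passes all six. The model is stateless and one direction only, so on a real switch the same rules are applied per VLAN interface and need the return-traffic handling the platform provides, but keeping a flow list like `POLICY` next to the switch config, and re-running it after every ACL change, catches the ordering mistake before a pupil does.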
