+ Post New Thread
Results 1 to 9 of 9
Wireless Networks Thread, Pupil Access in Schools in Technical; OK first off let me say that I work for a boarding shcool and I am well aware that the ...
  1. #1

    Join Date
    Nov 2007
    Location
    Rotherham
    Posts
    1,678
    Thank Post
    122
    Thanked 126 Times in 102 Posts
    Rep Power
    46

    Pupil Access in Schools

    OK first off let me say that I work for a boarding shcool and I am well aware that the answer the sensible answer to my question is "don't even think about" however pressing on...

    Does anyone allow students to connect their laptops to their network? Either Wirelessly or cabled? If so what have you done to secure it and prevent them from spending most of their time looking for adult material on the internet, spreading virus and generally being pains in the backside?

  2. #2

    SYNACK's Avatar
    Join Date
    Oct 2007
    Posts
    11,247
    Thank Post
    882
    Thanked 2,745 Times in 2,319 Posts
    Blog Entries
    11
    Rep Power
    785
    Use a seporate routed, filtered and restricted VLAN to isolate them and only give them access to filtered net and those services that you can provide securely, it is almost like setting the network up for external access. You lock them off the primary network with something like packetfence or MAC based dynamic VLANs if your switches support this and you are away.

  3. #3
    IanT's Avatar
    Join Date
    Aug 2008
    Location
    @ the back of my server racks farting.....
    Posts
    1,891
    Thank Post
    2
    Thanked 118 Times in 109 Posts
    Rep Power
    60
    Personally I wouldnt allow the kids to connect there laptops, full stop!

    If it was a member of staff I would check it over first for virus, spyware etc etc

    Ian

  4. #4

    FN-GM's Avatar
    Join Date
    Jun 2007
    Location
    UK
    Posts
    16,249
    Thank Post
    898
    Thanked 1,785 Times in 1,537 Posts
    Blog Entries
    12
    Rep Power
    463
    When john used to work at a boarding school one of the little blights plugged in a wireless router. This gave everyone different IP address.

    se a seporate routed, filtered and restricted VLAN to isolate them and only give them access to filtered net and those services that you can provide securely, it is almost like setting the network up for external access. You lock them off the primary network with something like packetfence or MAC based dynamic VLANs if your switches support this and you are away.
    I would do all that put also in the DHCP give all laptops reserved IP's so you can trace back to a user more easier.

  5. #5

    SYNACK's Avatar
    Join Date
    Oct 2007
    Posts
    11,247
    Thank Post
    882
    Thanked 2,745 Times in 2,319 Posts
    Blog Entries
    11
    Rep Power
    785
    Quote Originally Posted by FN-GM View Post
    When john used to work at a boarding school one of the little blights plugged in a wireless router. This gave everyone different IP address.
    Thats where a combo of packetfence and dynamic VLANS come in, it is trivial to clone the MAC of an existing pc to get past this but it is an extra layer of protection that would probably have stopped this form of bypass.

    Implementing the NAP protection avalible in Server 2008 would also have rendered this pointless as they would not have been able to make contact with anything useful anyway.

  6. #6

    dhicks's Avatar
    Join Date
    Aug 2005
    Location
    Knightsbridge
    Posts
    5,688
    Thank Post
    1,271
    Thanked 791 Times in 688 Posts
    Rep Power
    238
    Quote Originally Posted by Stuart_C View Post
    Does anyone allow students to connect their laptops to their network?
    Yes, anyone can wander in and use our network. I guess decent switches that can block unknown bits of hardware would be nice, but we can't afford those. I vaguely intend to get around to splitting the wireless network off onto its own separate VLAN at some point (although that wouldn't stop people simply plugging stuff into a wired port). We have a transparently filtered Internet connection, of course, and we secure our servers (er, I hope).

    --
    David Hicks

  7. #7


    Join Date
    Feb 2007
    Location
    Northamptonshire
    Posts
    4,699
    Thank Post
    352
    Thanked 804 Times in 719 Posts
    Rep Power
    348
    We're similar to David here except our router will only allow access to the internet via the proxy so we're covered on that angle.

    A seperate vlan for wireless would be nice, and maybe for Christmas Santa'll give me it.

  8. #8

    Sylv3r's Avatar
    Join Date
    Jul 2005
    Location
    Co. Durham
    Posts
    3,242
    Thank Post
    376
    Thanked 381 Times in 339 Posts
    Rep Power
    148
    Quote Originally Posted by SYNACK View Post
    Use a seporate routed, filtered and restricted VLAN to isolate them and only give them access to filtered net and those services that you can provide securely, it is almost like setting the network up for external access. You lock them off the primary network with something like packetfence or MAC based dynamic VLANs if your switches support this and you are away.
    We do pretty much that here. We freely give the WEP key out to all who want it and I think this way the plugging laptops directly into the network will be avoided.

  9. #9
    steve's Avatar
    Join Date
    Oct 2005
    Location
    West Yorkshire
    Posts
    1,044
    Thank Post
    22
    Thanked 177 Times in 123 Posts
    Rep Power
    52
    I'm currently working on this for our school.

    We've just updated our cisco wireless system. We can now have multiple SSIDs on any of our APs. Each SSID can have a different authentication method and will assign you to a pre defined VLAN.

    We have an SSID with no security, that puts the users onto a separate VLAN where our smoothwall box sits.

    When users attempt to access the internet it can be set to ask for a username / password or just an email address.

    It was an expensive upgrade but it now gives us a great deal of flexibility. We intend to provide SSIDs for our conference centre, fitness centre and for pupils / trainee teachers.



SHARE:
+ Post New Thread

Similar Threads

  1. Pupil Import
    By thom in forum ICT KS3 SATS Tests
    Replies: 9
    Last Post: 20th May 2009, 04:27 PM
  2. Pupil Questionnaire?
    By Butuz in forum How do you do....it?
    Replies: 5
    Last Post: 22nd April 2008, 11:13 AM
  3. Pupil Discipline
    By laserblazer in forum General Chat
    Replies: 33
    Last Post: 29th February 2008, 01:51 PM
  4. Netlinc Schools - Web access subtly broken?
    By pete in forum Wireless Networks
    Replies: 2
    Last Post: 1st February 2008, 02:46 PM
  5. Pupil Access to 'Previous Versions'
    By mortstar in forum Windows
    Replies: 4
    Last Post: 25th January 2008, 04:22 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •