Network Security – Draft

DfES
Network Services Project

Network Security

Draft v3.1

Copyright © 2004 The JNT Association 

NDD/NSP/RS/NS/3.1 2 June 2004 Page 1 of 33


UKERNA manages the networking programme on behalf of the higher and further education and
research community in the United Kingdom. JANET, the United Kingdom's education and
research network, is funded by the Joint Information Systems Committee (JISC).
For further information please contact:
JANET Customer Service
UKERNA
Atlas Centre, Chilton, Didcot
Oxfordshire, OX11 0QS
Tel: 0870 850 2212 / +44 1235 822 212
Fax: 0870 850 2213 / +44 1235 822 397
E-mail: service@janet.ac.uk
Copyright:
This document is copyright The JNT Association trading as UKERNA. Parts of it, as appropriate,
may be freely copied and incorporated unaltered into another document unless produced for
commercial gain, subject to the source being appropriately acknowledged and the copyright
preserved. The reproduction of logos without permission is expressly forbidden. Permission should
be sought from JANET Customer Service.
Trademarks:
JANET®, SuperJANET® and UKERNA® are registered trademarks of the Higher Education
Funding Councils for England, Scotland and Wales. The JNT Association is the registered user
of these trademarks.
Disclaimer:
The information contained herein is believed to be correct at the time of issue, but no liability
can be accepted for any inaccuracies.
The reader is reminded that changes may have taken place since issue, particularly in rapidly
changing areas such as internet addressing, and consequently URLs and e-mail addresses should
be used with caution.
The JNT Association cannot accept any responsibility for any loss or damage resulting from the
use of the material contained herein.
Availability:
Further copies of this document may be obtained from JANET Customer Service at the above
address.

© The JNT Association 2004 NDD/NSP/RS/NS

Network Security

1 Purpose
1.1 Scope
1.2 Target Audience
1.3 Strategic Issues
1.4 Summary of Responsibilities
1.5 National Education Network
1.6 Interoperability and Standards
2 Management Framework
2.1 Policies
2.2 Resources
2.3 Chain of Responsibility
3 Network Design
3.1 Partitioning the Network
3.2 Firewalls
3.3 Measures to Protect Data, Communications and Systems
3.4 Mobile and Remote Working
3.5 Wireless Networks
4 System Protection
4.1 Responsibilities
4.2 Privileges
4.3 Configuration and Maintenance
4.4 Access Control
5 Content Protection
5.1 Virus Scanning
5.2 Content Filtering
6 User Education
6.1 Awareness and Good Practice
6.2 Terms and Conditions
6.3 Training and Updating
6.4 User Support
7 Security Incident Response
7.1 Reporting Process
7.2 External Interference with the School’s Network
7.3 Abuse by Internal Users
7.4 Content and Privacy Incidents
7.5 Network Monitoring
7.6 Information Dissemination
8 References
Appendix A: Glossary
Appendix B: Internet Services in a School Network

1 Purpose
School networks are complex and serve a rapidly developing set of educational
requirements, some of which challenge the technology and its security, implemented
within limited budgets. Many agencies are involved in providing the end-to-end network
service. There are networks on school premises, regional networks, Internet connectivity
and the National Interconnect via JANET. The whole forms the National Education
Network. At least three layers of educational management are involved: schools, local
authorities and national oversight. Suppliers include commercial network suppliers and
Internet service providers, Local Authorities (LA), Regional Broadband Consortia (RBC)
and national agencies such as UKERNA. These agencies must work together to produce
a consistent, functional and secure IP network across the various management domains.

This document sets out a number of policies, activities and controls that are needed to
give a reasonable level of technical security to the educational network. It does not
consider the detailed location or operation of controls, specific details of policy or
technical systems configurations, though these are essential to match the security of the
network to its intended use. The document only lightly treats issues of information
security or other aspects of content.

A number of other existing documents are referenced. Some of these are examples of
policy or technical design; others are papers on how to prepare these. Where possible,
examples of best practice in the schools sector have been referenced, supplemented by
examples from other sources.

1.1 Scope
To be effective, security must be built in at all stages of the procurement, configuration
and management of a network. This document therefore contains recommendations that
will need to be taken into account at all these stages.

The main beneficiaries of a secure network will be schools and their pupils. The
recommendations therefore apply directly to computers and networks within schools.
However, security must also be considered in all procurements of products and services
related to the network, including software, computers and network connections, whether
bought by individual schools or on a regional or national basis. The recommendations are
therefore directly relevant to suppliers to schools, including LAs, RBCs and commercial
network suppliers and service providers.
Security decisions can have a very wide impact across the Internet. The nature of a
school’s network and the services it delivers may affect the behaviour of upstream and
other networks and services, and vice versa. Decisions affecting security should therefore
involve wide consultation and an informed appreciation of their impact both locally and
on a wider scale. If this is not done then it is highly likely that mismatched expectations
will result in a network that is both less functional and less secure than it could have
been.

1.2 Target Audience


This document should be of interest to four principal audiences:

• Staff in schools involved with their school's internal network;
• LA or RBC staff designing, building or operating their wide area network; also
those coordinating the networking activities of schools;
• Suppliers and service providers involved in the provision and management of
local or regional schools' networks;
• Content providers who are making bodies of media-rich materials available to
schools online.

1.3 Strategic Issues


Building and managing a secure network service is a collaborative effort, so anyone with
management responsibility for any part of the service should be aware of most of the
contents of this document. Schools take ultimate responsibility for the security of their
pupils and networks, so will need to take the leading role in ensuring that there is a
management framework for security (Section 2), that systems within schools are
configured and maintained to protect them against security problems (Section 4), and that
all those using and operating the network are aware of and competent to discharge their
responsibilities for security (Section 6). Those schools that wish to use remote or mobile
access, or wireless networks, will need to be concerned with Sections 3.4 and 3.5
respectively.

In the areas covered by the remaining sections of this document – Network Design
(Section 3), Content Protection (Section 5) and Incident Response (Section 7) – schools
and Local Authorities will need to work together to determine the most effective way to
deliver a secure service that meets the ICT requirements of education. A recurring theme
is the need for adequate resourcing of recurrent costs in technical and support staff, in
management involvement and in regular updates to software and hardware.

It should be noted that some information will have multiple target audiences (e.g. pupils,
parents, technical and management staff), so it may need to be presented in a different form
and with different content for each group.

1.4 Summary of Responsibilities


This document sets out a number of activities that will be required to ensure an
acceptable level of security on the educational network. Some of these are primarily the
responsibility of schools, others the responsibility of the managers of regional networks.
The most likely division of these responsibilities is summarised here, based on
information from a number of regional schools networks. Details of these activities are
set out in the following sections.

1.4.1 Schools
School managers will normally be responsible for ensuring that:

• Risk assessments are made of their school’s use of ICT. (Section 2.1.2)
• They have an appropriate security policy to address the identified risks. (2.1.1)
• There is a process for regular review and periodic updating of the policy. (2.1.3)
• There are sufficient resources and skills to maintain all ICT systems in a secure
fashion. (2.2 & 4.1)
• Security responsibilities are clearly defined. (2.3)
• Appropriate policies exist and are implemented to cover remote and mobile
working, where this is enabled. (3.4)
• Wireless networks are used in a secure manner. (3.5)
• Access to networked computers, and especially privileged access, is controlled.
(4.2)
• All systems are configured securely before being connected to the school network,
and there is a maintenance plan to ensure that security measures are kept up
to date. (4.3)
• Appropriate records are kept of computer use by individuals. (4.4, 7.3)
• All networked systems run anti-virus software with an up-to-date configuration.
(5.1)
• All users of ICT equipment receive appropriate training and updating in safety,
security and good practice in ICT use. (6.1 & 6.3)
• All users of ICT equipment agree to be bound by an Acceptable Use Policy. (6.2)
• Support is available to all users of networked computers. (6.4)
• Users are encouraged to report security problems and there is a process for
handling such reports. (7.1.1)
• Processes, agreements and systems to handle external attacks on the network are
in place. (7.2)
• Sufficient records of use are kept to allow internal misuse to be traced to an
individual. (7.3)
• Appropriate policies are in place to report and deal with inappropriate content or
misuse of personal data. (7.4)
• Network use is measured and monitored to enable faults and security incidents to
be identified and dealt with. (7.5)

1.4.2 Local Authorities/RBCs


Local Authority/RBC managers are normally responsible for ensuring that:

• Central facilities are provided to support the core network applications required
for education, as defined in the security policy. (Section 2.1 and, for example,
Appendix B)

• Networks are appropriately partitioned with routers and/or firewalls so that
effective controls can be applied. (3.1)
• An appropriate policy (usually default-deny) is implemented on those control
points to support educational use in accordance with the agreed security policy.
(3.2)
• Appropriate proxy servers are provided for necessary services that cannot
effectively be protected using simple controls. (3.2)
• Encrypted protocols are available and enforced for sensitive traffic, in particular
remote management of ICT systems. (3.3, 4.3)
• Electronic mail messages are checked for viruses on mail servers. (5.1)
• Appropriate content filtering systems are implemented to support educational use
in accordance with the agreed policy. (5.2)
• There is an advertised process for external parties to report security incidents
involving the network. (7.1.2)
• Sufficient records of use are kept to allow internal misuse to be traced to an
individual. (7.3)
• Procedures exist to deal with misuse of the network involving inappropriate
material or contact with pupils: this may require cooperation with the police and
other external agencies. (7.4)
• Appropriate advice, assistance and training are available to school managers
to help them fulfil their responsibilities. (2.2, 7.6)

1.5 National Education Network


The National Education Network, connecting schools to each other and to the Internet,
comprises a number of different management domains, shown in the following diagram.
At the ends of the network are the computers and networks on school premises, for which
schools themselves are responsible. Connecting schools in a geographic area are systems
and networks controlled by a Local Authority (LA) network, which may be combined
with, or a client of, a more general-purpose Regional Network. Connecting these regional
networks together is the National Interconnect via JANET.

Connection to the Internet should be provided at the LA/RBC or higher level; Internet
connections lower down the network are likely to cause serious operational, management
and security problems. Internet connection aggregation has clear benefits and it is
recommended that this be considered by Local Authorities.

This structure reflects the management domains within the network: identifying who is
responsible for systems and networks at each level. It is likely that the physical network
will have the same organisation, though the locations of the boundaries may vary
between different regions and schools depending, for instance, on networking technology
and management arrangements.

1.6 Interoperability and Standards


As described above, the National Education Network consists of a number of different
domains, managed by different organisations. For a functional and secure network to be
achieved, the policies and technologies used in the different domains must be consistent
and interoperate. This will only be achieved by all parties working to agreed standards,
either formal international standards or local agreements. In networking, an arbitrary
decision in one management domain can affect the operation and security of all others.

Where they exist, international standards are to be preferred as they are better understood
and more likely to be supported by easily available products. In these documents, such
standards will therefore be highlighted when appropriate. However, it is important to note
that many standards, particularly more recent ones, may still provide some flexibility of
interpretation. Apparently standards-compliant products may not always work together as
well as might be hoped, and prior testing to ensure compatibility is always advisable.

The UK Government’s e-Government Interoperability Framework (e-GIF) makes
recommendations with respect to the adoption of appropriate standards:
http://www.govtalk.gov.uk/interoperability/egif.asp
The Government Strategy Framework and guidelines on Security:
http://www.e-envoy.gov.uk/Resources/FrameworksAndPolicy/fs/en

There will also be a need for local agreements, within the overall security standards,
particularly regarding the management and configuration of the network. For example, if
a school does not allocate IP addresses to computers in a way agreed with the authority
that runs the regional routers, then the network is unlikely to be able to transfer packets as
intended. In the area of security, these local agreements are likely to dominate, covering
topics such as the types of traffic allowed on the Internet, how services such as mail and
web browsing are provided and how use and misuse of the network are to be accounted
for.

2 Management Framework
2.1 Policies
Policy on the purpose of the education network is beyond the scope of this document.
However, that policy will determine the services and facilities required and will affect the
acceptable use policy for the network, which in turn has an impact on the security policy.
To permit some concrete proposals to be presented, a sample set of network applications
and services is set out in Appendix B, together with recommendations as to how they can
most easily be provided in a secure fashion. It is believed that these are sufficient to meet
most of the needs of school staff and of daytime and other students, mainly while they are
on school premises.

2.1.1 Security Policy


A clear overall policy sponsored and endorsed by top-level management must set out the
need for security, what it is intended to protect, the methods used and the responsibilities
of those involved. This high level policy will be supplemented by many other documents
setting out:

• security requirements;
• responsibilities;
• procedures for administration including monitoring;
• measures and processes for individual areas of concern such as viruses and
content filtering.
References:
http://www.kent.gov.uk/eis/ - follow ‘broadband’ link to ICT security policy
http://www.sln.org.uk/teacher/p1131.htm
http://www.jisc.ac.uk/index.cfm?name=jcas_papers_security.

2.1.2 Risk Assessment and Management


All decisions on security must be based on a consistent risk assessment. Risk assessment
highlights those areas where security is most important and where the greatest benefits
can be obtained. Without risk assessment it is easy to waste resources on ineffective
solutions to minor problems. Risk assessment must be an ongoing process to take account
of changes to the network’s requirements and in the surrounding environment. Risk can
never be removed, but by taking informed decisions it can be kept at an acceptably low
level.
Major classes of threat include but are not limited to:
• Interference with the proper running of a school network, either from outside the
network through network attacks and worm programs or from inside when
software and hardware are introduced by authorised or other users (perhaps on
CDs or on portable computers which have been compromised while outside the
school);
• Abuse by authorised users which results in potential interference with networks
elsewhere, such as the sending of inappropriate messages;
• Exposure of users to inappropriate content or to Data Protection violations.
Reference: http://www.ja.net/conferences/SJ4/manage_risks/prog.html.

2.1.3 Review and Updating


There must be a regular review of all the security policies, measures and processes to
ensure that security is continually kept in step with developments in the school's network
and with changes in known threats. Without this vigilance security will inevitably
deteriorate.

2.1.4 Change Management


There must also be a process whereby changes may be requested to the security policy
and detailed implementation to meet changing educational needs. All changes must be
assessed before they are implemented to determine whether any increased risk is
justified. If approved changes require additional resources then these must be provided. If
a request is refused then this must be discussed with the person requesting it, and
alternative ways to achieve the same ends considered, so that security is not seen as
preventing educational innovation. Security implementation should be discussed at the
earliest possible stage of any new development or procurement by authorities or schools.

2.2 Resources
Sufficient resources must be made available on a continuing basis to safely develop,
maintain and manage the network and services provided. Schools must ensure that they
are able to make informed decisions on the safety and educational issues presented by
computers and networks. School managers must therefore ensure they have access to
sufficient advice and assistance for all aspects of network operation, security and use. It is
likely that in most cases Local Authorities or Regional Broadband Consortia will be the
main source of support.
In most school environments the resource most likely to be scarce is staff effort dedicated
to the network; it may be possible to delegate or outsource much technical effort to
commercial or local government suppliers at reasonable cost, but there is no alternative to
informed oversight by local management of safety and educational matters. Planned,
regular and ongoing investment in user awareness, system administration and security
monitoring reduces both the likelihood that a security incident will occur and the
disruptive impact of any such event.

2.3 Chain of Responsibility


Where some or all network services are outsourced, it is essential to establish as part of
the agreement how security issues are to be resolved. One fundamental process is to
identify and maintain contacts in the parties to the agreement who are to cooperate as
necessary. These contacts will need to cooperate on security matters to discuss and agree
policies and processes and to disseminate information on new security threats and actions
to be taken.
Beyond that it is desirable (but more difficult) to set out specific undertakings; an RBC or
Service Provider may expect a school to trace abuse to an individual user and to
discipline them appropriately, a school may expect an RBC or Service Provider to block
traffic to or from a particular external network, a school approached by the police may
expect an RBC or Service Provider to provide certain information on a confidential basis,
and so on. Good working relationships, established through frequent and open contact,
are the best way to achieve responsible and effective processes.

3 Network Design
The design of the networks concerned must:
• support the services and applications that schools need, and
• make it possible to implement the above security and use policies.

The following sections cover aspects of network design from a security standpoint. A
more detailed discussion of network design is set out in the Network Design document.

3.1 Partitioning the Network


All except the smallest networks will be divided by a combination of network devices
(such as routers, switches and firewalls) and administrative procedures into distinct parts.
The intention is to separate the network into areas in such a way that systems, users and
information within any one area have a similar level of trust and risk.
In many schools, for instance, staff computers will be considered less likely to be the
source of abuse than those available to students. Staff computers may therefore have a
more open policy on acceptable content and may be allowed access to local services, Web
sites or other Internet services not available to students.
If a school network includes Web servers or other systems intended to be reached from
the Internet, the risk that they will be interfered with is significant. Part of the benefit to a
school of outsourcing the operation of such servers is to transfer risk to the provider
concerned. If such systems are implemented at all, they should normally be placed in
their own part of the school network and trusted very little by the rest of the network.

For schools connected to the same LA or RBC network, it may be technically possible to
configure regional and school network devices so that their networks behave as one. It
might seem attractive to allow computers in different schools to exchange or share
information just as they can within a school. Unfortunately there are serious risks in
weakening the partitioning of the network in this way, and these are very hard to manage
and control. Without an effective partition, security problems such as virus infections in
one school can very quickly spread to others. Even if there are no technical security
problems, private information can also leak very easily across an unpartitioned network.
It will almost always be better to arrange cooperation using well-known services and
applications such as e-mail and Web pages, probably on secure servers located outside the
schools’ LANs, where an application gateway can manage the transfer of information
through firewalls.

3.2 Firewalls
All host systems (client or server computers) on the network must be protected against
hostile traffic from the Internet and from other parts of the network by at least one
firewall or other network control device implementing a default-deny policy (see below).
The location of these devices should be chosen to implement the partitioning mentioned
above.

In most cases it should not be necessary for a school to partition its network by
deploying an internal firewall. It should be possible for the LA or other provider to
operate the firewall function separating the school network from the Internet.
All network traffic represents a risk. The services permitted through each firewall and the
systems to which traffic is allowed to flow must therefore be agreed using a risk
assessment and change management process (see sections 2.1.2 and 2.1.4), with all
changes approved and recorded so that they can be reversed if required.
Management of firewalls and similar devices requires high-level skills and should only be
undertaken by suitably experienced staff. The implementation by schools of their own
firewalls independently of the RBC/LA central firewall service is likely to lead to
complications. Therefore, most of the schools that have firewalls will outsource their
management to the network suppliers or RBC/LA staff.
All schools considering implementing their own firewalls should first understand the
implications for IP videoconferencing and content delivery. In order to enable IP
videoconferencing it is recommended that each local authority, rather than each school,
deploys either an H.323-aware firewall, or a proxy server alongside an existing firewall.
Issues relating to IP videoconferencing and firewalls are discussed in the associated
Videoconferencing document.
Firewalls need to be adequately sized for the traffic they handle and also, in the case of
firewalls within LA/RBC networks, for the very large number of simultaneous network
connections made over the network. Firewall rule-sets will need to be reviewed to ensure
consistency and efficiency.
Where firewalls are implemented at school level as well as RBC/LA level, care is
required to ensure reasonable agreement on the rule set. LAs should provide guidance to
their schools on how to achieve this.
Reference:
http://safety.ngfl.gov.uk/schools/document.php3?D=d68

3.2.1 Default Deny


Firewalls acting at network level sit between parts of an LA/school's network (they are
network devices which may also act as routers or switches) and are configured with sets
of rules specifying what network traffic can pass between the parts. “Default-deny” is an
approach in which these devices are treated as broadly keeping the parts of the network
separate: each has a rule to this effect, overridden only where specific exceptions are
needed. Only traffic that is explicitly permitted by policy will be allowed to pass: all
other traffic will be blocked by the default rule.
Servers can also be configured to respond only to certain parts of the network, with a
similar effect. Again, default-deny is the aim and servers should be unavailable to parts of
the network for which no explicit exception has been made.
A finite number of services or classes of service must be identified which the network is
to provide and these services must be explicitly and specifically permitted, with all other
services and facilities disabled at firewalls and other control devices, and at servers in the
network.

Some applications (such as video) use the network in ways that make the rules in a
default-deny firewall impracticable. These may need local servers supporting the
applications concerned, acting as proxies or gateways to simplify the demands on
firewalls.
The default-deny strategy will inevitably restrict access to new on-line services where
these do not use configurations already available. All additional routes into a network
reduce security to some degree and this must be balanced with the educational benefits of
the new service. Worm attacks that use open ports to scan IP address ranges for
vulnerabilities are likely to continue to increase; to reduce exposure to these it may be
necessary to open some ports only at the specific times when their services are required
and close them afterwards. Flexibility in network use will then depend on the provision
of flexible and easily-managed firewalls.
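
Added example, not part of the original document: a small Python model of the default-deny approach described above, including an exception that is open only during a set period and a check for the case in 3.2 where school-level and LA/RBC-level firewalls must agree on the rule set. The addresses, ports, rule names and the two-firewall topology are constructed for illustration.

```python
"""Default-deny evaluation over two firewalls in series (constructed example)."""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Permit:
    """One explicit exception to the default rule."""
    name: str
    src: str                        # source network, CIDR notation
    dst: str                        # destination network, CIDR notation
    proto: str                      # "tcp" or "udp"
    port: int                       # destination port
    opens: Optional[time] = None    # optional daily window, set both or neither:
    closes: Optional[time] = None   # the permit applies while opens <= t < closes

    def matches(self, src, dst, proto, port, at):
        if (proto, port) != (self.proto, self.port):
            return False
        if ip_address(src) not in ip_network(self.src):
            return False
        if ip_address(dst) not in ip_network(self.dst):
            return False
        if self.opens is not None and not (self.opens <= at < self.closes):
            return False            # outside its window the port stays closed
        return True

    def covers(self, other):
        """True if this permit allows everything that `other` allows."""
        if (self.proto, self.port) != (other.proto, other.port):
            return False
        if not ip_network(other.src).subnet_of(ip_network(self.src)):
            return False
        if not ip_network(other.dst).subnet_of(ip_network(self.dst)):
            return False
        if self.opens is None:
            return True             # always open, so any window fits inside it
        return (other.opens is not None
                and self.opens <= other.opens and other.closes <= self.closes)


class Firewall:
    """Holds permits only; traffic matching none of them hits the default rule."""

    def __init__(self, name, permits):
        self.name = name
        self.permits = list(permits)

    def decide(self, src, dst, proto, port, at):
        """Return the name of the permit that matched, or None for default deny."""
        for permit in self.permits:
            if permit.matches(src, dst, proto, port, at):
                return permit.name
        return None


def path_decision(firewalls, src, dst, proto, port, at):
    """Traffic gets through only if every firewall on the path permits it."""
    for fw in firewalls:
        if fw.decide(src, dst, proto, port, at) is None:
            return ("deny", fw.name)
    return ("permit", None)


def uncovered_permits(inner, outer):
    """Permits on `inner` that `outer` still blocks, i.e. rule-set disagreements."""
    return [p.name for p in inner.permits
            if not any(o.covers(p) for o in outer.permits)]


# Constructed sample data: 10.20.1.0/24 staff, 10.20.2.0/24 pupils,
# 10.1.0.10 an LA web proxy, 192.0.2.0/24 standing in for external hosts.
SCHOOL = Firewall("school", [
    Permit("staff-proxy", "10.20.1.0/24", "10.1.0.10/32", "tcp", 8080),
    Permit("pupil-proxy", "10.20.2.0/24", "10.1.0.10/32", "tcp", 8080),
    Permit("lesson-service", "10.20.2.0/24", "192.0.2.50/32", "tcp", 8443,
           opens=time(10, 0), closes=time(11, 0)),
    Permit("staff-ssh", "10.20.1.0/24", "192.0.2.0/24", "tcp", 22),
])
LA = Firewall("la", [
    Permit("schools-proxy", "10.20.0.0/16", "10.1.0.10/32", "tcp", 8080),
    Permit("lesson-service", "10.20.0.0/16", "192.0.2.50/32", "tcp", 8443,
           opens=time(9, 0), closes=time(12, 0)),
])

if __name__ == "__main__":
    path = [SCHOOL, LA]
    samples = [
        ("10.20.2.15", "10.1.0.10", "tcp", 8080, time(9, 30)),
        ("10.20.2.15", "192.0.2.50", "tcp", 8443, time(10, 30)),
        ("10.20.2.15", "192.0.2.50", "tcp", 8443, time(14, 0)),
        ("10.20.1.5", "192.0.2.7", "tcp", 22, time(9, 30)),
        ("10.20.2.15", "192.0.2.7", "tcp", 80, time(9, 30)),
    ]
    for sample in samples:
        print(sample[:4], sample[4].isoformat(), path_decision(path, *sample))
    print("blocked upstream:", uncovered_permits(SCHOOL, LA))
```

In this sample the school's SSH exception has no effect because the LA firewall still blocks it, which is the kind of mismatch a rule-set review should surface before a new service is relied upon.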

Content and service providers and product vendors must ensure that precise information
is available to firewall managers and that the number of additional ports to be opened is
kept to a minimum. Schools intending to use new products or services must identify and
agree well in advance any changes to their own firewalls and those of the LA/RBC within
the relevant security policies and guidance on firewall management (see 3.2).

3.2.2 National Interconnect


Although regulated by Acceptable Use and Security policies and subject to the usual
statutory obligations, JANET is a very large network with no policing of the nature of the
content which it transports. For practical purposes, operators and managers of LA and
RBC networks should treat the National Interconnect as posing a level of threat similar to
that present from the Internet as a whole.

For this reason traffic from the Interconnect Service should be filtered through any
firewall that the RBC operates towards the external world.

Reference: National Interconnect Technical Specifications
http://www.ja.net/schoolsbroadband/technical_specs.pdf

3.3 Measures to Protect Data, Communications and Systems


Additional technical and policy measures must be used to protect sensitive information,
communications and systems. Depending on the type of information this may involve, for
example, encryption, virtual private networks or manual processes for transferring data
from systems that cannot safely be connected to the network. Web services that require
users to enter passwords or other sensitive information must use SSL. If systems are
managed or maintained remotely across a shared wide-area network this communication
should be regarded as sensitive (see section 4.3).

3.4 Mobile and Remote Working


Providing facilities for access from other networks, for example through remote working
options, represents a serious risk, as security will then depend on factors, such as home
computers and public networks, that are outside the control of the school or its service
providers.


3.4.1 Policy
If a school perceives the need for some or all of its users to reach some or all of its
network facilities from elsewhere in the Internet (for instance while working from home),
it must prepare a policy statement indicating what is required and the responsibilities of
the user, the school and the network provider to ensure that security is not put at risk.

3.4.2 Systems
If remote access facilities are to be provided then a risk assessment must be performed
and appropriate technical and procedural controls put in place. Typically there will be an
enhanced need for users to authenticate themselves, possibly with an additional
authentication step and separate cryptographic tokens or certificates. If systems need to
be accessed remotely, they should normally be outsourced and located outside the
school's local area network.

Reference: NAACE laptops for teachers
http://www.naace.org/resourceView.asp?menuItemId=2&resourceId=451

3.5 Wireless Networks


Wireless networks offer great flexibility in use, but also many opportunities for misuse.
They should not be viewed as a simple extension of a wired network, in either
performance or security terms. Wireless access points, if required, must be connected to a
dedicated network segment, separated from the rest of the school network and Internet by
a firewall configured only to allow essential traffic. Additional authentication measures
are required to ensure that only known users and computers can connect to the wireless
network, and encryption must be used to protect the authentication process and any other
sensitive data that may pass over the network. Current wireless encryption standards have
problems – WEP encryption can be relatively easily broken and the WPA/802.11i
approach is not yet standardised across different manufacturers – so these should not be
relied upon as the only form of protection. Schools that use wireless networks must make
their users aware of these additional issues and train them in good practice for using such
networks safely. More details of the security issues in installing and using wireless
networks can be found in UKERNA’s Factsheet.
References:
http://www.bgfl.org/services/editsupp/wireless.htm
http://www.ja.net/documents/factsheets/wireless-security.pdf
http://www.securityfocus.com/infocus/1732
http://www.securityfocus.com/infocus/1735

4 System Protection
A “system” here means a computer, which may be a server, a desktop system for single or
shared use, a portable computer (laptop, tablet, handheld etc) or a network device such as
a switch, router or firewall.


4.1 Responsibilities
Every system connected to the network must have a designated owner whom the school
holds responsible for its security. The owner must be given appropriate resources, skills,
and information to fulfil this responsibility; clearly the level appropriate will depend on
the nature of the system and the part of the network to which it is or can be connected.

4.2 Privileges
Users of any system must be separated at least into those who are authorised to maintain
the system and those who are not. Technical and procedural measures must be in place to
ensure that each group only has those privileges they need.

4.3 Configuration and Maintenance


All systems must be configured securely before they are connected to the school network;
this should be explicitly stated in any agreements for supply or for outsourced
management and maintenance. Particular care must be taken when updating or
reinstalling applications or operating systems, to ensure that earlier security measures are
not undone.
All systems must have a maintenance plan to ensure that they are kept appropriately
secure. For systems that are exposed to external networks this must involve keeping them
up to date with security patches and anti-virus protection; other systems should be
updated regularly. Again if maintenance is outsourced, such updating should be made
explicit in the agreement with the supplier.
Particular care is needed on remotely located hosting services where privileged traffic
(e.g. system maintenance) and unprivileged (service use) pass over the same network,
making network-level protection less effective. Where systems are managed remotely
across a shared wide-area network, encrypted tunnels or virtual private networks should
normally be used to protect sensitive information against deliberate or accidental
eavesdropping.
Technical reference: http://www.ja.net/CERT/JANET-CERT/prevention/machines.html.

4.4 Access Control


4.4.1 Users
Users should be required to prove their identity before gaining access to computers or
networks. Schools should discourage the sharing of personal identities by issuing advice,
and possibly by preventing more than one simultaneous instance of use of a single
account. Shared accounts may be appropriate in circumstances where use can be
monitored and managed in other ways.
Privileged accounts must have at least username-password protection; all use of these
accounts must be logged. Schools must be able to account for all use of networked
computers, typically by keeping logs of access to all sessions.

Reference: http://wp.netscape.com/security/basics/passwords.html


4.4.2 Central and local authentication

It is technically feasible for an LA to authorise access to services it operates directly with
some authentication scheme, and to make the same scheme available for use in its
schools. An individual user might then have the same user name, password or other
authentication tokens for all services whether operated by LA or school; they may be able to
access many services seamlessly with a single sign-on. Indeed, it is possible to envisage
an authentication scheme managed and operated at national level.

Drawbacks to this approach in practice include:

• It sets up a single point of failure or compromise;
• It introduces a dependence on remote LA facilities even for users who at the time
only require services local to their school;
• User management becomes more distant from end users in schools;
• End users and support staff experience confusion when some but not all services
use central authentication.

Although the impact of most of the above problems can be limited with care and
vigilance by all concerned, authentication at LA level is not at present appropriate for most
services in schools.

4.4.3 Systems
Policies and technical controls must be in place if laptop or similar systems are to be
connected to the network when these have also been connected to other networks.
Laptops are now one of the most common infection vectors for computer viruses.

5 Content Protection
5.1 Virus Scanning
Security policies at LA/RBC and school level must make clear the requirement for virus
scanning.
All end-user systems must run anti-virus software, with definition files regularly updated,
automatically if possible. Disabling this protection should be seen as a serious
disciplinary matter. External e-mail both entering and leaving the network should be
checked by up-to-date anti-virus software, preferably at the mail server. Internal mail
should be checked in transit. Mail servers, fileservers and other application servers must
be scanned regularly to find infected files or messages that may have arrived by other
routes.
School management must recognise that maintaining anti-virus measures requires
considerable resource and determination. Frequently ICT support staff are overwhelmed
by the magnitude of the task or their efforts are defeated by systems that move around the
school and are taken home. Scanning tools that detect vulnerabilities across the network
should be used on a regular basis.


References:
http://safety.ngfl.gov.uk/schools/document.php3?D=d52
http://www.ja.net/CERT/JANET-CERT/prevention/antivirus.html.

5.2 Content Filtering


Security policies at LA/RBC and school level must make clear the requirements for
content filtering. Schools will need to distinguish carefully between the educational
policy for content filtering, decided by management, and the configuration of software to
implement the policy, undertaken by technical staff.
It should be noted that there is a considerable responsibility placed on both management
and technical staff in ensuring pupil safety and security. Management of filtering systems
takes time and requires appropriate procedures in the security policy to ensure that
breaches of policy can be effectively dealt with.
Two major areas in which the content of network traffic presents a specific risk and
should normally be filtered are Web browsing and e-mail. It may be practicable locally to
identify and suppress some Unsolicited Bulk E-mail (a common source of undesirable
content) but much effective suppression is on the basis only of the source of the
messages. Commercial products and services are available for filtering e-mail and
selectively blocking access to Web locations; these are more appropriate to Local
Authorities and service providers and many schools will outsource the activity. Note that
if filters are to be effective, other routes of access by users to content must be blocked; for
example, it must not be possible to view an external web page without passing through the
filter.
Where user activity is monitored, care is required to ensure human rights are not
breached. One essential action is to ensure all users are aware of any monitoring
processes in place (see also section 6.2).
Reference: http://safety.ngfl.gov.uk/schools/document.php3?D=d55

6 User Education
Many users of school networks will be young or will have limited interest in or
understanding of networking. The material referred to in the following paragraphs must
be designed and presented so that it is likely to convey its message effectively to all users
concerned.
In particular, schools may need to remind users of their responsibilities in appropriate
network/Internet use at the point of access, rather than assuming that staff or pupils
accept a general abstract rule.
Reference: http://www.kented.org.uk/ngfl/policy.html


6.1 Awareness and Good Practice


All users must be made aware of their responsibilities for security, and must be educated
in and encouraged to follow good security practice. The dangers of Internet use have been
widely publicised, and awareness of the associated advice on safe Internet use should be
encouraged.
References:
http://www.thinkuknow.co.uk/
http://www.scotland.gov.uk/clickthinking/default.htm
http://www.bykidsforkids.org/

6.2 Terms and Conditions


All users must agree to appropriate Terms and Conditions for their use of computers and
networks. Where appropriate, informed consent should also be obtained from parents,
guardians or carers before children are given access to networks or the Internet in
particular. Breach of the Terms and Conditions of use must be regarded as a serious
matter, destroying trust in the network and harming its usefulness for everyone.

Terms and Conditions should include:


• Purpose and principles of use of ICT;
• Types of use explicitly permitted;
• Types of use explicitly prohibited;
• Responsibilities of schools, staff, pupils and parents;
• What monitoring of use is done, and what data retained;
• What level of service is provided.

6.3 Training and Updating


All users, teachers and support staff must be trained to use computers and networks
safely. The level of training should be appropriate to the user’s level of responsibility for
security. Appropriate opportunities to update training (e.g. training courses, conferences,
on-line or printed materials) must be provided.

6.4 User Support


Support in the use of computers and networks must be readily available to staff and
pupils. This must at least provide assistance in how to use computers and networks safely.

7 Security Incident Response


Classes of security incidents include (among others):
• External interference with the proper running of a school network;
• Abuse by internal users affecting the school network or other networks;
• Exposure of users to inappropriate content or to Data Protection violations.


Incidents may be identified by users within the school, by other Internet users or by
network staff (either in the school or in one of its Local Authority or commercial service
providers).
Some incidents may involve Law Enforcement agencies, and schools should have a
policy for handling interactions with them. In many cases it will be appropriate for the
Local Authority to take some part.

7.1 Reporting Process


7.1.1 Internal Users
There should be clear guidelines for all users on how to recognise a security incident and
how and where to report it. No blame must attach to making a report, even if it turns out
to be incorrect. Many reports include personal data, and a confidential method for
reporting may be necessary. The school must decide to what extent it will handle reports
locally and under what circumstances the incident will be passed to the Local Authority
or other service provider.

7.1.2 External Bodies


The school must decide together with its Local Authority and other service providers the
route by which a person outside the school should report abuse or other security events
they believe are attributable to the school. There are several mechanisms in common use
for deciding where to send such reports, and all parties need to agree who will respond
and how those who may receive the reports should forward them to the designated places.

7.2 External Interference with the School’s Network


In reporting an incident to whoever is responsible or will be asked to resolve it, it is
important to provide suitable details; typically time and time zone, IP address and the
nature and scale of the activity. In some cases a school or its service provider will need to
characterise hostile traffic quickly and take steps to mitigate its impact on the network.
Each of these requires technical systems to collect and correlate information from
multiple sources, as well as effective procedures and working agreements. In some cases
it will be necessary for the school, local authority or service provider to disable a
computer, service or organisation to contain the impact of the incident; policies,
agreements and technical constraints must make this possible.
Reference: http://www.cert.org/csirts/.

7.3 Abuse by Internal Users


Given reasonable information (for example time and time zone, IP address and nature of
activity) in a report about an incident originating from within the school's network, it
must be possible to quickly identify the computer and person responsible for the incident
and to prevent any further damage. This requires technical systems to collect and
correlate information from multiple sources, as well as effective procedures and working
agreements. In some cases it will be necessary to disable a computer, service or
organisation to contain the impact of the incident until its source can be removed; policies
and agreements must permit this.


Reference: http://www.linx.net/noncore/bcp/traceability-bcp.html.
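The correlation that section 7.3 calls for, from a reported time, time zone and IP address to a computer and a person, can be sketched as follows. This is an added example, not part of the original document: the record layouts, host names, user names, addresses and log entries are all constructed, and it assumes DHCP lease records and login session records are both kept with UTC timestamps.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class Lease:                 # one DHCP allocation (hypothetical record layout)
    ip: str
    mac: str
    hostname: str
    start: datetime          # UTC
    end: datetime            # UTC


@dataclass(frozen=True)
class Session:               # one login session (hypothetical record layout)
    hostname: str
    user: str
    login: datetime          # UTC
    logout: Optional[datetime]   # None = still logged in


@dataclass(frozen=True)
class Trace:
    hostname: str
    mac: str
    users: List[str]


def utc(hour: int, minute: int) -> datetime:
    """Helper for the constructed records below (all on 2 June 2004)."""
    return datetime(2004, 6, 2, hour, minute, tzinfo=timezone.utc)


# Constructed logs: the same address is held by two machines on the same day.
LEASES = [
    Lease("10.20.1.50", "00:00:5e:00:53:01", "lab-pc-07", utc(8, 0), utc(12, 0)),
    Lease("10.20.1.50", "00:00:5e:00:53:02", "staff-laptop-3", utc(12, 30), utc(16, 30)),
]
SESSIONS = [
    Session("lab-pc-07", "pupil.a", utc(8, 55), utc(10, 30)),
    Session("lab-pc-07", "pupil.b", utc(10, 35), utc(11, 30)),
    Session("staff-laptop-3", "teacher.c", utc(12, 45), None),
]


def parse_report_time(stamp: str) -> datetime:
    """Parse an ISO 8601 timestamp; refuse one that carries no time zone."""
    when = datetime.fromisoformat(stamp)
    if when.tzinfo is None:
        raise ValueError("report time has no time zone: " + stamp)
    return when.astimezone(timezone.utc)


def trace(stamp: str, ip: str, leases, sessions) -> Optional[Trace]:
    """Map (time with zone, IP address) to the machine and logged-in users."""
    when = parse_report_time(stamp)
    held = [l for l in leases if l.ip == ip and l.start <= when < l.end]
    if not held:
        return None          # address was not allocated at that moment
    if len(held) > 1:
        raise ValueError("overlapping leases for " + ip + "; logs are inconsistent")
    lease = held[0]
    users = [s.user for s in sessions
             if s.hostname == lease.hostname
             and s.login <= when
             and (s.logout is None or when < s.logout)]
    return Trace(lease.hostname, lease.mac, users)


if __name__ == "__main__":
    # The same clock time read in two different zones points at different pupils.
    print(trace("2004-06-02T11:10:00+01:00", "10.20.1.50", LEASES, SESSIONS))
    print(trace("2004-06-02T11:10:00+00:00", "10.20.1.50", LEASES, SESSIONS))
```

A one-hour error in the time zone changes the person identified, which is why a report without a zone is rejected rather than guessed at.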

7.4 Content and Privacy Incidents


Schools must encourage staff and pupils to report when there has been inappropriate use
of the network, for example accessing inappropriate material, or where personal data is
being misused, perhaps in e-mail or chat room exchanges. The appropriate response will
depend on the nature of each report, but is likely to involve school and local authority
working together. Service providers may also be involved to trace the origin of material
or communications. In most cases it will be appropriate for the local authority to lead the
investigation, with schools dealing with any local effects. Schools must be prepared to
cooperate to preserve information from their systems (whether or not it is likely to be
used as formal evidence) and must have procedures in place and agreed with their local
authority.

7.5 Network Monitoring


Systems and policies must be in place to permit routine monitoring of the quantity and
type of traffic on the network. This information may indicate security incidents, which
should be handled as described above, as well as other operational issues. The policy
must make clear what information is to be gathered, who should have full or limited
access to it, how it will be protected against loss or damage and when and how it will be
disposed of. Much of the information will be subject to Data Protection and other
legislation so users should be made aware that monitoring is occurring.
Monitoring should also include logging of anomalous events such as packets from
unexpected sources, failed attempts to authenticate or attempts to view a Web page that is
not meant to be accessible. Intrusion detection systems may help to automate some of this
monitoring and give early warning of problems, but their output still needs time, skill and
judgement to interpret. Legitimate activity and routine events may also be logged. In
general, for this information to be of any use some person or process must examine it and
make a judgement on its significance. It is possible to some extent to automate the
process so that only exceptions and summaries are presented to a person, but these still
need to be interpreted by a skilled person. The monitoring activity may be outsourced, if
confidentiality issues can be resolved, or the information may merely be accumulated so
that it is available if a security event is detected in some other way.
Monitoring is essential to achieve a satisfactory level of security and managers must be
prepared to devote sufficient staff and equipment resources to it.
References: http://www.ja.net/services/netsight/index.html and
http://www.ja.net/documents/factsheets/unusual_traffic.pdf.

7.6 Information Dissemination


As well as reactive procedures to be followed once an incident has occurred, schools and
local authorities need to anticipate new threats and take steps to prevent them causing
incidents. Local Authorities and Regional Broadband Consortia must help schools to
counter new technical and non-technical threats to their network by announcing threats to
responsible contacts within each school, and recommending actions to be taken by school
managers and their technicians.

The information disseminated may come from commercial or other professional security
services and response teams, from vendors, from Internet bulletins and similar sources, or
from local knowledge. Information from some of these sources may need additional
interpretation or explanation to make it directly useful to schools.

In some cases it may be appropriate to require schools to acknowledge that they have
received and acted upon the information or advice received, to prevent insecure schools
posing a threat to their users and the rest of the network.


8 References
DfES Standards Fund Guidance
ICT in Schools Standards Fund Grant 2004-05
Guidance for Schools and LEAs
http://www.dfes.gov.uk/ictinschools/funding/

UK Government’s e-Government Interoperability Framework (e-GIF)


http://www.govtalk.gov.uk/interoperability/egif.asp.

Government Strategy Framework and guidelines on Security


http://www.e-envoy.gov.uk/Resources/FrameworksAndPolicy/fs/en

Security Policy
http://www.kent.gov.uk/eis/ - follow ‘broadband’ link to ICT security policy
http://www.sln.org.uk/teacher/p1131.htm
http://www.jisc.ac.uk/index.cfm?name=jcas_papers_security

Risk Management
http://www.ja.net/conferences/SJ4/manage_risks/prog.html

Firewalls
http://safety.ngfl.gov.uk/schools/document.php3?D=d68
http://www.ja.net/CERT/JANET-CERT/prevention/networks.html

Laptops for teachers


http://www.naace.org/resourceView.asp?menuItemId=2&resourceId=451

Wireless Networks
http://www.bgfl.org/services/editsupp/wireless.htm
http://www.ja.net/documents/factsheets/wireless-security.pdf
http://www.securityfocus.com/infocus/1732
http://www.securityfocus.com/infocus/1735

System Protection
http://www.ja.net/CERT/JANET-CERT/prevention/machines.html

Passwords
http://wp.netscape.com/security/basics/passwords.html

User education and acceptable use policies


http://www.kented.org.uk/ngfl/policy.html

Safe Internet Use


http://www.thinkuknow.co.uk/
http://www.scotland.gov.uk/clickthinking/default.htm


Virus Scanning
http://safety.ngfl.gov.uk/schools/document.php3?D=d52
http://www.ja.net/CERT/JANET-CERT/prevention/antivirus.html

Content filtering
http://safety.ngfl.gov.uk/schools/document.php3?D=d55

External Attacks
http://www.cert.org/csirts/

Internal Attacks
http://www.linx.net/noncore/bcp/traceability-bcp.html

Network Monitoring
http://www.ja.net/services/netsight/index.html and
http://www.ja.net/documents/factsheets/unusual_traffic.pdf

General information
http://safety.ngfl.gov.uk/schools/

National Interconnect Technical Specifications


http://www.ja.net/schoolsbroadband/technical_specs.pdf

Regional broadband Consortia (RBC)


http://buildingthegrid.becta.org.uk/index.php?locId=143

Network Design
DfES ICT in Schools Network Services Project
UKERNA, March 2004

Videoconferencing
DfES ICT in Schools Network Services Project
UKERNA, March 2004


Appendix A: Glossary
This glossary explains the terms used in this document. An extensive general networking
glossary can be found at the JANET National User Group Web site:
http://www.jnug.ac.uk/netglossary.html.

Address
In this document, refers to an IP address. An IP address is the unique layer 3
identifier for a host on the local IP network.

Authentication
The process or processes which enable one party in an electronic communication
(typically a user or a client) to say to another party (a server or provider) who they
are in a way satisfactory to that second party. Examples include supplying a user or
account name and a password, presenting a smart card and entering a PIN, having a
thumbprint recognised, sending a cryptographic certificate which matches one held
by the other party or responding to a challenge in the correct way. Note that in some
situations it may not be obvious which way round the roles are; when connecting to
a 'secure' Web site using SSL it is the Web site that seeks to convince the human
user's Web browser of its identity.
The purpose of authentication is usually to support authorisation, the granting or
denial of access to some resources.

Broadband
A transmission medium capable of supporting a wide range of frequencies. It can 
carry multiple signals by dividing the total capacity of the medium into multiple, 
independent bandwidth channels, where each channel operates only on a specific 
range of frequencies. [Source: RFC1392]

In a networking context the term means ‘at least 2Mbps in both directions’.

The term has been adopted in common usage to refer to connections to the
Internet at speeds of 128Kbps or greater. These may be asymmetric.

The OECD definition is an Internet connection at a speed greater than 256Kbps.

The UK Broadband Stakeholder Group definition of broadband is: ‘Always on
access, at work, at home or on the move provided by a range of fixed line,
wireless and satellite technologies to progressively higher bandwidths capable of
supporting genuinely new and innovative interactive content, applications and
services, and the delivery of enhanced public services.’

CA
Certificate Authority. (see 'Encryption')


CERT
Computer Emergency Response Team (also known as CSIRT, Computer Security
Incident Response Team, or IRT). Coordinates responses to computer security
threats and incidents on behalf of some community or network. Where the
constituency for a CERT is identified with an Internet domain name such as 'ja.net',
the team can usually be reached through a corresponding e-mail address beginning
'abuse@' or 'security@', such as 'abuse@ja.net' or 'security@ja.net'. A CERT will
accept reports of suspected security events from its own constituency and will
engage with the CERTs of other providers or communities to resolve external
threats; it will also deal with relevant complaints about its own customers from
outside. It will issue advisory material from time to time. It is essential that the
CERT function in an organisation has the support of senior management, as security
response is sometimes disruptive to other activities. CERTs cooperate regionally
and globally through organisations such as CERT/CC and FIRST in the US:
http://www.cert.org/
http://www.first.org/
and TF-CSIRT in Europe:
http://www.terena.nl/tech/task-forces/tf-csirt/

Certificate
A collection of data which indicates entitlement to some resources. A certificate is
typically unintelligible to a human reader and is produced and read using
cryptographic software. It may include the identity of the person or object to whom
it refers, some details of the resources to be made available (such as a time limit),
and some indication of a chain of trust. Certificates are of value to persons or
computers controlling resources because those controllers can confirm that they
were issued with the authority of a party they have arranged to trust for that purpose
(a 'Certificate Authority'). X.509 is the most widely accepted standard for
cryptographic certificates.

Data Protection
Legislation and guidance on the use of information about individual people
('personal data'). UK legislation is harmonised with EU Directives; practice in the
United States has far less emphasis on the care to be taken with personal data, and
the international nature of the Internet makes this a complex issue. The UK lays
down Data Protection Principles and requires people and organisations handling
personal data to register with the Information Commissioner:
http://www.informationcommissioner.gov.uk/

Default-deny
A style of management and configuration for control devices in networks (such as
routers, firewalls, proxies and servers) in which no access is permitted by default,
and every item of access needed (port, protocol, service, network etc) must be
explicitly enabled.


DHCP
Dynamic Host Configuration Protocol. Computers in a TCP/IP network can obtain
much of the configuration information they need to connect to that network from a
DHCP server if one is provided. In most simple environments this enables client
computers to be connected with minimal preparation on the server and none on the
client. 'Dynamic' refers in part to the allocation of IP addresses from a pool to
clients when they connect; the same client may receive different addresses on
separate occasions, and only the DHCP server will have records of the transient
allocations. Specified in RFC 2131:
http://www.ietf.org/rfc/rfc2131.txt

DNS
See Domain Name System.

Domain Name System


The basic name-to-address translation mechanism used in the IP environment.
Used to translate between human-friendly names such as www.ja.net and the
numeric IP addresses that computers themselves use to communicate. DNS
information can also be used to direct the operation of some Internet services,
notably electronic mail. UK schools can have domain names ending in 'sch.uk'.
DNS is specified in:
RFC 1034 (STD 13) http://www.ietf.org/rfc/rfc1034.txt
RFC 1035 http://www.ietf.org/rfc/rfc1035.txt

Encryption
Changing information into a form where it has particular properties of privacy and
integrity; and recovering the original information when appropriate. Typically,
encryption software combines the real data with one or more items of artificial
information, called keys by analogy with the processes for securing physical
objects. The results of encryption look very much like random sequences of letters
and other characters; software with access to suitable keys (which may or may not
be the same ones as before) can relatively easily recover the original information
but it is intended to be impracticable to do so without such keys. It is possible to
make some or all network traffic private or secret, and to digitally sign information
so that a recipient can confirm its integrity and its origin. The costs of doing so are
increased processing by encryption software, reduced efficiency in network traffic,
and substantial complications in the management of keys and the associated levels
of trust; encryption is the answer to some problems but not to all.

FE
Further Education.


Firewall
Router or access server, designated as a buffer between any connected public
networks and a private network. A firewall router uses access lists and other
methods to ensure the security of the private network.

Can also refer to software on a portable, desktop or server computer which
restricts access from the network to services on the computer itself.

Gateway
1. A computer which exchanges information between two networks in two
different forms, rather like an idealised language translator. For instance, an
e-mail gateway might accept e-mail in some proprietary form inside a network
and change it to Internet e-mail form for transmission elsewhere.
2. A router at the boundary of an organisational network, passing network traffic
to and from a service provider and the Internet. Computers in the network
need to be configured to send their Internet traffic to such a gateway router.

HE
Higher Education.

Internet
The global public network comprising many interconnected, but independently
operated, service provider networks.

Internet Protocol
The communications standard used on the Internet.

IP
See Internet Protocol.

JANET
See Joint Academic Network.

Joint Academic Network
The UK academic and research network, interconnecting higher and further
education institutions and providing them with connectivity to the global Internet.
JANET also provides the National Schools Interconnect.

Local Authority
A UK regional body which may operate its own local network providing service
directly to schools.

LA
See Local Authority.

Local Area Network (LAN)
A network providing service to a small geographical area, such as a single
building or a campus. LANs are often provisioned using Ethernet technology.

LAN
See Local Area Network.

NAT
See Network Address Translation.

Network Address Translation (NAT)
A technology for translating IP addresses in the IP packet header. It is often used
where the IP addressing in use on a network is not globally unique (for example:
private IP addresses). Using NAT these internal addresses can be automatically
translated into valid public addresses when communication outside the local
network is required.

NTP Network Time Protocol
A standard way for computers connected to the Internet to exchange time
information and synchronise their clocks. Some NTP servers are directly connected
to atomic clocks or similar external references of high accuracy; other Internet users
can run NTP servers which compare the time from several of these to set their own
clocks and which can in turn support internal clients. Specified in RFC 1305:
http://www.ietf.org/rfc/rfc1305.txt

Proxy
Intermediary program that acts as both a server and a client for the purpose of
making requests on behalf of other clients. Requests are serviced internally or by
passing them on, possibly after translation, to other servers. A proxy interprets,
and, if necessary, rewrites a request message before forwarding it.

RBC
See Regional Broadband Consortium.

Regional Broadband Consortium
A body providing network services to schools and local authorities within a defined
region.

Router
Often used as a generic term for an IP router; however, the term may be used to
refer to a device that is routing other protocols in addition to IP.

Spam
Unsolicited Bulk E-mail. The term 'spam' is used very loosely. It is usually best to
refer to 'UBE' (see below), 'e-mail abuse', 'marketing e-mail' or some other specific
term appropriate to the context. A common form of e-mail abuse is the falsification
of the origin of messages.

SSL Secure Sockets Layer
Makes connections between computers with some security features provided by
encryption technology. The best-known application is secure HTTP, usually
indicated by 'https://...' at the start of a Web address. The Web server supplies a
certificate; the browser client has trust information built in so that it recognises the
certificate and assures the user that the Web site is the correct one. Browser and
server then negotiate for the subsequent traffic between them to be encrypted so
that it cannot be intercepted in transit in the Internet.

Switch
Ethernet switch.

Token
A generic term; an encryption token may be a key, a certificate or some other item
of data involved in cryptographic activity.

UBE
Unsolicited Bulk E-mail. E-mail is Unsolicited unless the intended recipient has
chosen in advance to receive it; it is Bulk if it is sent indiscriminately. European
Commission Directive 2002/58/EC:
http://europa.eu.int/eur-lex/pri/en/oj/dat/2002/l_201/l_20120020731en00370047.pdf

Virus
A program which changes the way some other program works, and which can
spread from computer to computer by e-mail, by exploiting weaknesses in the
operating system or application software, or by deceiving a computer user so that
they unwittingly take part in the propagation. Popularly refers to any unwanted
program; 'worm' is used to mean almost the same thing. As well as propagating,
some viruses and worms have damaging side effects such as damage to data,
exposure of private data or the establishment of undesirable services on an infected
computer.

VPN
Virtual Private Network.

VLE
Virtual Learning Environment. A set of services to support learning, bundled into a
single product. As well as presenting source material, VLEs have management
elements to cover registration, monitoring of progress and student support. Some
products are Web based; others use proprietary protocols and servers.

WEP
Wireless Equivalent Privacy, specified in IEEE 802.11b. An encryption protocol
used with the 802.11 wireless standards and now regarded as providing only
rudimentary security.

Wireless
Wireless networking connects end-user computers (typically laptops, tablets or
handhelds) to wired segments of a LAN. Each computer has its own radio, either
built in or in a PCMCIA or similar card; further radios in one or more 'access
points' are fixed in the room or area where wireless is made available, and they
have the usual wired connections to the rest of the network. Current standards in
widespread use (all from IEEE) include IEEE 802.11b and the faster IEEE 802.11g.

Worm
See 'virus'.

WPA
Wi-Fi Protected Access. Enhancements to WEP providing satisfactory privacy for
wireless LAN use and a user authentication mechanism. An informal standard
expected to be superseded by the IEEE 802.11i standard which will be very
similar.

Appendix B: Internet Services in a School Network


The following table lists Internet services likely to be required in schools' networks. It is
by no means definitive or exhaustive, but the requirements of these applications illustrate
the range of technical and management issues in making the network secure.
For most of these services there is a choice between local and outsourced provision. The
second column gives the recommended approach for best security in each case.
Recognising that there may be local or regional circumstances that make this
recommendation inappropriate, the third column suggests possible alternatives; these are,
however, likely to be more difficult to manage securely or give a less effective service.

| Service | Recommended | Alternative |
|---|---|---|
| Mail | Remote Web mail service with virus & UBE scanning | Mail system at school (scanning may be done on central relay) |
| Filtered web browsing (inc. FTP) | Via remote proxy/filter | Via local proxy/filter |
| Web serving (public) | Remote Web server | Local provision not recommended. If done, must be on a separate, untrusted, network segment |
| Web serving (internal) | Remote Web server | Local Web server |
| Video/Audio receiver | Hierarchical content delivery service | Direct from Internet servers |
| Video/Audio conferencing | See separate document | - |
| Remote access to filestore (very hard to do securely, so ensure that the risk is justified) | If needed, use remote outsourced service (may be external to education network) | VPN through central gateway to professionally maintained server on a separate LAN segment |
| VLE | Remote VLE server (may be external to education network) | Local system |
| Conferencing, Messaging | Remote server | Local server |
| Remote system monitoring/management | From designated remote address range through VPN tunnel | - |

Infrastructure services (not of interest to ordinary users)

| Service | Recommended | Alternative |
|---|---|---|
| Default route (gateway) | From remote DHCP | Local; static upstream |
| DHCP | Remote (single address) | Local server |
| NAT | None (single computer) | Local translator |
| DNS resolver | Local resolver | Remote resolver |
| Connection firewall* | LA/RBC managed | Locally managed |
| DNS zone serving | Remote server, data may be locally managed | Local server with offsite secondary |
| Synchronise computer clocks | Local timeserver slaved to remote (NTP) source | Remote (NTP) server for local clients |
| Web server certificates (to support SSL) | Centrally issued by authority or commercial CA | Self-signed certificate from local server |

* The deployment of school firewalls, whilst potentially providing a greater level of
security, can lead to complications if managed independently from a local authority/RBC
central firewall service. It is therefore recommended that firewalls be deployed and
managed either in conjunction with or by local authorities/RBCs (see section 3.2).
