Controlling What Students Can Access

By: Tony DePrato | Follow me on Twitter @tdeprato

Recently I have been discussing multiple new security measures for academic networks. From these discussions with other schools, engineers, and suppliers, I have created set of goals to help keep the development of network security on track and within budget.

Physical Access

Physical access can be managed without a great deal of expense. The goals to reach for are:

We allow only the devices we have confirmed and labeled
We can control the number of concurrent devices a user is using on the network
We can identify by IP, Serial Number, or MAC Address (or a combination of the three) the owner of a device
We can remove a user from network access, and restrict their devices, with minimal effort
We have processes and procedures to register devices; users can switch devices through these processes
Users can only circumvent the processes by giving their login IDs, passwords, and hardware to another person

These goals do not imply the direct management of equipment; nor do they capture user data. These goals ensure that devices on the network are approved, registered, and can be clearly identified.

Achieving these goals is the first step towards the concept that accessing the network is a privilege not a right. Privileges can be revoked. If revocation is not possible, then the concept/policy cannot be enforced.