What would be the best architecture for a small school network?
I work for a language school with one internet connection.
The school has wireless, but it’s only available for the staff. I’d like to give students internet access in class so that we can write wikis and use the internet for research, etc.
The management are concerned about the security of their data.
Of course, I appreciate that the best way to keep data secure on a network is to disconnect it from the network, but that’s not an option.
I was considering a router operating on a different LAN-side IP address range – 192.168.2.1, with its WAN-side connection going straight to the router that connects to the internet, but as I’ve never done it before, I don’t know how effective that will be at keeping students away from sensitive personal, business and financial data.
Am I wrong? Is there a more appropriate way to do this?
6 Answers
First, how large is the physical area the network must cover, whether wired or wireless?
Second, have you considered IPv6 with IPSec for the local secured (teachers’) network, with perhaps a 6in4 tunnel to outside?
Is the “management” sufficiently network-savvy to understand the value of different encryption options, or are they likely to insist on multiple layers of easily-crackable (i.e., self-signed https over WEP) but familiar technologies?
It’s not a large area at all – maybe 2–300 square metres.
The management know bugger-all about networking and security; I’m the most educated in such things in the school, but I still have to ask questions here!
They’re using WEP encryption for the local network because that’s what the router defaulted to.
I was basically thinking about encouraging them to switch wireless off and have about 10 wired connections breaking out from switching hubs, which are as cheap as chips here.
If you will only ever need 10 or so connections then that’s probably the best way to go. If there were 50 or so, or you expected the network to grow much larger later, then I’d advise against it (unless you’d be gone by then and don’t care what happens later) just because of the extra complexity and expense of running all that cable around.
If I understand you correctly, you intend to add a separate nested subnet for student use, such that the staff network (call it 10.0.0.0/24) connects to the LAN ports of the external router and the student network (192.168.2.0/24) connects to another router, which also connects to one of the external router’s LAN ports via its WAN port such that the student router gets an IP address in the 10.0.0.0/24 block and serves addresses in 192.168.2.0/24 to its LAN (assuming here that both routers have built-in DHCP).
This will more or less work for isolation, but remember that you need to add a firewall rule to the external router to drop packets coming from 192.168.2.0/24 going to 10.0.0.0/24. That should be the only rule you need to add, but it’s possible you’ll also need to add one instructing the external router to forward packets coming from 10.0.0.0/24 to the Internet and ones going to 10.0.0.0/24 to the other router. Also you’ll need to make sure that the external router has a static route set such that packets intended for 10.0.0.0/24 go to the correct interface / switch port.
A lot of off-the-shelf routers for the residential or SOHO markets won’t be sophisticated enough to do this out of the box. Also these devices don’t implement a proper stateful firewall solution, so you might think about running a firewall device at the edge of the network. On my network I’ve taken a cheap thin client and installed Debian on it, using dnsmasq to provide DHCP and iptables for setting up the firewall. If you try this or something similar make sure you get something with more than one ethernet port!
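The Debian firewall with dnsmasq and iptables described above, written out as an added example that is not part of the answer: an iptables-restore ruleset for a three-NIC box at the edge that keeps the student subnet away from the staff subnet while letting both reach the Internet. The subnets are the ones used in the answer; the interface names eth0/eth1/eth2 are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Subnets follow the answer above;
# interface names are assumptions and can be overridden from the environment.
STAFF_NET="10.0.0.0/24"
STUDENT_NET="192.168.2.0/24"
WAN_IF="${WAN_IF:-eth0}"          # assumed: link to the ISP router
STAFF_IF="${STAFF_IF:-eth1}"      # assumed: NIC facing the staff switch
STUDENT_IF="${STUDENT_IF:-eth2}"  # assumed: NIC facing the student switch

# Emit the ruleset on stdout; nothing is applied until piped into iptables-restore.
build_rules() {
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
# One public address for the whole school: masquerade both LANs out of the WAN port
-A POSTROUTING -o ${WAN_IF} -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Stateful: only replies to connections the LANs opened are allowed back
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# dnsmasq on the firewall serves DHCP (67/udp) and DNS (53) to both LANs
-A INPUT -i ${STAFF_IF} -p udp -m multiport --dports 53,67 -j ACCEPT
-A INPUT -i ${STUDENT_IF} -p udp -m multiport --dports 53,67 -j ACCEPT
-A INPUT -i ${STAFF_IF} -p tcp --dport 53 -j ACCEPT
-A INPUT -i ${STUDENT_IF} -p tcp --dport 53 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Log, then drop, student->staff traffic so attempts show up in syslog
-A FORWARD -i ${STUDENT_IF} -s ${STUDENT_NET} -d ${STAFF_NET} -j LOG --log-prefix "student->staff: "
-A FORWARD -i ${STUDENT_IF} -s ${STUDENT_NET} -d ${STAFF_NET} -j DROP
# Both LANs may reach the Internet; everything else falls to the DROP policy
-A FORWARD -i ${STAFF_IF} -s ${STAFF_NET} -o ${WAN_IF} -j ACCEPT
-A FORWARD -i ${STUDENT_IF} -s ${STUDENT_NET} -o ${WAN_IF} -j ACCEPT
COMMIT
EOF
}

# Load the rules for real (root required) and enable routing between the NICs.
apply_rules() {
    build_rules | iptables-restore && sysctl -w net.ipv4.ip_forward=1
}

if [ "${1:-}" = "--apply" ]; then
    apply_rules
fi
```

Run with `--apply` to load the rules; without it the script only prints the ruleset so it can be reviewed first.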
You should look into Wi-Fi routers that have a guest access mode that actually keeps clients from accessing network shared folders/files; they are limited to internet access only.
Cradlepoint, Cisco, Netgear are among the brands that offer this feature.