IPv6 boosts schools' on-net security

Opaque IPv4 network configurations are causing security issues for both schools and enterprises

Cyberbullying may be more of an operational issue in schools than the outside hacking that enterprises face, but opaque IPv4 network configurations are causing security issues for both groups as organisations struggle to enforce administrative policies by reliably matching IP addresses and user identities.

Such was the experience of StudentNet, a specialist educational IT consultancy that recently worked with two of its school clients and called on groups of students to participate in a World IPv6 Day "torture test" of the successor to the ubiquitous and capacity-challenged protocol upon which the Internet is based.

Waverley College – a year 5-12 school in Waverley in Sydney's eastern suburbs – and Wollondilly Anglican College, on the south-western fringe of metropolitan Sydney, presented two very different network administration environments but had two similar objectives: to improve visibility of and control over their students' online activities.

Differences in their networks, however, made this difficult. Waverley College, in particular, was configured in a dual-NAT (network address translation) configuration in which the college and its ISP were each running separate NAT domains. This provided a double buffer hiding students' IP addresses from the Internet at large, but it also meant the school had no way of easily resolving the identity of a network user who was alleged to be the source of cyber harassment.

Add in the sheer size of schools – typically from 1000 to 1800 students – and demands on the network scale rapidly. With hundreds of students simultaneously using rich media sources that burden the network and create massive volumes of sessions, traditional network architectures can become buried in a sea of anonymity. "Intrusive" proxy servers – which provide Internet filtering and content buffering – don't help either, since they can complicate the logging of user sessions and activities.

"Private schools in particular are very isolated from each other," StudentNet business manager Kevin Karp told attendees at the recent IPv6 Summit in Melbourne. "They have to deal with unexpected complexities and complications because of the community they're dealing with. It's very different to an SMB or large enterprise, because school education has to do with large blocks of data done on a very repetitive basis and done with a large number of students."

Because it does away with NAT and allows addresses to be assigned in meaningful groups, IPv6 offers a significant improvement, Karp said: for example, the protocol would allow a school administrator to give students IP addresses grouped into blocks by year level. These could then be used to enforce year-appropriate content filtering, learning management system access, YouTube access and other policies with a clear correlation between the address and the person logged into the system.

"The advantage of being able to undertake individual IP addresses for each student is that you know the student is in Year 10, say, instead of Year 6. You can protect the Year 6 kids a lot more because with IPv6 they're all on the same IP address range" rather than relying on whichever address the NAT spits out on a particular day.
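The year-level addressing idea described above can be sketched as follows. This is an added example, not StudentNet's or either school's configuration: the site prefix comes from the IPv6 documentation range, and the policy names, the use of the year number as the subnet ID, and the sample log lines are all assumptions made for illustration.

```python
import ipaddress

# Constructed /48 from the documentation range 2001:db8::/32; a real school
# would use the prefix delegated by its ISP.
SITE_PREFIX = ipaddress.IPv6Network("2001:db8:5c00::/48")
YEARS = range(5, 13)  # Years 5-12, as at a year 5-12 school

def build_year_plan(site=SITE_PREFIX, years=YEARS):
    """Give each year level its own /64, using the year number as subnet ID."""
    base = int(site.network_address)
    # For a /48 site the 16-bit subnet ID sits just above the 64-bit host part.
    return {y: ipaddress.IPv6Network((base | (y << 64), 64)) for y in years}

def year_for_address(addr, plan):
    """Return the year level whose block contains addr, or None."""
    ip = ipaddress.ip_address(addr)
    for year, net in plan.items():
        if ip in net:
            return year
    return None  # staff, guest, IPv4 or off-site address

def policy_for(addr, plan):
    """Hypothetical year-appropriate policy keyed purely on source address."""
    year = year_for_address(addr, plan)
    if year is None:
        return {"year": None, "filter": "unclassified", "youtube": False}
    if year <= 6:
        return {"year": year, "filter": "strict", "youtube": False}
    if year <= 9:
        return {"year": year, "filter": "moderate", "youtube": False}
    return {"year": year, "filter": "standard", "youtube": True}

# Constructed proxy-style log lines: "<source address> <method> <host>"
SAMPLE_LOG = [
    "2001:db8:5c00:6::1a2b GET video.example",
    "2001:db8:5c00:a::77 GET lms.example",
    "203.0.113.7 GET video.example",
]

def annotate(log, plan):
    """Tag each log line with the year level implied by its source address."""
    return [(year_for_address(line.split()[0], plan), line) for line in log]

if __name__ == "__main__":
    plan = build_year_plan()
    for year, line in annotate(SAMPLE_LOG, plan):
        print(year, policy_for(line.split()[0], plan)["filter"], line)
```

The block an address falls in gives the year level only; tying a session to an individual student still depends on retaining the address-assignment records (for example DHCPv6 leases or neighbour-table logs) alongside the login events.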

As well as providing better control and role-based segregation of network users, IPv6 provides visibility that's lacking under current NAT-based IPv4 structures. Such capabilities are invaluable in forensic activities such as tracking down cyber-bullies, but they're also important in helping the network reach out to better manage the influx of mobile devices.

"We've got this mushrooming of mobility, computer usage and network size that introduces complications all through the school's operations," said Karp. "Establishing the identity of the students – especially if they're somewhere else and not at the school – is more difficult because of NAT, which is introducing an identity problem that's very difficult to deal with."

The World IPv6 Day tests got off to a rocky start when a simultaneous ISP failure saw gathered dignitaries faced with no connectivity at all. But once the problem was identified and the ISP came back online, the IPv6 environment worked as expected and Karp said the day was labelled a massive success.

Reinforcing the value of minimising NAT presence, Karp said, administrators at Wollondilly Anglican College had only its own NAT to deal with, and not an additional layer of obfuscation at its ISP as at Waverley. The IPv6 layer worked smoothly during the World IPv6 Day test, with students simply getting online and getting on with things.

"We saw how IPv6 added to their solution set for solving some of the problems they've got," said Karp. "The IT staff are already very overworked and dealing with very challenging environments that are growing extremely rapidly," having grown from 200 networked devices to more than 1200 devices in just a year or two. "It just heightens your ability to manage these things."


Stories by David Braue
