IPv6 boosts schools' on-net security

Opaque IPv4 network configurations are causing security issues for both schools and enterprises
David Braue (CSO Online (Australia)), 25 October, 2011 11:47

Cyberbullying may be more of an operational issue in schools than the outside hacking that enterprises face, but opaque IPv4 network configurations are causing security issues for both groups as organisations struggle to enforce administrative policies by reliably matching IP addresses and user identities.

Such was the experience of StudentNet, a specialist educational IT consultancy that recently worked with two of its school clients and called on groups of students to participate in a World IPv6 Day "torture test" of the successor to the ubiquitous and capacity-challenged protocol upon which the Internet is based.

Waverley College – a year 5-12 school in Waverley in Sydney's eastern suburbs – and Wollondilly Anglican College, on the south-western fringe of metropolitan Sydney, presented two very different network administration environments but had two similar objectives: to improve visibility of and control over their students' online activities.

Differences in their networks, however, made this difficult. Waverley College, in particular, was configured in a dual-NAT (network address translation) configuration in which the college and its ISP were each running separate NAT domains. This provided a double buffer hiding students' IP addresses from the Internet at large, but it also meant the school had no way of easily resolving the identity of a network user who was alleged to be the source of cyber harassment.

Add in the sheer size of schools – typically from 1000 to 1800 students – and demands on the network scale rapidly. With hundreds of students simultaneously using rich media sources that burden the network and create massive volumes of sessions, traditional network architectures can become buried in a sea of anonymity. "Intrusive" proxy servers – which provide Internet filtering and content buffering – don't help either, since they can complicate the logging of user sessions and activities.

"Private schools in particular are very isolated from each other," StudentNet business manager Kevin Karp told attendees at the recent IPv6 Summit in Melbourne. "They have to deal with unexpected complexities and complications because of the community they're dealing with. It's very different to an SMB or large enterprise, because school education has to do with large blocks of data done on a very repetitive basis and done with a large number of students."

Because it does away with NAT and allows addresses to be assigned in meaningful groups, IPv6 offers a significant improvement, Karp said: for example, the protocol would allow a school administrator to give students IP addresses grouped into blocks by year level. These could then be used to enforce year-appropriate content filtering, learning management system access, YouTube access and other policies with a clear correlation between the address and the person logged into the system.

"The advantage of being able to undertake individual IP addresses for each student is that you know the student is in Year 10, say, instead of Year 6. You can protect the Year 6 kids a lot more because with IPv6 they're all on the same IP address range rather than relying on whichever address the NAT spits out on a particular day."

As well as providing better control and role-based segregation of network users, IPv6 provides visibility that's lacking under current NAT-based IPv4 structures. Such capabilities are invaluable in forensic activities such as tracking down cyber-bullies, but they're also important in helping the network reach out to better manage the influx of mobile devices.
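The year-level address blocks described above, and the log attribution they make possible, can be sketched as follows. This is an added example, not code from StudentNet or the article; the 2001:db8:5c00::/48 documentation prefix, the one-/64-per-year layout, the profile names and the log lines are all constructed assumptions.

```python
import ipaddress

# Constructed site prefix from the IPv6 documentation range (2001:db8::/32);
# a real school would use the prefix delegated by its ISP.
SITE = ipaddress.ip_network("2001:db8:5c00::/48")

# Hypothetical filtering profiles per year level (a year 5-12 school).
PROFILE = {y: "junior" if y <= 6 else "middle" if y <= 9 else "senior"
           for y in range(5, 13)}


def year_subnet(year):
    """Return the /64 for a year level: the 16-bit subnet ID is the year."""
    if year not in PROFILE:
        raise ValueError(f"no block allocated for year {year}")
    base = int(SITE.network_address) + (year << 64)
    return ipaddress.ip_network((base, 64))


def classify(source):
    """Map a logged source address to (year, profile), or (None, reason)."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return None, "unparseable"
    if addr.version == 4:
        return None, "ipv4-behind-nat"      # address alone does not identify a user
    if addr not in SITE:
        return None, "off-site"
    subnet_id = (int(addr) >> 64) & 0xFFFF   # fourth 16-bit group of the address
    if subnet_id not in PROFILE:
        return None, "unallocated-subnet"    # caller should apply the strictest policy
    return subnet_id, PROFILE[subnet_id]


# Constructed proxy-log lines: timestamp, source address, requested host.
SAMPLE_LOG = """\
2011-06-08T09:14:02 2001:db8:5c00:a::1f3 video.example
2011-06-08T09:14:05 2001:db8:5c00:6::2b lms.example
2011-06-08T09:14:09 10.1.4.22 video.example
2011-06-08T09:14:11 2001:db8:5c00:ff::9 video.example
"""


def attribute(log_text):
    """Return [(source, year, profile_or_reason)] for each log line."""
    out = []
    for line in log_text.splitlines():
        _, source, _ = line.split()
        out.append((source, *classify(source)))
    return out
```

An address in an unallocated subnet or arriving over NATed IPv4 comes back with no year level, so a filter built on this mapping has to treat those cases as unknown rather than assume a default year.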

"We've got this mushrooming of mobility, computer usage and network size that introduces complications all through the school's operations," said Karp. "Establishing the identity of the students – especially if they're somewhere else and not at the school – is more difficult because of NAT, which is introducing an identity problem that's very difficult to deal with."

The World IPv6 Day tests got off to a rocky start when a simultaneous ISP failure saw gathered dignitaries faced with no connectivity at all. But once the problem was identified and the ISP came back online, the IPv6 environment worked as expected and Karp said the day was labelled a massive success.

Reinforcing the value of minimising NAT presence, Karp said, administrators at Wollondilly Anglican College had only its own NAT to deal with, and not an additional layer of obfuscation at its ISP as at Waverley. The IPv6 layer worked smoothly during the World IPv6 Day test, with students simply getting online and getting on with things.

"We saw how IPv6 added to their solution set for solving some of the problems they've got," said Karp. "The IT staff are already very overworked and dealing with very challenging environments that are growing extremely rapidly," having grown from 200 networked devices to more than 1200 devices in just a year or two. "It just heightens your ability to manage these things."
