Firewall Wizards mailing list archives

separation of student and staff networks ???


From: "Shaun Moran" <Shaun () TheMorans Com>
Date: Wed, 29 Aug 2001 23:15:26 +1000

Hi,

I'm looking at the security for a large number of schools - like most
places - there are a mixture of staff and students in the one physical
location.

Traditionally we would typically deploy some form of access control device and
deploy two separate ethernet networks - staff and student and then use an
access control policy to dictate who can go where.

Lately though - I have been more and more concerned about this approach
because of the lack of physical security at the schools - not only with the
access control device but also with staff people plugging in dual homed
servers to get access to a server from both networks and even worse - people
plugging student machines into the staff LAN 'because it was easier'.

So I don't really know where to go - should I forget about traditional
network security and put all my eggs into application security (big job) -
maybe use IPSEC to create personal encrypted tunnels from staff members'
desktops to the staff servers with staff and students all on the same
untrusted LAN.

What happens if a staff member's desktop gets a trojan (say subseven)
installed on it - then the student has a nice little connection to the
'secure' staff server ??? Does this dictate the choice of VPN client (one
that disables the LAN when the tunnel is up)...

I'm sure other people have been in this boat for educations/schools - what
have you done ?

Shaun

