
Internet in Russian schools: working on the mistakes

Hello, everyone! Today I want to talk about my experience organizing Internet access at a school and providing information security.



Not long ago, Cyber Security Forum 2015 took place, where, in the "Information Security in Education" section, I was fascinated by the report of Yuri Kantemirov from Roskomnadzor. He spoke about the rigor of the checks carried out by his agency and complained about the negligence of some schools, which do little to protect themselves against network and information threats. After the report, a forum participant asked an interesting and rather simple question: "Where are the standards that we are called upon to observe?" After a short discussion, it turned out: "There are checks, but there are no standards...".

Returning from the forum, I decided to discuss the question of information security standards for schools with my team. We asked ourselves: "Will we be able to meet the standards of school internetization?" This is how the new pilot project, Traffic Inspector School Edition, appeared (we position it as a solution for providing integrated, secure Internet access in educational institutions).

Then we faced the challenge of where to implement our idea. We brought a proposal to the city of Kolomna and were offered city gymnasium No. 8 as a site.

Working with a school in the Russian Federation, we gained experience in the informatization of educational institutions in accordance with the laws of the Russian Federation (FZ-436 "On Protecting Children from Information Harmful to Their Health and Development" and FZ-139 "On Amending the Federal Law 'On Protecting Children from Information Harmful to Their Health and Development' and Certain Legislative Acts of the Russian Federation on the Issue of Restricting Access to Illegal Information on the Internet").

As a result, we developed a standard and instructions for the informatization of educational institutions in accordance with the laws of the Russian Federation (the federal laws mentioned above).

Now I'll move on to the substance: I'll tell you about the blunders found in Russian schools and the bumps I took along the way, and share my experience with such projects.
To implement the project, the following plan was drawn up:

  1. Analysis of the existing network infrastructure
  2. Determination of current infrastructure deficiencies
  3. Organization of the network layout
  4. Setting up the necessary hardware and software
  5. Training school staff to work with software

The cost of such a project was approximately 380 thousand rubles. For each school this cost may vary depending on the total area of the school, commissioning work and the amount of equipment purchased.
There were no problems with timing: organizing the network infrastructure in the school itself took a week.
Now point by point (I decided to go through each item in detail; my description serves as instructions for schools and can help specialists do the same in their own educational institutions, and elsewhere):

1. Analysis of the existing network infrastructure


The state of the school's network infrastructure was not simple, and we had to work hard to figure it out and make the right decision.
Over 10 years, three local providers came to the gymnasium with their plans for "internetization", but for some unknown reason none of the implemented solutions was complete or logically finished.
The first provider limited itself to installing an ADSL modem and setting up an Internet connection in a computer lab.
The second went further: it ran fiber and even implemented whitelist-based filtering. True, this filtering could be bypassed simply by changing DNS servers, and it was implemented in such a way that at first the school could not access its own website.
The arrival of the third provider was marked by almost complete "internetization": part of the school network was built on wired Ethernet, the other part on Wi-Fi. But this too was not without annoying mishaps. Very quickly the Wi-Fi segment began to resemble a public thoroughfare: the children quickly found the access points that had no password and "sat" wherever they wanted. During the Unified State Exam (USE), half of the school network "died" because of the white noise generators that had to be running. A network infrastructure in the full sense of the word never appeared; instead there were many semi-isolated network "islands" that used heterogeneous network equipment, were connected via different access channels, and had completely different levels of security and network control. The school's administrators tried to turn the situation around, but a comprehensive solution was not found.
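
The DNS-change bypass of the second provider's whitelist filter, described above, is visible in a gateway's flow log. The following added example (not code from the original post or from any product it names) flags LAN clients whose DNS traffic goes to a resolver other than the school's filtering one; the LAN range, resolver address and log format are assumptions, and the log lines are constructed.

```python
import ipaddress

# Assumed for this example (not from the original post): the school LAN is
# 10.8.0.0/16 and the gateway's filtering resolver listens on 10.8.0.1.
LAN = ipaddress.ip_network("10.8.0.0/16")
FILTERING_RESOLVERS = {ipaddress.ip_address("10.8.0.1")}
DNS_PORTS = {("udp", 53), ("tcp", 53), ("tcp", 853)}  # plain DNS, DNS over TLS

# Constructed sample gateway flow log: time proto src dst dst_port action
SAMPLE_FLOWS = """\
2015-04-20T09:01:12 udp 10.8.12.31 10.8.0.1 53 allow
2015-04-20T09:01:40 udp 10.8.12.44 198.51.100.53 53 allow
2015-04-20T09:02:03 tcp 10.8.12.44 203.0.113.80 443 allow
2015-04-20T09:02:10 udp 10.8.12.44 198.51.100.53 53 allow
2015-04-20T09:03:55 tcp 10.8.20.7 203.0.113.9 853 deny
2015-04-20T09:04:01 udp 10.8.0.1 192.0.2.53 53 allow
truncated record
"""

def find_foreign_dns(lines):
    """Map each LAN client to its DNS flows aimed at a non-school resolver."""
    findings = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed records instead of crashing
        _, proto, src, dst, port, action = parts
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:
            continue
        if (proto, port) not in DNS_PORTS or src_ip not in LAN:
            continue
        if src_ip in FILTERING_RESOLVERS or dst_ip in FILTERING_RESOLVERS:
            continue  # the resolver's own upstream lookups and normal client use
        entry = findings.setdefault(src, {"allowed": 0, "blocked": 0, "resolvers": set()})
        entry["allowed" if action == "allow" else "blocked"] += 1
        entry["resolvers"].add(dst)
    return findings

def unenforced_clients(findings):
    """Clients whose foreign DNS queries passed the gateway: the filter is bypassable."""
    return sorted(ip for ip, f in findings.items() if f["allowed"] > 0)

if __name__ == "__main__":
    found = find_foreign_dns(SAMPLE_FLOWS.splitlines())
    print(found, unenforced_clients(found))
```

Any client returned by `unenforced_clients` shows that the gateway does not restrict outbound DNS to the filtering resolver, which is the condition that made the earlier whitelist ineffective.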

2. Identify the weaknesses of the current network infrastructure


Based on the analysis of the gymnasium's computer network, we and our colleagues, in close cooperation with the gymnasium's administration, identified the main points that required intervention:
  1. The lack of a single, well-designed network infrastructure as such, and of the ability to maintain a single document flow over a local network.
  2. Use of old server hardware (some necessary server hardware was missing entirely).
  3. The lack of access control for the different categories of users.
  4. Filtering by the provider based on a list of allowed resources. To open a site for work, the school had to send the provider a request to include the resource in the list of allowed sites. Reviewing such requests took a lot of time.

3. Organization of new network infrastructure


Our team decided that the new infrastructure should be technologically uniform, i.e. free of the errors of the "half-hearted" solutions adopted earlier. We decided to abandon wireless access in favor of wiring throughout.

For reasons of cost-effectiveness and prevalence, we chose wired Gigabit Ethernet as the local network technology.
We then decided to use a hierarchical network topology, since it follows from the nature of Ethernet technology itself, as well as from the building plan and the layout of the rooms. On each of the three floors, special cabinets were installed and managed switches placed in them. From each such switch, wired Ethernet was run to all the classrooms and offices of the school. Each classroom was equipped with a neat network outlet. The Internet has finally come to every classroom, and this time not just in words. A secure and well-ventilated server room was also allocated to house the school servers and the security gateway.

4. Set up the necessary hardware and software


The purchased equipment had to meet requirements for durability and reliability and comply with the selected network standard. One of the requirements for the switches was VLAN support, since access was to be separated for different categories of users (school guests, educational computers and administration). We chose D-Link DES-1210-28 managed switches as offering the best price/performance ratio. A total of 5 switches were needed. Special TECNOSTEEL Tecno 401 cabinets were mounted on each of the three floors (5 units were purchased). The twisted pair used was Telecom Ultra PRO (3700 meters).
The main software requirements were a license, an FSTEC certificate and technical capabilities that allow compliance with the laws of the Russian Federation. The main component of the new security and control system was the AquaInspector universal hardware and software gateway, with the Traffic Inspector FSTEC program and the NetPolice content filtering module on board. The selected software helped us organize flexible content filtering in compliance with FZ-436 and FZ-139.

5. School staff training


And finally, the finishing touches: gymnasium No. 8 received priority technical support. We also trained the system administrator and technical staff to work with the software.

Conclusion


That is everything according to the plan. In conclusion, I would like to emphasize that we gained useful experience and realized that we are interested in developing in this direction too, and in improving the network infrastructure of educational institutions. Together with the gymnasium, we figured out how, in practice, to build a single modern school network and bring it into line with the federal legislation of the Russian Federation.
And the main thing, in my opinion, is to act, and not to wait until they come and force you.

P.S. By the way, according to last year's statistics, 12 thousand violations were found among 56 thousand schools.
If you have constructive criticism or tips on how to do better, or know of schools where we would be welcome, you are welcome :)

Source: https://habr.com/ru/post/256263/

