Module 3 of 3

How does Secure Access work?

Introducing segmentation to a school’s network

During the first school visit your assigned IT partner will work with you to build a personalised design for your Wi-Fi network using input from the Technical Survey alongside standard templates. By default, this would look something like “Staff, Student, Guest” segmentation. This can be adjusted to fit the school’s needs.

What is network segmentation?

Think of a school as a large building with many different classrooms (the segments). Each classroom is dedicated to a specific subject, like math or science.

Network access control: devices in one segment of a network can only interact with specific other devices or segments if they have permission. For example, students will not be able to access school administration resources that are part of the Staff network. Just as a student assigned to one classroom cannot wander into another without permission, a computer in one segment of a network can’t access another segment without the proper permissions.

Safety and focus: this setup helps keep each classroom focused on its specific subject and prevents overcrowding and confusion. In a network, segmentation enhances security by limiting access.

Containment of issues: if a student in one classroom is disruptive, it doesn’t directly affect the other classrooms. Similarly, if there’s a security issue or a computer problem in one segment of the network, it can be contained and dealt with without impacting the other segments.
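As an added illustration (not part of the N4L module and not N4L's own design or configuration), the following Python script models a Staff/Student/Guest segmentation as IP subnets and applies a default-deny policy to traffic between them: a flow between two segments is allowed only if an explicit rule permits it, and direction matters. The subnets, the extra "Shared" segment for printers and casting devices, the rule set and the sample flows are all assumed values constructed for the example.

```python
"""Network segmentation policy check.

Added illustration, not N4L's code. Segments are modelled as IP subnets and
inter-segment traffic is default-deny: a flow is allowed only if an explicit
rule permits it. Subnets, rules and sample flows are constructed values."""
import ipaddress
from typing import Optional

# Constructed example segments: one subnet per Wi-Fi network (assumed values).
# "Shared" is an assumed extra segment for printers and casting devices.
SEGMENTS = {
    "Staff":   ipaddress.ip_network("10.10.0.0/24"),
    "Student": ipaddress.ip_network("10.20.0.0/24"),
    "Guest":   ipaddress.ip_network("10.30.0.0/24"),
    "Shared":  ipaddress.ip_network("10.40.0.0/24"),
}

# Explicit allow rules: (source segment, destination segment, service).
# "any" matches every service. Anything not listed here is denied.
ALLOW_RULES = {
    ("Staff", "Shared", "print"),
    ("Staff", "Student", "any"),      # staff tools may reach student devices, not the reverse
    ("Student", "Shared", "print"),
    ("Guest", "Shared", "print"),
    ("Guest", "Shared", "cast"),
}


def segment_of(ip: str) -> Optional[str]:
    """Return the name of the segment whose subnet contains ip, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip: str, dst_ip: str, service: str) -> bool:
    """Default-deny decision for one flow between two hosts."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False                # hosts outside every segment are never trusted
    if src == dst:
        return True                 # traffic inside a segment is permitted in this model
    return (src, dst, service) in ALLOW_RULES or (src, dst, "any") in ALLOW_RULES


def evaluate(flows):
    """Evaluate (src, dst, service) flows; returns (src, dst, service, verdict) tuples."""
    return [(s, d, svc, "ALLOW" if is_allowed(s, d, svc) else "DENY")
            for s, d, svc in flows]


if __name__ == "__main__":
    # Constructed sample flows covering the cases the module describes.
    sample_flows = [
        ("10.20.0.15", "10.10.0.5", "smb"),    # student device -> staff file share
        ("10.20.0.15", "10.40.0.9", "print"),  # student device -> shared printer
        ("10.30.0.7", "10.10.0.5", "http"),    # guest -> staff admin server
        ("10.10.0.5", "10.20.0.15", "rdp"),    # staff tool -> student device
        ("192.168.1.1", "10.10.0.5", "http"),  # host outside any known segment
    ]
    for src, dst, svc, verdict in evaluate(sample_flows):
        print(f"{src:>13} -> {dst:<12} {svc:<6} {verdict}")
```

Running the script shows the student-to-staff and guest-to-staff flows denied while printing and casting to the shared segment succeed; the host outside every subnet is denied regardless of service, which is the default-deny posture that makes containment of a compromised segment work.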

Providing port-based authentication to schools

Port-based authentication is a security mechanism used to control access to a network by requiring devices to authenticate themselves before they can communicate with other devices on the network. It is often implemented using a protocol like IEEE 802.1X.

What is port-based authentication?

Imagine you have a secure office building, and within this building, there are many different rooms (which represent the ports in a network). Before anyone can enter a room, they must show their ID card and get verified.

Showing the ID: when a device tries to connect to a network through a specific port (think of it as trying to enter a room), it must first prove its identity. This is like showing an ID card.

Verification: the network then checks the credentials provided by the device to see if it should be allowed access. This process involves communicating with an authentication server, which acts like a security guard checking the ID against a list of authorised personnel.

Granted or denied access: if the credentials are valid (the ID is on the list), the port is opened, and the device can communicate freely with other devices on the network. If the credentials are invalid (the ID is not recognised), access is denied, and the device cannot communicate through that port.

Identity-based authorisation required to join a segmented network

“Identity-based authorisation required to join a segmented network” refers to a security measure that ensures only authorised individuals or devices can access certain parts of the school’s network.

What is identity-based authorisation?

Identity-based authorisation: before anyone (be it a student, teacher, or staff member) can access the school’s network, they need to prove who they are. This is usually done through a login process, where they enter their username and password. Their identity is then checked against a list of authorised users.

Segmented network: the school’s network is divided into different sections or segments, each designed for specific groups or types of use. For example, there might be one segment for students, another for teachers, and yet another for administrative staff.

Joining the network: when an individual tries to connect to the network, the system determines which segment of the network they should have access to, based on their identity and authorisation level.

In practical terms for a school:

Students: when a student connects a device to the school’s Wi-Fi, the system checks that they are a current student and determines which resources and parts of the network they can access.

Teachers: teachers logging in might have access to a wider range of resources, including administrative tools and student records, based on their higher level of authorisation.

Guests: guests will be placed on a separate network segment with restricted access, ensuring they can use the internet, cast and print without accessing sensitive school data.

Using N4L’s Secure Access, schools can ensure that their network is both more secure and more efficiently organised, providing the right access to the right people and keeping unauthorised users out.
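As an added example, not code from N4L or from this module, the following Python script simulates the three roles of port-based authentication described above (the device showing its ID, the network port, and the authentication server holding the list of authorised users) together with identity-based assignment to a segment: every port starts blocked, credentials are checked against the user list, and on success the port is opened into the segment that matches the user’s group, while an unknown user, a wrong password, or a former student whose account is disabled all leave the port blocked. It does not implement EAP or RADIUS; the user names, passwords, group names and VLAN numbers are constructed for the example.

```python
"""Simulated port-based authentication with identity-based segment assignment.

Added illustration, not N4L's or any vendor's code. It mimics the 802.1X roles
(supplicant = device, authenticator = switch or access point port,
authentication server = the 'security guard' with the authorised-user list)
without implementing EAP or RADIUS. Users, groups, passwords and VLAN ids are
constructed values for the example."""
import functools
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

# Identity group -> (segment name, VLAN id). VLAN ids are assumed for the example.
GROUP_TO_SEGMENT = {
    "student": ("Student", 20),
    "teacher": ("Staff", 10),
    "guest": ("Guest", 30),
}

PBKDF2_ROUNDS = 50_000


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted password hash so the user list never stores plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AuthenticationServer:
    """Holds the authorised-user list and answers access requests."""

    def __init__(self):
        self._users = {}  # username -> (salt, password hash, group, active)

    def add_user(self, username: str, password: str, group: str, active: bool = True):
        salt = os.urandom(16)
        self._users[username] = (salt, _hash_password(password, salt), group, active)

    def check(self, username: str, password: str) -> Optional[Tuple[str, int]]:
        """Return (segment, vlan) for a valid, active user; None otherwise.
        A rejected request gets the same answer whether the name or the password
        was wrong, so the response does not reveal which usernames exist."""
        record = self._users.get(username)
        if record is None:
            _hash_password(password, b"\x00" * 16)  # same cost for unknown users
            return None
        salt, expected, group, active = record
        if not hmac.compare_digest(_hash_password(password, salt), expected):
            return None
        if not active or group not in GROUP_TO_SEGMENT:
            return None  # e.g. a former student whose account has been disabled
        return GROUP_TO_SEGMENT[group]


@dataclass
class Port:
    """One switch port or Wi-Fi association: starts blocked, no traffic passes."""
    name: str
    authorized: bool = False
    segment: Optional[str] = None
    vlan: Optional[int] = None


class Authenticator:
    """Relays the device's credentials to the server and opens or keeps the port closed."""

    def __init__(self, server: AuthenticationServer):
        self.server = server

    def connect(self, port: Port, username: str, password: str) -> Port:
        result = self.server.check(username, password)
        if result is None:
            port.authorized, port.segment, port.vlan = False, None, None
        else:
            port.segment, port.vlan = result
            port.authorized = True
        return port


@functools.lru_cache(maxsize=None)
def build_demo() -> Authenticator:
    """Constructed directory: one user per role plus a disabled former student."""
    server = AuthenticationServer()
    server.add_user("s.ahmed", "student-pass-1", "student")
    server.add_user("j.rata", "teacher-pass-1", "teacher")
    server.add_user("visitor", "guest-pass-1", "guest")
    server.add_user("old.student", "left-last-year", "student", active=False)
    return Authenticator(server)


def demo_result(username: str, password: str):
    """Connect to a fresh port; returns (authorized, segment, vlan)."""
    port = build_demo().connect(Port(name=f"port-{username}"), username, password)
    return (port.authorized, port.segment, port.vlan)


if __name__ == "__main__":
    attempts = [("s.ahmed", "student-pass-1"), ("j.rata", "teacher-pass-1"),
                ("visitor", "guest-pass-1"), ("old.student", "left-last-year"),
                ("s.ahmed", "wrong-password"), ("nobody", "anything")]
    for user, pw in attempts:
        authorized, segment, vlan = demo_result(user, pw)
        state = f"open -> {segment} (VLAN {vlan})" if authorized else "blocked"
        print(f"{user:<12} {state}")
```

The disabled account is the case the module calls "a current student": the password is correct, but the server still answers with a rejection because the identity is no longer authorised, so the port never opens. In a real deployment the same decision is carried by the authentication server's accept or reject response, with the segment assignment returned alongside it.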

Who’s setting up Secure Access for my school? Can my IT provider do it?

N4L has appointed a panel of highly skilled IT companies to set up Secure Access and onboard devices in schools. The work done by your assigned IT partner is funded by the Ministry of Education as part of the Te Mana Tūhono programme, with the exception of connecting third-party devices.

More information on this can be found here: FAQs Secure Access (n4l.co.nz)