In many instances, the school network is the bottleneck for access to external resources. In this article, we present some best practices from our experience. In computing, as in life, the best solutions are often the simplest. Of course, this topic can get very complex when dealing with large school districts, so please feel free to reach out for a pro-bono brainstorm (we love a good challenge).


Let's start with some good design. A school network can have the following separations (also called subnets):

  • A private network for admin and staff equipment (printers, staff computers, district links etc.)
  • A public network for use within the classrooms
  • Potentially a guest network for visitors

Often, the classroom network is the one that needs the most hardening, as the first one (internal private network) is likely a wired one (i.e. computers connected via cables), while the last one (guest) is a Wi-Fi network straight to the outside world (i.e. does not see the school networks).


Service level refers to the quality of the connection. As resources are increasingly off-campus, the time it takes to load a resource can be critical for smooth class operation. The tighter the needs, the more expensive your setup is (in fact, the cost can grow exponentially -- law of diminishing returns, anyone?).

There are two common metrics for network service-level.

1. Network Throughput

Throughput is essentially the speed at which data is downloaded.

We can set the maximum time for a typical page load at 2 to 3 seconds and still have a great user experience. Students should not expect the same service level as their home network.

So let's do some math. Let's assume a typical page load is 50kB and that we have 1000 users in our school, with at most 10% of them concurrent at any given time.

Concurrent users are the users currently downloading a web page. Remember that once the page is loaded, there is little traffic generated. In other words, the whole school is not loading a web page at the same time; users take turns. We call this designing for peak.

To get a service level of 3s we need a throughput of:

100 x 50kB / 2.5s = 2 MB/s

Your network providers measure the speed they provide in bits per second (the formula above is in Bytes, 1 Byte = 8 bits).

Based on this calculation, you would need a throughput of 18 Mbits/s, which is very affordable and acceptable. Remember that this number is for the classrooms; you should add a bit more for the server.

2. Bandwidth

Let's now measure how much bandwidth you need. Bandwidth is the total amount of data you can download, usually measured monthly.

While throughput measures the speed at which the data has come to your browser, bandwidth measures how much total data you have requested (and received).

A crude calculation is to assume a student will download 20 pages in a given day:

20 pages x 1000 students x 50 kB x 25 school days = 25 GB / month

In this analysis, we have excluded videos. We would expect the teacher to project the video on the screen, or for the school to use a caching server (see next point).


So far so good. Yet, we have an opportunity to improve further. In a typical digital classroom, the teacher often asks students to access the same resource. Students will then download the same resource almost 25 times (assuming this number of students in the classroom).

Case in point: the way ClassroomAPP works is that it transmits which webpage to download. It does not send the page contents themselves; that would be a waste of bandwidth and would take a long time to send to all students from the teacher's device.

You should consult your IT team to see if they can set up a caching server that saves pages for, say, 30 minutes. This would tremendously speed up content access in the classroom and reduce your cost, and it's perfectly legal (caching goes on online more than you would think).

If we assume that just 20% of your pages are cached, your figures change dramatically.

Throughput becomes:
80 x 50kB / 2.5s * 8 = 12.8 MB/s

Bandwidth becomes:
16 pages x 1000 students x 50 kB x 25 school days = 20GB / month

(Note: Math simplified -- we ignored the first cached load, but results are within the margin of error for our case.)

Firewall / Whitelist

A firewall is essentially a separation between your network and the rest of the Internet. It's not an option, it's a must. You would be surprised at the number of hacking attempts you are exposed to without knowing.

While this may annoy some people, here is some transparency for you: our servers used to get hit hundreds of times per day from servers located in China. Attempts to log in, guess passwords, pretend to be search engines... you name it. We set up a firewall that monitors what activity each server is attempting. If the activity looks strange, it permanently blocks any access by that third-party server. Only an administrator (with executive sign-off) can remove this block, and only after documenting why we falsely detected malicious action. Our block list today contains hundreds of server addresses! Cyberspace is not as safe as we thought.

Firewalls must:

  • Block ALL outbound ports except the web (port 80) -- this will prevent downloading / hacking programs from being run by your students.
  • Prevent ALL inbound-initiated traffic -- this prevents external networks from sniffing in your network (like discovering who is connected etc.). In other words, you and your students initiate all requests outbound.
  • Automatically and permanently block any server attempting to access your network (we call this denyhosts). You probably will never need to access theirs anyway, might as well say Sayonara!
  • Prevent access from your users to any server or website not listed in your whitelist -- this is an active filtering approach. The other way around is to monitor what happens and 'learn' what is acceptable, and adjust. We don't like the latter as it is prone to errors, and requires active management.
  • Prevent emails to students by people outside of your network -- which has the positive effect of forcing students to use school email to communicate with each other. The school email becomes their only means of instructional communication.
  • Prevent executable files (including JS) and MS-Word files from being attached to emails (you should use online editors with your students).

Follow these simple steps and the New York Times won't call you to comment on recent breaches to your network.
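
The first four rules in the list above, modelled as a small decision function. This is an added example, not code from the original article or from any firewall product; the class name, hostnames and IP addresses are constructed for illustration, and applying a block to outbound traffic as well is an assumption.

```python
from dataclasses import dataclass, field

@dataclass
class ClassroomFirewall:  # hypothetical name, for illustration only
    whitelist: set                                # hostnames students may reach
    allowed_ports: frozenset = frozenset({80})    # the article allows web (port 80) only
    blocked: dict = field(default_factory=dict)   # source IP -> reason (permanent)
    audit: list = field(default_factory=list)     # record of every unblock

    def inbound(self, src_ip, dport):
        """Inbound-initiated traffic is always dropped and the source blocked."""
        self.blocked.setdefault(src_ip, f"unsolicited connection to port {dport}")
        return "DROP"

    def outbound(self, host, dst_ip, dport):
        """Users initiate every request; only whitelisted web traffic passes."""
        if dst_ip in self.blocked:      # assumption: blocks apply in both directions
            return "DROP"
        if dport not in self.allowed_ports:
            return "DROP"
        if host.lower().rstrip(".") not in self.whitelist:
            return "DROP"
        return "ACCEPT"

    def unblock(self, ip, admin, executive_signoff, justification):
        """Removing a block needs sign-off and a written reason."""
        if not executive_signoff or not justification.strip():
            raise PermissionError("unblock requires sign-off and documentation")
        reason = self.blocked.pop(ip)
        self.audit.append((ip, admin, reason, justification))

def demo():
    # Constructed sample traffic; hostnames and addresses are documentation values.
    fw = ClassroomFirewall(whitelist={"lessons.example.org"})
    decisions = [
        fw.outbound("lessons.example.org", "192.0.2.10", 80),   # whitelisted web
        fw.outbound("games.example.net", "192.0.2.20", 80),     # not whitelisted
        fw.outbound("lessons.example.org", "192.0.2.10", 22),   # non-web port
        fw.inbound("203.0.113.7", 22),                          # outside probe
        fw.outbound("lessons.example.org", "203.0.113.7", 80),  # now blocked
    ]
    return decisions, sorted(fw.blocked)

if __name__ == "__main__":
    print(demo())
```

The allowed port set is a parameter: resources served over https:// use port 443, so a whitelist containing such sites needs that port added.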

Setup Rules & Guidelines

This includes your technology suppliers who have to pledge to respect your Digital Rules & Guidelines.

Be sure to publish your guidelines and make them easily accessible to the public. Promote these guidelines so everyone knows you are serious about them.

Sample guidelines:

  • Never provide (or ask for) passwords via email
  • Never share your password with anyone (even the IT administrator)
  • Never share your computing device (and accessories) without your teacher or IT admin's permission
  • Never use the computer (if provided by school / district) for unapproved activity -- including at home (or away from school)
  • Only access secured resources if you have to log in (i.e. with https:// before the address)
  • Never try to hack the school network or the computing device provided to you, or install non-permitted apps or malware (e.g. viruses)
  • Only approved devices can connect to the school network


This short article was meant to provide an overview of how to set up and secure school networks. We will be adding more articles on this important topic (check the menu on the side for all related articles).