
I'm a teacher and IT person at a small K-12 school.

The students are not supposed to have phones, laptops or access to the network. However, students being students they will try to find a way around the rules.

The students manage to acquire the Wi-Fi passwords pretty much as soon as we change them. It becomes a game to them. Although they are not supposed to, they will bring their laptops and phones in and use the network. One of them will get the password, and it travels like wildfire throughout the school. It is sometimes as simple as writing it on a wall where the rest of the students can get the updated password.

What can we do to keep them out of the network? I'm considering entering MAC addresses, but that's very laborious, and still not a guarantee of success if they spoof the address.

Do any of you have any suggestions?

Some background:

There are four routers in a 50-year-old building (plenty of concrete walls). One router downstairs, and three upstairs. They are different brands and models (Netgear, Asus, Acer, D-Link) so no central administration.

The school has about 30 Chromebooks and a similar number of iPads. Teachers will use their own laptops (a mix of Windows Vista, Windows 7, and Windows 8 as well as a number of Mac OS X).

Some of the teachers are not at all comfortable with technology and will leave the room with their machines accessible to the students. The teachers will often leave their password off or even give it to the students when they need help. They will ask for help from the students when setting up a projector, for example, and leave them to it; there goes the security once again. No sooner is the teacher out of the room than they'll go to the taskbar and look at the properties of the Wi-Fi router to get the password.

Dave McQueen
  • Here is a non-technical idea: This is a school, right? So educate them. Teach them the importance of consequences, acceptable use, the illegality of hacking... and yes, proper use of the internet. I mean, *give* them access, to a separate filtered network if need be, and create some curriculum around that. Classes, internet safety, strict compliance with whatever AUP, etc... Give them access to the network, and use it to teach them to be good internet citizens. And, how to use the internet productively, to assist in their education. – AviD Jun 18 '15 at 23:29
  • They cannot get the passwords simply by looking at the WiFi configuration as this only shows a series of ●. They could get it from the router if they know its IP and administrator password (or if there is no password). Someone's probably giving them the password ;-) – algiogia Jun 22 '15 at 12:50
  • @algiogia That depends on what software the machine is running. On some systems it is as simple as just clicking on a checkbox to make the password visible. Even if no such checkbox is immediately available, the password or key must be stored somewhere on the machine - otherwise it wouldn't be able to connect to the network. So the question just is how much work it is to find it. – kasperd Jun 22 '15 at 14:26
  • Consider that the teachers likely have even more sensitive data on their machines than the WiFi password. Focus on keeping students out of the teachers' machines. And possibly give each teacher different WiFi credentials such that revoking those credentials after a leak will only affect one teacher rather than everybody. – kasperd Jun 22 '15 at 14:31
  • That depends on what your security hole is. Are you using antiquated WiFi security, that can be cracked in minutes with a generic consumer laptop? Do you have teachers giving out passwords? Do the students simply watch as the teachers enter the password the first time/does a teacher or two write it on a sticky note? I would have teachers register all devices they want to use. They bring them in, and you enter the password. They do not even get to know it, and the OS probably does not even store a text version of it. You could also do MAC address filtering with this method, or use unique pws – Jonathon Jun 22 '15 at 15:50
  • If you install Cain and Abel on a Windows box, you can have it dump your wireless keys, even if using strong security. If it's one key for the entire network, and teachers are leaving their computer open, this is a trivial way to get the latest key. Furthermore, even if the computer is locked, using something like "the Rubber Ducky USB" can compromise a system the minute a teacher turns their back on it. You have to assume the teachers' systems are compromised. Most of them probably are. Whatever you do, build your plan with that in mind, because you DO have compromised machines on your network. – n00b Jun 22 '15 at 16:50
  • Do note that preventing Wi-Fi access does not fundamentally solve the underlying problem of students having internet access: they can still use a mobile data plan. So on that front it's a lost battle, and should perhaps not even be a goal of this exercise. – RomanSt Jun 22 '15 at 20:25
  • There seems to be a theme of misunderstanding here that high school kids are generally of average technical skills so therefore a solution that can stop generally skilled people is acceptable. I can tell you from my own experience that out of over 1000 kids at my high school, there was just myself and a friend that were responsible for constantly compromising the network for everyone. Just FYI because this "they're just high school kids" is being used to set a false bar for "good enough" security. – Jun 22 '15 at 23:19
  • WPA2-Enterprise was made for this, just so you know. – Andrew Hoffman Jun 24 '15 at 01:37
  • I think Technik Empire hit the nail on the head. Most of us are assuming these kids are running around with USB hack sticks, installing spyware on the teacher's computer, etc. What it sounds like, though, is that: 1. teacher leaves the room without locking laptop 2. student goes to (Windows) laptop, right clicks on the wi-fi icon, goes to properties, and checks the box to show password. 3. password is distributed. If this is the case, holding teachers responsible for passwords using one of the other "individual password" methods, and holding the students responsible for use, should do it. – Rick Chatham Jun 25 '15 at 23:38

17 Answers


Enforce Consequences for Students Found on the Network

The first thing you need to do is ensure you have a written policy outlining what devices are allowed on the network. However, if you are not consistent in the enforcement of your policy, it is useless.

This should also cover the usage policies for the Teachers, including locking their computers when they are not present at the machine. You can also use Group Policy to prevent users from being able to view the WiFi password.

Technical Measures

The following consists of various options for limiting the use of student devices on the school network. The most effective is WPA2-Enterprise. The others are included because they may be effective enough in limiting unauthorized access by students and, depending on your particular network, may be easier to implement.

However, the question suggests that the students are on the main network for the organization. Only WPA2-Enterprise is going to adequately protect your network from an attack of an unauthorized device. Once a PSK is known, a student has the ability to sniff teacher web traffic, and possibly capture email and windows hashes. Additionally, a malicious user could start attacking other machines directly.

WPA2-Enterprise

The best solution would be to implement WPA2-Enterprise, instead of using a pre shared key (WPA2-PSK). This allows individual credentials to be issued. This is implemented by installing client certificates on each machine. This requires a good bit of engineering and is not trivial to set up in larger environments. This page has some good pointers on how to deploy WPA2-Enterprise.

Captive Portal

As @Steve Sether mentioned, the Chillispot captive portal can be used to authenticate users once they have connected to the network. Although I don't have evidence to point to, I suspect such a portal can be bypassed by spoofing MAC and IP addresses. However, it does raise the difficulty and will be easier to manage than MAC Filtering on multiple devices.

MAC Address Filtering

As you mentioned, MAC addresses can be spoofed, so the effectiveness of MAC address filtering is limited. However, many phones prevent spoofing the MAC address, so this will address some of the problematic users. The iPhone for instance, needs to be jailbroken before the MAC address can be changed. The hardest part of using MAC address filtering is going to be managing the list of allowed MAC addresses especially across multiple devices from various vendors.

I would also argue that there is 'legal' benefit of using MAC Address Filtering or a Captive Portal. It can be hard to claim a user was unauthorized to access a network when the password is written on a whiteboard. However, if a user has to explicitly bypass a security restriction, you have a stronger case against the activity.

Using an Internet Proxy to Prevent Unauthorized Uses of HTTPS

Implement an HTTPS solution that uses your own private key. You can install the corresponding certificate on the organization's machines and they won't notice anything different (though the organization should still tell the staff that HTTPS interception is occurring). However, unauthorized devices without the certificate will get a nasty message about HTTPS being invalid whenever they try to browse a secure page. Additionally, since you are decrypting the HTTPS traffic, you will be able to monitor the traffic. For instance, seeing which students log into Facebook will allow you to address those students directly.

Many Content Control implementations offer the ability to decrypt HTTPS traffic. If the school already has a Content Control mechanism in place (such as Bluecoat or Net Nanny), talk to your vendor about how to implement this feature.

amccormack
  • Depending on the applicable law, decrypting the HTTPS traffic could cost your job or bring you to jail. – Daniel Jour Jun 22 '15 at 16:58
  • @DanielJour Thanks for your input. If you have any specific references as to why using HTTPS Interception on a network you administer is illegal, I'd be happy to include it. – amccormack Jun 22 '15 at 17:15
  • One of the best things about using per-user credentials is the fact that if (or likely "when") the students get online again, you can figure out how they got the password. This could be helpful in determining how to improve your approach (as you can target a specific teacher that might not be following protocol or identify if a machine has a keylogger, etc). – Kat Jun 23 '15 at 22:22
  • As a bonus feature (?), WPA-Enterprise lets you use [eduroam](https://www.eduroam.us/). – user1686 Jun 24 '15 at 11:26
  • +1 for WPA2-Enterprise. That's what we're switching to at the schools I support. – Moshe Katz Jun 24 '15 at 13:41

You are trying to solve the wrong problem.

They are thousands and you are one. Since you are not a security expert (as far as I understand, sorry if I'm mistaken) and they aren't either but they are a horde, you are just bound to lose if you fight a conventional war.

@AviD gave a great answer in a comment:

Here is a non-technical idea: This is a school, right? So educate them. Teach them the importance of consequences, acceptable use, the illegality of hacking... and yes, proper use of the internet. I mean, give them access, to a separate filtered network if need be, and create some curriculum around that. Classes, internet safety, strict compliance with whatever AUP, etc... Give them access to the network, and use it to teach them to be good internet citizens. And, how to use the internet productively, to assist in their education.

Not only can you not win the war of preventing them from getting access, but even if you do, you'll have accomplished nothing: they still have their devices, they will still get distracted, just in different ways.

Plus, hacking you will teach them valuable lessons, in "problem-solving", we might say. If this is not the kind of problem you want them to be solving, find better, more entertaining or useful, problems.

Please notice that, even if it were feasible (I guess it isn't), barring them from bringing the devices at all isn't a good solution either: they need to learn to have devices at hand and not use them, following the lesson instead. If they don't learn this lesson, in future they'll have the same problem both socially and at work.

Finally, if they can manage not to follow your lessons and still get good grades, then the problem might lie here. Are your tests too easy or too cheatable? Are your lessons useless? This is the point. On the other hand, if they fail the tests, they might/should realise that maybe following the lessons will help them succeed…


As DDPWNAGE correctly points out:

This is 2015, right? In my opinion, students should be allowed limited access to the Internet. If you're a high school teacher, ask the school if you can teach a class about using the Internet, and teach some basic computing classes. A growing number of kids are taking interest in these subjects, and a programming language learned in high school can later save a kid thousands in college. I'm graduating from HS this coming Friday, and I'm coming out with an iOS game using Objective-C as logic. Just have kids stay on-topic, and they can do great things.

psmears
o0'.
  • I like @AviD's comment as well, but this isn't really an answer to the question. I interpret the question to suggest that the problem isn't that students are using their devices, but accessing the same wireless infrastructure used by teachers. Thus, the school network is at risk by allowing these users on the network. – amccormack Jun 19 '15 at 14:33
  • @amccormack usually "the question is wrong" is a perfectly valid answer. As long as, you know, the question is wrong. Obviously IMHO that's the case here ;) – o0'. Jun 19 '15 at 14:34
  • haha, I think that can be a valid answer too. But the problem the user is facing isn't the actual use of the devices, but that they are on the school's network. – amccormack Jun 19 '15 at 14:36
  • @amccormack that's what he _states_, and I think he's wrong ;) – o0'. Jun 19 '15 at 14:37
  • "The question should be about teaching and not security" is arguable, but that means this answer belongs on *a different site*. – Matthew Read Jun 19 '15 at 20:33
  • Arbitrarily adding curriculum is also not the easiest thing to do in public schools. While possible, the OP of the question might have a hard time convincing the school board to fund additional classes. – Dryden Long Jun 19 '15 at 23:09
  • +1 to Lohoris and amccormack; both technical and non technical approaches are needed. – makerofthings7 Jun 20 '15 at 13:24
  • This is 2015, right? In my opinion, students should be allowed limited access to the Internet. If you're a high school teacher, ask the school if you can teach a class about using the Internet, and teach some basic computing classes. A growing number of kids are taking interest in these subjects, and a programming language learned in high school can later save a kid thousands in college. I'm graduating from HS this coming Friday, and I'm coming out with an iOS game using Objective-C as logic. Just have kids stay on-topic, and they can do great things. – DDPWNAGE Jun 21 '15 at 09:41
  • @DDPWNAGE I'm considering adding your comment to my answer, if you don't mind. – o0'. Jun 21 '15 at 09:42
  • @Lohoris I don't mind at all! :D – DDPWNAGE Jun 21 '15 at 09:43
  • @Lohoris : about the last paragraph there are cases where the exams are designed by the state so there is no control over it. *(in my case we have both private and public systems)* – user2284570 Jun 21 '15 at 11:14
  • @MatthewRead wrong. The topic of the site is related to the _question_. If the correct answer happens to be of a different area, there's nothing we can do about it. Unless you are suggesting to refrain to give the correct answer, just because it's not the answer you would expect? – o0'. Jun 21 '15 at 11:53
  • As a high school student myself, the biggest issue with having a separate network for students is that it **must** be as reliable and as fast as the teacher network, or else they will continue to use the teacher network. In my school, the student wifi is consistently slow and is down at least once a week; most students just use the teacher wifi (even though they are not supposed to). – erdekhayser Jun 22 '15 at 16:54

Ethernet

Before I get flamed by everyone who says iPads don't have ethernet ports, this is simply a single layer of "security".

In most cases teachers should be able to use their laptops with a physical Ethernet 100BASE-TX CAT5+ plain old physical cable.

You will have reduced the attack surface area (as the keys won't be on the teacher's laptops anymore).

Additionally should the students gain access to the physical CAT5, it would be harder to exploit (you can see a physical device attached to a cable and most phones lack a RJ45 socket).

Aron
  • This is a great workaround though I think the "50 year old building" part indicates it may be a significant burden. It's great to keep in mind though. – amccormack Jun 19 '15 at 14:28
  • @amccormack Try power line adaptors. – Aron Jun 19 '15 at 15:01
  • And students will try wifi APs, heck, you can even get battery powered ones, just plug into ethernet port :) – domen Jun 19 '15 at 15:04
  • @domen add a physical lock and key on the socket... – Aron Jun 19 '15 at 15:15
  • @Aron a physical lock to an Ethernet socket? I'd say this is far over the limit… – o0'. Jun 19 '15 at 19:49
  • @Lohoris fine...confiscate any mobile APs you find. Should be easy enough. Kids aren't made of money... – Aron Jun 21 '15 at 08:20
  • Physical locks for CAT5/6 ports are super cheap - I buy them by the dozens. – schroeder Jun 23 '15 at 02:49
  • @schroeder and do you think they wouldn't just "unlock" (wink wink) them? Plus, if the teachers just give away the passwords, they would do the same with the lock keys, so you would be solving nothing. Confiscating APs, however, might be a valid strategy. – o0'. Jun 24 '15 at 13:20

If passwords are leaking like that, you may have a bigger problem than restricting Wifi access. It sounds as if the kids could do almost anything a teacher can do (including manipulate exam results?) and are routinely doing so at your location.

It sounds as if a little bit of teacher education would solve this, after some detective work to narrow down the source of the leak. It might be a hacked computer or router rather than human error so I'm not advocating anything draconian. I would install some logging, or give teachers individual passwords (temporarily).

Perhaps also make it easier for teachers to get help from an adult, or to use guest accounts if a kid is helping?

  • yeah, why do they get to know the password in the first place? – Agent_L Jun 19 '15 at 16:57
  • The default wireless security methods are easily cracked with consumer grade laptops in a matter of minutes. I would not be too quick to blame it on the teachers. – Jonathon Jun 22 '15 at 16:00
  • @JonathonWisnoski WPA2 easily cracked? It's not 1999, WEP is no more. – Agent_L Jun 22 '15 at 18:44
  • @JonathonWisnoski I'm seconding the previous comment. WPA2 is not yet broken, WEP should not be used at all. I suspect that you either have old access points that don't support WPA/WPA2, or you are picking very weak, predictable passwords, or you have one or more teachers who are either sharing the passwords or are writing them down somewhere obvious. – Craig Tullis Jun 23 '15 at 02:01
  • @Agent_L, it's possible that despite WEP having long since fallen out of favour, the school could still be using it since OP makes it a point to mention the age of the school and inconsistency of technology. WEP was officially deprecated in 2004. As far as school hardware goes, that's not *that* long ago. All that said, I would expect that students get it simply by inspecting it in Windows (which is possible by default) or some form of social engineering. – Kat Jun 23 '15 at 22:27
  • @Mike Jonathon made an arbitrary statement about "default" - as you've stated WEP was deprecated 10 years ago. I do agree it's possible that some particular cases still use archaic hardware - but by no means can this be considered "default" in 2015. – Agent_L Jun 24 '15 at 07:12

Consider an equipment upgrade

I know you're looking for a no-budget solution, but a matching set of enterprise-grade WAPs and central controller could make securing the network easier. Weigh it against the cost of defending against a lawsuit for cyber-bullying, or harassment of an employee, or facilitating the falsification of test scores...

Use MAC filtering

Gathering the MAC addresses gives you a chance to talk to each staff member about your expectations for securing their account and equipment. A list of MAC addresses, hardware serial numbers, and other information about school-owned equipment is also important for proving you haven't been subject to theft.

Make DHCP a honeypot

Assign staff-member devices static IP addresses from a manageable range, and allow them whatever access to the Internet is appropriate. Configure DHCP to give out addresses from a different range for unrecognized MAC addresses, and set up a DNAT redirect so that the only thing a user sees when coming from that IP address range is a static webpage with instructions to talk to you:

"This network is operated by XXX school and is for authorized academic use only. If you believe you are seeing this page in error, please see Mr. McQueen in room XXX."

Enforce consequences

If students aren't supposed to have phones and laptops, enforce that. First offense, confiscate the device immediately, make a parent come pick it up. Second offense, same drill, suspend the student, same as if a student was caught with drugs or a weapon. For those students who have to carry a phone to/from school (if it's a high school, maybe they need a phone for work or their commute to it), make them check it in to the secretary before the school-day starts and check it out afterward.

Peter Mortensen
david
  • I like the honeypot DHCP suggestion, though it may be a bit complicated to implement across 4 different APs. I was going to vote up your answer but I have a hard time endorsing "same as if a student was caught with drugs or a weapon". I'm sorry, but the two just aren't the same. Bringing drugs and weapons onto school property is usually a felony, whereas bringing a phone to school is just against the rules. – amccormack Jun 19 '15 at 14:25
  • You shouldn't be having the individual APs each handle DHCP. Get a DHCP server stood up, or failing that centralize your admin and configure all but one AP into a wireless bridge mode by turning off DHCP service and connecting them to the network via their switch ports. They shouldn't all be NATting traffic and handling their own subnets. – Oesor Jun 19 '15 at 15:18
  • Then you need someone to administer the IPs every time you need to add a device. Furthermore, even if it will certainly make it harder to connect, it is just "security through obscurity". Someone may figure it out and then all the work will be lost. – borjab Jun 19 '15 at 15:44
  • Give each authorised user their own individual password. Then you'll be in a position to judge where the leaks are coming from (assuming they're being leaked as opposed to cracked). (e.g. you may find that you need to educate one of your teaching staff not to leave the password written down on his desk).

  • Set up harsh firewall rules that block access to most of the internet. Only leave the bare minimum of accessible sites. The students may give up trying to connect if it doesn't give them access to Facebook (for example). Authorised users could easily request a site get unblocked if they need it. The block could also be configured to only apply for wireless connections, that way it won't inconvenience your admin staff who are at their computer on their desk the whole day on a wired connection.

Simba
  • Point #1? Good idea. Point #2? Wtf. If I was a teacher there I'd make a program that automatically fires off emails to whitelist every DNS request my system does until this annoying shit is gotten rid of. – Luc Jun 19 '15 at 10:57

You need to tighten human security, not technical security. WiFi password is good enough, the real questions are "Who is leaking passwords to students?" and "How to stop them?". You can't have any security if privileged persons (staff) share their credentials with the ones you're trying to block.

Setting up different passwords for every single person would only help in that you'll be able to lock out those who reveal their passwords. And then gradually teach them to be more careful by employing a long and troublesome access restoration procedure : D

//edit: After re-reading your question, I realize you've already said how passwords are leaked.

Some of the teachers are not at all comfortable with technology 

So, I can propose extreme means to you: joker knows the solution

Then change the technology! Wi-Fi is complicated and confusing. Replace it with cables. Cables are simple and easy to understand: one plugs it in, the lights start blinking and the internet works. Please understand that I don't urge you to physically shut down your Wi-Fi. I merely suggest that most teachers should not use it directly and thus have no need of knowing the password.

If you can't get a cable somewhere, a simple access point in client mode will provide an Ethernet jack. A password on the admin panel will make it very hard to learn how this AP authorizes to your "backbone" Wi-Fi.

For Chromebooks and iPads, set up a dedicated Wi-Fi in the room where they're used. You can change its password after every class and announce the new one when the next class starts.

Agent_L

I would use WPA2-Enterprise, so everyone would use their own name and password, not just a password which is the same for everyone. To set up WPA2-Enterprise, you just need to have a RADIUS server. The cheapest option, I think, is to buy a NAS server. It supports multiple things and sometimes RADIUS too (I recommend Synology for this).

An alternative is to use some hotspot system to require login, but not all routers support this and it is quite expensive.

The mentioned MAC filter and DHCP traps are not the main security. All addresses need to be registered in the router(s), so there is no option to bring your own device. The next thing is that MAC filters and DHCP traps are crackable in about 5-15 minutes.

To the last paragraph: somebody should tell the teachers that this is wrong. Although you can set up device locking after some time of inactivity and many other things, there is no effective way you can stop them telling the password to people that should not have the password. Also, they should periodically change passwords.

But I see the whole thing this way: there is no way to stop the hackers (students), you can only make the hacking harder.

Vilican
  • This is the only real solution to the problem of students stealing the Wifi password -- if a teacher's password leaks, then lock out their account and have a talk with the teacher about securing their password. – Johnny Jun 20 '15 at 00:27
  • I agree that this is the best technical solution but don't forget social engineering works both ways. When I was at uni, after a lengthy war of the sort described in the question, they found the two worst (ie most capable) offenders, gave them admin level access and held them responsible for up-time on the Vax. – Peter Wone Jun 21 '15 at 10:26
  • @PeterWone that is the most creative and useful solution. Don't make it a war, make them your allies! – Davidmh Jun 22 '15 at 09:45
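amccormack's WPA2-Enterprise section, Simba's first point and this answer all rest on the same property: per-user credentials turn a leak from "rotate the PSK for everybody" into "find the one account and lock it" (Kat's and Johnny's comments make the same point). That only pays off if somebody reads the authentication log. The block below is an added example, not code from any of the answers or from a RADIUS project: it parses constructed log lines modelled on FreeRADIUS's default `Login OK` / `Login incorrect` entries, compares the client MAC of each successful login with a hypothetical per-teacher device register, and names the accounts whose password has evidently been shared. The register, the usernames, the AP names and the MACs are all made up for the example.

```python
"""Find shared or guessed per-user Wi-Fi credentials in RADIUS auth logs.

Added example (not code from the answers or from any RADIUS project).
The log lines are constructed, modelled on FreeRADIUS's default
'Login OK' / 'Login incorrect' entries; the device register is a
hypothetical record of which MACs each teacher enrolled with IT.
"""
import re
from collections import defaultdict

# Hypothetical register: user -> MACs of the devices they brought to IT.
ENROLLED = {
    "ms-jones": {"3c:07:54:10:aa:01"},
    "mr-smith": {"00:1e:c2:9b:2f:44", "a4:5e:60:12:34:56"},
}

# Constructed log excerpt: one teacher's account used from four devices in an
# hour, and someone hammering another teacher's account with wrong passwords.
SAMPLE_LOG = """\
Mon Jun 22 08:01:12 2015 : Auth: (12) Login OK: [ms-jones] (from client ap-upstairs-1 port 1 cli 3C-07-54-10-AA-01)
Mon Jun 22 08:03:40 2015 : Auth: (13) Login OK: [mr-smith] (from client ap-downstairs port 1 cli 00-1E-C2-9B-2F-44)
Mon Jun 22 10:15:02 2015 : Auth: (21) Login OK: [mr-smith] (from client ap-upstairs-2 port 1 cli D8-BB-2C-77-01-9F)
Mon Jun 22 10:15:45 2015 : Auth: (22) Login OK: [mr-smith] (from client ap-upstairs-2 port 1 cli 64-A3-CB-11-22-33)
Mon Jun 22 10:16:10 2015 : Auth: (23) Login OK: [mr-smith] (from client ap-upstairs-3 port 1 cli 90-B9-31-44-55-66)
Mon Jun 22 12:30:00 2015 : Auth: (40) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [ms-jones] (from client ap-upstairs-1 port 1 cli 48-5A-3F-AB-CD-EF)
Mon Jun 22 12:30:07 2015 : Auth: (41) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [ms-jones] (from client ap-upstairs-1 port 1 cli 48-5A-3F-AB-CD-EF)
Mon Jun 22 12:30:15 2015 : Auth: (42) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [ms-jones] (from client ap-upstairs-1 port 1 cli 48-5A-3F-AB-CD-EF)
"""

LINE_RE = re.compile(
    r"Auth: \(\d+\) Login (?P<result>OK|incorrect)(?: \([^)]*\))?: "
    r"\[(?P<user>[^\]]+)\] \(from client (?P<ap>\S+) port \d+ cli (?P<mac>[0-9A-Fa-f-]+)\)"
)


def parse_log(text):
    """Turn matching lines into dicts; lines that are not auth results are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append({
                "ok": m.group("result") == "OK",
                "user": m.group("user"),
                "ap": m.group("ap"),
                "mac": m.group("mac").lower().replace("-", ":"),
            })
    return events


def analyze(events, enrolled=ENROLLED, max_devices=2, max_failures=3):
    """Return {user: [finding, ...]} for accounts that look shared or attacked."""
    ok_macs = defaultdict(set)                        # user -> MACs that logged in
    failures = defaultdict(lambda: defaultdict(int))  # user -> MAC -> failed count
    for e in events:
        if e["ok"]:
            ok_macs[e["user"]].add(e["mac"])
        else:
            failures[e["user"]][e["mac"]] += 1

    findings = defaultdict(list)
    for user, macs in ok_macs.items():
        strangers = macs - enrolled.get(user, set())
        if strangers:
            findings[user].append("successful logins from unenrolled devices: "
                                  + ", ".join(sorted(strangers)))
        if len(macs) > max_devices:
            findings[user].append("%d distinct devices in one log window (limit %d)"
                                  % (len(macs), max_devices))
    for user, per_mac in failures.items():
        for mac, n in sorted(per_mac.items()):
            if n >= max_failures:
                findings[user].append("%d failed attempts from %s (guessing?)" % (n, mac))
    return dict(findings)


def accounts_to_disable(findings):
    """Accounts whose password has evidently leaked: a successful login from a
    device the teacher never enrolled. Failures alone mean the password held."""
    return sorted(user for user, items in findings.items()
                  if any(item.startswith("successful logins") for item in items))


if __name__ == "__main__":
    report = analyze(parse_log(SAMPLE_LOG))
    for user, items in sorted(report.items()):
        for item in items:
            print("%s: %s" % (user, item))
    print("lock and re-issue:", ", ".join(accounts_to_disable(report)))
```

With FreeRADIUS the real input is radius.log, and the register is whatever you write down when a teacher brings a device in. The two signals call for different responses: a successful login from a stranger MAC means the password is out, so disable that one account and re-issue it; a burst of failures from one MAC means the password held and someone is guessing, which is a conversation with a student rather than a reset.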

Set up a captive portal that uses RFC 6238 like Google Authenticator (GA) (https://github.com/google/google-authenticator). GA has a PAM module. Have each employee install the app, then come to your IT office, in person, to set up (sync) their account with the app.

Use the auth token as either the only, or second factor. If the QR codes or secrets get leaked, you're back to chaos, but you should be able to contain that.

You could also use urQui (http://urqui.com/web/) instead of Google Authenticator

Rondo
  • How does the captive portal get enforced? – Aron Jun 19 '15 at 08:49
  • Different wifi setups have different mechanisms to require captive portal logins. So I think that is orthogonal: unless, and even if, you are making a point about weaknesses in that mechanism. The OP is trying to find the mother of all solutions, of which there are none anyway. – Rondo Jun 20 '15 at 04:22
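RFC 6238 is short enough to show in full, which also makes clear what "the QR codes or secrets get leaked" means in the answer above. Below is an added example, not code from the answer or from the google-authenticator project: HOTP (RFC 4226) truncation, TOTP on top of it with a 30-second step, the otpauth provisioning string a teacher's app would import, and the check a captive portal would run, with the usual one-step tolerance for clock skew. The label and issuer are made up; the expected codes in the test are the SHA-1 test vectors published in RFC 6238.

```python
"""RFC 6238 TOTP, the algorithm behind Google Authenticator codes.

Added example (not code from the original answer or from the
google-authenticator project). Label/issuer strings are constructed;
the algorithm is checked against the RFC 6238 SHA-1 test vectors.
"""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> decimal code."""
    msg = struct.pack(">Q", counter)            # 8-byte big-endian counter
    mac = hmac.new(secret, msg, digestmod).digest()
    offset = mac[-1] & 0x0F                     # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step, digits)


def provision_uri(label, secret_bytes, issuer="school-wifi"):
    """otpauth:// URI in the form the Google Authenticator app imports (usually
    shown as a QR code). The base32 secret inside it is the thing to protect:
    anyone who copies it generates the same codes forever."""
    b32 = base64.b32encode(secret_bytes).decode().rstrip("=")
    return "otpauth://totp/%s:%s?secret=%s&issuer=%s" % (issuer, label, b32, issuer)


def secret_from_base32(b32):
    """Inverse of provisioning; tolerates the unpadded/lower-case form apps show."""
    b32 = b32.strip().replace(" ", "").upper()
    b32 += "=" * (-len(b32) % 8)
    return base64.b32decode(b32)


def verify(secret, code, at=None, step=30, window=1):
    """Portal-side check: accept the current step or its immediate neighbours so
    a phone whose clock is a few seconds off still works. compare_digest keeps
    the comparison constant-time."""
    if at is None:
        at = time.time()
    counter = int(at) // step
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    demo_secret = b"12345678901234567890"      # the RFC test secret, not for real use
    print(provision_uri("ms-jones", demo_secret))
    print("code now:", totp(demo_secret), "valid:", verify(demo_secret, totp(demo_secret)))
```

A real portal would also remember the last counter value it accepted for each user and refuse anything at or below it, so a code shoulder-surfed from a teacher's phone cannot be replayed inside its 30-second window. If the secret itself leaks (photographed QR code, copied provisioning URI), re-enrol that teacher exactly as you would reset a leaked password.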

I'm going to recommend doing what most public Wi-Fi sources do, and require authentication through a website with individual usernames and passwords. Use a WPA password as well if you want; it will provide some protection from casual sniffing.

This is available through the free DD-WRT router, specifically through software called ChilliSpot. You can then use a third-party provider to handle the authentication of users.

ChilliSpot is an open source captive portal wireless or LAN access point controller. It is used for authenticating users. It supports web based login which is today's standard for public HotSpots. Authentication, authorization and accounting (AAA) is handled by an on-line provider, or a local RADIUS service you provide.

Each teacher would then have an individual login. While passwords might still "leak", you could easily change any password for one user since the service also offers accounting, and you'd find which person was responsible for leaking the password. Right now I'm sure it's a major pain to change the pre-shared key since it needs to be communicated to so many people, so I'm guessing you don't do it very often. Also, typing in a username and password "feels" more like hacking than just sharing a WPA password (which people do all the time). So even this one change will likely cut down on abuse even if an individual login is leaked.

I'm going to recommend against MAC address filtering because it's a maintenance nightmare every time a teacher wants to connect a new device to the network. It could be done of course, but seems more trouble than it's worth. Also MAC address spoofing is relatively trivial, and once discovered it would just be a matter of time before everyone knew how to do it.

I'm assuming you've already thought of the "enforcement" option and have rejected it for your own reasons. Good. I hope schools don't go further down the road of being more like prisons than places to learn.

Peter Mortensen
  • 877
  • 5
  • 10
Steve Sether
  • 21,480
  • 8
  • 50
  • 76
  • This "solution" is technically and cryptographically the same as using WPA-2 PSK. The same vulnerabilities are on a captive portal as WPA-PSK, in fact its worse in more ways than I can count, from MITM attack to MAC spoof attack to Rubber Hose/Post-it attack. – Aron Jun 19 '15 at 08:48
  • 1
    But you can figure out who the "leak" is in a rubber hose / Post-it attack, sternly warn them, and change their password. If they keep leaking, you can just disable their account until they stop letting students get their credentials. – Michael Jun 19 '15 at 14:30
  • 3
    @aron No, it's not the same at all. It's trivial to change an individual's password if it leaks. It's much more difficult to change the PSK. The administrative functions matter a great deal here. Also, the active attacks you're mentioning are far more sophisticated than some kid writing the password on a wall. "Threat model" matters here. No system is perfectly secure, and the attacks here are below script kiddie level, so even a modest increase in the sophistication of the required attack will likely solve the problem. – Steve Sether Jun 19 '15 at 18:08
  • 5
    @Aron: if high-school kids are using rubber-hose attacks on teachers, then I think the problem has escalated beyond where a part-time IT person should be the one addressing it ;-) Ofc since teachers are leaving their laptops unlocked and unattended, possibly it should be the IT person applying the hose in a corrective manner. – Steve Jessop Jun 19 '15 at 20:04
3

Find a way to not give out the password. I don't have experience with this tool, but SpiceWorks has a free Mobile Device Management program at http://www.spiceworks.com/free-mobile-device-management-mdm-software/. Use that to distribute the WPA2 password to all of the computers that are authorized to connect. If a student gets their hands on the installer, that won't help them because you can set it up so the device has to be approved before it gets the password.

longneck
  • 273
  • 1
  • 8
3

802.1X

IEEE 802.1X is a Standard for Port-based Network Access Control (PNAC) - it provides an authentication mechanism to devices wishing to attach to a LAN or WLAN.

There are different ways it can be set up so you'll have to look into what your equipment and needs are, but a typical use-case is if you have an MS Active Directory with all your users (staff) having AD accounts. You can then set up a RADIUS server and users can then authenticate with their normal domain credentials to gain access to the network.

Eborbob
  • 226
  • 1
  • 9
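The per-user accounting that the captive-portal answer relies on to find who leaked a login, and that a RADIUS server behind 802.1X produces as well, only helps if someone actually reads it. As an added example that is not code from either answer, this Python script parses FreeRADIUS-style "detail" accounting records (the layout and the device threshold are assumptions, and the records are constructed) and lists accounts whose login has appeared on more client devices than one teacher plausibly owns, i.e. the accounts to warn and rotate.

```python
"""Flag leaked per-user Wi-Fi logins from RADIUS accounting (added example, not
code from the answers above). Assumed FreeRADIUS-style "detail" layout: a date
line, indented "Attr = value" lines, and a blank line between records."""
from collections import defaultdict

MAX_DEVICES = 2  # laptop plus phone is normal; more suggests a shared login

# Constructed sample records, not real accounting data.
SAMPLE_DETAIL = """\
Mon Jun 22 08:05:13 2015
    Acct-Status-Type = Start
    User-Name = "mrs.jones"
    Calling-Station-Id = "AA-BB-CC-11-22-33"

Mon Jun 22 08:07:40 2015
    Acct-Status-Type = Start
    User-Name = "mr.lee"
    Calling-Station-Id = "AA-BB-CC-44-55-66"

Mon Jun 22 10:31:02 2015
    Acct-Status-Type = Start
    User-Name = "mrs.jones"
    Calling-Station-Id = "DE-AD-BE-EF-00-01"

Mon Jun 22 12:15:55 2015
    Acct-Status-Type = Start
    User-Name = "mrs.jones"
    Calling-Station-Id = "de-ad-be-ef-00-02"
"""

def parse_detail(text):
    """Yield one dict per accounting record."""
    record = {}
    for line in text.splitlines():
        if not line.strip():            # blank line closes a record
            if record:
                yield record
                record = {}
        elif line[0] in " \t":          # indented line: Attribute = value
            key, _, value = line.strip().partition(" = ")
            record[key] = value.strip('"')
        else:                           # unindented line: record date
            record["_date"] = line.strip()
    if record:
        yield record

def leaked_accounts(text, max_devices=MAX_DEVICES):
    """Return {user: sorted client MACs} for accounts that started sessions
    from more than max_devices distinct devices (Stop/Interim records ignored)."""
    seen = defaultdict(set)
    for rec in parse_detail(text):
        if rec.get("Acct-Status-Type") == "Start":
            seen[rec["User-Name"]].add(rec["Calling-Station-Id"].upper())
    return {u: sorted(m) for u, m in seen.items() if len(m) > max_devices}
```

Run it over the real detail file nightly and the output is the list of teachers to have a word with; MAC spoofing by a student would hide one device, not the fact that the same login keeps appearing on new ones.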
3

Here's a different strategy. Let's start by assuming the following:

  1. Any password you give teachers will leak so long as the teachers have no motivation not to share their passwords
  2. Once a password leaks it travels widely via word of mouth
  3. Enforcement / action against students for using borrowed passwords is hard
  4. We are trying to stop the average student and not a really motivated hacker
  5. Having a static list of MACs is too restrictive and can be spoofed anyways
  6. Having any sort of dynamic MAC list makes it a lot of day to day work having to add devices and besides that can be spoofed anyways.
  7. You don't really care about the odd guy or two logging in illegitimately so long as not so many guys log in to swamp your bandwidth

Now given all this, the only solution I think fits the use case is a frequently changing password. Now admittedly, that might be a little tricky to implement but not impossible.

Let's first think about what might work for your use-case and then we can worry how to implement it. What you need is a system that generates a password with an expiry. Say, every day when someone tries to log in, you send them a pass code that works for 8 hours via an off-channel medium; that would work. e.g. use an SMS/text message to send them the pass code. Cellphones are ubiquitous. Almost all your staff will have them. On the plus side, the password doesn't have to be very long and hard now. A 4-digit or 6-digit number code should be sufficient for most purposes.

In this system, even if a teacher gives away a password, accidentally or intentionally, the damage is minimal because the number of illegitimate users that can get the password in 8 hours is limited. And the password is no good after that.

Basically, make life harder for the bad guys.

If you wanted to make things worse, you could also make it so that any one pass code was only valid for one device.

Implementation: I'm not sure what the systems are called but I've seen this at airports (especially outside the US) and other public places before. I have to enter my Cellphone number and agree to the terms on the Login Page that I am presented when I try to log in to a WiFi network and then the system sends me a text message on my cellphone with the pass code needed for login.

Sending the Text Messages: With something like Twilio or the dozens of other SMS APIs online sending the actual message out shouldn't be that hard. At less than a cent per message sent it shouldn't overwhelm your budget.

Alternative to Text Messaging: Use a time-based PIN code generator like one of those RSA fobs or even Google's own authenticator. But programming this sort of solution and integrating it into your solution might not be trivial.

curious_cat
  • 1,013
  • 1
  • 11
  • 18
  • Those systems at airports are based on captive portals, but here the cellphones will be provided when enrolling the teachers, so it isn't really needed. Also, a 4-digit key would be memorizable by any student passing by. – Ángel Jun 20 '15 at 23:12
  • You can keep track of known MAC addresses and additionally perform a key rotation when discovering new devices: «Unauthorized iphone connected to the network on second floor. Today wifi password has been changed to K}ikN%htPY» – Ángel Jun 20 '15 at 23:16
  • @Ángel Even if a kid memorized a key it would only help him for a few hours. If the key keeps changing. – curious_cat Jun 21 '15 at 03:27
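As an added example of the expiring pass-code scheme this answer describes (not code from the answer, and not any airport or vendor product), here is the server side in Python: the code is derived from a secret, the user name and the current 8-hour window with HMAC and dynamic truncation, the same construction TOTP uses, so nothing per code has to be stored and every code expires with its window; the optional device binding is the "one pass code per device" variant. The secret, window length, digit count and sample values are assumptions, and delivery by SMS is left to whatever API the school picks.

```python
"""Expiring Wi-Fi pass codes (added example, not code from the answer above).
A server secret plus the current 8-hour window derive a 6-digit code the way
TOTP does; the portal texts it out and it dies with the window. Binding the
code to one client MAC makes a copied code useless on another device."""
import hashlib
import hmac
import struct
import time

WINDOW_SECONDS = 8 * 3600   # one school day, after which the code is void
DIGITS = 6                  # 4 digits is memorisable at a glance; 6 is safer
SERVER_SECRET = b"constructed-demo-secret-change-me"   # assumption: portal-only

def window_id(now=None):
    """Index of the 8-hour window containing `now` (epoch seconds)."""
    return int(time.time() if now is None else now) // WINDOW_SECONDS

def passcode(user, window, device_mac=None, secret=SERVER_SECRET):
    """Derive the code for user+window(+device) by HMAC-SHA1 dynamic truncation."""
    msg = user.encode() + struct.pack(">Q", window)
    if device_mac:                      # optional one-device binding
        msg += device_mac.upper().replace(":", "-").encode()
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F          # RFC 4226 style truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"

def verify(user, submitted, now=None, device_mac=None, secret=SERVER_SECRET):
    """True only for a code of the current window (and device, if bound)."""
    expected = passcode(user, window_id(now), device_mac, secret)
    return hmac.compare_digest(expected, submitted)
```

The portal calls `passcode()` when a teacher asks for today's code and `verify()` on each login attempt; pair it with an attempt limit per user, since a 6-digit space is small if guesses are free.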
2

You are approaching the problem the wrong way, and in the process making yourself (and the institution in general) the enemy. The student body is, collectively, smarter and has more resources. Also don't forget who you work for (them).

If I was in your place I would take the simple route - a completely open student wifi network. Yes, you read that right - no restrictions at all.

The way you "control" it is letting it be well known that the network is monitored. And any "unusual" traffic will be posted on the school website for all to see.

You are including information-age classes, yes? How networks operate, password cracking, information security, scam-of-the-month analysis etc? If not, you are failing at your job as an educator. We are well into the 21st century, this is required knowledge and rather more important than long division or the French Revolution. Their phones already do division.

paul
  • 195
  • 1
  • 2
  • Right, so they set up the second wifi network. How do they keep them off of the teacher's network? You haven't addressed the issue at hand. – schroeder Jun 23 '15 at 02:54
  • @schroeder I don't see that as an issue - teachers would no longer need to give students the password, as they can use the other network, students would have much less incentive for "hacking" the teacher network - instead, I would say that the schools work for the tax-paying parents, not the teenagers who would rather stay at home and watch cat videos on their phones all day long. Also not sure how posting "unusual" traffic would do any good, anyone who cares enough would just encrypt whatever they are doing. – user2813274 Jun 23 '15 at 15:03
  • @user2813274 one of the scenarios the OP listed was the teachers giving out the wifi password so the students can perform in-class troubleshooting on school/teacher equipment, so there would still be that. As to your other point, schools do not *work for* parents. Grow up. – schroeder Jun 23 '15 at 15:19
  • @schroeder more so than the schools working for the students themselves at any rate.. – user2813274 Jun 23 '15 at 15:21
1

The Human Problem (Social Engineering)

You have teachers casually handing passwords out to students. The first group you need to educate about the use of the network is your teachers. Otherwise, further security measures are pointless.

Presuming you are using a strong password for the WiFi key and using WPA2 (not WEP or even WPA, but WPA2), the wireless network is not particularly easy to break into.

Which means your teachers are giving the password to your students, either directly and intentionally, or through a lax treatment of security (writing the password down, leaving computers unlocked, etc.)

There are plenty of other answers addressing things like MAC address filtering (pointless), establishing clear consequences for misuse of the network, etc.

Some answers also address the possibility of giving students their own network to use.

The Technical Solution

A few answers have suggested variations of setting up a secure network. This can be done with a relatively minimal investment, and can be easily extended to provide multiple networks for different uses (teacher's/admin network for sensitive stuff, student network for classroom Chromebooks and maybe even limited use of students' own devices).

If you have Active Directory (a Windows server) or a Linux SAMBA server, you can set up WPA-Enterprise authentication on your wireless network.

Further, you can deploy relatively affordable access points that communicate with each other and enable you to serve multiple SSIDs (more than one wireless network), each on a separate VLAN. Each VLAN is a separate network and cannot communicate with other VLANs except through a router, so the router is where you establish firewall rules to control what can communicate with what. And one network can use WPA-Enterprise while another uses WPA2, or is open but forces authentication via a captive guest portal, and a firewall preventing connections into the admin network.

Just granting the students a network-connected domain of their own may reduce the number of them who are interested in breaching policy and risking their grades or their summers to break into the sensitive administration network.

I'm not trying to sell any particular gear, but as just one example you can get Ubiquiti Unifi APs for under $70 each. They can serve up to four SSIDs, and the controller software is "free" and runs on Windows or Linux and includes a guest portal enabling you to require visitors (aka "students") to log on individually in order to access the network. You can deploy as many of these as you need in order to get adequate wireless coverage, and devices/laptops will roam seamlessly among all of the APs. They're PoE devices, so all they need in order to function is an Ethernet cable. http://www.amazon.com/Ubiquiti-Networks-UniFi-Enterprise-System/dp/B004XXMUCQ

You can get a real router for $100 that'll push close to a Gigabit per second through the routing engine (actually, for $50 with somewhat lesser throughput if you get the "little brother" version, and yes I'm thinking of a particular brand). Either of these little routers would give you a single Internet connection (or redundant connections if you prefer) and the ability to segment the network into multiple VLANs and control communications between those segments, and present a different DHCP server to each network segment. So you could direct all the student connections through a proxy server that logs activity and watches for sneaky/inappropriate stuff if that's what you want to do.

You can get an 8 port managed ("smart") Gigabit Ethernet switch with fully adequate VLAN support for $30, or a 24 port version of the switch for $80. For the scale and budget you're dealing with, you don't have to spend thousands of dollars per device to use top-shelf HP Procurve or Cisco switches and super-expensive wireless devices with dedicated hardware controllers. Those are great, don't misunderstand, but if it isn't in the budget, then it isn't in the budget.

For a few hundred dollars, somebody with a little bit of networking knowledge and access to online documentation and forums could set up a robust network.

Vilican
  • 2,703
  • 8
  • 21
  • 35
Craig Tullis
  • 1,483
  • 10
  • 13
1

You should tell the teachers about this, so they would not give passwords to students, and then apply a WPA2-Enterprise scheme.

Vilican
  • 2,703
  • 8
  • 21
  • 35
0

There have been many good answers about using WPA Enterprise which is the proper way to secure a multiple-user Wifi network. Captive portals would work too, and I doubt more than a couple students would be bothered trying to spoof MAC addresses and cookies to try to get around that.

Switching to wired Ethernet is my favorite answer. Being in the presence of Wifi is known to have ill effects on people's health. The answers about disciplining students are good too.

The question is how to keep students off of the WiFi network. My answer is make them not want to be on it. This is a school. It is for education. Filter all non educational content on the whole network during school hours. This would prevent both teachers and students from goofing off during school times. It could be done with a whitelist of educational services, blocking all known non educational content possibly including all non whitelisted SSL/TLS traffic, and throttling everything that is unknown to 1KB/sec. Multimedia content seems to be what many students are using. 1KB/sec would put an end to that. Teachers could email in advance requesting sites to be unblocked. After a while a nice collection of educational sites would be allowed. Teachers will probably be upset that youtube.com doesn't work. Explain to the teachers that videos must be downloaded in advance using one of the several video downloaders.

If a limited number of teachers need full unfiltered access then an HTTP / HTTPS proxy with a password (or a different password per teacher) could be set up for those teachers. Actually, setting up the entire network to require a proxy to go out is an alternative to securing the wifi.

I realize that this idea goes against what companies like Google want, where their products (like Chromebooks) won't work at all in a filtered network unless you unblock youtube (which is practically everything entertainment wise). Do you want school to be for education, or for big companies to come in and try to bypass teachers and deliver content directly to students?

Another way to filter things is to partially allow it but break it in some way. Youtube does this when they want to censor something. They won't remove it from Youtube, but they'll make it not show up in the related videos. This prevents people from switching away from Youtube where things are as censored, while preventing most people from seeing it. You could randomly assign all MAC addresses belonging to Apple products (like iPhones) to the throttled to 5KB/sec list, assuming the teachers' computers aren't Apple. You could request all teachers to turn off their devices. Then monitor all MAC addresses that are in use and assign those to the filter or block list, or throttle to 5KB/sec. Some student devices will still work and it'll take them a long time to figure out what's going on.

You could monitor sites that you know only students are going on and then block based on MAC addresses. Most of the student & device combinations will prevent MAC address changing. Eventually someone will probably figure out jail breaking and such and so network wide filtering, wired Ethernet, or WPA Enterprise will need to be deployed.

Alex Cannon
  • 402
  • 2
  • 7