Trying to keep high school students out of the Wi-Fi network

Question

I'm a teacher and IT person at a small K-12 school.

The students are not supposed to have phones, laptops or access to the network. However, students being students they will try to find a way around the rules.

The students manage to acquire the Wi-Fi passwords pretty much as soon as we change them. It becomes a game to them. Although they are not supposed to, they will bring their laptops and phones in and use the network. One of them will get the password, and it travels like wildfire throughout the school. It is sometimes as simple as writing it on a wall where the rest of the students can get the updated password.

What can we do to keep them out of the network? I'm considering entering MAC addresses, but that's very labourious, and still not a guarantee of success if they spoof the address.

Do any of you have any suggestions?

Some background:

There are four routers in a 50-year-old building (plenty of concrete walls). One router downstairs, and three upstairs. They are different brands and models (Netgear, Asus, Acer, D-Link) so no central administration.

The school has about 30 Chromebooks and a similar number of iPads. Teachers will use their own laptops (a mix of Windows Vista, Windows 7, and Windows 8 as well as a number of Mac OS X).

Some of the teachers are not at all comfortable with technology and will leave the room with their machines accessible to the students. The teachers will often leave their password off or even give it to the students when they need help. They will ask for help from the students when setting up a projector for example and leave them to it, there goes the security once again. No sooner that the teacher is out of the room than they'll go to the taskbar and look at the properties of the Wi-Fi router to get the password.

Answer 1

Enforce Consequences for Students Found on the Network

The first thing you need to do is ensure you have a written policy outlining what devices are allowed on the network. However, if you are not consistent in the enforcement of your policy, it is useless.

This should also cover the usage policies for the Teachers, including locking their computers when they are not present at the machine. You can also use Group Policy to prevent users from being able to view the WiFi password.

Technical Measures

The following consists of various options for limiting the use of student devices on the school network. The most effective is WPA2-Enterprise. The others are included because they may be effective enough in limiting unauthorized access by students and, depending on you particular network, may be easier to implement.

However, the question suggests that the students are on the main network for the organization. Only WPA2-Enterprise is going to adequately protect your network from an attack of an unauthorized device. Once a PSK is known, a student has the ability to sniff teacher web traffic, and possibly capture email and windows hashes. Additionally, a malicious user could start attacking other machines directly.

WPA2-Enterprise

The best solution would be to implement WPA2-Enterprise, instead of using a pre shared key (WPA2-PSK). This allows individual credentials to be issued. This is implemented by installing client certificates on each machine. This requires a good bit of engineering and is not trivial to set up in larger environments. This page has some good pointers on how to deploy WPA2-Enterprise.

Captive Portal

As @Steve Sether mentioned, the Chillispot captive portal can be used to authenticate users once they have connected to the network. Although I don't have evidence to point to, I suspect such a portal can be bypassed by spoofing MAC and IP addresses. However, it does raise the difficulty and will be easier to manage than MAC Filtering on multiple devices.

MAC Address Filtering

As you mentioned, MAC addresses can be spoofed, so the effectiveness of MAC address filtering is limited. However, many phones prevent spoofing the MAC address, so this will address some of the problematic users. The iPhone for instance, needs to be jailbroken before the MAC address can be changed. The hardest part of using MAC address filtering is going to be managing the list of allowed MAC addresses especially across multiple devices from various vendors.

I would also argue that there is 'legal' benefit of using MAC Address Filtering or a Captive Portal. It can be hard to claim a user was unauthorized to access a network when the password is written on a whiteboard. However, if a user has to explicitly bypass a security restriction, you have a stronger case against the activity.

Using an Internet Proxy to Prevent Unauthorized Uses of HTTPS

Implement a HTTPS solution that uses your own private key. You can install the corresponding certificate to the organization's machines and they won't notice anything different (though the organization should still tell the staff that HTTPS interception is occurring). However, unauthorized devices without the certificate will get a nasty message about HTTPS being invalid whenever they try to browse a secure page. Additionally, since you are decrypting the HTTPS traffic, you will be able to monitor the traffic. For instance, seeing which students log into Facebook will allow you to address those students directly.

Many Content Control implementations offer the ability to decrypt HTTPS traffic. If the school already has a Content Control mechanism in place (such as Bluecoat or Net Nanny), talk to your vendor about how to implement this feature.

Answer 2

You are trying to solve the wrong problem.

They are thousands and you are one. Since you are not a security expert (as far as I understand, sorry if I'm mistaken) and they aren't either but they are a horde, you are just bound to lose if you fight a conventional war.

@AviD gave a great answer in a comment:

Here is a non-technical idea: This is a school, right? So educate them. Teach them the importance of consequences, acceptable use, the illegality of hacking... and yes, proper use of the internet. I mean, give them access, to a separate filtered network if need be, and create some curriculum around that. Classes, internet safety, strict compliance with whatever AUP, etc... Give them access to the network, and use it to teach them to be good internet citizens. And, how to use the internet productively, to assist in their education.

Not only can you not win the war of preventing them from getting access, but even if you do, you'll have accomplished nothing: they still have their devices, they will still get distracted, just in different ways.

Plus, hacking you will teach them valuable lessons, in "problem-solving", we might say. If this is not the kind of problem you want them to be solving, find better, more entertaining or useful, problems.

Please notice that, even if it was feasible (I guess it isn't), barring them from bringing the devices at all isn't a good solution either: they need to learn to have devices at hand and not use them, following the lesson instead. If they don't learn this lesson, in future they'll have the same problem both socially and at work.

Finally, if they can manage not to follow your lessons and still get good grades, then the problem might lie here. Are your tests too easy or too cheatable? Are your lessons useless? This is the point. On the other hand, if they fail the tests, they might/should realise that maybe following the lessons will help them succeed…

---

As DDPWNAGE correctly points out:

This is 2015, right? In my opinion, students should be allowed limited access to the Internet. If you're a high school teacher, ask the school if you can teach a class about using the Internet, and teach some basic computing classes. A growing number of kids are taking interest in these subjects, and a programming language learned in high school can later save a kid thousands in college. I'm graduating from HS this coming Friday, and I'm coming out with an iOS game using Objective-C as logic. Just have kids stay on-topic, and they can do great things.

Answer 3

Ethernet

Before I get flamed by everyone who says iPads don't have ethernet ports, this is simply a single layer of "security".

In most cases teachers should be able to use their laptops with a physical ethernet BASE-100TX CAT5+ plain old physical cable.

You will have reduced the attack surface area (as the keys won't be on the teacher's laptops anymore).

Additionally should the students gain access to the physical CAT5, it would be harder to exploit (you can see a physical device attached to a cable and most phones lack a RJ45 socket).

Answer 4

If passwords are leaking like that, you may have a bigger problem than restricting Wifi access. It sounds as if the kids could do almost anything a teacher can do (including manipulate exam results?) and are routinely doing so at your location.

It sounds as if a little bit of teacher education would solve this, after some detective work to narrow down the source of the leak. It might be a hacked computer or router rather than human error so I'm not advocating anything draconian. I would install some logging, or give teachers individual passwords (temporarily).

Perhaps also make it easier for teachers to get help from an adult, or to use guest accounts if a kid is helping?

Answer 5

Consider an equipment upgrade

I know you're looking for a no-budget solution, but a matching set of enterprise-grade WAPs and central controller could make securing the network easier. Weigh it against the cost of defending against a lawsuit for cyber-bullying, or harassment of an employee, or facilitating the falsification of test scores...

Use MAC filtering

Gathering the MAC addresses gives you a change to talk to each staff member about your expectations for securing their account and equipment. A list of MAC addresses, hardware serial numbers, and other information about school-owned equipment is also important for proving you haven't been subject to theft.

Make DHCP a honeypot

Assign staff-member devices static IP addresses from a manageable range, and allow them whatever access to the Internet is appropriate. Configure DHCP to give out addresses from a different range for unrecognized MAC addresses, and set up a DNAT redirect so that the only thing a user sees when coming from that IP address range is a static webpage with instructions to talk to you:

"This network is operated by XXX school and is for authorized academic use only. If you believe you are seeing this page in error, please see Mr. McQueen in room XXX."

Enforce consequences

If students aren't supposed to have phones and laptops, enforce that. First offense, confiscate the device immeditely, make a parent come pick it up. Second offense, same drill, suspend the student, same as if a student was caught with drugs or a weapon. For those students who have to carry a phone to/from school (if it's a high school, maybe they need a phone for work or their commute to it), make them check it in to the secretary before the school-day starts and check it out afterward.

Answer 6

• Give each authorised user their own individual password. Then you'll be in a position to judge where the leaks are coming from (assuming they're being leaked as opposed to cracked). (eg You may find that need to educate one of your teaching staff not to leave the password written down on his desk).

• Set up harsh firewall rules that block access to most of the internet. Only leave the bare minimum of accessible sites. The students may give up trying to connect if it doesn't give them access to Facebook (for example). Authorised users could easily request a site get unblocked if they need it. The block could also be configured to only apply for wireless connections, that way it won't inconvenience your admin staff who are at their computer on their desk the whole day on a wired connection.

Answer 7

You need to tighten human security, not technical security. WiFi password is good enough, the real questions are "Who is leaking passwords to students?" and "How to stop them?". You can't have any security if privileged persons (staff) share their credentials with the ones you're trying to block.

Setting up different passwords for every single person would only help as such that you'll be able to lock out those who reveal their passwords. And then gradually teach them to be more careful by employing long and troublesome access restoration procedure : D

//edit: After re-reading your question, I realize you've already said how passwords are leaked.

Some of the teachers are not at all comfortable with technology 

So, I can propose extreme means to you:

Then change the technology! Wi-Fi is complicated and confusing. Replace it with cables. Cables are simple and easy to understand: one plugs it in, the lights start blinking and the internet works. Please understand than I don't urge you to physically shut down your Wi-Fi. I merely suggest that most teachers should not use it directly thus have no need of knowing the password.

If you can't get a cable somewhere, a simple access point in client mode will provide Ethernet jack. Password on the admin panel will make it very hard to learn how this AP authorizes to your "backbone" Wi-Fi.

For chromebooks and ipads, set a dedicated Wi-Fi in the room where they're used. You can change it's password after every class and announce the new one when next class starts.

Answer 8

I would use WPA2-Enterprise, so everyone would use own name and password, not just a password, which is same for everyone. To setup WPA2-Enterprise, you just need to have RADIUS server. The cheapest opinion, I think is to buy a NAS server. It supports multiple things and RADIUS sometimes too (I recommend Synology for this).

Alternative is to use some hotspot system to require login, but not all routers supports this and it is quite expensive.

Mentioned MAC filter and DHCP traps are not the main security. It needs to have registered all addresses in router(s), so there is no option to bring your own device. The next thing is, that MAC filter and DHCP traps are crackable in about 5-15 minutes.

To the last paragraph: somebody should tell the teachers that this wrong. Although you can setup device locking after some time of inactivity and many other things, there is no effective way you can stop telling the password to people that should not have the password. Also, they should periodically change passwords.

But I see the whole thing this way: There is no way to stop the hacker (students), you can only make them the hacking harder.

Answer 9

Set up a captive portal that uses RFC 6238 like Google Authenticator (GA) (https://github.com/google/google-authenticator). GA has a PAM module. Have each employee, install the app, then come to your IT office, in person, to set up (sync) their account with the app.

Use the auth token as either the only, or second factor. If the QR codes or secrets get leaked, you're back to chaos, but you should be able to contain that.

You could also use urQui (http://urqui.com/web/) instead of Google Authenticator

Answer 10

I'm going to recommend doing what most public Wi-Fi sources do, and require authentication through a website with individual usernames and passwords. Use a WPA password as well if you want will provide some protection from casual sniffing.

This is available through the free DD-WRT router, specifically through software called ChiliSpot. You can then use a third-party provider to handle the authentication of users.

ChilliSpot is an open source Captive_Portal wireless or LAN access point controller. It is used for authenticating users. It supports web based login which is today's standard for public HotSpots. Authentication, authorization and accounting (AAA) is handled by an on-line provider, or a local radius service you provide.

Each teacher would then have an individual login. While passwords might still "leak", you could easily change any password for one user since the service also offers accounting, and you'd find which person was responsible for leaking the password. Right now I'm sure it's a major pain the change the pre-shared key since it needs to be communicated to so many people, so I'm guessing you don't do it very often. Also, typing in a username and password "feels" more like hacking than just sharing a WPA password (which people do all the time). So even this one change will likely cut down on abuse even if an individual login is leaked.

I'm going to recommend against MAC address filtering because it's a maintenance nightmare every time a teacher wants to connect a new device to the network. It could be done of course, but seems more trouble than it's worth. Also MAC address spoofing is relatively trivial, and once discovered it would just be a matter of time before everyone knew how to do it.

I'm assuming you've already thought of the "enforcement" option and have rejected it for your own reasons. Good. I hope schools don't go further down the road of being more like prisons than places to learn.

Answer 11

Find a way to not give out the password. I don't have experience with this tool, but SpiceWorks has a free Mobile Device Management program at http://www.spiceworks.com/free-mobile-device-management-mdm-software/. Use that to distribute the WPA2 password to all of the computers that are authorized to connect. If a student gets their hands on the installer, that won't help them because you can set it up so the device has to be approved before it gets the password.

Answer 12

802.1X

IEEE 802.1X is a Standard for Port-based Network Access Control (PNAC) - it provides an authentication mechanism to devices wishing to attach to a LAN or WLAN.

There are different ways it can be setup so you'll have to look into what your equipment and needs are, but a typical use-case is if you have an MS ActiveDirectory with all your users (staff) having AD accounts. You can then setup a RADIUS server and users can then authenticate with their normal domain credentials to gain access to the network.

Answer 13

Here's a different strategy. Let's start by assuming the following:

1. Any password you give teachers will leak so long as the teachers have no motivation not to share their passwords
2. Once a password leaks it travels widely via word of mouth
3. Enforcement / action against students for using borrowed passwords is hard
4. We are trying to stop the average student and not a really motivated hacker
5. Having a static list of MACs is too restrictive and can be spoofed anyways
6. Having any sort of dynamic MAC list makes it a lot of day to day work having to add devices and besides that can be spoofed anyways.
7. You don't really care about the odd guy or too logging in illegitimately so long as not so many guys log in to swamp your bandwidth

Now given all this, the only solution I think fits the use case is a frequently changing password. Now admittedly, that might be a little tricky to implement but not impossible.

Let's first think about what might work for your use-case and then we can worry how to implement it. What you need is a system that generates a password with an expiry. Say, every day when someone tries to log in you send them a pass code that works for 8 hours via an off channel medium that would work. e.g. use an SMS / text message to send them the pass code. Cellphones are ubiquitous. Almost all your staff will have them. On the plus side, the password doesn't have to be very long and hard now. A 4 digit or 6 digit number code should be sufficient for most purposes.

In this system, even if a teacher gives away a password, accidentally or intentionally, the damage is minimal because the number of illegitimate users that can get the password in 8 hours is limited. And the password is no good after that.

Basically, make life harder for the bad guys.

If you wanted to make things worse, you could also make it so that any one pass code was only valid for one device.

Implementation: I'm not sure what the systems are called but I've seen this at airports (especially outside the US) and other public places before. I have to enter my Cellphone number and agree to the terms on the Login Page that I am presented when I try to log in to a WiFi network and then the system sends me a text message on my cellphone with the pass code needed for login.

Sending the Text Messages: With something like Twilio or the dozens of other SMS API's online sending the actual message out shouldn't be that hard. At less than a cent per message sent it shouldn't overwhelm your budget.

Alternative to Text Messaging: Use an time based pin code generator like one of those RSA fobs or even Googles own authenticator. But programming this sort of solution and integrating it into your solution might not be trivial.

Answer 14

You are approaching the problem the wrong way, and in the process making yourself (and the institution in general) the enemy. The student body is, collectively, smarter and has more resources. Also don't forget who you work for (them).

If I was in your place I would take the simple route - a completely open student wifi network. Yes, you read that right - no restrictions at all.

The way you "control" it is letting it be well known that the network is monitored. And any "unusual" traffic will be posted on the school website for all to see.

You are including information-age classes, yes? How networks operate, password cracking, information security, scam-of-the-month analysis etc? If not, you are failing at your job as an educator. We are well into the 21st century, this is required knowledge and rather more important than long division or the French Revolution. Their phones already do division.

Answer 15

The Human Problem (Social Engineering)

You have teachers casually handing passwords out to students. The first group you need to educate about the use of the network is your teachers. Otherwise, further security measures are pointless.

Presuming you are using a strong password for the WiFi key and using WPA2 (not WEP or even WPA, but WPA2), the wireless network is not particularly easy to break into.

Which means your teachers are giving the password to your students, either directly and intentionally, or through a lax treatment of security (writing the password down, leaving computers unlocked, etc.)

There are plenty of other answers addressing things like MAC address filtering (pointless), establishing clear consequences for misuse of the network, etc.

Some answers also address the possibility of giving students their own network to use.

The Technical Solution

A few answers have suggested variations of setting up a secure network. This can be done with a relatively minimal investment, and can be easily extended to provide multiple networks for different uses (teacher's/admin network for sensitive stuff, student network for classroom Chromebooks and maybe even limited use of students' own devices).

If you have Active Directory (a Windows server) or a Linux SAMBA server, you can set up WPA-Enterprise authentication on your wireless network.

Further, you can deploy relatively affordable access points that communicate with each other and enable you to serve multiple SSID's (more than one wireless network), each on a separate VLAN. Each VLAN is a separate network and cannot communicate with other VLANs except through a router, so the router is where you establish firewall rules to control what can communicate with what. And one network can use WPA-Enterprise while another uses WPA2, or is open but forces authentication via a captive guest portal, and a firewall preventing connections into the admin network.

Just granting the students a network-connected domain of their own may reduce the number of them who are interested in breaching policy and risking their grades or their summers to break into the sensitive administration network.

I'm not trying to sell any particular gear, but as just one example you can get Ubiquiti Unifi AP's for under $70 each. They can serve up to four SSID's, and the controller software is "free" and runs on Windows or Linux and includes a guest portal enabling you to require visitors (aka "students") to log on individually in order to access the network. You can deploy as many of these as you need in order to get adequate wireless coverage, and devices/laptops will roam seamlessly among all of the AP's. They're PoE devices, so all they need in order to function is an Ethernet cable. http://www.amazon.com/Ubiquiti-Networks-UniFi-Enterprise-System/dp/B004XXMUCQ

You can get a real router for $100 that'll push close to a Gigabit per second through the routing engine (actually, for $50 with somewhat lesser throughput if you get the "little brother" version, and yes I'm thinking of a particular brand). Either of these little routers would give you a single Internet connection (or redundant connections if you prefer) and the ability to segment the network into multiple VLANs and control communications between those segments, and present a different DHCP server to each network segment. So you could direct all the student connections through a proxy server that logs activity and watches for sneaky/inappropriate stuff if that's what you want to do.

You can get an 8 port managed ("smart") Gigabit Ethernet switch with fully adequate VLAN support for $30, or a 24 port version of the switch for $80. For the scale and budget you're dealing with, you don't have to spend thousands of dollars per device to use top-shelf HP Procurve or Cisco switches and super-expensive wireless devices with dedicated hardware controllers. Those are great, don't misunderstand, but if it isn't in the budget, then it isn't in the budget.

For a few hundred dollars, somebody with a little bit of networking knowledge and access to online documentation and forums could set up a robust network.

Answer 16

You should say to the teachers about this, so they would not give passwords to students and then apply WPA2-Enterprise scheme.

Answer 17

There have been many good answers about using WPA Enterprise which is the proper way to secure a multiple user Wifi networks. Captive portals would work too, and I doubt more than a couple students would be bothered trying to spoof MAC addresses and cookies to try to get around that.

Switching to wired Ethernet is my favorite answer. Being in the presence of Wifi is known to have ill effects on people's health. The answers about disciplining students are good too.

The question is how to keep students off of the WiFi network. My answer is make them not want to be on it. This is a school. It is for education. Filter all non educational content on the whole network during school hours. This would prevent both teachers and students from goofing off during school times. It could be done with a white list of educational services, blocking all known non educational content possibly including all non white listed SSL/TLS traffic, and throttling everything that is unknown to 1KB/sec. Multimedia content seems to be what many students are using. 1KB/sec would put an end to that. Teachers could email in advance requesting sites to be unblocked. After a while a nice collection of educational sites would be allowed. Teachers will probably be upset that youtube.com doesn't work. Explain to the teachers that videos must be downloaded in advance using one of the several video downloaders.

If a limited number of teachers need full unfiltered access then an HTTP / HTTPS proxy with a password (or a different password per teacher) could be set up for those teachers. Actually, setting up the entire network to require a proxy to go out is an alternative to securing the wifi.

I realize that this idea goes against what companies like Google want, where their products (like Chromebooks) won't work at all in a filtered network unless you unblock youtube (which is practically everything entertainment wise). Do you want school to be for education, or for big companies to come in and try to bypass teachers and deliver content directly to students?

Another way to filter things is to partially allow it but break it in some way. Youtube does this when they want to censor something. They won't remove it from Youtube, but they'll make it not show up in the related videos. This prevents people from switching away from Youtube where things are as censored, while preventing most people from seeing it. You could randomly assign all MAC addresses belonging to Apple products (like iPhones) to the throttled to 5KB/sec list, assuming the teachers' computers aren't Apple. You could request all teachers to turn off their devices. Then monitor all MAC addresses that are in use and assign those to the filter or block list, or throttle to 5KB/sec. Some student devices will still work and it'll take them a long time to figure out what's going on.

You could monitor sites that you know only students are going on and then block based on MAC addresses. Most of the student & device combinations will prevent MAC address changing. Eventually someone will probably figure out jail breaking and such and so network wide filtering, wired Ethernet, or WPA Enterprise will need to be deployed.