ICT Technician’s Update Conference 17 March 2008


Page 1: ICT Technician’s Update Conference 17 March 2008

ICT Technician’s Update Conference

17 March 2008

Page 2: ICT Technician’s Update Conference 17 March 2008

Introduction

Penny Patterson

Page 3: ICT Technician’s Update Conference 17 March 2008

You Tube and Schools

Penny Patterson

Page 4: ICT Technician’s Update Conference 17 March 2008

Network Access Control

Steve Hanna

Juniper Networks

Page 5: ICT Technician’s Update Conference 17 March 2008

Copyright © 2008 Juniper Networks, Inc. www.juniper.net

Network Access Control for Education

By Steve Hanna, Distinguished Engineer, Juniper

Co-Chair, Trusted Network Connect WG, TCG

Co-Chair, Network Endpoint Assessment WG, IETF

Page 6: ICT Technician’s Update Conference 17 March 2008

Implications of Expanded Network Usage

• Critical data at risk
• Perimeter security ineffective
• Endpoint infections may proliferate
• Network control can be lost

Network Security Decreases As Access Increases

• Mission-critical network assets
• Mobile and remote devices transiting the LAN perimeter
• Broader variety of network endpoints
• Faculty, staff, parent, and/or student access

Page 7: ICT Technician’s Update Conference 17 March 2008

Network Access Control Solutions

Features
• Control Access
  – to critical resources
  – to entire network
• Based on
  – User identity and role
  – Endpoint identity and health
  – Other factors
• With
  – Remediation
  – Management

Benefits
• Consistent Access Controls
• Reduced Downtime
  – Healthier endpoints
  – Fewer outbreaks
• Safe Remote Access
• Safe Access for
  – Faculty, Staff
  – Students, Parents
  – Guests
  – Devices

Network access control must be a key component of every network!

Page 8: ICT Technician’s Update Conference 17 March 2008


What is Trusted Network Connect (TNC)?

Open Architecture for Network Access Control

Suite of Standards to Ensure Interoperability

Work Group in Trusted Computing Group (TCG)

Page 9: ICT Technician’s Update Conference 17 March 2008

TCG: The Big Picture

TCG Standards
• Applications
  – Software Stack
  – Operating Systems
  – Web Services
  – Authentication
  – Data Protection
• Storage
• Mobile Phones
• Servers
• Desktops & Notebooks
• Security Hardware
• Networking
• Printers & Hardcopy

Page 10: ICT Technician’s Update Conference 17 March 2008

TNC Architecture Overview

• Access Requester (AR)
• Policy Enforcement Point (PEP)
• Policy Decision Point (PDP)

[Diagram labels: Wireless, Wired, Network Perimeter (FW, VPN), PDP]

Page 11: ICT Technician’s Update Conference 17 March 2008


Typical TNC Deployments

Uniform Policy

User-Specific Policies

TPM Integrity Check

Page 12: ICT Technician’s Update Conference 17 March 2008

Uniform Policy

[Diagram columns: Access Requester (AR), Policy Enforcement Point (PEP), Policy Decision Point (PDP). Other labels: Network Perimeter, Remediation Network, Production Network, PDP]

Client Rules
• Windows XP
  – SP2
  – OSHotFix 2499
  – OSHotFix 9288
  – AV (one of)
    – Symantec AV 10.1
    – McAfee Virus Scan 8.0
  – Firewall

Non-compliant System
• Windows XP
  – SP2
  – x OSHotFix 2499
  – x OSHotFix 9288
  – AV - McAfee Virus Scan 8.0
  – Firewall

Compliant System
• Windows XP
  – SP2
  – OSHotFix 2499
  – OSHotFix 9288
  – AV – Symantec AV 10.1
  – Firewall

Page 13: ICT Technician’s Update Conference 17 March 2008

User-Specific Policies

[Diagram columns: Access Requester (AR), Policy Enforcement Point (PEP), Policy Decision Point (PDP). Other labels: Network Perimeter, PDP]

Access Policies
• Authorized Users
• Client Rules

Users shown
• Guest User
• Ken – Faculty
• Linda – Finance

Endpoint shown
• Windows XP
  – OSHotFix 9345
  – OSHotFix 8834
  – AV – Symantec AV 10.1
  – Firewall

Networks shown
• Guest Network (Internet Only)
• Classroom Network
• Finance Network
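The decision a PDP makes in the Uniform Policy and User-Specific Policies slides can be written down as a small function. This is an added example, not code from the presentation or from any TNC product: it checks an endpoint's reported posture against the Client Rules on the Uniform Policy slide, then picks a network by role. Assumptions: the role-to-network mapping (faculty to Classroom Network, finance to Finance Network, anyone else to the guest network) is read from the slide labels, and the names `PostureReport`, `Decision`, `check_posture` and `decide` are hypothetical.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Client Rules from the "Uniform Policy" slide.
REQUIRED_OS = "Windows XP"
REQUIRED_SERVICE_PACK = 2  # assumption: SP2 or later is acceptable
REQUIRED_HOTFIXES = frozenset({"2499", "9288"})
ALLOWED_AV = frozenset({("Symantec AV", "10.1"), ("McAfee Virus Scan", "8.0")})

# Networks named on the slides; the role mapping is an assumption.
ROLE_NETWORK = {"faculty": "Classroom Network", "finance": "Finance Network"}
GUEST_NETWORK = "Guest Network (Internet Only)"
REMEDIATION_NETWORK = "Remediation Network"


@dataclass(frozen=True)
class PostureReport:
    """Health data an Access Requester sends to the PDP (constructed model)."""
    os: str
    service_pack: int
    hotfixes: FrozenSet[str]
    antivirus: Optional[Tuple[str, str]]  # (product, version) or None
    firewall_enabled: bool


@dataclass(frozen=True)
class Decision:
    network: str
    failures: Tuple[str, ...] = ()


def check_posture(report: PostureReport) -> Tuple[str, ...]:
    """Return every rule the endpoint fails, so remediation knows what to fix."""
    failures = []
    if report.os != REQUIRED_OS:
        failures.append(f"unsupported OS {report.os}")
    if report.service_pack < REQUIRED_SERVICE_PACK:
        failures.append(f"service pack below SP{REQUIRED_SERVICE_PACK}")
    for hotfix in sorted(REQUIRED_HOTFIXES - report.hotfixes):
        failures.append(f"missing hotfix {hotfix}")
    if report.antivirus not in ALLOWED_AV:
        failures.append("no approved anti-virus")
    if not report.firewall_enabled:
        failures.append("firewall disabled")
    return tuple(failures)


def decide(role: Optional[str], report: Optional[PostureReport]) -> Decision:
    """Identity first, then health: the order keeps unknown users least privileged."""
    network = ROLE_NETWORK.get(role or "")
    if network is None:
        # Unknown or guest user: Internet-only access, no internal networks.
        return Decision(GUEST_NETWORK)
    if report is None:
        # Authorized user but nothing to evaluate: treat as unhealthy.
        return Decision(REMEDIATION_NETWORK, ("no posture report",))
    failures = check_posture(report)
    if failures:
        return Decision(REMEDIATION_NETWORK, failures)
    return Decision(network)


if __name__ == "__main__":
    # Constructed endpoints matching the two systems on the Uniform Policy slide.
    compliant = PostureReport("Windows XP", 2, frozenset({"2499", "9288"}),
                              ("Symantec AV", "10.1"), True)
    non_compliant = PostureReport("Windows XP", 2, frozenset(),
                                  ("McAfee Virus Scan", "8.0"), True)
    for who, role, report in [("Ken", "faculty", compliant),
                              ("Linda", "finance", non_compliant),
                              ("Guest User", None, None)]:
        print(who, "->", decide(role, report))
```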

Page 14: ICT Technician’s Update Conference 17 March 2008

TPM Integrity Check

[Diagram columns: Access Requester (AR), Policy Enforcement Point (PEP), Policy Decision Point (PDP). Other labels: Network Perimeter, Production Network, PDP]

Client Rules
• BIOS
• OS
• Drivers
• Anti-Virus Software

Compliant System (TPM Verified)
• BIOS
• OS
• Drivers
• Anti-Virus Software

TPM – Trusted Platform Module
• Hardware module built into most of today’s PCs
• Enables a hardware Root of Trust
• Measures critical components during trusted boot
• PTS interface allows PDP to verify configuration and remediate as necessary
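How measuring components during trusted boot lets a PDP verify configuration can be modelled in a few lines. This is an added example, not code from the presentation or from a TPM stack: it uses the TPM 1.2 extend rule (new PCR = SHA-1 of old PCR followed by the measurement) and shows the two checks a verifier makes. Assumptions: a single PCR, constructed component images, no signed quote (the reported PCR is simply trusted as coming from the TPM), and hypothetical function names.

```python
import hashlib

PCR_SIZE = 20  # SHA-1 digest length used by TPM 1.2 PCRs
COMPONENTS = ("BIOS", "OS", "Drivers", "Anti-Virus Software")  # from the slide


def measure(component: bytes) -> bytes:
    """A measurement is the hash of the component about to run."""
    return hashlib.sha1(component).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCRs cannot be set, only extended, so history cannot be rewritten."""
    return hashlib.sha1(pcr + measurement).digest()


def replay(log) -> bytes:
    """Recompute the PCR a log would produce, starting from the reset value."""
    pcr = bytes(PCR_SIZE)
    for _name, digest in log:
        pcr = extend(pcr, digest)
    return pcr


def boot(images):
    """Endpoint side: measure each component in order, return (log, final PCR)."""
    log = [(name, measure(images[name])) for name in COMPONENTS]
    return log, replay(log)


def verify(log, reported_pcr: bytes, known_good) -> list:
    """PDP side: return a list of problems; an empty list means compliant."""
    problems = []
    # Check 1: the software-supplied log must reproduce the hardware PCR.
    if replay(log) != reported_pcr:
        problems.append("measurement log does not match reported PCR")
    # Check 2: every required component is present, in order, and known-good.
    if [name for name, _ in log] != list(COMPONENTS):
        problems.append("unexpected component sequence")
    for name, digest in log:
        if known_good.get(name) != digest:
            problems.append(f"unexpected measurement for {name}")
    return problems


# Constructed sample data: reference images and their known-good digests.
GOOD_IMAGES = {name: f"{name} reference image (constructed)".encode()
               for name in COMPONENTS}
KNOWN_GOOD = {name: measure(image) for name, image in GOOD_IMAGES.items()}

if __name__ == "__main__":
    log, pcr = boot(GOOD_IMAGES)
    print("clean boot:", verify(log, pcr, KNOWN_GOOD))

    # A modified driver changes its measurement and therefore the PCR.
    tampered = dict(GOOD_IMAGES, Drivers=b"modified driver (constructed)")
    bad_log, bad_pcr = boot(tampered)
    print("modified driver:", verify(bad_log, bad_pcr, KNOWN_GOOD))

    # Rewriting the log to look clean fails, because the PCR still reflects
    # what was actually measured.
    forged_log = [(name, KNOWN_GOOD[name]) for name in COMPONENTS]
    print("forged log:", verify(forged_log, bad_pcr, KNOWN_GOOD))
```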

Page 15: ICT Technician’s Update Conference 17 March 2008

TNC Architecture in Detail

[Diagram: TNC components and interfaces across the Access Requester (AR), Policy Enforcement Point (PEP) and Policy Decision Point (PDP) columns]

Components shown
• Integrity Measurement Collectors (IMC)
• Integrity Measurement Verifiers (IMV)
• TNC Client (TNCC)
• TNC Server (TNCS)
• Network Access Requestor
• Policy Enforcement Point (PEP)
• Network Access Authority
• Platform Trust Service (PTS)
• TSS
• TPM

Interfaces shown: IF-M, IF-IMC, IF-IMV, IF-TNCCS, IF-T, IF-PEP, IF-PTS

Page 16: ICT Technician’s Update Conference 17 March 2008

TNC Status

• TNC Architecture and all specs released
  – Available Since 2006 from TCG web site
• Rapid Specification Development Continues
  – New Specifications, Enhancements
• Number of Members and Products Growing Rapidly
• Compliance and Interoperability Testing and Certification Efforts under way

Page 17: ICT Technician’s Update Conference 17 March 2008

TNC Vendor Support

• Access Requester (AR): Endpoint – Supplicant/VPN Client, etc.
• Policy Enforcement Point (PEP): Network Device – FW, Switch, Router, Gateway
• Policy Decision Point (PDP): AAA Server, Radius, Diameter, IIS, etc.

Page 18: ICT Technician’s Update Conference 17 March 2008

TNC/NAP/UAC Interoperability

• Announced May 21, 2007 by TCG, Microsoft, and Juniper
• NAP products implement TNC specifications
  – Included in Windows Vista, Windows XP SP 3, and Windows Server 2008
• Juniper UAC and NAP can interoperate
  – Demonstrated at Interop Las Vegas 2007
  – UAC will support IF-TNCCS-SOH in 1H2008
• Customer Benefits
  – Easier implementation – can use built-in Windows NAP client
  – Choice and compatibility – through open standards

Page 19: ICT Technician’s Update Conference 17 March 2008


NAP Vendor Support

Page 20: ICT Technician’s Update Conference 17 March 2008

What About Open Source?

• Several open source implementations of TNC
  – University of Applied Arts and Sciences in Hannover, Germany (FHH): http://tnc.inform.fh-hannover.de
  – libtnc: https://sourceforge.net/projects/lib/tnc
  – OpenSEA 802.1X supplicant: http://www.openseaalliance.org
  – FreeRADIUS: http://www.freeradius.org
• TCG support for these efforts
  – Liaison Memberships
  – Open source licensing of TNC header files

Page 21: ICT Technician’s Update Conference 17 March 2008

Summary

• Network Access Control provides
  – Strong Security and Safety
  – Tight Control Over Network Access
  – Reduced PC Administration Costs
• Open Standards Clearly Needed for NAC
  – Many, Many Vendors Involved in a NAC System
  – Some Key Benefits of Open Standards: Ubiquity, Flexibility, Reduced Cost
• TNC = Open Standards for NAC
  – Widely Supported – HP, IBM, Juniper, McAfee, Microsoft, Symantec, etc.
  – Can Use TPM to Detect Root Kits

TNC: Coming Soon to a Network Near You!

Page 22: ICT Technician’s Update Conference 17 March 2008

For More Information

• TCG Web Site
  – https://www.trustedcomputinggroup.org
• Juniper UAC Web Site
  – http://www.juniper.net/products_and_services/unified_access_control
• Steve Hanna
  – Distinguished Engineer, Juniper Networks
  – Co-Chair, Trusted Network Connect Work Group, TCG
  – Co-Chair, Network Endpoint Assessment Working Group, IETF
  – email: [email protected]
  – Blog: http://www.gotthenac.com

Page 23: ICT Technician’s Update Conference 17 March 2008

LGfL Network 2009 - 2012

Stuart Tilley

Synetrix

Page 24: ICT Technician’s Update Conference 17 March 2008

Presented by: Stuart Tilley - Network & Systems

Technician Conference – Network overview and proposed enhancement 2008 - 2012

17th March 2008

Page 25: ICT Technician’s Update Conference 17 March 2008

Overview

• Introduction
• Current Network Overview
• Proposed Technology Refresh
  – Core Network
  – Access Network
  – Access bandwidth
  – URL filtering
  – Edge CPE
• Summary

Page 26: ICT Technician’s Update Conference 17 March 2008

Introduction

• Current Network Implemented in April 2002
• Designed and Built by Synetrix, a key LGfL service provider
• Emerging Technology (MPLS) and vendor choice has provided a platform for:
  – Delivery of High availability and scalable Broadband services
  – Secure and safe educational environment
  – New service development and delivery
  – Shared community network (LPSN)
• Network Refresh - keeping pace with technology to and beyond 2012

Page 27: ICT Technician’s Update Conference 17 March 2008

The London Network – Physical Topology

[Diagram: map of the physical topology. Legend: Core Network Node; Aggregation Point (AP); Core 10Gbps Links; Nodal Loop 100Mbps; Nodal Loop 1Gbps. Sites shown: Croydon, Purley, Merton, Bromley, Bexley Heath, Welling, Lewisham, Richmond, Hayes, Harrow, Park Royal, Earls Court, Telehouse, Romford, Barnet, Haringey, Newham, Waltham Forest, Enfield, Lambeth, Camden]

Page 28: ICT Technician’s Update Conference 17 March 2008

The London Network

Physical Network Topology
• 3 Core locations and 21 Aggregation Points serving 33 London Authorities
• Resilient dark fibre connecting core locations (10Gb/sec – OC192 SDH)
• APs connected to core by resilient nodal loops, currently 1Gb or 100Mb capacity
• Resilient Service Hosting – SLB
• Resilient Tier 1 ISPs (Thus, Abovenet, UKERNA, BBC)
  – Total Internet Capacity 6Gbps
• All Broadband services delivered over fibre (scalable bandwidth)

Page 29: ICT Technician’s Update Conference 17 March 2008

The London Network – Logical

[Diagram: logical network topology. Author: Stuart Tilley. Date: 25/01/2006]

Labels in the diagram
• Core sites: Earls Court, Park Royal, Telehouse, each with a 160Gbps Router and MPLS VPNs (VPN1, VPN2, VPN3), joined by 10Gbps core links
• Aggregation Points (AP): Camden, Waltham Forest, Newham
• External peering: 6Bone (native IPv6 peering, BGP4), BBC (BGP4), UKERNA (BGP4), Internet (BGP4); link labels 1Gbps and 2Gbps
• Services: Virtual Firewalls, Gigabit Firewall, URL, Virus, email & Web, SLB
• Link types: SHDS - WES 1000 (1Gbps); SHDS - WES 100Mbps; SHDS or Dark Fibre - 100M-2.4Gbps MPLS; Dark Fibre - OC192 MPLS (10Gbps)
• MPLS IP VPNs: LEA1, LEA2, LEA3

Notes in the diagram
• Edge sites connected at 2, 5, 10 & 100Mbps Ethernet
• Edge sites configured into appropriate VPN at any AP
• Edge sites access core services via resilient MPLS core/access network with QoS applied dependent on application
• Participate in same L2 broadcast domains as Earls Court
• Participate in same L2 broadcast domains as Park Royal

Page 30: ICT Technician’s Update Conference 17 March 2008

The London Network

Logical Network
• MPLS core network
• Dedicated RFC2547bis Layer 3 VPNs
  – Provides fully routed Virtual WANs per ‘customer’ (LEA or LA)
  – Totally autonomous routing policy and access control per Virtual WAN – WMSv1 & v2
  – Virtual WANs distributed across complete physical network
• QoS Support

Page 31: ICT Technician’s Update Conference 17 March 2008

Network Statistics

• Total of edge bandwidth purchased 23Gbps

• Total traffic transiting network 3Gbps (average)

• Total capacity of Juniper access layer 228Gbps

• Total Capacity of Juniper core 480Gbps

• Total Internet Bandwidth - (Sept 2002) 30Mbps today averaging over 2Gbps

• HTTP traffic via URL service 1.5Gbps

• Requests served from Cache 400Mbps

Page 32: ICT Technician’s Update Conference 17 March 2008

Proposed Core Technology upgrade

• Upgrade existing Juniper M160 with Next Generation MX960
• Fully resilient chassis (redundant HW) such as:
  – Power Supplies
  – Cooling fans
  – Routing Engines (RE)
  – Switch Control Board
• Fully resilient design/configuration
  – Dual Dense Port Concentrators (DPCs) 10G + 1G
  – Support resilient backbone and core switching
• JUNOS code – leading standards development
• Low risk migration

Page 33: ICT Technician’s Update Conference 17 March 2008

Proposed Core Technology Upgrade

Proposed MX960 core build

[Diagram: front-panel views of three MX960 routers, labelled Earls Court Core, Park Royal Core and Telehouse Core, with Summit X450e-48p switches. Link labels: 10Gbps, 10Gbps, 1Gbps. Annotations: "Aggregated 10Gbps uplinks supporting L2 & L3 services"; "Extreme Virtual Switch providing server aggregation" (shown twice)]

Page 34: ICT Technician’s Update Conference 17 March 2008

Proposed Access Technology Upgrade

• Replace Existing M10 with Juniper M10i
• Fully resilient chassis (redundant HW) such as:
  – Power Supplies
  – Cooling fans
  – Routing Engine (RE)
  – Forwarding Engine Board (FEB)
• Fully resilient Design/Configuration
  – 2 x 1Gbps Nodal loop Interfaces
  – 2 x 1Gbps Virtual switch uplinks (initial deployment)

Page 35: ICT Technician’s Update Conference 17 March 2008

Proposed Access Technology Upgrade

• Replace Existing Extreme S48i aggregation switch with Juniper EX4200
• Redundant Power supply
• Virtual Chassis Configuration (max 10)
• 48 port 10/100/1000 capability
• Architecture design based on high-end core routing products
  – Packet Forwarding Engine
  – Routing Engine

Page 36: ICT Technician’s Update Conference 17 March 2008

Proposed Access Technology Upgrade

• Fully resilient design/configuration
  – Virtual chassis deployment
  – Multiple 1Gbps uplinks (resilience)

[Diagram: Sample AP Configuration, Existing Design and Proposed Design side by side, each showing an Aggregation Point (AP), BT LES service Active Equipment (A end and B end) and an Edge Site. Annotation: "Point to Point fibre delivered via ‘A’ end and ‘B’ end BT serving exchange"]

Labels in the diagram
• M10 router and Extreme Networks Summit48si switches
• Resilient 200Mbps Capacity Links
• 100Mbps Nodal Loop
• 2, 5, 10, 100 Service delivery
• Fully resilient M10i (redundant PSU, routing and forwarding engines)
• EX4200 48 port 10/100/1000 switches (max 10 per stack)
• Virtual Switch
• 2Gbps Aggregated Uplink
• 1Gbps Nodal Loops
• 2, 5, 10, 100 & 1000Mbps Service delivery

Page 37: ICT Technician’s Update Conference 17 March 2008

Access Bandwidth Upgrade

• All current 100Mbps nodal loops upgraded to 1Gbps
  – Merton – Croydon
  – Merton – Earls Court
  – Bromley – Croydon
  – Bromley – Welling
  – Lewisham – Welling
  – Welling – Bexleyheath
  – Romford – Bexleyheath
  – Romford – Telehouse
  – Waltham Forest – Camden
  – Haringey – Camden
  – Haringey – Barnet
  – Hayes – Harrow
• Prevent degradation of service in the event of primary loop failure
• Enhanced Traffic Engineering capability

Page 38: ICT Technician’s Update Conference 17 March 2008

Access Bandwidth Upgrade

[Diagram: map of the upgraded access network. Legend: Core Network Node; Aggregation Point (AP); Core 10Gb Links; Nodal Loop 1Gbps. Sites shown: Park Royal, Lambeth, Richmond, Harrow, Hayes, Merton, Barnet, Enfield, Camden, Haringey, Newham, Waltham Forest, Telehouse, Croydon, Welling, Romford, Bexley Heath, Bromley, Lewisham, Earls Court, Purley]

Page 39: ICT Technician’s Update Conference 17 March 2008

URL Filtering Platform Enhancements

• Evaluation exercise underway: “Squid MkII” vs Bluecoat 8100
• Scaled to 2.5Gbps (N+1 resilience total 5Gbps)
• Additional Active/passive F5s deployed to scale beyond 2.5Gbps
• Current total filtered traffic 1.5Gbps
• Expect 500Mbps year on year increase

Page 40: ICT Technician’s Update Conference 17 March 2008

URL Filtering Platform Enhancements

[Diagram: SQUID cache server hardware, showing Disks 1 to 8, two 4-Core CPUs, memory and network interfaces]

• Operating System (RAID1): mirrored disks, hot-swappable
• Cached Objects (RAID5): hot-swappable
• Represents a 4x performance benefit over current hardware
• EXT3 filesystem for operating system
• XFS filesystem
  – Supports stripe-aligned storage blocks for better RAID performance
  – Balanced trees for fast i-node lookups
  – Ideal for many small files (typically 25KB)
  – XFS Allocation Groups allow concurrent (multi-threaded) access to stored objects
• 2x 4-Core CPU allowing 8 concurrent execution threads/processes to handle users' requests, cache lookups and drive the high-performance XFS file system. Represents a minimum of 8x performance benefit over current hardware
• 2x 1Gbps copper ethernet interfaces, one facing the internet, the other facing the user, representing a 10x performance improvement over current hardware
• 32GB RAM for super fast access to the most frequently accessed cached objects. Represents a 16x performance benefit over current hardware

Page 41: ICT Technician’s Update Conference 17 March 2008

Replacement CPE

• Extreme 24e3/S200 replaced with Juniper J2320
• Features
  – Forwarding performance IMIX 400Mbps
  – 3DES performance 170Mbps
  – 4 onboard 10/100 ports
  – 3 Physical Interface Card (PIM) slots
• ES code – Combines session state information/next hop forwarding
• MPLS support fast reroute (resilient fibre services)

Page 42: ICT Technician’s Update Conference 17 March 2008

Summary

• High availability, scalable future proof infrastructure
• Low risk implementation/migration
• Continued delivery of existing Network Centric services such as:
  – Securestore
  – Desktop Content Control (DCC)
  – Campus Monitoring Protection (CMP)
  – High Definition Video Conferencing (HDVC)
  – Secure Remote Access (SRA)
  – Broadband Resilience Service (BRS)
• Enhanced distributed functionality – enabling new service developments such as:
  – Virtual Private LAN Services (VPLS)
  – Broadcast video
  – High capacity Resilient Broadband Services
  – Security Services

Page 43: ICT Technician’s Update Conference 17 March 2008

Per-User URL Filtering

Stewart Duncan

Technical Manager

Page 44: ICT Technician’s Update Conference 17 March 2008

Current URL Filtering

• LGfL URL Filtering Service is based around the NetSweeper Product

• Policies can currently be configured by IP address and time of day

• Reporting features are available to report on IP based sessions

Page 45: ICT Technician’s Update Conference 17 March 2008

What is required?

• Schools and LAs would like to identify end users for reporting

• Have the ability to set up different policies for individual users or groups of users

• IT Managers and Head Teachers need the ability to track URL traffic for an individual rather than a specific IP address

Page 46: ICT Technician’s Update Conference 17 March 2008

What are LGfL doing to help?

• LGfL working with Synetrix and Atomwide to enable the platform to offer Per-User/Group level Filtering

• Enabling the USO to link with the NetSweeper Platform

• Allow local management of User Policies through a web based front-end

Page 47: ICT Technician’s Update Conference 17 March 2008

Where we are so far

• A trial is currently taking place in various locations across London

• So far the trial is going well and bugs are being identified and cleared up

Page 48: ICT Technician’s Update Conference 17 March 2008

What does it Look like?

The new front end allows configuration of multiple groups each with a separate policy.

Page 49: ICT Technician’s Update Conference 17 March 2008

What does it Look like?

Here you can configure which users belong to which policy within the USO.

Page 50: ICT Technician’s Update Conference 17 March 2008

What does it Look like?

Users are then prompted to log in when they run Internet Explorer and try and access the web.

Page 51: ICT Technician’s Update Conference 17 March 2008

What does it Look like?

If users try and breach the policy they belong to, the standard deny page is displayed with details of the Group Name they belong to.

Page 52: ICT Technician’s Update Conference 17 March 2008

Summary

• Per User Level Filtering will be available for Schools and LAs soon.

• It is available from Synetrix

• Support is available on 08700 636465 (option 1) or by email.

• The service will cost:

• £145 setup and £225 per year

Page 53: ICT Technician’s Update Conference 17 March 2008

SIF

The Schools Interoperability Framework

Rupert Hay Campbell

Barking and Dagenham

Page 54: ICT Technician’s Update Conference 17 March 2008

SIF in Barking & Dagenham

Rupert Hay-Campbell

Page 55: ICT Technician’s Update Conference 17 March 2008

Contents

• What is SIF?
• About Barking & Dagenham
  – MIS systems in use
  – Data requirements & issues
• SIF in Barking & Dagenham

Page 56: ICT Technician’s Update Conference 17 March 2008

What is SIF?

• In the UK SIF has developed out of a number of Government initiatives:
  – Harnessing Technology
  – School Management Information systems and value for money

Recommendation 3

That Becta will establish a supplier-independent and open interoperability architecture to create the opportunity for improved interoperability at the school level and at the LEA or regional broadband consortium (RBC) level. Additionally Becta’s interoperability arrangements will draw, to the maximum extent possible, on ongoing work across Government on interoperability standards.

School Management Information Systems and Value for Money, Becta 2005, p. 4

Page 57: ICT Technician’s Update Conference 17 March 2008

What is SIF?

• An open standard, launched in the USA in 1997
  – Over 300 software vendors, school districts and other organisations are members
• A standard, not a product
• Standards are developed by the members, not imposed by a central authority
• Clear governance model
• Certification of products

Page 58: ICT Technician’s Update Conference 17 March 2008

What is SIF?

• Hub and spoke model of data integration
• Zone Integration Server
  – A software application that acts as the hub ensuring that data is routed to the correct applications
• SIF agent
  – A piece of software that connects an application to the ZIS

Page 59: ICT Technician’s Update Conference 17 March 2008

SIF – Publish/Subscribe model

[Diagram: School MIS, Catering System, School Network, LA Main System and Library System, each connected through a SIF Agent to the LA Zone Integration Server]

1. A change is made to the data held in a publishing application
2. The ZIS works out which applications subscribe to the data items
3. The Data is then sent to the subscribing applications

Page 60: ICT Technician’s Update Conference 17 March 2008

SIF – Request/Response model

[Diagram: School MIS, Catering System, School Network, LA Main System and Library System, each connected through a SIF Agent to the LA Zone Integration Server]

1. An application requests data relating to an object
2. The ZIS identifies the default provider for the object and routes the request
3. The provider responds with the requested data

Page 61: ICT Technician’s Update Conference 17 March 2008

What is SIF?

What would a national SIF infrastructure look like?

• Multiple zones
• Hierarchy of zones
• What happens to school census?

Page 62: ICT Technician’s Update Conference 17 March 2008

Data challenges

• Large number of data systems in schools and Children’s Services

• Data systems do not share information
  – Inefficient working with large scale re-entry of data, data errors and inconsistencies

• ContactPoint and LDQT represent significant challenges

• Learning Platform developments

Page 64: ICT Technician’s Update Conference 17 March 2008

The LGfL USO

Ian Lehmann

Operations Manager

Page 65: ICT Technician’s Update Conference 17 March 2008

What is USO?

Unified Sign On (USO)

A term used by LGfL to describe an authentication system where the same username and password is used to gain access to a wide variety of systems.

In this scenario it is necessary to enter the username and password once for each service that is accessed.

However, a user can alter his/her password in one place and have that change propagate to all systems

Page 66: ICT Technician’s Update Conference 17 March 2008

What is the LGfL USO?

• A database of users within London and the UK

• A database of users which can be maintained by nominated contacts in schools and Local Authorities

• A system for authenticating against LGfL protected resources both Web (Shibboleth) and non-web based.

Page 67: ICT Technician’s Update Conference 17 March 2008

Service access illustration for LGfL USO User Account holders:

All Users

USO Username

Single Username & Password
• LGfL Podcast service
• LGfL Weather Station monitoring system
• LGfL Premium content
• The Digitalbrain portal
• Click to Meet video conferencing system
• Sophos Anti-Virus update service
• Windows Update Services (WSUS)
• LGfL Support services and advisory web sites
• PAN London Admissions System
• Other VLE/MLEs, including: It’s Learning, Moodle, First Class, Uniservity
• Adobe Connect web collaboration suite
• Atomwide WebScreen
• Atomwide Shibboleth enabled Email Filtering
• Atomwide VPN Remote Access Services
• Synetrix USO Integrated Filtering (UIF)
• Synetrix Email Systems’ Email Content Control
• Synetrix Remote Secure Access Service
• Synetrix E-Safety Service
• LGfL MLE (Fronter)
• LGfL StaffMail
• LGfL LondonMail
• LGfL MailProtect

With ADSync and/or LASync options
• Access to School LAN ‘Home’ and ‘Shared’ areas, and to applications authenticated via the local AD
• Access to LA AD authenticated applications inc.: Capita SIMS Learning Gateway

Page 68: ICT Technician’s Update Conference 17 March 2008

Shibboleth-enabled services:

• LGfL Podcast service
• LGfL Weather Station monitoring system
• LGfL Premium content
• The Digitalbrain portal
• LGfL MLE (Fronter)

USO Username (Staff Only)
For USO/Shibboleth services, inc.:

Digitalbrain Username
For Digitalbrain Service, plus:

Fronter Username
For Fronter Service, plus:

Service access illustration for Non Full-USO User Account holders:

With ADSync and/or LASync

Access to School LAN ‘Home’ and ‘Shared’ areas, and to applications authenticated via the local AD

Access to LA AD-applications inc.: SIMS Learning Gateway, SharePoint, Corporate Services

Atomwide/LGfL USO-only Services:

• Click to Meet video conferencing system
• Sophos Anti-Virus update service
• Windows Update Services (WSUS)
• LGfL Support services and advisory web sites
• PAN London Admissions System
• Other VLE/MLEs, including: It’s Learning, Moodle, First Class, Uniservity
• Adobe Connect web collaboration suite
• Atomwide WebScreen
• Atomwide Shibboleth-enabled Email Filtering
• Atomwide VPN Remote Access Services
• Synetrix USO Integrated Filtering (UIF)
• Synetrix Email Systems’ Email Content Control
• Synetrix Remote Secure Access Service
• Synetrix E-Safety Service
• LGfL StaffMail
• LGfL LondonMail
• LGfL MailProtect

Page 69: ICT Technician’s Update Conference 17 March 2008

What other advantages does the LGfL USO provide?

• The USO provides a school or Local Authority with one database of users for authentication against any service.

• The LGfL USO can provide authentication for the Per User Level Filtering service offered by NetSweeper.

• The LGfL USO can also be used to synchronize with the local school or LA Active Directory system.

Page 70: ICT Technician’s Update Conference 17 March 2008

What does ADSync Look like?

The LGfL USO ADSync does provide one Username and Password for all services

Page 71: ICT Technician’s Update Conference 17 March 2008

How can you get the LGfL USO for your school or LA?

• Details of the LGfL USO are available from your LA or LGfL representative

• Alternatively see www.uso.lgfl.net for further information or contact [email protected]

Page 72: ICT Technician’s Update Conference 17 March 2008

LGfL Managed Email Services

Brian Durrant

Chief Executive

London Grid for Learning

Page 73: ICT Technician’s Update Conference 17 March 2008

StaffMail

Page 74: ICT Technician’s Update Conference 17 March 2008

StaffMail

• For Staff, Governors and Admin
• Delivered in conjunction with Atomwide
• Dual Hosted (Telehouse and Park Royal)
• Fault Tolerant & Resilient
• Full Exchange 2007 Functionality
• 5GB Mailbox Limit
• Max 20MB Email Size inc. attachments
• Provided ‘free’ to LGfL Schools

Page 75: ICT Technician’s Update Conference 17 March 2008

StaffMail Features

• Personal and shared calendaring
• Personal and shared address books
• Accessible via:
– MS Outlook
– MS Outlook Web Access
– Outlook Mobile Access (compatible PDA or m’phone)
• POP3, SMTP, IMAP protocols supported, and mail forwarding

Page 76: ICT Technician’s Update Conference 17 March 2008

StaffMail Login Screen

• Access to StaffMail is via LGfL USO

Page 77: ICT Technician’s Update Conference 17 March 2008

StaffMail Outlook Web Access

Page 78: ICT Technician’s Update Conference 17 March 2008

StaffMail & MailProtect

• All email scanned for viruses, spam and inappropriate content by LGfL MailProtect.

• Staff can control spam including access to spam release, email spam digest reporting, and email in/out reporting.

Page 79: ICT Technician’s Update Conference 17 March 2008

StaffMail on-line identity & domains

• By default each user will receive an email address based upon their USO account name with a domain name of lgflmail.org

• For example, ‘John Smith’ may receive a USO user name of jsmit001.318 and an email address of [email protected]

• LAs may supply their own domain (e.g. lbwf.org) and this may be applied to all users in the LA

• Schools may supply their own domain name “schoolname.la.sch.uk” and this may be applied to all of the users in the USO in their school

Page 80: ICT Technician’s Update Conference 17 March 2008

StaffMail Address Books

• Each user may add and delete entries from their own private address book

• a school staff member will see:
– all staff at their school - only
– all pupils at their school that are using LondonMail
– the LA shared list

• a LA staff member will see:
– school lists of staff
– the LA shared list

Page 81: ICT Technician’s Update Conference 17 March 2008

LondonMail

Page 82: ICT Technician’s Update Conference 17 March 2008

LondonMail

• A Microsoft Live@edu service, branded LGfL, offered as a turn-key solution for use by pupils.

• high availability web-mail service for curriculum use
• inbound and outbound mail filtering by Microsoft
• protects against viruses, spam and inappropriate content
• all inbound email also scanned for viruses, spam and inappropriate content by LGfL MailProtect
• Exchange Functionality hosted by Microsoft in Dublin
• 5GB Mailbox Limit
• Max 20MB Email Size including Attachments
• Provided ‘free’ to LGfL Schools

Page 83: ICT Technician’s Update Conference 17 March 2008

LondonMail Features

• Personal and shared calendaring
• Personal address books
• Accounts will be accessible via:
– MS Outlook
– MS Outlook Web Access
– Outlook Mobile Access (compatible PDA or m’phone)
• POP3, SMTP, IMAP protocols supported, and mail forwarding

Page 84: ICT Technician’s Update Conference 17 March 2008

LondonMail Outlook Web Access

Page 85: ICT Technician’s Update Conference 17 March 2008

LondonMail - identities & domains

• each user is allocated an email address based upon their existing USO or new USOlite account name

• ‘John Smith’ receives jsmit001.318 and an email address of [email protected]

• As a Becta Accredited Internet Services Provider LGfL supports email address anonymity. As a requirement of accreditation, LGfL enables LAs and schools to reduce the risk to pupils by providing by default email addresses that protect pupils' anonymity

• An LA may choose to supply their own domain (lbwf.org) and this may be applied to all users in the LA

Page 86: ICT Technician’s Update Conference 17 March 2008

MailProtect

Page 87: ICT Technician’s Update Conference 17 March 2008

MailProtect

• Used in conjunction with LGfL StaffMail and LondonMail services

• MailProtect uses email filtering technology provided by Email Systems

• Dual Hosted (Telehouse and Park Royal)

• Fault Tolerant & Resilient

Page 88: ICT Technician’s Update Conference 17 March 2008

Service Documentation

• The most current versions can be found on the LGfL Support website (http://support.lgfl.net)

• LGfL Managed Microsoft Exchange Email Service for Staff (StaffMail)

• LGfL Managed Microsoft Exchange Email Service for Pupils (LondonMail)

• LGfL Email Content Control (MailProtect)
• USO Service Description
• USO Service Datasheet
• USO Service Pricing

Page 89: ICT Technician’s Update Conference 17 March 2008

Timelines

• 020 8255 5555 Support Number – Now!
• StaffMail pilot users – 17 March 2008
• StaffMail first LA – 31 March 2008
• LondonMail test users – 21 April 2008
• LondonMail pilot schools – 2 June 2008
• LondonMail first LA – 24 July 2008
• MailProtect – 17 March 2008
• Full Production All Services – 3 September 2008

Page 90: ICT Technician’s Update Conference 17 March 2008

Migration from @mail

• LGfL @mail will cease service 31.10.08

• Contact lists will be migratable

• If full migration is required, use Synetrix Email Hosting sync utility

Page 91: ICT Technician’s Update Conference 17 March 2008

Future

• StaffMail RIM (Blackberry) Access

• LondonMail Shared Contact Lists

Page 92: ICT Technician’s Update Conference 17 March 2008

Finally….

New

low-cost LGfL

support number

Page 93: ICT Technician’s Update Conference 17 March 2008

020 82 55 55 55

• Local call on 020 82 55 55 55

• Same as 08700 63 64 65 (but cheaper!)

• 08700 63 64 65 still operational

• The help desk for StaffMail and LondonMail Services is via Option 3

Page 94: ICT Technician’s Update Conference 17 March 2008

Microsoft Dublin Data Centre

Page 95: ICT Technician’s Update Conference 17 March 2008

LondonMail & USO-lite

• LGfL USOlite accounts may be provisioned for certain individual services, such as LGfL LondonMail. Where these have been provisioned, the account is restricted for use only with those designated services

• In the event of non USO account holders subscribing to multiple services that are supplied complete with a USOlite account, then the user may be able to use the same credentials for each service. USOlite accounts cannot access LGfL Shibboleth services such as Premium Content

• Should a user’s account be upgraded from USOlite to a full USO account as part of a school or LA USO purchase, the user will be able to retain their ‘-lite’ on line identity, with its functionality simply being upgraded automatically as part of the process

• USOlite accounts cannot be upgraded individually

Page 96: ICT Technician’s Update Conference 17 March 2008

Microsoft’s European Mega Data Centre at Grange Castle, Dublin

• Previous slide - Rendering of the finished data centre

• £250 million mostly automated plant

• Total building footprint - 570,000 square feet

• 18.9 acre site

Page 97: ICT Technician’s Update Conference 17 March 2008

Similar Microsoft Data Centre under Construction

Page 98: ICT Technician’s Update Conference 17 March 2008

Mobile Learning Devices

Paul Whiteman

Merton

Page 99: ICT Technician’s Update Conference 17 March 2008

Which Mobile Device?

Paul Whiteman
LB Merton

Page 100: ICT Technician’s Update Conference 17 March 2008

Is it really mobile?

Who is going to carry it ?

Page 101: ICT Technician’s Update Conference 17 March 2008
Page 102: ICT Technician’s Update Conference 17 March 2008

Can we afford them?

Can we afford to replace them?

Are they insured?

Value for money?

Buy or lease?

Page 103: ICT Technician’s Update Conference 17 March 2008

How long do the batteries last?

How long to recharge?

Page 104: ICT Technician’s Update Conference 17 March 2008

Will it survive the odd knock?

Page 105: ICT Technician’s Update Conference 17 March 2008

Is it compatible with other systems in the school?

Page 106: ICT Technician’s Update Conference 17 March 2008

How easy are they going to be to support?

Page 107: ICT Technician’s Update Conference 17 March 2008

How desirable is it?

Will I find them on sale at the local?

Page 108: ICT Technician’s Update Conference 17 March 2008

Who owns the equipment?

Who pays for it?

Page 109: ICT Technician’s Update Conference 17 March 2008

Is your solution future proof?

Page 110: ICT Technician’s Update Conference 17 March 2008

The London MLE (Fronter 81)

Antony Moore

Fronter

Page 111: ICT Technician’s Update Conference 17 March 2008

SRF and Technician’s

Richard Allen

Becta

Page 112: ICT Technician’s Update Conference 17 March 2008

SRF for Technicians
London Technicians Conference 17th March 2008

By Richard Allen

Consultant – Learning Services

Page 113: ICT Technician’s Update Conference 17 March 2008

How are you doing?

• You’ve reduced the number of printer errors by upgrading printer drivers / replacing printers/ ensuring all same type of printers used / stopped people printing huge graphics

• ……. And so on

• At which point does your audience stop listening to you explaining all the great stuff you’ve done with drivers, software, networks, computers?

• Why – because they don’t get excited about computer stuff (no really they don’t!!!)

Page 114: ICT Technician’s Update Conference 17 March 2008

How to promote the good work you do

• Tell your customers the impact it has on them

• Inform your school leaders about the benefits in the classroom

• Show how improved ICT availability is increasing user confidence

• Demonstrate how enthusiastic the students are to learn when using ICT

• The best way to tell them – get them to tell you!

Page 115: ICT Technician’s Update Conference 17 March 2008

School staff understand assessments

• Use an environment familiar to your customers

• Ask them to assess the use of ICT using the self review framework to show how the school is doing

• Use the technical support assessment to check on how you are doing with ICT support

• Together you could achieve ICT Mark

Page 116: ICT Technician’s Update Conference 17 March 2008

What is it all about?

“The self-review framework isn’t just about ICT and, interestingly, that is a

key factor of its success. It focuses the mind on the whole spectrum of school

development.”

Steve Gater – Headteacher, Walker Technology College, Newcastle

Page 117: ICT Technician’s Update Conference 17 March 2008

Self-review framework

A jointly developed framework of standards describing progression through a model of institutional maturity in the use of ICT.

ICT Mark

An agreed set of standards, within the self-review framework, indicating that technology is being harnessed effectively and efficiently.

Page 118: ICT Technician’s Update Conference 17 March 2008

Maturity and effectiveness

A maturity model for developing good ICT……

Self-review framework

All good schools should be here

Some schools will be here

Where are you?

Where are you?

The self-review framework is a maturity model. It describes stages of development across 8 elements.

Developing

Implementing

Strategic

Systematic

Mature

15% - 20%

……using self-review to track progress

Page 119: ICT Technician’s Update Conference 17 March 2008

Actions supported by the leadership team determine improvement outcomes

..rather than actions changing the learning environment.

Schools tend to focus actions on staff and resources….

The self-review elements working together

Impact on the Learner

The curriculum

Extending opportunities for learning

Learning and teaching

Assessment

Leadership and management

Professional development(People resource)

Resources

Page 120: ICT Technician’s Update Conference 17 March 2008
Page 121: ICT Technician’s Update Conference 17 March 2008

Self-review - people planning improvement

• Review practice not technology

• Focus on evaluating whole school improvement not auditing technology implementation

• Review your actions and progress as well as practice

• Use review to establish a consensus involving:
– All staff
– Pupils' views and insights
– Other stakeholders

Page 122: ICT Technician’s Update Conference 17 March 2008
Page 123: ICT Technician’s Update Conference 17 March 2008

Element 7; Resources – the strands

• 7a. Provision
– 7a-1 Physical environments
– 7a-2 Sufficiency and suitability of resources
– 7a-3 Digital learning resources

• 7b. Access
– 7b-1 ICT supporting efficient working practices
– 7b-2 Technical support

• 7c. Management
– 7c-1 Procurement
– 7c-2 Evaluation of ICT resources

Page 124: ICT Technician’s Update Conference 17 March 2008

Commentary - improvement across all elements

Example - 7a-2

Element 7 – Resources
Strand a) – Provision
Aspect 2 – Sufficiency of provision

L3 Might link to learning and teaching (element 3) commentary

L2 Commentary might also describe improvement and link to impact on pupil outcomes (element 8)

There are enough ICT resources to make a contribution to the current practice in learning, teaching and school organisation.

L3

The school is well equipped with a good range of ICT resources and these are sufficient to make a significant impact on learning, teaching and school organisation.

L2

Page 125: ICT Technician’s Update Conference 17 March 2008

The self-review framework..

“…. has enabled all the staff, not just the ICT specialists, to understand where we are going strategically. It has brought us together and consolidated the whole vision for the school.”

Roger Whittall – Headteacher, Westwood School

Page 126: ICT Technician’s Update Conference 17 March 2008

Some Useful Becta Tools

• Self Review Framework
• Investment Planner (TCO)
• Functional and Technical Specs
• Framework Agreements
• FITS
• SIFA and UK Federation

Page 127: ICT Technician’s Update Conference 17 March 2008

Self-review benefits and outcomes

• Where are you in your whole school improvement and ICT development

• How does your school compare with others
• What are your school’s aspirations
• What does good look like in your school
• How will your school progress further
• What actions will prioritise
• Where might your school need support

Page 128: ICT Technician’s Update Conference 17 March 2008

Ofsted success for ICT Mark schools

Schools accredited with the ICT Mark are considerably more likely to be rated ‘outstanding’ in all five measures.

More specifically, ICT Mark accredited schools are:

• Four times more likely to be rated as ‘outstanding’ in the Overall effectiveness of the school category (ICT Mark schools: 40%, national primary: 9%, national secondary: 10%)

• Three times more likely to be rated as ‘outstanding’ in the Achievement and standards category (ICT Mark schools: 31%, national primary: 8%, national secondary: 9%)

• Three times more likely to be rated as ‘outstanding’ in the Leadership and management category (ICT Mark schools: 42%, national primary: 11%, national secondary: 12%)

• Four times more likely to be rated as ‘outstanding’ in the Teaching and learning category (ICT Mark schools: 29%, national primary: 7%, national secondary: 5%)

Page 129: ICT Technician’s Update Conference 17 March 2008

Ofsted reports on ICT Mark schools

The large majority of Ofsted reports on ICT Mark schools contain positive comments in relation to a number of ICT areas, including:

• Use of interactive whiteboards;
• Development of pupils’ ICT skills;
• The use of ICT to raise attainment;
• Investment and level of ICT resources;
• Planning, assessment and pupil profiling using ICT;
• Teachers’ ICT skills;
• ICT raising pupil confidence; and
• ICT leading to involvement in community events.

Page 130: ICT Technician’s Update Conference 17 March 2008

Vision and aspirations

What are your aspirations for how technology might be used to support wider school aims and learning environment.

• Classroom and teaching strategies
• Curriculum development
• Assessment for learning
• Extending opportunities for learning
• Parental engagement

Page 131: ICT Technician’s Update Conference 17 March 2008

Celebrate success

Enables schools to recognise and celebrate their successes.

When a school feels secure in its judgement that it has reached the nationally agreed standards in all the aspects of the framework, it may choose to apply for the ICT Mark.

To gain the ICT Mark the school requests a visit from an accredited assessor, who will validate the school’s self-evaluation.

The ICT Excellence Awards offer further recognition for schools that demonstrate evidence of excellent practice above and beyond the levels of the ICT Mark.

Informs other schools and organisations that you are a potential partner for extending opportunities for learning through technology

Page 132: ICT Technician’s Update Conference 17 March 2008

Assessments, SRF and FITS links

• http://matrix.becta.org.uk

• http://schools.becta.org.uk/index.php?section=srf

• http://www.becta.org.uk/fits

Register your results and be recognised

Page 134: ICT Technician’s Update Conference 17 March 2008

BSF

Anne Casey

Page 135: ICT Technician’s Update Conference 17 March 2008

BSF ICT

Anne Casey

[email protected]

Page 136: ICT Technician’s Update Conference 17 March 2008

What we will cover in this session

• Fundamental facts of ICT in BSF

• What elements to consider as part of a managed service

• How the ICT funding is allocated

• How much input the schools have

Page 137: ICT Technician’s Update Conference 17 March 2008

What we won’t cover in this session

• The specific ICT elements for your school
• The procurement process
• The scope of your school/LA managed service

Page 138: ICT Technician’s Update Conference 17 March 2008

The Golden Thread

[Diagram: ICT Vision & Strategy; SfC1; SfC2; OBC; ICT Output Spec]

Page 139: ICT Technician’s Update Conference 17 March 2008

And the ICT?

Page 140: ICT Technician’s Update Conference 17 March 2008
Page 141: ICT Technician’s Update Conference 17 March 2008

What is a Managed Service?

At its simplest a Managed Service consists of a single contract designed to deliver all ICT systems and services. This comprises provision of and support for:

• Learning Platform including MIS, VLE and learning content
• Wide area network – probably linking to the LA’s broadband service
• Institutional infrastructure (School LAN)
• All users’ equipment: access devices; peripherals, etc.
• Network services: user account management; e-mail; back-up; virus protection; Internet filtering and/or monitoring; curriculum software servers; video-conferencing; etc

Page 142: ICT Technician’s Update Conference 17 March 2008

And…..

• Anywhere, anytime access for all users
• Integration of legacy hardware and software
• Change management: operational training; pedagogical training
• ICT for school administration
• Helpdesk
• Technical support
• Refresh and sustainability
• Local choice

Page 143: ICT Technician’s Update Conference 17 March 2008

ICT Output Specification & OBC

•e.g. the facility for visually impaired students to be able to access their personal, adapted profile from whatever user device they may choose to use at any location

Page 144: ICT Technician’s Update Conference 17 March 2008

Output specification.

• Design and Installation Requirements (Learning platform, infrastructure and equipment)

• Transition and Implementation Requirements
• Operational Requirements
• Finance and Management Requirements

Page 145: ICT Technician’s Update Conference 17 March 2008

The ICT Supply Chain – how it works

LEP Bidding Consortium inc. Construction, FM, F&E, ICT

ICT Partner / key supplier

ICT Output Specification inc. Local Choice Fund

Active network kit

Services – AV, email Peripheral devices

VLE MIS

Computer hardware

Curriculum software

Specialist hardware

Tech Support

Training

Legend: central provision / some school choice / full school choice

Page 146: ICT Technician’s Update Conference 17 March 2008

How is a Managed Service financed?

• BSF capital: £225 per pupil place for passive network infrastructure
• BSF capital: £1450 per pupil place for equipment, software and services

This is a way of describing the overall ICT funding envelope.

It is NOT an allocation formula for schools.

School revenue: annual contribution for the 5-year life of the ICT contract to fund on-going maintenance of the ICT managed service: ‘extra’ elements of local choice funds; the refresh pot; training.

Page 147: ICT Technician’s Update Conference 17 March 2008

What we advise LAs to do.

• Ensure schools understand scope of managed services

• Ensure schools understand current TCO
• Engage all technical staff in discussions
• Engage all relevant staff in development of the output specification
• Ensure current staffing position and levels of service are understood

Page 148: ICT Technician’s Update Conference 17 March 2008

e-Safety

Helen Warner

Kensington and Chelsea

Page 149: ICT Technician’s Update Conference 17 March 2008

LGfL supporting e-safety

Helen Warner

Royal Borough of Kensington and Chelsea ICT Support Service

Page 150: ICT Technician’s Update Conference 17 March 2008

• A class of 9 year olds are in the ICT suite. The teacher gives them a research topic ‘Thailand’. Salil calls the teacher over to tell her that the search results include a link ‘adult sex’, he is told “Don’t click the link” and the teacher then moves away to talk to another group of children elsewhere in the classroom.

Page 151: ICT Technician’s Update Conference 17 March 2008

• Darren, a young Australian teacher, has his own MySpace area and has posted pictures of himself, his friends and lots of details of his life. There’s a video clip of him in Lanzarote, very drunk, having fun. Some of his pupils have found it.

Page 152: ICT Technician’s Update Conference 17 March 2008

• A very high number of pupils have their own MSN Messenger accounts and brag about how many ‘friends’ they have. You overhear one of the particularly brash Y9 girls bragging about her ‘older boyfriend’, who she plans to meet.

Page 153: ICT Technician’s Update Conference 17 March 2008

http://www.esafety.lgfl.net/

Page 154: ICT Technician’s Update Conference 17 March 2008

Education Programme

Page 155: ICT Technician’s Update Conference 17 March 2008
Page 156: ICT Technician’s Update Conference 17 March 2008

• Penelope, Head of Maths, has emailed some pupil reports to her hotmail account so she can finish at home.

Page 157: ICT Technician’s Update Conference 17 March 2008

Alan, a science teacher, has been using his open Blog to share his views about education, his school and the school’s leadership.

Page 158: ICT Technician’s Update Conference 17 March 2008

A teacher tells her technician she is upset because a pupil has posted a rude message on a Forum in the London MLE and asks him which child it was because she doesn’t know.

Page 159: ICT Technician’s Update Conference 17 March 2008

Policy Resources

•Policy separated into sections and includes specific references for child protection and anti-bullying policies

Page 160: ICT Technician’s Update Conference 17 March 2008

Acceptable Use Policies

Page 161: ICT Technician’s Update Conference 17 March 2008
Page 162: ICT Technician’s Update Conference 17 March 2008

• Mr Jones reports that a student has a pornographic image on his screen. The student says the “image just appeared and it’s the first time it’s happened”.

Page 163: ICT Technician’s Update Conference 17 March 2008

• A 14 year old boy has taken his own life. There is an allegation of bullying and that the pupil had used websites that openly support suicide.

Page 164: ICT Technician’s Update Conference 17 March 2008

LGfL URL filtering

• Based around the NetSweeper filtering system
• Provides 4 levels of filtering

Blocks all illegal content on the Internet Watch Foundation blacklist

– Global Deny list - contains other URLs deemed to be entirely unsuitable for access within LGfL network
– Category database - categorises URLs and blocks by category
– Local Deny list - allows blocking of individual URLs
– Local Allow list - allows access to an otherwise blocked URL
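The layered lists on this slide, written out as an added example (not LGfL or NetSweeper code). The evaluation order is an assumption, since the slide does not state the precedence: the IWF list and Global Deny list cannot be overridden locally, and Local Allow wins over Local Deny and the category database. The rule syntax (`host` or `host/path-prefix`), the `Policy` class and all sample names are hypothetical.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Policy:
    """One school's view of the filter layers (hypothetical structure)."""
    iwf_list: set = field(default_factory=set)            # illegal content, always blocked
    global_deny: set = field(default_factory=set)         # unsuitable across the whole network
    categories: dict = field(default_factory=dict)        # rule -> category name
    blocked_categories: set = field(default_factory=set)  # categories this school blocks
    local_deny: set = field(default_factory=set)          # individual URLs blocked locally
    local_allow: set = field(default_factory=set)         # exceptions to a local/category block


def normalise(url):
    """Return (lower-cased host, path) so that case, port and scheme do not matter."""
    parts = urlsplit(url if "//" in url else "//" + url)
    host = (parts.hostname or "").rstrip(".").lower()
    return host, parts.path or "/"


def rule_matches(rule, host, path):
    """A rule matches its host, any sub-domain of it, and any path under its prefix."""
    rule_host, _, rule_path = rule.lower().partition("/")
    host_ok = host == rule_host or host.endswith("." + rule_host)
    return host_ok and path.lower().startswith("/" + rule_path)


def in_list(rules, host, path):
    return any(rule_matches(rule, host, path) for rule in rules)


def category_of(policy, host, path):
    """Most specific (longest) matching category rule, or None if uncategorised."""
    hits = [rule for rule in policy.categories if rule_matches(rule, host, path)]
    return policy.categories[max(hits, key=len)] if hits else None


def decide(url, policy):
    """Return (allowed, deciding_layer) using the assumed order described above."""
    host, path = normalise(url)
    if in_list(policy.iwf_list, host, path):
        return False, "iwf"
    if in_list(policy.global_deny, host, path):
        return False, "global-deny"
    if in_list(policy.local_allow, host, path):
        return True, "local-allow"
    if in_list(policy.local_deny, host, path):
        return False, "local-deny"
    category = category_of(policy, host, path)
    if category in policy.blocked_categories:
        return False, "category:" + category
    return True, "default-allow"


# Constructed sample policy; every host name below is made up.
SAMPLE_POLICY = Policy(
    iwf_list={"illegal.example"},
    global_deny={"unsuitable.example"},
    categories={"games.example": "Games", "video.example/clips": "Streaming",
                "news.example": "News"},
    blocked_categories={"Games", "Streaming"},
    local_deny={"news.example/comments"},
    local_allow={"maths.games.example", "illegal.example"},
)

if __name__ == "__main__":
    for u in ("http://illegal.example/x", "http://maths.games.example/fractions",
              "http://games.example/arcade", "http://news.example/today"):
        print(u, decide(u, SAMPLE_POLICY))
```

Returning the deciding layer alongside the verdict is what lets a technician explain why a page was blocked and which list would need changing.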

Page 165: ICT Technician’s Update Conference 17 March 2008
Page 166: ICT Technician’s Update Conference 17 March 2008

LGfL monitoring reports
URL logging

• Every request made through the URL filtering service is logged, including:
– Date and time
– IP address of the user
– URL details
– Category of the URL
– Whether it was blocked or allowed

• All logs are kept for a minimum of 3 months and are fully searchable

• Logs are stored unprocessed, for forensic purposes

• Forensic software also available – contact Synetrix

Page 167: ICT Technician’s Update Conference 17 March 2008

NetSweeper Reporter Wizard

Page 168: ICT Technician’s Update Conference 17 March 2008

• John, the technician, finds evidence of a member of support staff gaining access to some pornographic videos. He tells the Deputy, Keith, who says, “Which computer? Let’s have a look”. Keith takes a look and agrees. They suspect it’s Danny, who’s part-time, and wait until he’s in to challenge him. He denies all knowledge and then accuses the Deputy of harassing him. Danny has never signed an Acceptable Use Policy form.

Page 169: ICT Technician’s Update Conference 17 March 2008

Possible incident procedure in case of illegal content

1. Inform Head / senior leader and start an incident log.

All staff must report back to the member of SMT who updates the incident log at each stage.

2. Don’t use the equipment. Photograph, bag and secure it – witnessed by 2 people from SMT.

Suspend user’s network / computer access.

3. SMT decide if sufficient initial evidence / doubt to suspend member of staff pending investigation.

Page 170: ICT Technician’s Update Conference 17 March 2008

Possible incident procedure in case of illegal content cont:

4. Link computer name to IP address on LAN.
If auditing enabled on server, link username to computer.
Request Internet logs from Synetrix.
SMT inform LA – eSafety officer (Personnel) etc.
Gather evidence e.g. screen prints if have Forensic software, AUP form, CCTV footage, timetable, etc.

5. SMT decide whether to involve a Third Party Forensic firm.
Start disciplinary action if necessary.

In case of Child Pornography – immediately inform Police.
0808 100 00 40 at: http://www.met.police.uk/childpornography/index.htm
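Step 4 and the URL logging slide, worked through as an added example (not LGfL or Synetrix code): filter-log entries carry only an IP address, so each one is tied to a computer through the DHCP lease in force at that moment and then to a username through server logon auditing. The log line layout, the record types and all sample data are constructed assumptions.

```python
from datetime import datetime
from typing import NamedTuple, Optional

TS = "%Y-%m-%d %H:%M:%S"


def ts(text):
    return datetime.strptime(text, TS)


class Request(NamedTuple):      # one filter-log entry, with the fields the slide lists
    when: datetime
    ip: str
    url: str
    category: str
    action: str


class Lease(NamedTuple):        # DHCP record: which computer held an IP, and when
    ip: str
    computer: str
    start: datetime
    end: datetime


class Session(NamedTuple):      # server logon audit record
    computer: str
    user: str
    logon: datetime
    logoff: Optional[datetime]  # None: no logoff event was recorded


def parse_filter_log(text):
    """Parse 'date time ip url category action' lines (assumed layout)."""
    requests = []
    for number, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 6:
            raise ValueError(f"line {number}: expected 6 fields, got {len(fields)}")
        date, clock, ip, url, category, action = fields
        requests.append(Request(ts(f"{date} {clock}"), ip, url, category, action))
    return requests


def computer_for(ip, when, leases):
    """The one computer holding `ip` at `when`; None if there is none or several."""
    names = {l.computer for l in leases if l.ip == ip and l.start <= when < l.end}
    return names.pop() if len(names) == 1 else None


def users_on(computer, when, sessions):
    """Every user with a logon session on `computer` covering `when`."""
    return sorted({s.user for s in sessions
                   if s.computer == computer and s.logon <= when
                   and (s.logoff is None or when <= s.logoff)})


def attribute(requests, leases, sessions, category):
    """Link each request in `category` to a computer and candidate users."""
    findings = []
    for r in requests:
        if r.category != category:
            continue
        pc = computer_for(r.ip, r.when, leases)
        users = users_on(pc, r.when, sessions) if pc else []
        if pc is None:
            status = "no-lease"            # IP cannot be tied to a machine
        elif not users:
            status = "no-logon-record"     # auditing was not enabled
        elif len(users) > 1:
            status = "ambiguous"           # overlapping sessions, needs other evidence
        else:
            status = "single-user"
        findings.append({"when": r.when, "url": r.url, "action": r.action,
                         "computer": pc, "users": users, "status": status})
    return findings


# Constructed sample data: the same IP is leased to two computers during the day.
SAMPLE_LOG = """\
# date time ip url category action
2008-03-10 09:41:07 10.20.3.45 http://blocked.example/a Adult BLOCKED
2008-03-10 12:45:30 10.20.3.45 http://blocked.example/b Adult BLOCKED
2008-03-10 13:20:00 10.20.3.45 http://blocked.example/c Adult ALLOWED
2008-03-10 10:05:00 10.20.3.60 http://blocked.example/d Adult BLOCKED
2008-03-10 10:06:00 10.20.3.60 http://news.example/ News ALLOWED
2008-03-10 19:00:00 10.20.3.45 http://blocked.example/e Adult BLOCKED
"""
SAMPLE_LEASES = [
    Lease("10.20.3.45", "LIB-PC07", ts("2008-03-10 08:00:00"), ts("2008-03-10 12:00:00")),
    Lease("10.20.3.45", "OFFICE-PC02", ts("2008-03-10 12:00:00"), ts("2008-03-10 18:00:00")),
    Lease("10.20.3.60", "ICT-PC11", ts("2008-03-10 08:00:00"), ts("2008-03-10 18:00:00")),
]
SAMPLE_SESSIONS = [
    Session("LIB-PC07", "staff-a", ts("2008-03-10 09:00:00"), ts("2008-03-10 11:30:00")),
    Session("OFFICE-PC02", "staff-b", ts("2008-03-10 12:30:00"), ts("2008-03-10 13:30:00")),
    Session("OFFICE-PC02", "staff-c", ts("2008-03-10 13:15:00"), None),
]
```

The "ambiguous" and "no-logon-record" outcomes are the cases where the other evidence in step 4 (AUP form, CCTV footage, timetable) has to carry the attribution.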

Page 171: ICT Technician’s Update Conference 17 March 2008

Useful Online Resources

Penny Patterson

and

Gary Jelks

Page 172: ICT Technician’s Update Conference 17 March 2008

Useful Online Resources

Penny Patterson

and

Gary Jelks

Page 173: ICT Technician’s Update Conference 17 March 2008

How would you use?

• School network

• Standalone in school

• At home only

Page 174: ICT Technician’s Update Conference 17 March 2008
Page 175: ICT Technician’s Update Conference 17 March 2008
Page 176: ICT Technician’s Update Conference 17 March 2008
Page 177: ICT Technician’s Update Conference 17 March 2008

http://www.tech.lgfl.net

Page 178: ICT Technician’s Update Conference 17 March 2008

http://audacity.sourceforge.net/

Page 179: ICT Technician’s Update Conference 17 March 2008

http://filehippo.com/download_hijackthis/

Page 180: ICT Technician’s Update Conference 17 March 2008

http://free.grisoft.com

Page 181: ICT Technician’s Update Conference 17 March 2008

http://housecall.trendmicro.com

Page 182: ICT Technician’s Update Conference 17 March 2008

http://www.edugeek.net/

Page 183: ICT Technician’s Update Conference 17 March 2008

http://www.intravnews.com/

Page 185: ICT Technician’s Update Conference 17 March 2008

http://www.microsoft.com/technet/sysinternals/FileAndDisk/PsTools.mspx

Page 186: ICT Technician’s Update Conference 17 March 2008

http://www.netstumbler.com

Page 187: ICT Technician’s Update Conference 17 March 2008

http://www.roboform.com

Page 188: ICT Technician’s Update Conference 17 March 2008

http://www.safer-networking.org

Page 189: ICT Technician’s Update Conference 17 March 2008

Social networking

• Facebook

• MySpace

• Bebo

• Piczo

Page 190: ICT Technician’s Update Conference 17 March 2008

http://www.skype.com

Page 191: ICT Technician’s Update Conference 17 March 2008

http://www.thinkfree.com

Page 192: ICT Technician’s Update Conference 17 March 2008

http://www.youtube.com

Page 193: ICT Technician’s Update Conference 17 March 2008

http://www.lgfl.net/lgfl/accounts/techsupport/techconf/menu/

Page 194: ICT Technician’s Update Conference 17 March 2008

ICT Technician’s Update Conference

17 March 2008