Network Services

A network is only useful if it has sound support services. A client was rebuilding its network from scratch to migrate from an old network.

The Brief

We were asked to develop a new set of DNS, DHCP, Active Directory, and Group Policies for an education authority. This might seem simple, but there were technicalities around password policies.

Diagnosis

It’s always a pleasure to get involved in a green-field project where we’re allowed to flex our creativity. We had to deliver the design for secure network support services.

Solution

We began by looking at what the authority wanted to do with its network. They had three main networks: corporate, student, and a BYOD WiFi network. The corporate network contained confidential student and teacher records, and was secured from the other two. Data needed on either side was moved across a gateway service. The student network hosted the authority-owned devices, such as workstations, printers, and scanners. The BYOD WiFi network also supported the connection of authority-owned WiFi devices such as smartphones and tablets.

Working with the network team, we first delivered the DNS service. It had to be separated into the different domains, with forwarding of authority domain queries to the authority DNS services. Any unauthorised device connecting to either the WiFi or wired network would be sent to a segregated network where it could do no damage.

DHCP was a challenge. DHCP address allocation based on PKI certificates was needed. An authorised device would have a valid certificate, and would be allocated the relevant network and DHCP address.

For Active Directory, we looked at the students who would be authenticating to the network. The authority had extended the schema to enable storage of student characteristics, such as exam performance, learning requirements, special needs requirements, and dietary requirements. We were also faced with another problem. Passwords.

The idea of the new network was for students to keep the same user ID throughout their time with the authority, from the moment they enter to the moment they leave. The problem with passwords was this: how do you expect a four-year-old to remember a long and complex password? At the same time, it wouldn’t be good for older students to have simple, two-digit passwords.

Password policies in Active Directory are set for the entire domain. However, you can create a small piece of software that overrides the domain policy, and one was written specifically for this purpose. It checks the user’s location in Active Directory: if they are in a primary school, they get a simple password, and as they progress up through the system, their passwords get increasingly complex. Using Active Directory, we would wrap this up as a package and deliver it.
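The location-based decision described above can be modelled as follows. This is an added example, not the software written for the authority: the OU names, tiers, and thresholds are assumptions made for illustration, and it only models the policy decision rather than hooking into Active Directory. An account outside any known school OU gets the strictest policy.

```python
import re

# Hypothetical OU names and thresholds (assumptions, not from the project).
POLICIES = {
    "primary":   {"min_len": 4,  "classes": 1},
    "secondary": {"min_len": 8,  "classes": 2},
    "college":   {"min_len": 12, "classes": 3},
}
# Fail closed: accounts outside any known OU get the strictest policy.
STRICTEST = {"min_len": 12, "classes": 3}


def ou_path(dn):
    """Return the OU names in a distinguished name, nearest the user first."""
    # Split only on commas not preceded by a backslash, so an escaped comma
    # inside a CN value cannot introduce a fake "OU=" component.
    parts = re.split(r"(?<!\\),", dn)
    return [p.split("=", 1)[1].strip().lower()
            for p in parts if p.strip().lower().startswith("ou=")]


def policy_for(dn):
    """Pick the policy of the nearest OU that has one, else the strictest."""
    for ou in ou_path(dn):
        if ou in POLICIES:
            return POLICIES[ou]
    return STRICTEST


def char_classes(password):
    """Count how many of lower, upper, digit, symbol appear in the password."""
    tests = (str.islower, str.isupper, str.isdigit,
             lambda c: not c.isalnum())
    return sum(any(t(c) for c in password) for t in tests)


def password_allowed(dn, password):
    """Check a candidate password against the policy for the user's OU."""
    policy = policy_for(dn)
    return (len(password) >= policy["min_len"]
            and char_classes(password) >= policy["classes"])


if __name__ == "__main__":
    # Constructed sample DNs.
    young = "CN=Ana,OU=Primary,OU=Schools,DC=example,DC=org"
    older = "CN=Ben,OU=College,OU=Schools,DC=example,DC=org"
    for dn in (young, older):
        print(dn, password_allowed(dn, "cat7"))
```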

A Group Policy design needed to cater for school, town, and county administrators. Depending on where the administrator was located, they would get increasing rights over user accounts, to be able to populate student attributes. 

The rollout of the new network was pivotal to our designs and we were pleased to see it fully operational and working as expected.

Outcomes

Working first time

Experience and good testing made sure it worked first time.

Delivered as expected

We took the time to understand the needs of the authority and balanced them against security risks. This enabled us to design what was needed.

Scalable

Every part of the solution was scalable to cater for tens or hundreds of thousands of students.

Integrated

Other government departments would send in representatives from time to time, and we were able to enable them to connect and communicate back to their home networks.

Benefits

The service was well-tested and wasn’t handed over until it was fully stable and working as expected.

The services delivered can be expanded and linked to other networks.

Using industry standards as the baseline, we delivered a supportable service, which needed a manageable amount of handover.