K-12 schools face unique challenges with their IT infrastructure. Their user base needs access to a large amount of information while at the same time facing restrictions. While that does sound like some corporate network policies, the restrictions in the education environment are legal in nature. Schools must find new ways to provide the assurance of restricting content without destroying their network in the process. Which led me to ask: Can SDN help?
The government E-Rate program gives schools money each year under Priority 1 funding for Internet access. Indeed, the whole point of the E-Rate program is to get schools connected to the Internet. But we all know the Internet comes with a bevy of distractions. Many of those distractions are graphic in nature and must be eliminated in a school. Because it’s the law.
The Children’s Internet Protection Act (CIPA) mandates that schools and libraries receiving E-Rate funding for high-speed broadband Internet connections must filter those connections to remove questionable content. Otherwise they risk losing funding for all E-Rate services. That makes content filters very popular devices in schools, even though they aren’t funded by E-Rate.
Content filters also cause network design issues. In the old days, we had to put the content filter servers on a hub along with the outbound Internet router in order to ensure they could see all the traffic and block the bad bits. That became increasingly difficult as network switch speeds increased. Forcing hundreds of megabits through a 10Mbit hub was counterproductive. Moving to switchport mirroring did alleviate the speed issues, but still caused network design problems. Now, content filters can run on firewalls and bastion host devices or are enabled via proxy settings in the cloud. But we all know that running too many services on a firewall causes performance issues. Or leads to buying a larger firewall than needed.
Another issue that has crept up as of late is the use of Virtual Private Networking (VPN) as a way to defeat the content filter. Setting up an SSL VPN to an outside, non-filtered device is pretty easy for a knowledgeable person. And if that fails, there are plenty of services out there dedicated to defeating content filtering. While the aim of these services is noble, such as bypassing the Great Firewall of China or the mandated Internet filtering in the UK, they can also be used to bypass the CIPA-mandated filtering in schools. It’s a high-tech game of cat-and-mouse: block access to one VPN and three more pop up to replace it.
Software Defined Protection
So how can SDN help? Service chaining allows traffic to be directed to a given device or virtual appliance before being passed on through the network. This great presentation from Networking Field Day 7 presenter Tail-f Networks shows how service chaining can force traffic through security devices like IDS/IPS and through content filters as well. There is no need to add hubs or mirrored switch ports in your network. There is also no need to configure traffic to transit the same outbound router or firewall, thereby creating a single point of failure. Thanks to the magic of SDN, the packets go to the filter automatically. That’s because they don’t really have a choice.
It also works well for providers wanting to offer filtering as a service to schools. This allows a provider to configure the edge network to force traffic to a large central content filter cluster and ensure delivery. It also allows the service provider network to operate without impact to non-filtered customers. That’s very useful even in ISPs dedicated to education institutions, as the filter provisions for K-12 schools don’t apply to higher education facilities, like colleges and universities. Service chaining would allow the college to stay free and clear while the high schools are cleansed of inappropriate content.
The VPN issue is a thorny one for sure. How do you classify traffic that is trying to hide from you? Even services like Netflix are having trouble blocking VPN usage, and they stand to lose millions if they can’t. How can SDN help in this situation? We could build policies to drop traffic headed for known VPN endpoints. That should take care of the services that make it easy to configure and serve as a proxy point. But what about those tech-savvy kids that set up SSL VPNs back home?
Luckily, SDN can help there as well. Many unified threat management appliances offer the ability to intercept SSL conversations. This is an outgrowth of sites like Facebook defaulting to SSL to increase security. SSL intercept essentially acts as a man-in-the-middle attack: the firewall decrypts the SSL conversation, scans the packets, and re-encrypts them using a different certificate, one issued by an authority the school’s managed devices have been configured to trust. When the packets come back in, the process is reversed. This SSL intercept capability would allow those SSL VPN packets to be dropped when detected. The SDN component ensures that HTTPS traffic is always redirected to a device that can do SSL intercept, rather than taking a path through the network that might lead to a different exit point.
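To make the last few paragraphs concrete, here is an added example (not code from the original post, nor from Tail-f Networks or any vendor) that models the per-flow decision an SDN controller would make at a school network edge: which chain of service functions a new flow must traverse (IDS, content filter, SSL intercept), whether it is dropped as known VPN traffic, or whether it passes straight through because it belongs to a higher-ed customer on the same provider network. It then expands the chain into ordered match/action rules, which is how service chaining replaces hubs and mirror ports. The address ranges, VPN endpoint blocklist, port numbers and switch-port map are all constructed for the example.

```python
"""Policy-based service chaining for a school network edge, modelled in Python.

Added example, not code from the original post or from Tail-f Networks.
It models the decision an SDN controller makes for each new flow: which
service functions the packets must traverse before egress, or whether they
are dropped. Address ranges, ports, the blocklist and the switch-port map
are constructed placeholders.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology: the K-12 range is subject to CIPA filtering; any other
# customer on the same provider network (e.g. a college) is passed through.
K12_NETS = [ip_network("10.10.0.0/16")]

# Constructed placeholder blocklist of VPN/proxy service endpoints, plus the
# default UDP ports of common VPN protocols (OpenVPN 1194, WireGuard 51820).
KNOWN_VPN_ENDPOINTS = {ip_address("203.0.113.10"), ip_address("203.0.113.11")}
KNOWN_VPN_UDP_PORTS = {1194, 51820}

# Constructed map of which edge-switch port each service function hangs off.
PORT_MAP = {"ids": 2, "ssl_intercept": 3, "content_filter": 4, "egress": 1}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def in_any(addr, nets):
    a = ip_address(addr)
    return any(a in n for n in nets)


def service_chain(flow):
    """Return the ordered service functions a new flow must pass through.

    [] means the flow egresses untouched; ["drop"] means the controller
    installs a drop rule instead of a forwarding path.
    """
    if not in_any(flow.src, K12_NETS):
        # Higher-ed traffic on the same provider network is left alone.
        return []
    if ip_address(flow.dst) in KNOWN_VPN_ENDPOINTS:
        return ["drop"]
    if flow.proto == "udp" and flow.dport in KNOWN_VPN_UDP_PORTS:
        return ["drop"]
    if flow.proto == "tcp" and flow.dport == 80:
        return ["ids", "content_filter"]
    if flow.proto == "tcp" and flow.dport == 443:
        # All HTTPS is steered through the intercept device, so an SSL VPN
        # cannot take a path that skips inspection.
        return ["ids", "ssl_intercept", "content_filter"]
    return ["ids"]


def flow_rules(flow, chain):
    """Expand a chain into ordered match/action rules for the edge switch.

    Each service function is modelled as a one-armed bump in the wire: it
    receives the packet on its port and hands it back on the same port, so
    the next rule matches on that in_port and outputs to the next hop.
    The chain becomes forwarding entries, not a topology change.
    """
    base = {"ipv4_src": flow.src, "ipv4_dst": flow.dst,
            "ip_proto": flow.proto, "tp_dst": flow.dport}
    if chain == ["drop"]:
        # An empty action list is a drop.
        return [{"match": dict(base, in_port="access"), "actions": []}]
    rules, prev = [], "access"   # "access" = the client-facing port
    for hop in chain + ["egress"]:
        rules.append({"match": dict(base, in_port=prev),
                      "actions": [f"output:{PORT_MAP[hop]}"]})
        prev = PORT_MAP[hop]
    return rules


if __name__ == "__main__":
    for f in (Flow("10.10.5.20", "198.51.100.7", "tcp", 443),
              Flow("10.20.1.9", "198.51.100.7", "tcp", 443),
              Flow("10.10.5.21", "203.0.113.10", "tcp", 443),
              Flow("10.10.5.22", "198.51.100.8", "udp", 51820)):
        chain = service_chain(f)
        print(f, "->", chain or ["pass-through"])
        for r in flow_rules(f, chain):
            print("   in_port", r["match"]["in_port"], "->", r["actions"])
```

The point of splitting policy (service_chain) from realization (flow_rules) is that the filtering decision lives in one place and the switches only carry per-hop output rules; adding a second filter cluster or moving the intercept box to another port changes PORT_MAP, not the policy.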
Content filtering isn’t fun. I’ve always said that I don’t envy the jobs of people that have to wade through the unsavory parts of the Internet to categorize bits as appropriate or not. It’s also a pain for network engineers that need to keep redesigning the network and introducing points of failure to meet federal guidelines for decency. SDN holds the promise of making that easier. In the above Tail-f example, the slide deck shows a UI that allows simple blocking of common protocols like Skype. This could be extended to schools where student computers and wireless networks are identified and bad programs are disallowed while web traffic is pushed to a filter and scrubbed before heading out to the Wild Wild Web. SDN can’t solve every problem we might have, but if it can make the mundane and time-consuming problems easier, it might just give people the breathing room they need to work on the bigger issues.