Master Show - To Parent Directory

advertisement
ICT Technician’s Update
Conference
17 March 2008
Introduction
Penny Patterson
You Tube and Schools
Penny Patterson
Network Access Control
Steve Hanna
Juniper Networks
Network Access Control
for Education
By Steve Hanna, Distinguished Engineer, Juniper
Co-Chair, Trusted Network Connect WG, TCG
Co-Chair, Network Endpoint Assessment WG, IETF
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
Implications of Expanded Network Usage
Critical data at risk
As Access Increases
Mission-critical
network assets
Mobile and remote
devices transiting the
LAN perimeter
Broader variety of
network endpoints
Perimeter security
ineffective
Endpoint infections
may proliferate
Network control
can be lost
Network Security Decreases
Faculty, staff, parent,
and/or student access
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
Network Access Control Solutions
Features
 Control Access
• to critical resources
• to entire network
 Based on
• User identity and role
• Endpoint identity and health
• Other factors
 With
• Remediation
• Management
Benefits
 Consistent Access Controls
 Reduced Downtime
• Healthier endpoints
• Fewer outbreaks
 Safe Remote Access
 Safe Access for
• Faculty, Staff
• Students, Parents
• Guests
• Devices
Network access control must be a key component of every network!
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
What is Trusted Network Connect (TNC)?
 Open Architecture for Network Access Control
 Suite of Standards to Ensure Interoperability
 Work Group in Trusted Computing Group (TCG)
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
TCG: The Big Picture
Applications
Desktops &
Notebooks
•Software Stack
•Operating Systems
•Web Services
•Authentication
•Data Protection
Printers &
Hardcopy
Mobile
Phones
Storage
TCG
Standard
s
Servers
Networking
Copyright © 2008 Juniper Networks, Inc.
Security
Hardware
www.juniper.net
‹#›
TNC Architecture Overview
Access
Requester (AR)
Policy Enforcement
Point (PEP)
Policy Decision Point
(PDP)
Wireless
Wired
Network
Perimeter
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
Typical TNC Deployments
 Uniform Policy
 User-Specific Policies
 TPM Integrity Check
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
Uniform Policy
Access
Requester (AR)
Policy Enforcement
Point (PEP)
Policy Decision Point
(PDP)
Remediation
Network
Non-compliant System
Windows XP
 SP2
x OSHotFix 2499
x OSHotFix 9288
 AV - McAfee Virus Scan 8.0
 Firewall
Production
Network
Compliant System
Windows XP
 SP2
 OSHotFix 2499
 OSHotFix 9288
 AV – Symantec AV 10.1
 Firewall
Copyright © 2008 Juniper Networks, Inc.
Network
Perimeter
Client Rules
Windows XP
- SP2
- OSHotFix 2499
- OSHotFix 9288
- AV (one of)
- Symantec AV 10.1
- McAfee Virus Scan 8.0
- Firewall
www.juniper.net
‹#›
User-Specific Policies
Access
Requester (AR)
Guest
User
Ken –
Faculty
Linda –
Finance
Policy Enforcement
Point (PEP)
Policy Decision Point
(PDP)
Guest
Network
Internet Only
Classroom
Network
Access Policies
- Authorized Users
- Client Rules
Finance
Network
Windows XP
 OSHotFix 9345
 OSHotFix 8834
 AV – Symantec AV 10.1
 Firewall
Copyright © 2008 Juniper Networks, Inc.
Network
Perimeter
www.juniper.net
‹#›
TPM Integrity Check
Access
Requester (AR)
Policy Enforcement
Point (PEP)
Policy Decision Point
(PDP)
TPM – Trusted Platform Module
- Hardware module built into most
of today’s PCs
- Enables a hardware Root of Trust
- Measures critical components
during trusted boot
- PTS interface allows PDP to
verify configuration and remediate
as necessary
Production
Network
Compliant System
TPM Verified
 BIOS
 OS
 Drivers
 Anti-Virus Software
Copyright © 2008 Juniper Networks, Inc.
Client Rules
- BIOS
- OS
- Drivers
- Anti-Virus Software
Network
Perimeter
www.juniper.net
‹#›
TNC Architecture in Detail
Access
Requester (AR)
Policy Enforcement
Point (PEP)
Policy Decision Point
(PDP)
(IF-M)
t Collector
IntegrityCollector
Measurement
Collectors (IMC)
Verifers
Integrity Verifiers
Measurement
Verifiers (IMV)
(IF-IMC)
(IF-IMV)
(IF-TNCCS)
TNC Server
(TNCS)
TNC Client (TNCC)
(IF-PTS)
Platform Trust
Service (PTS)
TSS
(IF-T)
Network
Access
Requestor
(IF-PEP)
Policy
Enforcement
Point (PEP)
Network Access
Authority
TPM
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
TNC Status
 TNC Architecture and all specs released
• Available Since 2006 from TCG web site
 Rapid Specification Development Continues
• New Specifications, Enhancements
 Number of Members and Products
Growing Rapidly
 Compliance and Interoperability Testing and
Certification Efforts under way
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
TNC Vendor Support
Access
Requester (AR)
Policy Enforcement
Point (PEP)
Policy Decision Point
(PDP)
Endpoint
Supplicant/VPN Client, etc.
Network Device
FW, Switch, Router, Gateway
AAA Server, Radius,
Diameter, IIS, etc.
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
TNC/NAP/UAC Interoperability
 Announced May 21, 2007 by TCG, Microsoft, and
Juniper
 NAP products implement TNC specifications
• Included in Windows Vista, Windows XP SP 3, and
Windows Server 2008
 Juniper UAC and NAP can interoperate
• Demonstrated at Interop Las Vegas 2007
• UAC will support IF-TNCCS-SOH in 1H2008
 Customer Benefits
• Easier implementation – can use built-in Windows NAP client
• Choice and compatibility – through open standards
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
NAP Vendor Support
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
What About Open Source?
 Several open source implementations of TNC
• University of Applied Arts and Sciences in Hannover, Germany
(FHH)
http://tnc.inform.fh-hannover.de
• libtnc
https://sourceforge.net/projects/lib/tnc
• OpenSEA 802.1X supplicant
http://www.openseaalliance.org
• FreeRADIUS
http://www.freeradius.org
 TCG support for these efforts
• Liaison Memberships
• Open source licensing of TNC header files
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
Summary
 Network Access Control provides
• Strong Security and Safety
• Tight Control Over Network Access
• Reduced PC Administration Costs
 Open Standards Clearly Needed for NAC
• Many, Many Vendors Involved in a NAC System
• Some Key Benefits of Open Standards
• Ubiquity, Flexibility, Reduced Cost
 TNC = Open Standards for NAC
• Widely Supported – HP, IBM, Juniper, McAfee, Microsoft, Symantec, etc.
• Can Use TPM to Detect Root Kits
 TNC: Coming Soon to a Network Near You!
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
For More Information
 TCG Web Site
• https://www.trustedcomputinggroup.org
 Juniper UAC Web Site
• http://www.juniper.net/products_and_services/
unified_access_control
 Steve Hanna
•
•
•
•
•
Distinguished Engineer, Juniper Networks
Co-Chair, Trusted Network Connect Work Group, TCG
Co-Chair, Network Endpoint Assessment Working Group, IETF
email: shanna@juniper.net
Blog: http://www.gotthenac.com
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
LGfL Network 2009 - 2012
Stuart Tilley
Synetrix
Technician Conference –
Network overview and proposed enhancement
2008 - 2012
17th March 2008
Presented by :Stuart Tilley - Network & Systems
Overview
• Introduction
• Current Network Overview
• Proposed Technology Refresh
–
–
–
–
–
Core Network
Access Network
Access bandwidth
URL filtering
Edge CPE
• Summary
Introduction
• Current Network Implemented in April 2002
• Designed and Built by Synetrix a key LGfL service
provider
• Emerging Technology (MPLS) and vendor choice has
provided a platform for;
–
–
–
–
Delivery of High availability and scalable Broadband services
Secure and safe educational environment
New service development and delivery
Shared community network (LPSN)
• Network Refresh - keeping pace with technology to and
beyond 2012
The London Network – Physical Topology
Enfield
Barnet
Haringey
Harrow
Waltham
Forest
Romford
Newham
Camden
Park
Royal
Tele
House
Hayes
Earls
Court
Welling
Lambeth
Bexley
Heath
Richmond
Lewisham
Core
Core Network Node
Merton
AP
Aggregation Point
Croydon
Core 10Gbps Links
Bromley
Nodal Loop 1Gbps
Nodal Loop 100Mbps
Purley
The London Network
Physical Network Topology
• 3 Core locations and 21 Aggregation Points serving 33
London Authorities
• Resilient dark fibre connecting core locations (10Gb/sec
– OC192 SDH)
• AP’s connected to core by resilient nodal loops currently
1Gb or 100Mb capacity
• Resilient Service Hosting – SLB
• Resilient Tier 1 ISP’s (Thus, Abovenet, UKERNA, BBC)
– Total Internet Capacity 6Gbps
• All Broadband services delivered over fibre (scalable
bandwidth)
The London Network – Logical
Waltham Forest
Camden
6Bone
VPN1
VPN1
Native IPv6 peering
VPN2
VPN2
BGP4
VPN3
AP
AP
Edge sites connected
at 2, 5, 10 & 100Mbps Ethernet
BBC
BGP4
Edge sites configured
Into appropriate VPN at
any AP
100Mb
160Gbps Router
1Gbps
UKERNA
2Gbps
BGP4
2Gbps
VPN
3
VPN
1
VPN
2
VPN1
Edge sites access core
services via resilient
MPLS core/access
network with QoS applied
dependant on application
VPN2
VPN3
Internet
or
BGP4
10
Gb
c
ps
e
MPLS VPN's
10
Gb
p
AP
sc
or
Newham
e
Telehouse
Participate in same L2
broadcast domains as Earls
Court
SLB
1Gbps
160Gbps Router
VPN
3
VPN
1
VPN
3
VPN
2
URL URL
Participate in same L2
broadcast domains as Park
Royal
160Gbps Router
VPN
1
Virus Virus
email email
&
&
Web Web
Virtual Firewalls
Dark Fibre - 0C192 MPLS (10Gbps)
SHDS or Dark Fibre - 100M-2.4Gbps MPLS
SHDS - WES 100Mbps
URL URL
Virus Virus
Gigabit
Firewall
SHDS - WES 1000 (1Gbps)
SLB
MPLS VPN's
10Gbps core
MPLS VPN's
VPN
2
Virtual Firewalls
Park Royal
Earls Court
MPLS IP VPN's
LEA1
LEA2
LEA3
vpn
1 vpn
2 vpn
3
Gigabit
Firewall
Author Stuart Tilley
Date
25/01/2006
email email
&
&
Web Web
The London Network
Logical Network
• MPLS core network
• Dedicated RFC2547bis Layer3 VPN’s
– Provides fully routed Virtual WANs per ‘customer’
(LEA or LA)
– Totally autonomous routing policy and access control
per Virtual WAN – WMSv1 & v2
– Virtual WANs distributed across complete physical
network
• QoS Support
Network Statistics
•
•
•
•
•
Total of edge bandwidth purchased 23Gbps
Total traffic transiting network 3Gbps (average)
Total capacity of Juniper access layer 228Gbps
Total Capacity of Juniper core 480Gbps
Total Internet Bandwidth - (Sept 2002) 30Mbps
today averaging over 2Gbps
• HTTP traffic via URL service 1.5GMbps
• Requests served from Cache 400Mbps
Proposed Core Technology upgrade
• Upgrade existing Juniper M160 with Next Generation
MX960
• Fully resilient chassis (redundant HW) such as;
–
–
–
–
Power Supplies
Cooling fans
Routing Engines (RE)
Switch Control Board
• Fully resilient design/configuration
– Dual Dense Port Concentrators (DPC’s) 10G + 1G
– Support resilient backbone and core switching
• JUNOS code – leading standards development
• Low risk migration
Proposed Core Technology Upgrade
Proposed MX960 core build
Telehouse Core
MX960
Juniper
1
PEM
0
1
2
3
YELLOW ALARM
MASTER
0
®
NETWO RKS
FAIL
OK
FAIL
OK
FAIL
OK
OK
FAIL
NC
C
NO
NC
C
MX960
NO
OFFLINE
OK
FAIL
RED ALARM
ACO/LT
ONLINE
FAN
RE 0
OK
OK
FAIL
RE 1
OK
FAIL
OK
FAIL
FAIL
OK
FAIL
OK
FAIL
OK
FAIL
OK
FAIL
OK
FAIL
0
1
2
3
4
5
0
1
2 6
7
8
9
10
11
ONLINE
ONLINE
ONLINE
ONLINE
ONLINE
ONLINE
ONLINE
ONLINE
ONLINE
ONLINE
ONLINE
ONLINE
ONLINE
ONLINE
OK/FAIL
OK/FAIL
OK/FAIL
OK/FAIL
2/0 2/5
FABRIC
ONLY
FABRIC
ACTIVE
OK/FAIL
0/0 0/5
2/0 2/5
1/0 1/5
3/0 3/5
FABRIC
ONLY
FABRIC
ACTIVE
0/0
0/0
TUNNEL
TUNNEL
LINK
LINK
RE-S-1300
RE-S-2000
0/0
1/0 1/5
DPC 40xGE
DPC 4x10GE
DPC 40xGE
DPC 4x10GE
SCB
SCB
OK/FAIL
0/0 0/5
0/0
1/0
1/0
TUNNEL
TUNNEL
TUNNEL
LINK
LINK
LINK
TUNNEL
LINK
3/0 3/5
0/0
0/0
TUNNEL
TUNNEL
LINK
LINK
0/0
0/0
TUNNEL
TUNNEL
LINK
LINK
s
p
Gb
10
1G
bp
s
Earls Court Core
Park Royal Core
MX960
MX960
Juniper
®
NETWO RKS
PEM
0
1
2
3
0
MASTER
1
ONLINE
YELLOW ALARM
NC
FAN
OK
FAIL
OK
FAIL
OK
FAIL
OK
FAIL
OK
FAIL
C
NO
NC
C
OK
FAIL
Juniper
MX960
NO
OFFLINE
RE 0
OK
RED ALARM
ACO/LT
®
NETWO RKS
PEM
0
1
2
3
0
MASTER
1
ONLINE
NC
FAN
RE 0
OK
FAIL
FAIL
OK
OK
FAIL
OK
FAIL
OK
FAIL
OK
FAIL
OK
FAIL
OK
FAIL
OK
FAIL
OK
FAIL
OK
FAIL
OK
FAIL
RED ALARM
C
NO
NC
C
MX960
NO
OFFLINE
RE 1
OK
FAIL
YELLOW ALARM
ACO/LT
OK
FAIL
RE 1
OK
FAIL
OK
FAIL
FAIL
OK
OK
FAIL
OK
FAIL
OK
FAIL
OK
FAIL
FAIL
0
1
2
3
4
5
0
1
2 6
7
8
9
10
11
0
1
2
3
4
5
0
1
2 6
7
8
9
10
11
ONLINE
ONLINE
ONLINE
ONLINE
ONLINE
ONLINE
ONLINE
ONLINE
ONLINE
ONLINE
ONLINE
ONLINE
ONLINE
ONLINE
ONLINE
ONLINE
ONLINE
ONLINE
ONLINE
ONLINE
ONLINE
ONLINE
ONLINE
ONLINE
ONLINE
ONLINE
ONLINE
ONLINE
OK/FAIL
OK/FAIL
DPC 40xGE
DPC 4x10GE
0/0 0/5
SCB
OK/FAIL
2/0 2/5
OK/FAIL
FABRIC
ONLY
FABRIC
ACTIVE
FABRIC
ACTIVE
0/0
TUNNEL
TUNNEL
LINK
LINK
LINK
RE-S-1300
TUNNEL
TUNNEL
LINK
LINK
LINK
0/0
TUNNEL
LINK
1/0 1/5
3/0 3/5
1/0 1/5
3/0 3/5
0/0
1/0
1/0
TUNNEL
TUNNEL
TUNNEL
LINK
LINK
LINK
TUNNEL
LINK
3/0 3/5
0/0
1/0 1/5
RE-S-2000
RE-S-1300
RE-S-2000
0/0
1/0
1/0
TUNNEL
0/0
2/0 2/5
0/0
TUNNEL
LINK
0/0
0/0 0/5
FABRIC
ONLY
FABRIC
ACTIVE
0/0
TUNNEL
3/0 3/5
OK/FAIL
OK/FAIL
2/0 2/5
FABRIC
ONLY
FABRIC
ACTIVE
0/0
1/0 1/5
DPC 40xGE
OK/FAIL
OK/FAIL
0/0 0/5
FABRIC
ONLY
DPC 4x10GE
OK/FAIL
2/0 2/5
SCB
OK/FAIL
OK/FAIL
DPC 40xGE
DPC 4x10GE
DPC 40xGE
DPC 4x10GE
SCB
SCB
OK/FAIL
0/0 0/5
0/0
0/0
TUNNEL
TUNNEL
TUNNEL
LINK
LINK
LINK
TUNNEL
LINK
10Gbps
0/0
0/0
0/0
0/0
TUNNEL
TUNNEL
TUNNEL
TUNNEL
LINK
LINK
LINK
LINK
Aggregated 10Gbps
uplinks supporting L2
& L3 services
Stack 10G
1
1
2
MGMT
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
41
42
43
44
45
46
47
48
45x
46x
47x
48x
Solid ON = Link
Blinking = Activity
45x
46x
47x
48x
Solid ON = Link
Blinking = Activity
2
MGMT
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
41
42
43
44
45
46
47
48
45x
46x
47x
48x
Solid ON = Link
Blinking = Activity
45x
46x
47x
48x
Solid ON = Link
Blinking = Activity
2
STACK NO.
FAN
PSU-I
PSU-I
PSU-E
TM
2
36
37
38
39
40
CONSOLE
Shared Ports
Summit X450e-48p
Stack 10G
1
1
MGMT
Stack 10G
1
1
2
STACK NO.
FAN
PSU-E
48
TM
2
MGMT
36
37
38
39
40
CONSOLE
Shared Ports
Summit X450e-48p
Stack 10G
1
1
2
STACK NO.
FAN
48
2
STACK NO.
FAN
PSU-I
PSU-I
PSU-E
PSU-E
Summit X450e-48p
TM
Extreme Virtual Switch
providing server
aggregation
Shared Ports
CONSOLE
Summit X450e-48p
TM
Shared Ports
Extreme Virtual Switch
providing server
aggregation
CONSOLE
Proposed Access Technology Upgrade
• Replace Existing M10 with Juniper M10i
• Fully resilient chassis (redundant HW) such as;
–
–
–
–
Power Supplies
Cooling fans
Routing Engine (RE)
Forwarding Engine Board (FEB)
• Fully resilient Design/Configuration
– 2 x 1Gbps Nodal loop Interfaces
– 2 x 1Gbps Virtual switch uplinks (initial deployment)
Proposed Access Technology Upgrade
• Replace Existing Extreme S48i aggregation
switch with Juniper EX4200.
• Redundant Power supply
• Virtual Chassis Configuration (max 10)
• 48 port 10/100/1000 capability
• Architecture design based high end core routing
products
– Packet Forwarding Engine
– Routing Engine
Proposed Access Technology Upgrade
•
Fully resilient design\configuration
– Virtual chassis deployment
– Multiple 1Gbps uplinks (resilience)
Existing Design
Proposed Design
Aggregation Point (AP)
Aggregation Point (AP)
1Gbps Nodal Loops
1Gbps Nodal Loop
Fully resilient M10i
(redundant PSU, routing and
forwarding engines)
100Mbps Nodal Loop
Juniper
NETWORKS
3
2
1
0
Ethernet 1000BASE-X SFP
ETHERNET 1000 BASE LX/SX/LH
LINE
STATUS
RX ACTI V ITY
ACTIVITY
LINK
STATUS
0/
TX
RX
ETHERNET 100BASE-TX
Ethernet 1000BASE-X SFP
LINE
STATUS
RX ACTI V ITY
ACTIVITY
LINK
1/
LT
TX
RX
Internet
ETHERNET 1000 BASE LX/SX/LH
STATUS
STATUS
PORT 0
RX
LINK
STAT
US
M10
TM
PORT 1
RX
LINK
NETWORKS
PORT 2
RX
LINK
PORT 3
RX
LINK
Juniper
ETHERNET 1000
BASE-TX
R
P rocessor
ETHERNET 1000
BASE-TX
ETHERNET 100BASE-TX
3
STATUS
PORT 0
RX
LINK
PORT 1
RX
LINK
STAT
US
PORT 2
RX
LINK
PORT 3
RX
LINK
MGMT
LINK
ACT
LINK
ACT
LINK
PIC 0/3
PIC 0/2
PIC 0/1
PIC 0/0
PIC 1/3
PIC 1/2
PIC 1/1
PIC 1/0
2
PICS ON/OFF
0/2
0/1
1
PC CARD
0/0
0/1
AUX/MODEM
MGMT
AUX/MODEM
MGMT
HDD MASTER
RESET
MINOR ALARM
CONSOLE
OFFLINE
PC CARD
0/0
FAIL
JUNIPER NETWORKS LABEL THIS SIDE
PORT 0
CONSOLE
ONLINE
RE-400
MAJOR ALARM
0/2
FAIL
JUNIPER NETWORKS LABEL THIS SIDE
PICS ON/OFF
ACT
0/3
PORT 1
HDD MASTER
RESET
MINOR ALARM
PORT 0
1/
0
RE-400
MAJOR ALARM
0/3
PORT 1
LINK
AUX/MODEM
ACT
0/
CONSOLE
ONLINE
OFFLINE
Resilient 200Mbps Capacity Links
1
50
RT
49
RT
PO MT
MG
PO
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
41
40
42
43
44
45
46
47
48
2Gbps Aggregated
Uplink
CONSOLE
49
EX4200 48 port 10/100/1000
switches (max 10 per stack)
Extreme Networks Summit48si
50
R
1
50
RT
49
RT
PO MT
MG
PO
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
41
40
42
43
44
45
46
47
48
CONSOLE
49
Extreme Networks Summit48si
50
R
2, 5, 10, 100 Service delivery
BT LES service Active Equipment (A end)
Virtual Switch
Point to Point fibre delivered via ‘A’ end and ‘B’
end BT serving exchange
2, 5, 10, 100 & 1000Mbps Service delivery
Sample AP Configuration
BT LES service Active Equipment (A end)
BT LES service Active Equipment (B end)
BT LES service Active Equipment (B end)
Edge Site
Edge Site
1
50
RT
49
RT
PO MT
MG
PO
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
1
POR MT
MG
50
T
POR 49
T
CONSOLE
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
CONSOLE
49
50
Extreme Networks Summit48si
R
49
50
Extreme Networks Summit48si
R
Access Bandwidth Upgrade
• All current 100Mbps nodal loops upgraded to 1Gbps
–
–
–
–
–
–
–
–
–
–
–
–
Merton – Croydon
Merton – Earls Court
Bromley - Croydon
Bromley – Welling
Lewisham - Welling
Welling – Bexleyheath
Romford – Bexleyheath
Romford – Telehouse
Waltham Forest – Camden
Haringey – Camden
Haringey – Barnet
Hayes - Harrow
• Prevent degradation of service in the event of primary loop failure
• Enhanced Traffic Engineering capability
Access Bandwidth Upgrade
Enfield
Barnet
Haringey
Harrow
Waltham
Forest
Romford
Newham
Camden
Park Royal
Tele
House
Hayes
Earls
Court
Welling
Lambeth
Bexley
Heath
Richmond
Lewisham
Merton
Croydon
Core
AP
Bromley
Core Network Node
Aggregation Point
Core 10Gb Links
Nodal Loop 1Gbps
Purley
URL Filtering Platform Enhancements
• Evaluation exercise underway “Squid MkII” vs
Bluecoat 8100.
• Scaled to 2.5Gbps (N+1 resilience total 5Gbps)
• Additional Active/passive F5’s deployed to scale
beyond 2.5Gbps
• Current total filtered traffic 1.5Gbps
• Expect 500Mbps year on year increase
URL Filtering Platform Enhancements
32GB RAM for super fast access to the most frequently accessed cached-objects. Represents a 16x performance benefit over current hardware
2x 1Gbps copper ethernet interfaces.
One facing the internet, the other
facing the user, representing a 10x
performance improvement over
current hardware
2x 4-Core CPU allowing 8
concurrent execution threads/
process to handle users
requests, cache-lookups and
drive the high-performance
XFS file system
4-Core CPU
SQUID
Represents a minimum of 8x
performance benefit over
current hardware
XFS Allocation Groups allow
concurrent (multi-threaded) access to
stored objects.
4-Core CPU
XFS Filesystem
Supports stripe-aligned storage blocks for better RAID performance
Balanced-Trees for fast i-node lookups
Ideal for many small files (typically 25KB)
EXT3 Filesystem for operating
system
Disk 1
Disk 2
Operating System (RAID1)
Mirrrored Disks
Hot-Swappable
Disk 3
Disk 4
Disk 5
Disk 6
Disk 7
Cached Objects (RAID5)
Hot-Swappable
Represents a 4x performance benefit over current hardware
Disk 8
Replacement CPE
•
•
Extreme 24e3/S200 replaced with Juniper J2320
Features
–
–
–
–
•
Forwarding performance IMIX 400Mbps
3DES performance 170Mbps
4 onboard 10/100 ports
3 Physical Interface Card (PIM) slots
ES code
– Combines session state information/next hop forwarding
•
MPLS support fast reroute (resilient fibre services)
Summary
•
•
•
High availability, scalable future proof infrastructure
Low risk implementation/migration
Continued delivery of existing Network Centric services such as;
–
–
–
–
–
–
•
Securestore
Desktop Content Control (DCC)
Campus Monitoring Protection (CMP)
High Definition Video Conferencing (HDVC)
Secure Remote Access (SRA)
Broadband Resilience Service (BRS)
Enhanced distributed functionality – enabling new service developments
such as:
–
–
–
–
Virtual Private LAN Services (VPLS)
Broadcast video
High capacity Resilient Broadband Services
Security Services
Per-User URL Filtering
Stewart Duncan
Technical Manager
Current URL Filtering
• LGfL URL Filtering Service is based
around the NetSweeper Product
• Policies can currently be configured by IP
address and time of day
• Reporting features are available to report
on IP based sessions
What is required?
•Schools and LAs would like to identify end
users for reporting
•Have the ability to setup different policies for
individual users or groups of users
•IT Managers and Head Teachers need the
ability to track URL traffic for an individual
rather than a specific IP address
What are LGfL doing to help?
• LGfL working with Synetrix and Atomwide to
enable the platform to offer Per-User
/Group level Filtering
• Enabling the USO to link with the
NetSweeper Platform
• Allow local management of User Policies
through a web based front-end
Where we are so far
• A trial is currently taking place in various
locations across London
• So far the trial is going well and bugs are
being identified and cleared up
What does it Look like?
The new front end allows configuration of
multiple groups each with a separate policy.
What does it Look like?
Here you can configure which users belong
to which policy within the USO.
What does it Look like?
Users are then prompted to log in when they
run Internet Explorer and try and access the
web.
What does it Look like?
If users try and breach the policy they belong to, the standard
deny page is displayed with details of the Group Name they
belong to.
Summary
• Per User Level Filtering will be available
for Schools and LAs soon.
• It is available from Synetrix
• Support is available on 08700 636465
(option 1) or by email.
• The service will cost:
• £145 setup and £225 per year
SIF
The Schools Interoperability
Framework
Rupert Hay Campbell
Barking and Dagenham
SIF in Barking & Dagenham
Rupert Hay-Campbell
Contents
• What is SIF?
• About Barking & Dagenham
– MIS systems in use
– Data requirements & issues
• SIF in Barking & Dagenham
What is SIF?
• In the UK SIF has developed out of a number of
Government initiatives:
– Harnessing Technology
– School Management Information systems and value for
money
Recommendation 3
That Becta will establish a supplier-independent and open interoperability
architecture to create the opportunity for improved interoperability at the school level
and at the LEA or regional broadband consortium (RBC) level. Additionally Becta’s
interoperability arrangements will draw, to the maximum extent possible, on ongoing
work across Government on interoperability standards.
School Management Information Systems and Value for Money, Becta 2005, p. 4
What is SIF?
• An open standard, launched in the USA in 1997
– Over 300 software vendors, school districts and other
organisations are members
• A standard, not a product
• Standards are developed by the members, not imposed
by a central authority
• Clear governance model
• Certification of products
What is SIF?
• Hub and spoke model of data integration
• Zone Integration Server
– A software application that acts as the hub ensuring that
data is routed to the correct applications
• SIF agent
– A piece of software that connects an application to the ZIS
SIF – Publish/Subscribe model
2. The ZIS works
out which
applications
subscribe to the
data items
Data
SIF
Agent
LA Zone Integration Server
SIF
Agent
LA Main System
1. A change is made to
the data held in a
publishing application
3. The Data is then
sent to the subscribing
applications
SIF
Agent
School
Network
SIF
Agent
SIF
Agent
Catering
System
Data
School MIS
Library
System
SIF – Request/Response
model
1. An application
requests data relating
to an object
SIF
Agent
3. The provider
responds with the
requested data
LA Zone Integration Server
SIF
Agent
LA Main System
SIF
Agent
2. The ZIS identifies
the default provider for
the object and routes
the request
School
Network
SIF
Agent
SIF
Agent
Req.
Catering
System
Data
School MIS
Library
System
What is SIF?
What would a national SIF
infrastructure look like?
• Multiple zones
• Hierarchy of zones
• What happens to school census?
Data challenges
• Large number of data systems in schools and
Children’s Services
• Data systems do not share information
– Inefficient working with large scale re-entry of data, data
errors and inconsistencies
• ContactPoint and LDQT represent significant
challenges
• Learning Platform developments
Further information
Rupert Hay-Campbell
MIS Adviser
Tel: 020 8270 4880
Email: rupert.hay-campbell@lbbd.gov.uk
Web sites:
www.sifinfo.org/uk
http://localauthorities.becta.org.uk/index.php?section=ndi&catcod
e=la_ndi_02
The LGfL USO
Ian Lehmann
Operations Manager
What is USO?
Unified Sign On (USO)
A term used by LGfL to describe an authentication system
where the same username and password is used to gain
access to a wide variety of systems.
In this scenario it is necessary to enter the username and
password once for each service that is accessed.
However, a user can alter his/her password in one place and
have that change propagate to all systems
What is the LGfL USO?
• A database of users within London and the
UK
• A database of users which can be
maintained by nominated contacts in
schools and Local Authorities
• A system for authenticating against LGfL
protected resources both Web
(Shibboleth) and non-web based.
Service access illustration for LGfL USO
User Account holders:
All Users
USO Username
Single Username & Password

LGfL Podcast service
LGfL Weather Station monitoring system
LGfL Premium content
The Digitalbrain portal
Click to Meet video conferencing system
Sophos Anti-Virus update service
Windows Update Services (WSUS)
LGfL Support services and advisory web sites
PAN London Admissions System
Other VLE/MLEs, including:
It’s Learning,
Moodle,
First Class
Uniservity
Adobe Connect web collaboration suite
Atomwide WebScreen
Atomwide Shibboleth enabled Email Filtering
Atomwide VPN Remote Access Services
Synetrix USO Integrated Filtering (UIF)
Synetrix Email Systems’ Email Content Control
Synetrix Remote Secure Access Service
Synetrix E-Safety Service
LGfL MLE (Fronter)
LGfL StaffMail
LGfL LondonMail
LGfL MailProtect

With ADSync and/or LASync options
Access to School LAN ‘Home’ and
‘Shared’ areas, and to applications
authenticated via the local AD
Access to LA AD authenticated
applications inc.:
Capita SIMS Learning Gateway
Service access
illustration for Non
Full-USO User
Account holders:
Digitalbrain Username
For Digitalbrain Service, plus:

LGfL Podcast service
LGfL Weather Station monitoring system
LGfL Premium content
The Digitalbrain portal
LGfL MLE (Fronter)
Fronter Username
For Fronter Service, plus:
USO Username (Staff Only)
For USO/Shibboleth services,
inc.:



With ADSync and/or LASync
Access to School LAN ‘Home’ and
‘Shared’ areas, and to applications
authenticated via the local AD
Access to LA AD-applications inc.:
SIMS Learning Gateway
SharePoint
Corporate Services
Shibboleth-enabled services:
Atomwide/LGfL USO-only Services:
Click to Meet video conferencing system
Sophos Anti-Virus update service
Windows Update Services (WSUS)
LGfL Support services and advisory web sites
PAN London Admissions System
Other VLE/MLEs, including:
It’s Learning, Moodle, First Class, Uniservity
Adobe Connect web collaboration suite
Atomwide WebScreen
Atomwide Shibboleth-enabled Email Filtering
Atomwide VPN Remote Access Services
Synetrix USO Integrated Filtering (UIF)
Synetrix Email Systems’ Email Content Control
Synetrix Remote Secure Access Service
Synetrix E-Safety Service
LGfL StaffMail
LGfL LondonMail
LGfL MailProtect
What other advantages does the
LGfL USO provide?
• The USO provides a school or Local
Authority with one database of users for
authentication against any service.
• The LGfL USO can provide authentication
for the Per User Level Filtering service
offered by NetSweeper.
• The LGfL USO can also be used to
synchronize with the local school or LA
Active Directory system.
What does ADSync Look like?
The LGfL USO ADSync does provide one Username
and Password for all services
How can you get the LGfL USO for
your school or LA?
•Details of the LGfL USO are available from your LA or
LGfL representative
•Alternatively see www.uso.lgfl.net for further information
or contact lgflsupport@atomwide.com
LGfL Managed
Email Services
Brian Durrant
Chief Executive
London Grid for Learning
StaffMail
StaffMail
•
•
•
•
•
•
•
•
For Staff, Governors and Admin
Delivered in conjunction with Atomwide
Dual Hosted (Telehouse and Park Royal)
Fault Tolerant & Resilient
Full Exchange 2007 Functionality
5GB Mailbox Limit
Max 20MB Email Size inc. attachments
Provided ‘free’ to LGfL Schools
StaffMail Features
• Personal and shared calendaring
• Personal and shared address books
• Accessible via:
– MS Outlook
– MS Outlook Web Access
– Outlook Mobile Access (compatible PDA or
m’phone)
• POP3, SMTP, IMAP protocols supported,
and mail forwarding
StaffMail Login Screen
• Access to StaffMail is via LGfL USO
StaffMail Outlook Web Access
StaffMail & MailProtect
• All email scanned for viruses, spam and
inappropriate content by LGfL MailProtect.
• Staff can control spam including access to
spam release, email spam digest
reporting, and email in/out reporting.
StaffMail on-line identity & domains
• By default each user will receive an email
address based upon their USO account name
with a domain name of lgflmail.org
• For example, ‘John Smith’ may receive a USO
user name of jsmit001.318 and an email
address of jsmit001.318@lgflmail.org
• LAs may supply own domain (eg. lbwf.org) and
this may be applied to all users in the LA
• Schools may supply their own domain name
“schoolname.la.sch.uk” and to be applied to all
of the users in the USO in their school
StaffMail Address Books
• Each user may add and delete entries from their
own private address book
• a school staff member will see:
– all staff at their school - only
– all pupils at their school that are using LondonMail
– the LA shared list
• a LA staff member will see:
– school lists of staff
– the LA shared list
LondonMail
LondonMail
• A Microsoft Live@edu service, branded LGfL, offered as
a turn-key solution for use by pupils.
• highly availability web-mail service for curriculum use
• inbound and outbound mail filtering by MicroSoft
• protects against viruses, spam and inappropriate content
• all inbound email also scanned for viruses, spam and
inappropriate content by LGfL MailProtect.
• Exchange Functionality hosted by Microsoft in Dublin
• 5GB Mailbox Limit
• Max 20MB Email Size including Attachments
• Provided ‘free’ to LGfL Schools
LondonMail Features
• Personal and shared calendaring
• Personal address books
• Accounts will be accessible via:
– MS Outlook
– MS Outlook Web Access
– Outlook Mobile Access (compatible PDA or
m’phone)
• POP3, SMTP, IMAP protocols supported,
and mail forwarding
LondonMail Outlook Web Access
LondonMail - identities & domains
• each user is allocated an email address based upon
their existing USO or new USOlite account name
• ‘John Smith’ receives jsmit001.318 and an email address
of jsmit001.318@lgflmail.net
• As a Becta Accredited Internet Services Provider LGfL
supports email address anonymity. As a requirement of
accreditation, LGfL enables LAs and schools to reduce
the risk to pupils by providing by default email addresses
that protect pupils' anonymity
• An LA may choose to supply their own domain (lbwf.org)
and this may be applied to all users in the LA
MailProtect
MailProtect
• Used in conjunction with LGfL StaffMail
and LondonMail services
• MailProtect uses email filtering technology
provided by Email Systems
• Dual Hosted (Telehouse and Park Royal)
• Fault Tolerant & Resilient
Service Documentation
• The most current versions can be found on the
LGfL Support website (http://support.lgfl.net)
• LGfL Managed Microsoft Exchange Email
Service for Staff (StaffMail)
• LGfL Managed Microsoft Exchange Email
Service for Pupils (LondonMail)
• LGfL Email Content Control (MailProtect)
• USO Service Description
• USO Service Datasheet
• USO Service Pricing
Timelines
•
•
•
•
•
•
•
•
020 8255 5555 Support Number – Now!
StaffMail pilot users – 17 March 2008
StaffMail first LA – 31 March 2008
LondonMail test users – 21 April 2008
LondonMail pilot schools – 2 June 2008
LondonMail first LA – 24 July 2008
MailProtect – 17 March 2008
Full Production All Services – 3 September 2008
Migration from @mail
• LGfL @mail will cease service 31.10.08
• Contact lists will be migratable
• If full migration is required, use Synetrix
Email Hosting sync utility
Future
• StaffMail RIM (Blackberry) Access
• LondonMail Shared Contact Lists
Finally….
New
low-cost LGfL
support number
020 82 55 55 55
•
•
•
•
Local call on 020 82 55 55 55
Same as 08700 63 64 65 (but cheaper!)
08700 63 64 65 still operational
Help desk for StaffMail and LondonMail
Services are via Option 3
Microsoft Dublin Data Centre
LondonMail & USO-lite
• LGfL USOlite accounts may be provisioned for certain individual
services, such as LGfL LondonMail. Where these have been
provisioned, the account is restricted for use only with those
designated services
• In the event of non USO account holders subscribing to multiple
services that are supplied complete with a USOlite account, then the
user may be able to use the same credentials for each service.
USOlite accounts cannot access LGfL Shibboleth services such as
Premium Content
• Should a user’s account be upgraded from USOlite to a full USO
account as part of a school or LA USO purchase, the user will be
able to retain their ‘-lite’ on line identity, with its functionality simply
being upgraded automatically as part of the process
• USOlite accounts cannot be upgraded individually
Microsoft’s European Mega Data
Centre at Grange Castle, Dublin
• Previous slide -Rendering of the finished
data centre
• £250 million mostly automated plant
• Total building footprint - 570,000 square
feet
• 18.9 acre site
Similar Microsoft Data Centre
under Construction
Mobile Learning Devices
Paul Whiteman
Merton
Which Mobile
Device?
Paul Whiteman
LB Merton
Is it really mobile?
Who is going to carry it ?
Can we afford them?
Can we afford to
replace them?
Are they insured?
Value for money?
Buy or lease?
How long do the
batteries last?
How long to recharge?
Will it survive the odd knock?
Is it compatible with other
systems in the school?
How easy are they going to
be to support?
How desirable is it?
Will I find them on
sale at the local?
Who owns the
equipment?
Who pays for it?
Is your solution future proof?
The London MLE
(Fronter 81)
Antony Moore
Fronter
SRF and Technician’s
Richard Allen
Becta
SRF for Technicians
London Technicians Conference
17th March 2008
By Richard Allen
Consultant – Learning Services
How are you doing?
• You’ve reduced the number of printer errors by
upgrading printer drivers / replacing printers/
ensuring all same type of printers used / stopped
people printing huge graphics
• ……. And so on
• At which point does your audience stop listening
to you explaining all the great stuff you’ve done
with drivers, software, networks, computers?
• Why – because they don’t get excited about
computer stuff (no really they don’t!!!)
How to promote the good
work you do
• Tell your customers the impact it has on them
• Inform your school leaders about the benefits in the
classroom
• Show how improved ICT availability is increasing
user confidence
• Demonstrate how enthusiastic the students are to
learn when using ICT
• The best way to tell them – get them to tell you!
School staff understand
assessments
• Use an environment familiar to your customers
• Ask them to assess the use of ICT using the self
review framework to show how the school is doing
• Use the technical support assessment to check on
how you are doing with ICT support
• Together you could achieve ICT Mark
What is it all about?
“The self-review framework isn’t just
about ICT and, interestingly, that is a
key factor of its success. It focuses the
mind on the whole spectrum of school
development.”
Steve Gater – Headteacher, Walker Technology College, Newcastle
Self-review framework
A jointly developed framework of standards describing
progression through a model of institutional maturity in
the use of ICT.
ICT Mark
An agreed set of standards, within the selfreview framework, indicating that technology
is being harnessed effectively and efficiently.
A maturity model for developing good ICT……
Self-review
framework
Mature
Some schools
will be here
Where
are you?
Systematic
All good schools
should be here
The self-review
framework is a
maturity model. It
describes stages of
development across
8 elements.
15% - 20%
Strategic
Where
are you?
Implementing
Developing
……using self-review to track progress
The self-review elements working together
The curriculum
Impact on the
Learner
Learning and
teaching
Professional development
(People resource)
Assessment
Resources
Extending
opportunities for
learning
..rather than actions changing
the learning environment.
Schools tend to focus actions
on staff and resources….
Leadership and management
Actions supported by the leadership team determine improvement outcomes
Self-review - people planning
improvement
• Review practice not technology
• Focus on evaluating whole school
improvement not auditing technology
implementation
• Review your actions and progress as well as
practice
• Use review to establish a consensus involving:
–All staff
–Pupils' views and insights
–Other stakeholders
Element 7; Resources – the strands
• 7a. Provision
– 7a-1 Physical environments
– 7a-2 Sufficiency and suitability of resources
– 7a-3 Digital learning resources
• 7b. Access
– 7b-1 ICT supporting efficient working practices
– 7b-2 Technical support
• 7c. Management
– 7c-1 Procurement
– 7c-2 Evaluation of ICT resources
Commentary - improvement across all elements
Example - 7a-2
Element 7
Strand a)
Aspect 2
– Resources
– Provision
– Sufficiency of provision
L3
There are enough ICT
resources to make a
contribution to the current
practice in learning, teaching
and school organisation.
L3
Might link to learning and teaching
(element 3) commentary
L2
Commentary might also describe
improvement and link to impact on
pupil outcomes (element 8)
The school is well equipped
L2 with a good range of ICT
resources and these are
sufficient to make a
significant impact on learning,
teaching and school
organisation.
The self-review framework..
“…. has enabled all the staff, not just the
ICT specialists, to understand where we
are going strategically. It has brought us
together and consolidated the whole vision
for the school.”
Roger Whittall – Headteacher, Westwood School
Some Useful Becta Tools
• Self Review Framework
• Investment Planner (TCO)
• Functional and Technical Specs
• Framework Agreements
• FITS
• SIFA and UK Federation
Self-review benefits and outcomes
• Where are you in your whole school improvement
and ICT development
• How does your school compare with others
• What are your schools aspirations
• What does good look like in your school
• How will your school progress further
• What actions will prioritise
• Where might your school need support
Ofsted success for ICT Mark schools
Schools accredited with the ICT Mark are considerably more
likely to be rated ‘outstanding’ in all five measures.
More specifically, ICT Mark accredited schools are:
• Four times more likely to be rated as ‘outstanding’ in the
Overall effectiveness of the school category
(ICT Mark schools: 40%, national primary: 9%, national secondary: 10%)
• Three times more likely to be rated as ‘outstanding’ in the
Achievement and standards category
(ICT Mark schools: 31%, national primary: 8%, national secondary: 9%)
• Three times more likely to be rated as ‘outstanding’ in the
Leadership and management category
(ICT Mark schools: 42%, national primary: 11%, national secondary: 12%)
• Four times more likely to be rated as ‘outstanding’ in the
Teaching and learning category
(ICT Mark schools: 29%, national primary: 7%, national secondary: 5%)
Ofsted reports on ICT Mark schools
The large majority of Ofsted reports on ICT Mark schools
contain positive comments in relation to a number of ICT
areas, including:
• Use of interactive whiteboards;
• Development of pupils ICT skills;
• The use of ICT to raise attainment;
• Investment and level of ICT resources;
• Planning, assessment and pupil profiling using ICT;
• Teachers ICT skills;
• ICT raising pupil confidence; and
• ICT leading to involvement in community events.
Vision and aspirations
What are your aspirations for how technology
might be used to support wider school aims and
learning environment.
• Classroom and teaching strategies
• Curriculum development
• Assessment for learning
• Extending opportunities for learning
• Parental engagement
Celebrate success
Enables schools to recognise and celebrate
their successes.
When a school feels secure in its judgement that it has reached
the nationally agreed standards in all the aspects of the
framework, it may choose to apply for the ICT Mark.
To gain the ICT Mark the school requests a visit from an
accredited assessor, who will validate the school’s selfevaluation.
The ICT Excellence Awards offer further
recognition for schools that demonstrate evidence of
excellent practice above and beyond the levels of the ICT Mark.
Informs other schools and organisations that you are a potential
partner for extending opportunities for learning through
technology
Assessments, SRF and FITS links
• http://matrix.becta.org.uk
• http://schools.becta.org.uk/index.php?section=
srf
• http://www.becta.org.uk/fits
Register your results and be recognised
Thank you
richard.allen@becta.org.uk
BSF
Anne Casey
BSF ICT
Anne Casey
anne.casey@partnershipsforschools.org.uk
What we will cover in this session
• Fundamental facts of ICT in BSF
• What elements to consider as part of a managed
service
• How the ICT funding is allocated
• How much input the schools have
What we wont cover in this session
• The specific ICT elements for your school
• The procurement process
• The scope of your school/LA managed service
The Golden Thread
SfC
1
ICT Vision
& Strategy
SfC
ICT
Output
ICT Vision
2
ICT Vision
OBC
& Strategy
Spec
& Strategy
And the ICT?
What is a Managed Service?
At its simplest a Managed Service consists of a
single contract designed to deliver all ICT systems
and services.
This comprises provision of and support for:





Learning Platform including MIS, VLE and learning content
Wide area network – probably linking to the LA’s broadband service
Institutional infrastructure (School LAN)
All users’ equipment: access devices; peripherals, etc.
Network services: user account management; e-mail; back-up;
virus protection; Internet filtering and/or monitoring; curriculum
software servers; video-conferencing; etc
And…..
 Anywhere, anytime access for all users
 Integration of legacy hardware and software
 Change management: operational training; pedagogical
training
 ICT for school administration
 Helpdesk
 Technical support
 Refresh and sustainability
 Local choice
ICT Output Specification & OBC
•e.g. the facility for
visually impaired
students to be able to
access their personal,
adapted profile from
whatever user device
they may choose to
use at any location
Output specification.
• Design and Installation Requirements (Learning
platform, infrastructure and equipment)
• Transition and Implementation Requirements
• Operational Requirements
• Finance and Management Requirements
The ICT Supply Chain – how it works
ICT Output Specification
inc. Local Choice Fund
LEP Bidding Consortium inc. Construction, FM, F&E, ICT
ICT Partner / key supplier
Active network kit
Services – AV, email
VLE
MIS
central provision
Computer hardware
Peripheral devices
Specialist hardware
Curriculum software
Tech Support
Training
some school choice
full school choice
How is a Managed Service financed?
 BSF capital: £225 per pupil place for passive network
infrastructure
 BSF capital: £1450 per pupil place for equipment, software and
services
This is a way of describing the overall ICT funding envelope.
It is NOT an allocation formula for schools.
 School revenue: annual contribution for the 5-year life of the
ICT contract to fund on-going maintenance of the ICT managed
service: ‘extra’ elements of local choice funds; the refresh pot;
training.
What we advise LAs to do.
• Ensure schools understand scope of managed
services
• Ensure schools understand current TCO
• Engage all technical staff in discussions
• Engage all relevant staff in development of the output
specification
• Ensure current staffing position and levels of service
are understood
e-Safety
Helen Warner
Kensington and Chelsea
LGfL supporting e-safety
Helen Warner
Royal Borough of Kensington and Chelsea
ICT Support Service
• A class of 9 year olds are in the ICT suite.
The teacher gives them a research topic
‘Thailand’. Salil calls the teacher over to
tell her that the search results include a
link ‘adult sex’, he is told “Don’t click the
link” and the teacher then moves away to
talk to another group of children elsewhere
in the classroom.
• Darren, a young Australian teacher, has
his own MySpace area and has posted
pictures of himself, his friends and lots of
details of his life. There’s a video clip of
him in Lanzarotte, very drunk, having fun.
Some of his pupils have found it.
• A very high number of pupils have their
own MSN Messenger accounts and brag
about how many ‘friends’ they have. You
overhear one of the particularly brash Y9
girls bragging about her ‘older boyfriend’,
who she plans to meet.
http://www.esafety.lgfl.net/
Education Programme
• Penelope, Head of Maths, has emailed
some pupil reports to her hotmail account
so she can finish at home.
Alan, a science teacher, has been
using his open Blog to share his views
about education, his school and the
school’s leadership.
A teacher tells her technician she
is upset because a pupil has
posted a rude message on a
Forum in the London MLE and
asks him which child it was
because she doesn’t know.
Policy Resources
•Policy separated into sections and
includes specific references for child
protection and anti-bullying policies
Acceptable Use Policies
• Mr Jones reports that a student has a
pornographic image on his screen. The
student says the “image just appeared and
it’s the first time it’s happened”.
• A 14 year old boy has taken his own life.
There is an allegation of bullying and that
the pupil had used websites that openly
support suicide.
LGfL URL filtering
• Based around the NetSweeper filtering system
• Provides 4 levels of filtering
–
–
–
–
Blocks all illegal content on the
Internet Watch Foundation blacklist
Global Deny list - contains other URLs deemed to be
entirely unsuitable for access within LGfL network
Category database - categorises URLs and blocks by
category
Local Deny list - allows blocking of individual URLs
Local Allow list - allows access to an otherwise
blocked URL
LGfL monitoring reports
URL logging
• Every request made through the URL filtering service is
logged, including:
–
–
–
–
–
Date and time
IP address of the user
URL details
Category of the URL
Whether it was blocked or allowed
• All logs are kept for a minimum of 3 months and are
fully searchable
• Logs are stored unprocessed, for forensic purposes
• Forensic software also available – contact Synetrix
NetSweeper Reporter Wizard
• John, the technician finds evidence of a member
of support staff gaining access to some
pornographic videos. He tells the Deputy, Keith,
who says, which computer? “Lets have a look”.
Keith takes a look and agrees. They suspect its
Danny, who’s part-time and wait until he’s in to
challenge him. He denies all knowledge and
then accuses the Deputy of harassing him.
Danny has never signed an Acceptable Use
Policy form.
Possible incident procedure in case of
illegal content
1. Inform Head / senior leader and start an incident log.
All staff must report back to the member of SMT who
updates the incident log at each stage.
2. Don’t use the equipment. Photograph, bag and secure it –
witness by 2 people from SMT.
Suspend user’s network / computer access.
3. SMT decide if sufficient initial evidence / doubt to suspend
member of staff pending investigation.
Possible incident procedure in case of
illegal content cont:
4. Link computer name to IP address on LAN.
If auditing enabled on server, link username to computer.
Request Internet logs from Synetrix.
SMT inform LA – eSafety officer (Personnel) etc.
Gather evidence e.g. screen prints if have Forensic software,
AUP form, CCTV footage, timetable, etc.
5. SMT decide whether to involve a Third Party Forensic firm.
Start disciplinary action if necessary.
In case of Child Pornography – immediately inform Police.
0808 100 00 40 at:
http://www.met.police.uk/childpornography/index.htm
Useful Online Resources
Penny Patterson
and
Gary Jelks
Useful Online Resources
Penny Patterson
and
Gary Jelks
How would you use?
• School network
• Standalone in school
• At home only
http://www.tech.lgfl.net
http://audacity.sourceforge.net/
http://filehippo.com/download_hij
ackthis/
http://free.grisoft.com
http://housecall.trendmicro.com
http://www.edugeek.net/
http://www.intravnews.com/
http://www.lavasoft.com
http://www.microsoft.com/technet
/sysinternals/FileAndDisk/PsTool
s.mspx
http://www.netstumbler.com
http://www.roboform.com
http://www.safer-networking.org
Social networking
•
•
•
•
Facebook
MySpace
Bebo
Piczo
http://www.skype.com
http://www.thinkfree.com
http://www.youtube.com
http://www.lgfl.net/lgfl/accounts/te
chsupport/techconf/menu/
ICT Technician’s Update
Conference
17 March 2008
Download