At the start of the month the government published a guide on choosing the right broadband for your school (you can click here to read it).
The principles are good, and in no way controversial: the connection should be stable, suitable for the user load, offer a good level of performance, provide high uptime and be future proofed to support an increasing cloud based environment.
The DfE guide has clearly been written to be accessible to senior leaders who lack any technical experience. However, I do fear that some of the simplifications risk overlooking some of the best connectivity practices that are out there in modern British schools and muddy the issue around monitoring and filtering.
I wrote this blog post to discuss some of these options and issues in the hopes that it will highlight the need for a deeper discussion, and more thorough advice, on the best connectivity solutions for schools, particularly with a focus on the potential of dark fibre connections, wireless links between schools and the use of firewalls in safeguarding.
Dark Fibre
The DfE guide outlines Fibre to the Premises (FTTP) to your ISP as the gold standard of connectivity. However, the idea of setting up private Wide Area Networks, to share an internet connection between schools using previously unused dark fibre, is overlooked.
Dark fibre is fibre optic cable that is placed in the ground, left unused, and is just waiting for someone to lease it (and literally ‘light it up’) to create direct network connections between different physical buildings. Providers such as CityFibre have miles of dark fibre running under cities and extensive lines running throughout the UK. If schools work together they can lease dark fibre to network themselves to each other and create their own, low cost, Wide Area Networks.
These lines, in themselves, carry no internet. However, as long as one school in the network sets up an internet breakout (i.e. a dedicated fibre line to an internet service provider) and has a firewall in the setup to handle monitoring and filtering, then every school can share that connection over their private WAN. This offers huge economies of scale for groups of schools, and MATs, who can take advantage of a single high quality internet connection and share it between multiple schools at a fraction of the cost (rather than pay for one connection for each school).
To illustrate, in the Sidney Stringer Multi-Academy Trust we have set up our WAN as below:
This involves a 1Gbps symmetrical internet connection coming into Sidney Stringer Academy which is filtered and monitored by a Smoothwall S10 sitting between the internet connection and the core switch. All other schools are then connected to our core switch via leased fibre lines running between Sidney Stringer Academy and the other Academies.
The advantages are:
- Economies of scale – A group of schools can share one high capacity internet line (usually a symmetrical 1Gbps connection) which means that multiple schools only need to pay for one internet connection. The leased fibre lines running between schools are significantly cheaper than putting a separate line into each school.
- Shared On Premises Hosting – While cloud hosting is an ideal, in some cases it is not practical or more cost effective in practice (e.g. printing servers, cashless catering systems, some MIS systems such as CAPITA SIMS). By sharing fibre optic lines between schools, the different schools can work together to run only one data centre for their server load. This means you don’t need each school to have its own separate data centre with all the associated costs of cooling, power and buying the hardware to go into the room!
- Quality of access (especially for primary schools) – A primary school could not afford its own symmetrical 1Gbps connection. By pooling with other schools, on the same WAN, the quality of internet access that a primary school receives will be the same as a large secondary school. All users on the WAN will receive the same quality of connectivity.
- Allows Multi Academy Trusts to run multiple sites as one school – If the schools are part of a centralised IT Team within a MAT then establishing point to point links between schools, and centralising IT services, means that multiple schools can be run and managed as if they were a single large school. This provides better management, quality of service and standardisation. For example, as the diagram above shows, there is one firewall to configure and set up for the MAT rather than one for each of the five schools.
Wireless WAN Cost Savings
Where topography allows, schools can be joined together with an over the air milliwave connection rather than leasing fibre optic cable. In many ways this model is identical to the dark fibre network above. The only difference is that the connections between schools are wireless and not wired.
In this model, a milliwave dish is configured and placed on one school, with the internet breakout, and connected to the core switch at the school. Then a second dish is fitted to the second school without an internet breakout and plugged into their core switch. Both schools can benefit from sharing one internet connection over a line of sight wireless link but only one internet connection needs to be paid for. Moreover, if the internet breakout school has a firewall both schools can share their monitoring and filtering solution. The model below illustrates how four schools could set up dishes to share one internet breakout and firewall that is hosted in school 1.
For those unfamiliar with the technology it does sound scary. However, many trusts have already had this system in operation for years. The Dixons Multi-Academy Trust in Bradford is a good example.
Before trying this, there is some critical advice you should take notice of:
- Overspec your connectivity – In real world conditions wireless connections never operate at their theoretical maximum speed. Therefore if you are looking to establish an over the air link of 1Gbps start looking at 2.5Gbps equipment. If you are looking for a good guide to look over hardware then https://wifigear.co.uk/ provides a good range and selection to help you start your research.
- Line of sight is critical – You must ensure that you can see the site you are connecting to in order to establish a connection and that the connection is well within the distance limits of your devices. Of course there’s no substitute for a good pair of binoculars to test for line of sight! However, a good tool for initial feasibility checks is https://www.solwise.co.uk/wireless-elevationtool.html. This site will show where topography provides a feasible line of sight connection between two locations. However, it won’t tell you if there are buildings or planning projects that are likely to block your links. For that, read the next point!
- Ask the experts – I cannot stress this last point enough! The technology that facilitates this level of wireless connectivity is relatively new. Also, you need an expert to see if there is a new building project that is likely to pop up in the next few years and block your connection. Contacting experts in the field, for example Haptic or Boundless Networks, who can offer advice and supervise installation is critical for any mission critical network links. There are many areas where new developments and demolitions make this connectivity work unsuitable so it is worth checking with experts before you start putting anything on your roof!
The advantages of this model are the same as a fibre connection with one key benefit. There are low to zero running costs for linking schools. Once the wireless links are established there is no rental cost on maintaining links between schools.
What about the firewall?
Under the ‘Safe and secure connectivity’ section of the DfE article we are told that a good broadband service will provide good monitoring, filtering and alerting for critical risks. However, in my experience, the firewall is rarely hosted on the provider’s end unless you have a specialist education broadband provider. Moreover, there is an unspoken expectation that, for any meaningful level of filtering and active monitoring, schools (or groups of schools) will host their own firewall as a physical unit on site and maintain it to a standard they deem to be suitable for safeguarding.
We’re now in the age of excellent cloud based monitoring and filtering products that can undertake many of these responsibilities (Securly being a great example). It is definitely worth a debate over whether a cloud hosted filtering and monitoring solution may be more suitable for your circumstances. Moreover, many education focused services (such as South West Grid For Learning or London Grid for Learning) offer a hosted firewall as part of their education focused internet service packages.
However, I strongly believe that schools and MATs need to be a bit savvy themselves when it comes to managing internet filtering and monitoring. In my travels, I have seen older third party monitoring systems in schools and even hosted by third party education broadband providers (mostly those operated by local councils) that do not monitor or inspect suspicious searches made on Google over HTTPS but will still alert you if anyone fires up a Napster client from 2001! In 2019…that’s not very helpful! However, school leaders need to be informed enough to make sensible choices about the solutions that they pay for.
The DfE guide suggests that monitoring, filtering and alerting is required but that filtering should not be overly restrictive. However, going beyond this, there is more core advice I would recommend to schools when searching for a monitoring and filtering solution. From a safeguarding perspective, it is important for schools and MATs to really grapple with the level of monitoring and filtering that is required in the modern world:
- In 2019 Layer 7 Inspection and Deep Inspection is critical – While this sounds very nerdy, schools and particularly safeguarding leads need to understand that most web traffic is sent in an encrypted form (by default) and it can therefore be difficult for older inspection systems to see the content of web searches. I would never suggest that safeguarding leads need to know how private and public keys work – or even hear the term HTTPS! However, they need to know that the modern encrypted internet is hard to inspect and monitor by default. This potentially means that every Google search, eBay search or Amazon search is encrypted and cannot be monitored unless you have a solution, sat in the middle, that provides layer 7 packet inspection. Not all monitoring solutions, especially third party and local authority solutions, provide this level of inspection. In my experience of monitoring a MAT Firewall, when there have been issues requiring safeguarding investigation, in the majority of cases it is because of a suspicious search term being entered into Google, Bing, eBay or Amazon. Layer 7 Analysis and Deep Packet Inspection is a must for any meaningful monitoring solution that is going to protect children online.
- Who does the monitoring? – In the DfE guide it states that the internet should be monitored. However, the biggest question to be answered here is who does the monitoring? Does the provider offer this service or does the school take responsibility for its own firewall/Securly subscription? This needs to be clearly defined and carried into policy for monitoring to be effective. Without clear procedures for checking suspicious accesses/searches there are likely to be mistakes. If you are relying on a third party agent to inform you about any monitoring issues you need a way to quality assure that they are not missing suspicious searches. Perhaps carry out a few on controlled test accounts and see if they report back! Better yet, consider a firewall solution where you can get daily reports to go through yourself. In the Sidney Stringer MAT having a centralised and single Smoothwall S10 has been excellent for this!
- How do we make the internet not restrictive? – The DfE guide rightly states that the internet should not be too restrictive. However, this is a difficult balance to achieve. In reality, everyone wants those dodgy VPN apps to be blocked (so that students are not bypassing filtering by putting their entire internet traffic in the hands of a total stranger). However, a lot of those apps try to masquerade as legitimate services. Sure, you can block all direct IP connections over HTTP and HTTPS, block the common service providers, common URL patterns etc. etc. – Eventually you’ll get the balance right. However, it’s a tough balance to strike in reality. There needs to be more clearly defined advice about how to do this. The DfE could offer further advice by publishing detailed advice on getting the balance between access and filtering correct.
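As an added illustration (not part of the original post and not any vendor's product), the sketch below shows what a filter log can and cannot see with and without HTTPS inspection, and automates the controlled test account check suggested above. The log format, account names and search phrases are constructed for the example, and the query parameter names are assumptions about the search sites.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Constructed sample log in a made-up "user method target" format.
# A CONNECT line is all a filter records for HTTPS when it does not decrypt;
# a GET line with a full https:// URL is what an inspecting proxy can record.
SAMPLE_LOG = """\
test-pupil1 CONNECT www.google.com:443
test-pupil2 GET https://www.google.com/search?q=canary+phrase+alpha
test-pupil2 GET https://www.bing.com/search?q=canary+phrase+bravo
pupil77 CONNECT 203.0.113.25:443
pupil78 GET https://www.ebay.co.uk/sch/i.html?_nkw=school+shoes
"""

# Assumed query-string keys: Google/Bing ("q"), eBay ("_nkw"), Amazon ("k").
SEARCH_PARAMS = ("q", "_nkw", "k")


def parse_line(line):
    """Return user, host, search (None when the URL is hidden) and direct_ip."""
    user, method, target = line.split()
    if method == "CONNECT":  # encrypted tunnel: only host and port are visible
        host, search = target.rsplit(":", 1)[0].strip("[]"), None
    else:
        url = urlsplit(target)
        host = url.hostname
        params = parse_qs(url.query)
        search = next((params[p][0] for p in SEARCH_PARAMS if p in params), None)
    try:
        ipaddress.ip_address(host)  # host is a literal IP, not a domain name
        direct_ip = True
    except ValueError:
        direct_ip = False
    return {"user": user, "host": host, "search": search, "direct_ip": direct_ip}


def missed_canaries(log_text, canaries):
    """Return the (user, phrase) test searches that never appear in the log."""
    records = map(parse_line, log_text.splitlines())
    seen = {(r["user"], r["search"]) for r in records if r["search"]}
    return sorted(set(canaries) - seen)


def direct_ip_users(log_text):
    """Return accounts that connected straight to an IP address."""
    return sorted(r["user"] for r in map(parse_line, log_text.splitlines()) if r["direct_ip"])
```

An empty result from `missed_canaries` means every test search was captured; anything it returns is a search the monitoring never saw, which is the gap to raise with whoever runs the filter.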
Recommendations
If the DfE is passionate about providing the best broadband advice for schools, which is great to see, there needs to be a bit more work in the following areas:
- Published case studies on how schools have utilised dark fibre to set up their own cost saving Wide Area Networks that share one powerful internet connection. There should be advice on how to go about setting up these networks. This is, in my experience, the most powerful way to increase connectivity and provide cost savings for schools and MATs. It is also the best way to provide high levels of internet connectivity to schools with lower budgets or smaller primary schools.
- Published case studies and guides on how to establish high quality wireless links over a long distance to provide cost savings on connectivity in MATs and groups of schools.
- Recommending schools check whether their monitoring and filtering solutions have layer 7 inspection and can monitor encrypted search terms.
- Publish detailed technical case studies on how to achieve a balance between safe filtering and a good quality of internet access.
To conclude
It is great in the Ed Tech community to see the DfE taking a lead and offering schools advice on how to get the most out of their internet connectivity and working towards a cloud first IT environment. It is certainly refreshing and should be celebrated! However, there is clearly a lot more work needed to get case studies out there, and clear advice, that showcases the best connectivity practices for schools, the best cost saving practices for MATs, and clear advice to get the best broadband, monitoring and filtering solutions into all UK schools.
Andrew Walls