After reading a comment to Dave Warlick’s blog on wifi access in schools, I had to respond with a comment of my own.
If you are a teacher in a school district and your IT staff says they can’t secure WIFI access, you need to start asking questions. Wifi access can be made relatively secure.
(From my comment:)
1. Turn off the broadcast SSID, this stops the wireless from showing up when someone opens their laptop. (Security by obscurity isn’t the best, but it’s a start!)
2. Turn on WPA encryption.
3. Put the wireless on their own VLAN where it doesn’t have access to internal resources. You can combine this with VPN access so authenticated users can access the internal network. This step requires some knowledge to set up.
Just as a network administrator must take the steps to secure wired access, steps must also be taken with the wireless network.


If you’re going to have widely available WIFI in the schools, isn’t it important to make it easy for people to use it? While not broadcasting the SSID and using WPA are about as good as you can get from a security perspective, it also makes it really difficult for one of your users to connect to the wireless network.
I prefer the approach of keeping the wireless network open. Broadcast the SSID and leave the access points totally open. Then, put that vlan behind a firewall that (a) requires authentication, (b) only allows web and dns traffic, and (c) forces transparent proxying and logs the hell out of everything.
So… An authorized user (any student or staff member with a network account) fires up any wireless device in my high school cafeteria. It won’t do anything except web browsing. If they’re not logged in, it redirects them to a login page. Once they’ve logged in, they can get filtered Internet access from that device for up to 24 hours. If they log in on another device, it logs them off from the first one. It provides access, but it also locks them down.
Of course, the down side is that you can’t protect the wireless users from *each other*, but it will do a pretty good job of protecting your network from malicious wireless use.
Regarding the ability of IT staff to secure wireless devices, I can see some people making a case for that. My network only has a total of nine managed switches in 22 wiring closets. The vast majority of the infrastructure is unmanaged. So to just put a wireless device on a different vlan isn’t always a reasonable option.
I think the problem is complicated by the old Airports. When they came out, people just connected them and ran with it, without thinking about security. Now that we have a past practice established, it’s hard to go back and say, “it’s not quite that easy.”
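The firewall policy described in the comment above, modelled in Python as an added example that is not part of the original post or comment and is not the commenter's actual configuration. The port numbers standing in for "web and dns", DNS being allowed before login, and all class, method and verdict names are assumptions.

```python
SESSION_TTL = 24 * 60 * 60            # "up to 24 hours" per login
WEB = {("tcp", 80), ("tcp", 443)}     # assumed port mapping for "web"
DNS = {("udp", 53), ("tcp", 53)}      # assumed port mapping for "dns"


class PortalPolicy:
    """Toy decision model of the firewall in front of the open wireless VLAN."""

    def __init__(self):
        self.sessions = {}   # username -> (device MAC, expiry timestamp)
        self.log = []        # every decision is recorded

    def login(self, user, mac, now):
        # One device per account: a new login replaces the old session,
        # which logs the first device off. A shared device likewise
        # drops whoever was logged in on it before.
        for other, (m, _) in list(self.sessions.items()):
            if m == mac and other != user:
                del self.sessions[other]
        self.sessions[user] = (mac, now + SESSION_TTL)

    def user_for(self, mac, now):
        # Return the account logged in on this device, expiring old sessions.
        for user, (m, expiry) in list(self.sessions.items()):
            if expiry <= now:
                del self.sessions[user]      # session ran out
            elif m == mac:
                return user
        return None

    def decide(self, mac, proto, dport, now):
        user = self.user_for(mac, now)
        if (proto, dport) in DNS:
            verdict = "ALLOW"        # assumption: DNS works before login
        elif (proto, dport) not in WEB:
            verdict = "DROP"         # nothing except web browsing
        elif user is None:
            verdict = "REDIRECT"     # send to the login page
        else:
            verdict = "PROXY"        # filtered via the transparent proxy
        self.log.append((now, mac, user, proto, dport, verdict))
        return verdict
```

Sessions here are keyed to a MAC address, which any client on an open network can observe and copy, so the log ties traffic to a device address rather than proving who was at the keyboard.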
[...] This started a discussion of wireless networks in schools, and Brian Crosby picked up on it. He commented that school IT departments frown on wireless access because it’s hard to secure. Ryan Collins explained how easy it is to secure wireless devices by not broadcasting SSIDs and using WPA encryption. I chimed in on Ryan’s blog about how that would make it difficult (impossible?) for users to connect their own devices to the wireless network. [...]