Web Informant #285, 26 April 2002:
Learning from my students on network security products
As a beginning high school teacher, this year I have found
that you have to take advantage of those "teaching moments."
These are unfortunately (at least, for me) those rare times
when you actually penetrate your students' minds and get
across some significant but hard to understand piece of
information that can explain something you were trying to
dance around for hours, days, or even weeks earlier.
Sometimes it is called an "aha" -- as when the lights go on
and the student suddenly sits up and pays attention to what
you are saying. I look forward to these moments: They make
the whole teaching experience worthwhile for me.
Well, we teachers have our moments too, when we finally learn
something from our students. And the biggest moments for me
have been dealing with the failure of a couple of network
security products. Let me explain.
I began my school year with many of my kids clamoring to try
to hack into their own networks, asking me to help them use
the same kind of tools that the "real" hackers run every day
out on the big, bad Internet. So, latching onto their interest,
I tried to accommodate them, showing them how to use
Ethereal, nmap, netcat and the like, but that didn't work. My
kids didn't want to take the time to muck around with a bunch
of obscure command-line parameters and watch these port
scanners work their way through ten thousand ports and
zillions of IP addresses: They wanted to sniff out their
friends' (and enemies') network and AOL passwords.
So it is somewhat ironic that while I began this year testing
network security, the moments when I have gotten my own
"ahas" have been in the same area. The twist is that I have
learned more from the failures of products than from the
usual hacker tools.
The security failures that I observed were much more prosaic
and have close parallels to the failures of these products
that you would observe in the ordinary workplace. I am
talking about establishing encrypted e-mail and virtual
private network (VPN) tunnels. Both are products that are
very desirable but are still very hard to implement.
Last fall I took a few of the students aside and had them try
to get Pretty Good Privacy working among us to encrypt our
e-mail traffic. Well, the project fell flat on its face. A few
of the kids got PGP installed on their home computers. But
then when they tried to transfer the keys to the school
computers, they ran into problems. The whole key
infrastructure thing bogged down, and I never could find the
time to debug things or set it up properly to really get
everything working. It might have been our school's firewall,
or the way we lock down the lab computers using Fortress to
keep the kids from messing up their configuration. It might
have been me, even though I have used PGP in the past
successfully.
The real reason, though, is this: We could communicate just
fine with unencrypted e-mail (which is how I send their
homework assignments out), so why bother with all the
security anyway? As I said, this mirrors the state of
encrypted e-mail in the corporate world all too well.
My latest teaching moment was this spring. I have been trying
to set up a VPN between my home network and a student's.
Again, another failure. The idea here was to have each
student be able to view a bunch of shared documents on my
home network, just as they would connect to a local file
server, but across the Internet. That is the nice thing about
having a VPN and something that is desirable in corporate
applications, as well.
To make things easier, we began this experiment by using a
matched pair of Linksys EtherFast model BEFVP41 routers. They
are remarkably easy to install: You just plug one into your
cable modem and attach your computers to its switched hub
ports. They are remarkably hard to configure properly, though,
and configuration is done through a series of Web-based
screens. When I saw the screens, I thought that my students
would take to them like ducks to water. No fussy and obscure
command-line parameters! Finally, something that could speak
their language. Well, I was partly right.
But so far two of my better students have brought home the
routers and we've had no luck getting connected to each
other's home networks. I know the product works: I spent an
hour with one of Linksys' technical support folks and we got
our tunnel up and running just fine. But the product isn't
really ready for corporate use or even student use. It isn't
because my kids aren't sharp; they are. It isn't because they
aren't motivated to tinker with the product and get it
working; they tinker with tons of stuff on their computers
every night, probably too much, to the concern of their
parents. It is just that the Linksys routers have too many
knobs to tweak and to turn before they will work properly.
You might want to spend some time pre-configuring them before
you ship them out to the hinterlands.
Network security products like PGP and low-end VPN routers
have their place, to be sure. But they are still way too hard
to use for the average person, even a highly motivated
teenaged geek.
Entire contents copyright 2002 by David Strom, Inc.
David Strom, david@strom.com, +1 (516) 944-3407
Port Washington NY 11050
Web Informant (R) is a registered trademark with the
U.S. Patent and Trademark Office.
ISSN #1524-6353 registered with U.S. Library of Congress.