There is very little written about networking prison computers. The tale you are about to read is the true account of my experience in a prison networking project.
My home state has more than a dozen major prison facilities containing thousands of inmates. Many of these inmates are evaluated or treated for mental illness. Psychiatric services are provided by a multimillion-dollar, multiyear contract, and supplying networked resources to clinicians as part of this contract is a major challenge. This is the deployment in which I was involved. For reasons of corporate confidentiality, I am withholding the name of the organization, but suffice it to say that it's a leader in its field. Nevertheless, initial enthusiasm was somewhat dampened as the project evolved into a major corporate exercise.
A prison serves to keep people on the inside in and people on the outside out. What factors must be considered to securely network binary data in and out? Every system manager and network administrator knows that every site setup has its own challenges, but perhaps nowhere else are logistical issues as restrictive as when networking a prison. By the very nature of the environment, a prison has its own rules.
Prisons are a necessary part of society, but one that intentionally lies well below the radar of the average citizen. Here are some general principles involved in networking this very restrictive, security-conscious environment.
The primary mandate is simple and straightforward: Establish high-speed solid and secure connectivity to all networked sites so that employees can do their jobs as efficiently and effectively as possible.
Stark reality
The stark reality involves much more. Create computer accounts quickly for many novice users. Administer e-mail for unenlightened users. Set up dozens of desktops and laptops with remote access capability, as well as all necessary applications, vendor patches and antivirus protections. Enable file sharing on a need-to-know basis. Adjust permissions by global groups, not individuals. Use access control lists judiciously.
Backup all data online and off-line -- and often. Record and track all changes to the satisfaction of prison officials. Lastly, but no less important, be aware that you must accomplish all of the above in conjunction with older, on-site legacy equipment. And much of it must be done remotely.
All access is controlled. Prison network operators don't divulge their router addresses easily. Files must be secured from within and without. A prison has a culture and it must be respected; it's their turf. There may also be IP address jurisdictional disputes. Once these are resolved, then use dynamic addressing rather than static addressing for improved network management.
All tech support staff must register in advance and wear a special photo ID at all times. Technicians may be magnetic-wanded, frisked and searched. Travel light because all bags and boxes are thoroughly examined. Two-way pagers and cell phones will likely be confiscated and held until you leave (these devices are hot commodities inside a prison). Avoid bringing sharp objects or anything that could become a sharp object. Be psychologically prepared for constant surveillance.
Clothing counts
Get approval in advance for all equipment supplies. Make a list and check it twice. If you need something and it's not on the list, then it might as well be on the moon. Many prisons also have strict color-code dress policies for staff, visitors, correction officers and inmates. The sight of the wrong color in the wrong hallway or corridor leads to unexpected consequences.
Dial-up networking is quick and easy but generally unsuitable because it's insecure. It could also be too tempting a target for interested outsiders. Standard telecom resources, such as DSL and ISDN, may not have adequate bandwidth. A virtual private network (VPN) can be set up relatively quickly provided that firewall and connection issues are resolved. The simplicity and robustness of a VPN configuration are very important because the more complex the resource, the less likely it will be used.
Port lockdown is severe. The cogent philosophy is "If in doubt, keep it out." Depending on cost and need, a frame-relay T1 network, in conjunction with proxy servers, makes a viable solution if it can be monitored and maintained. Be sure to obtain the blessing of prison officials. Secure networked printers so that output cannot be misdirected. Automate routine tasks by means of a script language. One-click executables empower the user while maintaining security. (In the Windows environment, WinBatch is an excellent scripting development tool and an evaluation copy sans compiler is freely downloadable). Detect loss of connectivity quickly. Block potentially dangerous e-mail attachments.
Be aware that some prisons use vintage hardware and software so what appears to be a routine problem becomes a major effort for lack of compatibility. (Case in point: a request to copy a large database between a very old machine and a contemporary machine was confounded by an out-of-date operating system, a lack of Internet access, a lack of intranet access, inability to install a Zip drive or CD-ROM burner or USB flash drive, not enough electrical outlets and a reluctance to open the case and physically remove the hard drive.)
Firewalls may prevent the luxury of remote administration. Since prisons are often geographically dispersed and isolated, system personnel might spend much time traveling between sites. Therefore plan and deploy a setup strategy that is as simple as possible to reduce maintenance needs. Work with on-site IT staff for routine repairs. Keep plenty of spare parts readily available. If prison network users must access several non-native systems (a registration system, a scheduling system, a medical records system, a court system), then password resets often become a major issue. Users want a single, easily remembered password; neither is a good idea. Inmates have plenty of time on their hands to keep trying passwords (keep in mind that some inmates may be former hackers).
Passwords
Maintain best practices in password management. Passwords should be complex (upper- and lower-case, numbers, punctuation marks, at least seven characters long). They should expire at least every few months and should not be reused. Replacement passwords should not have the same format (password1, password2) and should not be recycled (no previously used passwords). No personal names or dates. Never share a password.
Prevent dictionary attacks (no common words) and block repetitive guessing (lock out the account after several consecutive failures). Have you ever noticed that TV programs show characters cracking into computer consoles within a few moments? Don't let that happen to you.
Immediately disable computer accounts whenever staff exits the system. Dormant and guest accounts can only lead to trouble.
Above all, maintain best security practices. Do so however loud or however much people grumble about their inconvenience. One sloppy password can wreck a security system. Users must be trained and retrained.
Networking a prison environment offers challenges in access, security and compatibility. The world behind the walls has need of IT services most professionals never see.