Basis of design

User Requirements

Computer Use

Computer use in ECE Services is typically of four main types:

  1. Individual administration by educator(s) on their own laptop or administration desktop
  2. Collaborative - educator/child on educator’s laptop or classroom desktop (e.g. composing “learning stories”)
  3. Independent (child) on classroom desktop (e.g. digital image manipulation, book making (graphical/image intensive))
  4. Telecommunications – voice and video interactive session with other institutions or individuals using iChat, iSight, Skype, or equivalent

Centre Sizes

Centres can be licensed for up to 50 children, with a maximum of 25 under two years of age.

Staff/Child Ratios

The minimum ratio of educators to children is governed by regulation:

  • Session attendance: 1:15
  • All day attendance: 1:10
  • Under two year olds: 1:5
  • For the purposes of this document the calculated maximum number of educators at any point in time is eight (5 for under 2’s and 3 for over 2’s in an all day Service).

Number of Computers

The assumed optimum number of computers is:

  • For every FTE educator – 1 laptop
  • Available to children – up to 4 desktops/laptops
  • Likely maximum total computers at any time is 10
  • Likely average number of computers at any time is 6

While much of the educator/child collaboration is over image intensive work, this type of learning is mostly constrained to the computer in use.  These documents will often be sent for printing or storage on a device elsewhere in the network or emailed off-site.

User Applications

Computer use is heavily image-intensive.  Educators and children use digital still and video cameras and manipulate images in documents and create short DVDs.

Real-time applications impose special requirements on data priority and bandwidth, and video conferencing applications, for example, may require not only QoS to be supported by Ethernet switches over wired connections but symmetrical broadband internet access to be available.

Family Engagement

ICT provides huge potential for family engagement with children’s learning.  While computers and internet access in the home provide the greatest flexibility for delivering information to parents and carers, other options are available to homes without a computer.  Community based computers (e.g. community centres and public libraries) offer one option but most homes will have a TV set and either a DVD player, video tape player, Playstation or Xbox.  Children’s learning stories can be converted to DVD format for playing in the home.

Technical Challenges

Internet Access

Broadband internet access, appropriate to the needs of the ECE Service, is desirable.  It is expected that this will typically be provided by a DSL connection.  The real-time communications applications of voice and video conferencing, e.g. iChat and Skype, impose special requirements on data priority and bandwidth, and may require not only QoS to be supported by Ethernet switches over wired connections but also symmetrical broadband internet access to be available.

Video-chat sessions require a web-camera (built-in or external), USB video class (UVC) camera, or FireWire DV camcorder; and a minimum 128kbps upstream and downstream internet connection.  The performance of the video-chat session over a basic ADSL connection (128kbps upstream) may be negatively affected if other internet activity is continued.

Users should be aware that web-chat applications are an easy target for attacks from the internet.

Switching

While the network hierarchy for large installations might include three functional layers (edge or access, distribution, and core), in small ECE Service installations these layers will be “collapsed” into a single access layer.

The access layer provides the first level of access to the network and provides terminal device addressing and attachment.  Layer 2 switching, security, and QoS reside at this layer.

Broadcast storms, auto-negotiation failures, excessive collisions, and other transmission errors requiring manageable switches for detection and resolution are unlikely to be a problem in such elementary networks.  Nevertheless, simple design does not reduce the exposure to broadcast storms and it is important that switches are configured correctly with broadcast storm protection.

Because architectures up to Layer 2 allow end-station connectivity, it is possible to construct a Layer 2–only network, providing simple, inexpensive, high-performance connectivity for small installations.  However, Layer 2 does not extend beyond the Service’s boundary and Layer 3 (routing) capabilities are required to connect to the internet.  The Layer 3 capabilities are provided by the DSL router, which should include an SPI (stateful packet inspection) firewall and be locked down.

Router/Firewall

Connection to the public network (internet) requires strict security processes to be implemented.  The heart of the security system in small networks is the Firewall-Router.  No computer should be connected directly to the internet without a Firewall in place.

In packet-switched networks such as LANs and the internet, a router is a device or, in some cases, software in a computer.  The router is connected to at least two networks and determines the next network point to which a data-packet should be forwarded toward its destination based on its current understanding of the state of the networks it is connected to and the routes in its table.  A router is located at any gateway (where one network meets another), including each point-of-presence on the internet.

For small computer networks which have broadband internet connections, a router can act as a hardware firewall.  This is true even if the ‘network’ has only one computer.  It is generally accepted that a router can provide better protection against hacking than a software firewall, because no computer IP addresses are directly exposed to the internet.  This makes port scans (a technique for exploring weaknesses) of the computers behind the router essentially impossible.  In addition, a router does not consume computer resources as a software firewall does.  Commercially manufactured routers are relatively easy to install, reasonably priced, and available for hard-wired and wireless networks.

A firewall is a combination of hardware and software that enforces a boundary between two or more networks in accordance with local security policy, and is most often used between an individual computer or local area network, and the internet.

The system acts as a security filter that can restrict types of network communication.  Working closely with the router program, it examines each network packet to determine whether to forward it toward its destination. A firewall can also include or work with a proxy server that makes network requests on behalf of workstation users.  A firewall is usually installed in a specially designated computer separate from the rest of the network so that no incoming request can get directly at private network resources.

There are a number of firewall screening methods.  A simple one is to screen requests to make sure they come from acceptable (previously identified) domain names and IP addresses.  For extramural users, firewalls allow remote access into the private network by the use of secure logon procedures and authentication certificates.  This method is known as a VPN (virtual private network).
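The screening described in this section can be modelled in a few lines. The following is an added example, not part of the original document: it combines stateful inspection (replies are admitted only for flows a LAN computer opened) with the source-address screen, and it assumes the LAN range, the allowlisted peer and the remote-access port shown. The address screen only narrows who may attempt remote access; authentication remains the job of the VPN logon and certificates.

```python
# Added illustration; addresses are constructed (RFC 1918 / RFC 5737 ranges).
# NAT and connection timeouts are not modelled.
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("192.168.1.0/24")            # assumed internal range
ALLOWLIST = [ipaddress.ip_network("203.0.113.10/32")]   # assumed remote-access peer
REMOTE_ACCESS_PORT = 443                                # assumed remote-access port

@dataclass(frozen=True)
class Packet:
    iface: str   # "lan" or "wan": the side the packet arrived on
    src: str
    sport: int
    dst: str
    dport: int

class Firewall:
    def __init__(self):
        self.flows = set()  # outbound flows seen: (src, sport, dst, dport)

    def screen(self, p: Packet) -> str:
        src = ipaddress.ip_address(p.src)
        if p.iface == "lan":
            if src not in LAN:
                return "DROP bad-source"
            self.flows.add((p.src, p.sport, p.dst, p.dport))
            return "ALLOW outbound"
        if src in LAN:
            return "DROP spoofed"          # internal address arriving from outside
        if (p.dst, p.dport, p.src, p.sport) in self.flows:
            return "ALLOW reply"           # matches a flow a LAN host opened
        if p.dport == REMOTE_ACCESS_PORT and any(src in n for n in ALLOWLIST):
            return "ALLOW remote-access"   # previously identified source only
        return "DROP unsolicited"          # default deny

def demo():
    fw = Firewall()
    packets = [
        Packet("lan", "192.168.1.20", 50000, "198.51.100.5", 443),   # laptop browses
        Packet("wan", "198.51.100.5", 443, "192.168.1.20", 50000),   # server's reply
        Packet("wan", "198.51.100.99", 4444, "192.168.1.20", 3389),  # unsolicited probe
        Packet("wan", "203.0.113.10", 40000, "192.168.1.2", 443),    # allowlisted peer
        Packet("wan", "198.51.100.99", 40000, "192.168.1.2", 443),   # unknown source
        Packet("wan", "192.168.1.50", 1234, "192.168.1.20", 445),    # spoofed LAN source
    ]
    return [fw.screen(p) for p in packets]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```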

Wireless Access

Because educators use their own laptops to work with children in the classroom and outdoor environment, wireless access would appear to be an obvious and essential service.  However, even with only (say) three laptops in use, it is likely that bandwidth related problems will arise from time to time.  Reasons for problems might include:

  • The actual data throughput of wireless access, which is shared by all users connected to any particular access point, is less than half the stated data rate due to signalling and security overheads
  • The data rate shared by all users is reduced in concert with the rates available to the most distant user
  • Wireless access does not support QoS data priority on the radio path.  Real-time applications (voice and video) on the same path may be interrupted by other users or applications sending large files, e.g. printing

Remote Access

Authorised access to onsite computers will require security and authentication protocols and (usually) a static IP address.  Static IP addresses can be issued by internet service providers, e.g. Xtra.  Commercial internet plans include static IP addresses and there is an additional charge for this feature.

There are work-arounds for users with a dynamic IP address normally provided with ‘domestic’ internet plans.  One work-around is to create an account and assign your static resources to a DNS service which will facilitate working with a dynamic IP address.  Nevertheless, the small extra charge associated with use of a static IP address may prove to be a simpler solution.

Servers

A small server would provide a central data repository, a data backup mechanism, web proxy and caching, access security, and a number of other services.  Most educators will have a good working knowledge of personal computers and the filing systems and applications they use.  However, for most ECE Services attempting to establish and manage a client/server environment, the cost and the expertise required to support it might be prohibitive.  Fortunately there are alternatives available to ECE Services.

  1. With the imposition of a few basic security considerations, a more practical solution might be to create a peer to peer (serverless workgroup) environment which uses one of the computers as a central resource for storage, backup, and printer spooling.  Both Windows and Mac OS computers can join the workgroup.
  2. Use Windows Home Server to set up a simple server on an ordinary PC which automatically sets up the sharing, storage, access, and protection of data, together with a remote access facility.  There is not yet an Apple equivalent for Windows Home Server but both Windows and Mac OS computers can join the network.

Storage and Backup

Without a server, the Service’s operating data (children’s and financial records), if not centrally stored by the parent body, are likely to be stored on either an educator’s laptop or the administration desktop.  Backup of data must typically be manually invoked and there is the added security risk of theft from insecure premises.  Portable HDDs may provide a convenient and cost effective means of regular data backup and restoration in such circumstances.  A large capacity USB memory stick might also provide a convenient means of backing up data for individual computers.  Provided the normal security precautions are observed, USB memory sticks provide a simple means of transferring files between computers.


Last updated: 7 July 2009