Home page logo
/

educause logo Educause Security Discussion mailing list archives

Re: Guest wireless restrictions
From: David Curry <david.curry () NEWSCHOOL EDU>
Date: Mon, 29 Apr 2013 14:28:09 -0400

We're planning to use sponsored access as well (no open access). But we
still want to limit it, both because many of the users are not
faculty/staff/students and they don't need unfettered access, and also
because we want to convince faculty/staff/students to use the "secure" SSID
and not the "guest" one.


--

*DAVID A. CURRY, CISSP* • DIRECTOR OF INFORMATION SECURITY

*THE NEW SCHOOL* • 55 W. 13TH STREET • NEW YORK, NY 10011

+1 212 229-5300 x4728 • david.curry () newschool edu



On Mon, Apr 29, 2013 at 2:24 PM, randy <marchany () vt edu> wrote:

The key to our guest wireless system is to assign the guests to a
university "sponsor".  The sponsor has the ability to dictate the
hours/days the guest can access the net.  We don't restrict protocol or
bandwidth for guests as far as I know. The sponsor and the guest share
responsibility for being good netizens.

Our guest access FAQ page is at http://www.cns.vt.edu/data_guestFAQ.html.

-Randy Marchany
VA Tech IT Security Office & Lab



On Mon, Apr 29, 2013 at 10:19 AM, David Curry <david.curry () newschool edu>wrote:


We're (still) in the process of thinking about how we want to split our
wireless network into two SSIDs, one for students/faculty/staff and one for
"guests" (in quotes because students and staff may be allowed to use it
too). We're thinking we want to do what a number of other schools have
done, and limit the "guest" SSID to a few protocols:

   - ICMP
   - HTTP and HTTPS
   - POP and IMAP in their SSL flavors only (no plaintext)
   - SMTP in its SSL and TLS flavors only (no plaintext)
   - VPN (IPSec, PPTP, L2TP)

which after Googling around a bit seems to be a pretty common set (some
also allow unencrypted POP/IMAP/SMTP, and others also allow various flavors
of chat/instant messaging).

We'd also like (we think) to limit individual user bandwidth on the guest
wireless, partly to cut down on the damage a "misbehaving" client can
cause, and partly to encourage students/faculty/staff to move over to the
"secure" SSID. Googling around on this topic, I've been able to find lots
of schools doing this, but very few that document what their limits
actually are.

So, two questions:

   1. If you limit the protocols on your guest wireless, is there
   anything not in the list above that you've found it necessary to allow?
   2. If you limit the bandwidth (speed) on your guest wireless, what
   are your download/upload limits (speeds), and what does that allow/not
   allow (e.g., streaming audio/video).

Thanks,

--Dave


--

*DAVID A. CURRY, CISSP* • DIRECTOR OF INFORMATION SECURITY

*THE NEW SCHOOL* • 55 W. 13TH STREET • NEW YORK, NY 10011

+1 212 229-5300 x4728 • david.curry () newschool edu




  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]