Home page logo
/

educause logo Educause Security Discussion mailing list archives

Re: Guest wireless restrictions
From: Ken Connelly <Ken.Connelly () UNI EDU>
Date: Mon, 29 Apr 2013 13:39:28 -0500

From personal experience, the guest wireless process at VT works
extremely well.  My opinion might change if I had somebody besides Randy
as my sponsor, but when I'm there for his SANS-EDU offering, things
"just work".

And speaking of SANS-EDU...
  SEC505 with Jason Fossen
  May 20-25
  http://www.cpe.vt.edu/isect/
  $1250 for EDU, State/Local Gov, or LEO
  $579 for the certification opportunity

- ken

On 4/29/13 1:24 PM, randy wrote:
The key to our guest wireless system is to assign the guests to a
university "sponsor".  The sponsor has the ability to dictate the
hours/days the guest can access the net.  We don't restrict protocol or
bandwidth for guests as far as I know. The sponsor and the guest share
responsibility for being good netizens.

Our guest access FAQ page is at http://www.cns.vt.edu/data_guestFAQ.html.

-Randy Marchany
VA Tech IT Security Office & Lab



On Mon, Apr 29, 2013 at 10:19 AM, David Curry <david.curry () newschool edu
<mailto:david.curry () newschool edu>> wrote:


    We're (still) in the process of thinking about how we want to split
    our wireless network into two SSIDs, one for students/faculty/staff
    and one for "guests" (in quotes because students and staff may be
    allowed to use it too). We're thinking we want to do what a number
    of other schools have done, and limit the "guest" SSID to a few
    protocols:

      * ICMP
      * HTTP and HTTPS
      * POP and IMAP in their SSL flavors only (no plaintext)
      * SMTP in its SSL and TLS flavors only (no plaintext)
      * VPN (IPSec, PPTP, L2TP)

    which after Googling around a bit seems to be a pretty common set
    (some also allow unencrypted POP/IMAP/SMTP, and others also allow
    various flavors of chat/instant messaging). 

    We'd also like (we think) to limit individual user bandwidth on the
    guest wireless, partly to cut down on the damage a "misbehaving"
    client can cause, and partly to encourage students/faculty/staff to
    move over to the "secure" SSID. Googling around on this topic, I've
    been able to find lots of schools doing this, but very few that
    document what their limits actually are.

    So, two questions:

     1. If you limit the protocols on your guest wireless, is there
        anything not in the list above that you've found it necessary to
        allow?
     2. If you limit the bandwidth (speed) on your guest wireless, what
        are your download/upload limits (speeds), and what does that
        allow/not allow (e.g., streaming audio/video).

    Thanks,

    --Dave


    --

    *DAVID A. CURRY, CISSP* • DIRECTOR OF INFORMATION SECURITY

    *THE NEW SCHOOL* • 55 W. 13TH STREET • NEW YORK, NY 10011

    +1 212 229-5300 x4728 • david.curry () newschool edu
    <mailto:david.curry () newschool edu>



-- 
- Ken
=================================================================
Ken Connelly             Associate Director, Security and Systems
ITS Network Services                  University of Northern Iowa
email: Ken.Connelly () uni edu   p: (319) 273-5850 f: (319) 273-7373

Any request to divulge your UNI password via e-mail is fraudulent!


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault