Educause Security Discussion
mailing list archives
Re: Guest wireless restrictions
From: "Childs, Aaron" <aaron () WESTFIELD MA EDU>
Date: Tue, 30 Apr 2013 16:31:16 +0000
Good Afternoon David,
We limit to http, https and vpn for our Guest SSID. The only bandwidth limiting we do is give it the lowest QoS policy
out to the Internet.
Have a good day,
[Description: Description: Description: logo-email]
Aaron Childs, CCNA
Associate Director, Networking
Please Note: new e-mail address - aaron () westfield ma edu<mailto:aaron () westfield ma edu>
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David
Sent: Monday, April 29, 2013 10:19 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Guest wireless restrictions
We're (still) in the process of thinking about how we want to split our wireless network into two SSIDs, one for
students/faculty/staff and one for "guests" (in quotes because students and staff may be allowed to use it too). We're
thinking we want to do what a number of other schools have done, and limit the "guest" SSID to a few protocols:
* HTTP and HTTPS
* POP and IMAP in their SSL flavors only (no plaintext)
* SMTP in its SSL and TLS flavors only (no plaintext)
* VPN (IPSec, PPTP, L2TP)
which after Googling around a bit seems to be a pretty common set (some also allow unencrypted POP/IMAP/SMTP, and
others also allow various flavors of chat/instant messaging).
We'd also like (we think) to limit individual user bandwidth on the guest wireless, partly to cut down on the damage a
"misbehaving" client can cause, and partly to encourage students/faculty/staff to move over to the "secure" SSID.
Googling around on this topic, I've been able to find lots of schools doing this, but very few that document what their
limits actually are.
So, two questions:
1. If you limit the protocols on your guest wireless, is there anything not in the list above that you've found it
necessary to allow?
2. If you limit the bandwidth (speed) on your guest wireless, what are your download/upload limits (speeds), and
what does that allow/not allow (e.g., streaming audio/video).
DAVID A. CURRY, CISSP * DIRECTOR OF INFORMATION SECURITY
THE NEW SCHOOL * 55 W. 13TH STREET * NEW YORK, NY 10011
+1 212 229-5300 x4728 * david.curry () newschool edu<mailto:david.curry () newschool edu>
- Re: Guest wireless restrictions, (continued)