Educause Security Discussion mailing list archives
Re: Questions/thoughts around outsourcing guest wireless
From: "Perry, Jeff" <perry () KU EDU>
Date: Tue, 7 Aug 2012 15:33:22 +0000
I'm not aware that it has but I can't claim to follow. I know that in 2005 the law was expanded and that (unlike the 1994 version) this is where a lot of the fog of war crept in.

However in my mind there are some good reasons that we want to look again at how we serve true "guests" (i.e. those that don't have an individual sponsor).

1.) We are increasing our work and outreach to the community in general and thus the questions around this are compounding
2.) CALEA isn't the only law/policy that impacts those of us in this space with regards to guest
    a. i.e. many edu's are in heavily populated areas and thus guest wifi, if not planned accordingly, can become the ISP of people in houses/business that are in close physical proximity to campus property
3.) BYOD and other user driven technology realms are further blurring the lines between
    a.) who your users are
    b.) what they'll be connecting with
    c.) circumstances where data availability is important to the end user
    d.) what control you have over the environment as a whole
4.) All of the typical issues that arise with AAA (authentication, authorization, and audit).

So as we see it, while we want to make sure that we understand and appropriately address any CALEA issues/impacts the major reasons we're looking into this again (fairly deeply) are the above. Things like eduroam and InCommon (both very interesting projects) come into play here too as they too further blur the line of "who is my customer and how do I have to treat them".

Quinn Shamblin wrote:
My institution and a previous institution both took the interpretation that we were not the ISP by the definition of the law, that it was the services that we purchased our bandwidth from that would fall into this category
That is ours as well but we've been told by a few others and people in the legal areas that once you include guest wireless to people that aren't directly and demonstrably part of your "private network" (i.e. those you don't have a clear legal relationship with) our ability to argue that we are a "private network" (USC 1002(B)(2)) is eroded. CALEA is a bit of a black hole as from my read of it and the companion documents (FCC 05-153 36) it was clearly written for ISP's and then in 2005 the RIAA and MPAA succeeded in getting EDU's arguably opted in or at least in blurring the lines further between entities like us and common carrier ISPs.

Thanks,
Jeff

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of SCHALIP, MICHAEL
Sent: Tuesday, August 07, 2012 9:04 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Questions/thoughts around outsourcing guest wireless

Sorry to hijack the thread, but......Has CALEA ever been "tested"? Apologies if this sounds naïve, but - I remember (about 3.5 years ago) that we were planning on being "CALEA compliant", and when I asked a couple of questions of the resident Educause expert on CALEA - I was basically told that, as far as they knew, we were the ONLY college that was even broaching the subject.......at that time, it was essentially seen as an unfunded mandate, and possibly unenforceable....?? Is CALEA now in the mainstream?

M

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Perry, Jeff
Sent: Monday, August 06, 2012 1:04 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Questions/thoughts around outsourcing guest wireless

I am writing to seek information from peer institutions regarding how you handle guest wireless access.
According to our read of CALEA, in order for a college or university to be considered exempt from CALEA our network must a.) qualify as a "private network" and b.) not "support" the connection of the private network to the internet. In that we, like many edu's, gain external network access via a regional research/educational network provider and do not provide non "private" network access we currently operate under the understanding that we are CALEA exempt (i.e. our network provider is but we are not).

However we, like many of you, host many campus constituents on a daily basis at many locations on our campus. These use cases can range from students/parents visiting but not yet enrolled, public events, athletic events, community functions, etc. As such, we are seeking to improve the experience of users on our guest wireless network while understanding the CALEA impacts.

One of the easiest ways that we have considered to provide guest wireless access yet maintain CALEA exemption is to outsource guest wifi to a third party. We've also looked at a myriad of technologies in this space to help us have better information about these users (such as sms based guest credential system and many of those discussed here in the past). However in my mind, even though we may have good/better information about each particular guest, we'd still be providing services to the general public which may or may not (lawyers required) cause us to no longer be seen as a "private" network. In other words, we'd be providing network services to people not directly affiliated with our institution in a clear way.

Thus we're back again to considering outsourcing for the guest network traffic and I wanted to get the thoughts of some of you regarding that. If you've time (as school starts up around the country) could you answer a few questions for me

1.) Do you currently provide guest wireless access to people on your campus that are not student, staff, faculty, affiliates?
2.) If so how do you read the CALEA requirements re: public/private networks? What access control/restrictions do you use?
3.) Do you outsource wifi? If so how has it gone? Any particular thoughts/caveats?
4.) Has anyone operated a hybrid style agreement where you host the SSID/AP's etc (as part of a larger system) and simply hand off the authentication and network traffic to a third party? (i.e. we don't want to have third party radios in our buildings due to spectrum management etc).

Thanks so much, I appreciate any discussion around this topic.

Take care,
Jeff Perry

--------------------------------------------
Jeff Perry, CISSP
Deputy Technology Officer
Information Technology
The University of Kansas
Direct +1 785-864-0489
Fax +1 785-864-0485
Email perry () ku edu
--------------------------------------------

--
This message has been scanned for viruses and dangerous content by MailScanner<http://www.mailscanner.info/>, and is believed to be clean.
Current thread:
- Questions/thoughts around outsourcing guest wireless Perry, Jeff (Aug 06)
- Re: Questions/thoughts around outsourcing guest wireless SCHALIP, MICHAEL (Aug 07)
- Re: Questions/thoughts around outsourcing guest wireless Shamblin, Quinn (Aug 07)
- Re: Questions/thoughts around outsourcing guest wireless Perry, Jeff (Aug 07)
- Re: Questions/thoughts around outsourcing guest wireless Tim Doty (Aug 07)
- Re: Questions/thoughts around outsourcing guest wireless SCHALIP, MICHAEL (Aug 07)