Re: Guest wireless restrictions

[Ken Connelly <Ken.Connelly () UNI EDU>]

From personal experience, the guest wireless process at VT works
extremely well.  My opinion might change if I had somebody besides Randy
as my sponsor, but when I'm there for his SANS-EDU offering, things
"just work".

And speaking of SANS-EDU...
  SEC505 with Jason Fossen
  May 20-25
  http://www.cpe.vt.edu/isect/
  $1250 for EDU, State/Local Gov, or LEO
  $579 for the certification opportunity

- ken

On 4/29/13 1:24 PM, randy wrote:
> The key to our guest wireless system is to assign the guests to a
> university "sponsor".  The sponsor has the ability to dictate the
> hours/days the guest can access the net.  We don't restrict protocol or
> bandwidth for guests as far as I know. The sponsor and the guest share
> responsibility for being good netizens.
>
> Our guest access FAQ page is at http://www.cns.vt.edu/data_guestFAQ.html.
>
> -Randy Marchany
> VA Tech IT Security Office & Lab
>
>
>
> On Mon, Apr 29, 2013 at 10:19 AM, David Curry <david.curry () newschool edu
> <mailto:david.curry () newschool edu>> wrote:
>
>
>     We're (still) in the process of thinking about how we want to split
>     our wireless network into two SSIDs, one for students/faculty/staff
>     and one for "guests" (in quotes because students and staff may be
>     allowed to use it too). We're thinking we want to do what a number
>     of other schools have done, and limit the "guest" SSID to a few
>     protocols:
>
>       * ICMP
>       * HTTP and HTTPS
>       * POP and IMAP in their SSL flavors only (no plaintext)
>       * SMTP in its SSL and TLS flavors only (no plaintext)
>       * VPN (IPSec, PPTP, L2TP)
>
>     which after Googling around a bit seems to be a pretty common set
>     (some also allow unencrypted POP/IMAP/SMTP, and others also allow
>     various flavors of chat/instant messaging). 
>
>     We'd also like (we think) to limit individual user bandwidth on the
>     guest wireless, partly to cut down on the damage a "misbehaving"
>     client can cause, and partly to encourage students/faculty/staff to
>     move over to the "secure" SSID. Googling around on this topic, I've
>     been able to find lots of schools doing this, but very few that
>     document what their limits actually are.
>
>     So, two questions:
>
>      1. If you limit the protocols on your guest wireless, is there
>         anything not in the list above that you've found it necessary to
>         allow?
>      2. If you limit the bandwidth (speed) on your guest wireless, what
>         are your download/upload limits (speeds), and what does that
>         allow/not allow (e.g., streaming audio/video).
>
>     Thanks,
>
>     --Dave
>
>
>     --
>
>     *DAVID A. CURRY, CISSP* • DIRECTOR OF INFORMATION SECURITY
>
>     *THE NEW SCHOOL* • 55 W. 13TH STREET • NEW YORK, NY 10011
>
>     +1 212 229-5300 x4728 • david.curry () newschool edu
>     <mailto:david.curry () newschool edu>

-- 
- Ken
=================================================================
Ken Connelly             Associate Director, Security and Systems
ITS Network Services                  University of Northern Iowa
email: Ken.Connelly () uni edu   p: (319) 273-5850 f: (319) 273-7373

Any request to divulge your UNI password via e-mail is fraudulent!