Educause Security Discussion mailing list archives

Re: Ports/applications permitted for Guest Access


From: Derek Diget <derek.diget+educause-security () WMICH EDU>
Date: Fri, 9 Sep 2011 12:30:51 -0400

On Sep 9, 2011 at 11:16 -0400, Kevin Wilcox wrote:
=>Our guests can get out on ports 80 and 443. If they can do it over
=>those ports, they're allowed. Bandwidth restrictions are in place,
=>it's faster to register and use the standard campus wireless than to
=>plug in and say they're a guest.

General comment to list....


Don't forget TCP port 587 for message/email submission on 
phones/laptops/mobile devices.  See section 4 of BCP 134 (RFC 5068 
<http://www.ietf.org/rfc/rfc5068.txt>) and in particular the first 
paragraph of section 4.1.

The user would probably also want/need 143 (and hope the remote provider 
requires STARTTLS) or 993.  I will grudgingly add 110/995 for the sites 
that still offer POP.


<rantMode=on>

My personal preference would include TCP port 22 as well.  (But then I 
run an sshd on other common ports like 80, 443, 53, 123, 20, 21, 
389, 636, 2105 for the times that access providers decide that the 
Internet is only accessed via a web browser on port 80/443.  And there 
is then the use of corkscrew or apache in tunneling SSH for the sites 
that want to do layer-7 inspection on port 80/443, but I haven't been at 
a site long enough to make playing those games worth it. :)

<rantMode=off>


-- 
***********************************************************************
Derek Diget                            Office of Information Technology
Western Michigan University - Kalamazoo  Michigan  USA - www.wmich.edu/
***********************************************************************

