Educause Security Discussion mailing list archives

Re: Ports/applications permitted for Guest Access


From: "Gioia, Matthew P." <MGioia () STLCC EDU>
Date: Mon, 12 Sep 2011 14:54:45 -0500

We treat guests like people coming in from the internet - we drop them
off at the firewall and they get access to our externally facing
systems. We were considering restricting non-web/email/vpn application
ports as well. Then I went through our flow logs to see how much of the
bandwidth "everything-else" took up. Everything-else took up about
10-15% of the traffic. So 85%+ of our traffic was already riding those
ports. So then the question became - do the pros outweigh the cons when
we're talking about 10-15% of our guest-access bandwidth, or are there
better ways to spend my time? It took about 30 seconds to consider. 

Of course YMMV,

Matthew Gioia, CISSP
Network Security Analyst
St. Louis Community College
(314) 539-5075


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Roger A Safian
Sent: Friday, September 09, 2011 10:11 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Ports/applications permitted for Guest Access

Greetings,

We are looking at modifying and expanding our current guest access
policy.  Currently guests have the same access as everyone else, but,
they also need to have a guest ID provided to them.  This is a somewhat
cumbersome process.  We would like to relax the policy, but, at the same
time, we don't want to just allow anyone to do anything on our network.

We are considering offering guest access for specific ports or
applications.  Guests might not even be considered part of "our"
network.  My question, for those of you who do have guest access is,
what exactly do you allow your guests to do?  Our initial thought is
something like web, email, vpn.  I especially am concerned that we limit
P2P on the guest network.

Thanks.

