Educause Security Discussion mailing list archives

Re: Questions/thoughts around outsourcing guest wireless


From: "Perry, Jeff" <perry () KU EDU>
Date: Tue, 7 Aug 2012 15:33:22 +0000

I'm not aware that it has but I can't claim to follow.  I know that in 2005 the law was expanded and that (unlike the 
1994 version) this is where a lot of the fog of war crept in.

However in my mind there are some good reasons that we want to look again at how we serve true "guests" (i.e. those 
that don't have an individual sponsor).

1.)    We are increasing our work and outreach to the community in general and thus the questions around this are 
compounding

2.)    Calea isn't the only law/policy that impacts those of us in this space with regards to guest

a.       i.e. many edu's are in heavily populated areas and thus guest wifi, if not planned accordingly, can become the 
ISP of people in houses/business that are in close physical proximity to campus property

3.)    BYOD and other user driven technology realms are further blurring the lines between a.) who your users are b.) 
what they'll be connecting with c.) circumstances where data availability is important to the end user d.) what control 
you have over the environment as a whole

4.)    All of the typical issues that arise with AAA (authentication, authorization, and audit).

So as we see it, while we want to make sure that we understand and appropriately address any calea issues/impacts the 
major reasons we're looking into this again (fairly deeply) is the above.

Things like eduroam and InCommon (both very interesting projects) come in to play here too as they too further blur the 
line of "who is my customer and how do I have to treat them".

Quinn Shamblin wrote:
My institution and a previous institution both took the interpretation that we were not the ISP by the definition of 
the law, that it was the services that we purchased our bandwidth from that would fall into this category

That is ours as well but we've been told by a few others and people in the legal areas that once you include guest 
wireless to people that aren't directly and demonstrably part of your "private network" (i.e. those you don't have a 
clear legal relationship with) our ability to argue that we are a "private network" (USC 1002(B)(2)) is eroded.

Calea is a bit of a black hole as from my read of it and the companion documents (FCC 05-153 36) it was clearly written 
for ISP's and then in 2005 the RIAA and MPAA succeeded in getting EDU's arguably opted in or at least in blurring the 
lines further between entities like us and common carrier ISPs.

Thanks,
Jeff

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of SCHALIP, 
MICHAEL
Sent: Tuesday, August 07, 2012 9:04 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Questions/thoughts around outsourcing guest wireless

Sorry to hijack the thread, but......Has CALEA ever been "tested"?  Apologies if this sounds naïve, but - I remember 
(about 3.5 years ago) that we were planning on being "CALEA compliant", and when I asked a couple of questions of the 
resident Educause expert on CALEA - I was basically told that, as far as they knew, we were the ONLY college that was 
even broaching the subject.......at that time, it was essentially seen as an unfunded mandate, and possibly 
unenforceable....??

Is CALEA now in the mainstream?

M

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Perry, Jeff
Sent: Monday, August 06, 2012 1:04 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Questions/thoughts around outsourcing guest wireless

I am writing to seek information from peer institutions regarding how you handle guest wireless access.

According to our read of CALEA, in order for a college or university to be considered exempt from CALEA our network 
must a.) qualify as a "private network" and b.) not "support" the connection of the private network to the internet.  
In that we, like many edu's, gain external network access via a regional research/educational network provider and 
do not provide non "private" network access we currently operate under the understanding that we are CALEA exempt (i.e. 
our network provider is but we are not).

However we, like many of you, host many campus constituents on a daily basis at many locations on our campus.  These 
use cases can range from students/parents visiting but not yet enrolled, public events, athletic events, community 
functions, etc.  As such, we are seeking to improve the experience of users on our guest wireless network while 
understanding the calea impacts.

One of the easiest ways that we have considered to provide guest wireless access yet maintain calea exemption is to 
outsource guest wifi to a third party.  We've also looked at a myriad of technologies in this space to help us have 
better information about these users (such as sms based guest credential system and many of those discussed here in the 
past).  However in my mind, even though we may have good/better information about each particular guest, we'd still be 
providing services to the general public which may or may not (lawyers required) cause us to no longer be seen as a 
"private" network.  In other words, we'd be providing network services to people not directly affiliated with our 
institution in a clear way.

Thus we're back again to considering outsourcing for the guest network traffic and I wanted to get the thoughts of some 
of you regarding that.

If you've time (as school starts up around the country) could you answer a few questions for me

1.)    Do you currently provide guest wireless access to people on your campus that are not student, staff, faculty, 
affiliates?

2.)    If so how do you read the calea requirements re: public/private networks?  What access control/restrictions do 
you use?

3.)    Do you outsource wifi?  If so how has it gone?  Any particular thoughts/caveats?

4.)    Has anyone operated a hybrid style agreement where you host the SSID/AP's etc (as part of a larger system) and 
simply hand off the authentication and network traffic to a third party? (i.e. we don't want to have third party radios 
in our buildings due to spectrum management etc).

Thanks so much, I appreciate any discussion around this topic.

Take care,
Jeff Perry

--------------------------------------------
Jeff Perry, CISSP
Deputy Technology Officer
Information Technology
The University of Kansas
Direct +1 785-864-0489
Fax    +1 785-864-0485
Email perry () ku edu
--------------------------------------------


--
This message has been scanned for viruses and
dangerous content by MailScanner<http://www.mailscanner.info/>, and is
believed to be clean.
