Educause Security Discussion mailing list archives

Re: Web Kiosks


From: "Bruhn, Mark S." <mbruhn () INDIANA EDU>
Date: Fri, 8 Aug 2003 10:30:56 -0500

This pretty much summarizes the conversation that Tom Davis and I had
here just 5 minutes ago.  We're information gathering here right now, so
we know what kinds of ammo to load (figuratively, of course).  I will
probably steal some language directly from what you say here.  
 
M.

-- 
Mark S. Bruhn, CISSP, CISM 

Chief IT Security and Policy Officer 
Interim Director, Research and Educational Networking Information
Sharing and Analysis Center (ren-isac () iu edu) 

Office of the Vice President for Information Technology and CIO 
Indiana University 
812-855-0326 

Incidents involving IU IT resources: it-incident () iu edu 
Complaints/kudos about OVPIT/UITS services: itombuds () iu edu 


-----Original Message-----
From: Dan Updegrove [mailto:updegrove () MAIL UTEXAS EDU] 
Sent: Friday, August 08, 2003 10:14 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Web Kiosks


Mark and colleagues,

I think we owe it to the Internet, to our overstressed ISO staffs, and
to our PR/legal departments to be very aggressive in protecting our
networks. Since most forward-thinking campuses have, or are pursuing: 

        - Authenticated kiosks in public locations, such as student unions
        - Authenticated wireless clouds in similar locations for laptop/PDA users
        - Authenticated network jacks in classrooms, library carrels, and reading rooms

there should be no lack of Internet/campus net access for our students,
faculty, and staff. 

This leads me to conclude that the commercial kiosks are primarily for
outsiders to reach the Internet. Not clear to me why we should devote
any campus bandwidth or security management resources to the general
public, especially since we are having such a hard time managing both
bandwidth and security for our primary constituency! 

I don't think it should be a Student Union's right to re-sell campus
network access. If the network is properly "owned" by the central IT
group, I can't imagine any rational IT group doing this.

My two cents,
Dan


At 10:00 AM 8/8/2003, Bruhn, Mark S. wrote:


        Their claim is that it's easy (and it is, really) to completely
isolate these from the rest of the campus network.  They say that this
is what most other campuses that have installed them have done, but they
haven't been asked the questions we asked, or presented with the issues
we presented, before.
         
        Isolating them from our network might protect our technical
infrastructure, but that doesn't address what might be done from them
against, say, UT-Austin, or deter fraud on e-Bay, or whatever.  Since
they carry campus IPs, any abuse by anyone would obviously come back to
us.
         
        The campus gets a flat payment from the vendor each year.
         
        M.
         
        
        -- 
        Mark S. Bruhn, CISSP, CISM 
        
        Chief IT Security and Policy Officer 
        Interim Director, Research and Educational Networking
Information Sharing and Analysis Center (ren-isac () iu edu) 
        
        Office of the Vice President for Information Technology and CIO 
        Indiana University 
        812-855-0326 
        
        Incidents involving IU IT resources: it-incident () iu edu 
        Complaints/kudos about OVPIT/UITS services: itombuds () iu edu 
        
        -----Original Message-----
        From: Dan Updegrove [mailto:updegrove () MAIL UTEXAS EDU] 
        Sent: Thursday, August 07, 2003 11:53 PM
        To: SECURITY () LISTSERV EDUCAUSE EDU
        Subject: Re: [SECURITY] Web Kiosks
        
        Mark & colleagues,
        
        Not clear to me why any campus would desire -- or permit -- such
wide-open, unauthenticated (right?) access. Aside from some sort of
advertising revenue sharing (right?), this looks like a total loser from
a security and network management perspective.
        
        Dan
        
        
        At 05:33 PM 8/7/2003, Bruhn, Mark S. wrote:
        
        

                Specifically, kiosks accessible to anyone, placed on
campus, by a company called Nanonation. 
                
                I just met with our Student Union folks, and they have
contracted with this company to place 5 or 6 of these in our Union.
They allow web access to anything, anywhere.  It's a given that we would
isolate these from the rest of our network.  But, there are issues about
what people can do from these, using/against external sites.  When I
described to the Union staff what this could mean, in order to make sure
they know what they're getting into, they also became very concerned.
Especially when I described that other areas have chosen to install some
level of authentication (such as the Library), and that these devices
will most likely become the new haven for nefarious-deed-doers (those
that have migrated to the county library as we installed authentication
on campus may migrate back!)
                
                This company says they have 27 colleges and universities
as customers.  They listed a few, and will send me the rest -- I start
with the Big Ten campuses they mentioned:  Michigan State, Northwestern,
Ohio State, Purdue is apparently negotiating.  Others were Penn and
Kansas.
                
                I wondered if I could get a sense of  1) how many
security officers know about these types of kiosks on their campuses,
and 2)  if so, do you know what the thinking was related to security and
abuse?  How were those concerns handled or were they explicitly
recognized and accepted?
                
                If you want to reply to me, I can sanitize and summarize
for the lists. 
                
                Thanks, 
                M. 
                
                -- 
                Mark S. Bruhn, CISSP, CISM 
                
                Chief IT Security and Policy Officer 
                Interim Director, Research and Educational Networking
Information Sharing and Analysis Center (ren-isac () iu edu) 
                
                Office of the Vice President for Information Technology
and CIO 
                Indiana University 
                812-855-0326 
                
                Incidents involving IU IT resources: it-incident () iu edu 
                Complaints/kudos about OVPIT/UITS services:
itombuds () iu edu 


VP  for Information Technology          Phone (512) 232-9610
The University of Texas at Austin       Fax (512) 232-9607
FAC 248 (Mail code: G9800)              d.updegrove () its utexas edu
P.O. Box 7407                           http://wnt.utexas.edu/~danu/
Austin, TX 78713-7407

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.

