Educause Security Discussion mailing list archives

Re: Web Kiosks


From: art <stgeorge () UNM EDU>
Date: Fri, 8 Aug 2003 10:04:12 -0600

I'd be interested in hearing from ASU if they are on this list. The
Nanonation web site uses Arizona State University as a case study and
says that the university contacted Nanonation because "University officials
contacted Nanonation after deciding to provide students, faculty and staff
access to new technologies." I'm curious about why these anonymous
university officials didn't contact their IT organization about new
technologies which perhaps could have been provided within the context of
the IT security plan. Having said this, I understand the pressures
involved: we have a recently remodeled student union building and the
management of that building has explicitly said that a principal reason for
the remodeling was to compete for conference business. We are currently
working with them to make sure we will be the ISP provider of choice,
including wireless access, when the time comes.

Art St. George

--On Friday, August 08, 2003 9:51 AM -0600 Steve Worona
<sworona () EDUCAUSE EDU> wrote:


"Outsiders" isn't necessarily synonymous with "the general public".  Not
that open-access kiosks are a good solution to the problem, but whatever
the solution is must accommodate:


- Guests at the campus hotel
- Parents delivering/visiting their kids
- Students' brothers/sisters/girlfriends/boyfriends/chums up for the
  weekend
- Faculty colleagues visiting for the hour/day/week
- Small and large conferences bringing in 10 people or 500 people for a
  day or a week
- etc.


Steve


-----
At 10:14 AM -0500 8/8/03, Dan Updegrove wrote:

Mark and colleagues,

I think we owe it to the Internet, to our overstressed ISO staffs, and to
our PR/legal departments to be very aggressive in protecting our
networks. Since most forward-thinking campuses have, or are pursuing:

    - Authenticated kiosks in public locations, such as student unions
    - Authenticated wireless clouds in similar locations for laptop/PDA
      users
    - Authenticated network jacks in classrooms, library carrels, and
      reading rooms

there should be no lack of Internet/campus net access for our students,
faculty, and staff.

This leads me to conclude that the commercial kiosks are primarily for
outsiders to reach the Internet. Not clear to me why we should devote any
campus bandwidth or security management resources to the general public,
especially since we are having such a hard time managing both bandwidth
and security for our primary constituency!

I don't think it should be a Student Union's right to re-sell campus
network access. If the network is properly "owned" by the central IT
group, I can't imagine any rational IT group doing this.

My two cents,
Dan


At 10:00 AM 8/8/2003, Bruhn, Mark S. wrote:

Their claim is that it's easy (and it is, really) to completely isolate
these from the rest of the campus network.  They say that this is what
most other campuses that have installed them have done, but they haven't
been asked the questions we asked, or presented with the issues we
presented, before.
Isolating them from our network might protect our technical
infrastructure, but that doesn't address what might be done from them
against, say, UT-Austin, or deter fraud on e-Bay, or whatever.  Since
they carry campus IPs, any abuse by anyone would obviously come back to
us.
The campus gets a flat payment from the vendor each year.

M.


--
Mark S. Bruhn, CISSP, CISM

Chief IT Security and Policy Officer
Interim Director, Research and Educational Networking Information Sharing
and Analysis Center (ren-isac () iu edu)

Office of the Vice President for Information Technology and CIO
Indiana University
812-855-0326

Incidents involving IU IT resources: it-incident () iu edu
Complaints/kudos about OVPIT/UITS services: itombuds () iu edu

-----Original Message-----
From: Dan Updegrove [mailto:updegrove () MAIL UTEXAS EDU]
Sent: Thursday, August 07, 2003 11:53 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Web Kiosks

Mark & colleagues,

Not clear to me why any campus would desire -- or permit -- such
wide-open, unauthenticated (right?) access. Aside from some sort of
advertising revenue sharing (right?), this looks like a total loser from
a security and network management perspective.

Dan


At 05:33 PM 8/7/2003, Bruhn, Mark S. wrote:

Specifically, kiosks accessible to anyone, placed on campus, by a company
called Nanonation.

I just met with our Student Union folks, and they have contracted with
this company to place 5 or 6 of these in our Union.  They allow web
access to anything, anywhere.  It's a given that we would isolate these
from the rest of our network.  But, there are issues about what people
can do from these, using/against external sites.  When I described to the
Union staff what this could mean, in order to make sure they know what
they're getting into, they also became very concerned.  Especially when I
described that other areas have chosen to install some level of
authentication (such as the Library), and that these devices will most
likely become the new haven for nefarious-deed-doers (those that have
migrated to the county library as we installed authentication on campus
may migrate back!)



This company says they have 27 colleges and universities as customers.
They listed a few, and will send me the rest -- I start with the Big Ten
campuses they mentioned:  Michigan State, Northwestern, Ohio State,
Purdue is apparently negotiating.  Others were Penn and Kansas.

I wondered if I could get a sense of 1) how many security officers know
about these types of kiosks on their campuses, and 2)  if so, do you know
what the thinking was related to security and abuse?  How were those
concerns handled or were they explicitly recognized and accepted?

If you want to reply to me, I can sanitize and summarize for the lists.

Thanks,
M.






VP  for Information Technology          Phone (512) 232-9610
The University of Texas at Austin           Fax (512) 232-9607
FAC 248 (Mail code: G9800)            d.updegrove () its utexas edu
P.O. Box 7407                                 http://wnt.utexas.edu/~danu/
Austin, TX 78713-7407

********** Participation and subscription information for this EDUCAUSE
Discussion Group discussion list can be found at
http://www.educause.edu/cg/.


