Educause Security Discussion mailing list archives
Re: Web Kiosks
From: Dick Jacobson <Dick.Jacobson () NDSU NODAK EDU>
Date: Fri, 8 Aug 2003 11:37:13 -0500
Our student union brought this to me a year ago. I don't know if the vendor is the same but the main idea was to provide gaming for our students. After discussions with them it became obvious they were going to do something; so our response was that the traffic could not touch our network and that the University could not be implicated in any way (by IP number or name). The vendor (I believe) made all the local contacts for wiring and addressing. I did hear of a problem shortly after they went active but the University was not implicated in the problem or involved in the solution (other than advising them to deal with the vendor). Basically, if the vendor wants it bad enough they will abide by any "reasonable" restrictions we impose.

On Fri, 8 Aug 2003, Steve Worona wrote:
"Outsiders" isn't necessarily synonymous with "the general public". Not
that open-access kiosks are a good solution to the problem, but whatever
the solution is must accommodate:
- Guests at the campus hotel
- Parents delivering/visiting their kids
- Students' brothers/sisters/girlfriends/boyfriends/chums up for the weekend
- Faculty colleagues visiting for the hour/day/week
- Small and large conferences bringing in 10 people or 500 people for a
day or a week
- etc.
Steve
-----
At 10:14 AM -0500 8/8/03, Dan Updegrove wrote:
Mark and colleagues,
I think we owe it to the Internet, to our overstressed ISO staffs, and
to our PR/legal departments to be very aggressive in protecting our
networks. Since most forward-thinking campuses have, or are pursuing:
- Authenticated kiosks in public locations, such as student unions
- Authenticated wireless clouds in similar locations for
laptop/PDA users
- Authenticated network jacks in classrooms, library carrels,
and reading rooms
there should be no lack of Internet/campus net access for our students,
faculty, and staff.
This leads me to conclude that the commercial kiosks are primarily for
outsiders to reach the Internet. Not clear to me why we should devote
any campus bandwidth or security management resources to the general
public, especially since we are having such a hard time managing both
bandwidth and security for our primary constituency!
I don't think it should be a Student Union's right to re-sell campus
network access. If the network is properly "owned" by the central IT
group, I can't imagine any rational IT group doing this.
My two cents,
Dan
At 10:00 AM 8/8/2003, Bruhn, Mark S. wrote:
Their claim is that it's easy (and it is, really) to
completely isolate these from the rest of the campus
network. They say that this is what most other campuses
that have installed them have done, but they haven't been
asked the questions we asked, or presented with the issues
we presented, before.
Isolating them from our network might protect our technical
infrastructure, but that doesn't address what might be done
from them against, say, UT-Austin, or deter fraud on e-Bay,
or whatever. Since they carry campus IPs, any abuse by
anyone would obviously come back to us.
The campus gets a flat payment from the vendor each year.
M.
--
Mark S. Bruhn, CISSP, CISM
Chief IT Security and Policy Officer
Interim Director, Research and Educational Networking
Information Sharing and Analysis Center (ren-isac () iu edu)
Office of the Vice President for Information Technology and
CIO
Indiana University
812-855-0326
Incidents involving IU IT resources: it-incident () iu edu
Complaints/kudos about OVPIT/UITS services: itombuds () iu edu
-----Original Message-----
From: Dan Updegrove [mailto:updegrove () MAIL UTEXAS EDU]
Sent: Thursday, August 07, 2003 11:53 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Web Kiosks
Mark & colleagues,
Not clear to me why any campus would desire -- or permit --
such wide-open, unauthenticated (right?) access. Aside from
some sort of advertising revenue sharing (right?), this
looks like a total loser from a security and network
management perspective.
Dan
At 05:33 PM 8/7/2003, Bruhn, Mark S. wrote:
Specifically, kiosks accessible to anyone,
placed on campus, by a company called
Nanonation.
I just met with our Student Union folks, and
they have contracted with this company to place
5 or 6 of these in our Union. They allow web
access to anything, anywhere. It's a given
that we would isolate these from the rest of
our network. But, there are issues about what
people can do from these, using/against
external sites. When I described to the Union
staff what this could mean, in order to make
sure they know what they're getting into, they
also became very concerned. Especially when I
described that other areas have chosen to
install some level of authentication (such as
the Library), and that these devices will most
likely become the new haven for
nefarious-deed-doers (those that have migrated
to the county library as we installed
authentication on campus may migrate back!)
This company says they have 27 colleges and
universities as customers. They listed a few,
and will send me the rest -- I start with the
Big Ten campuses they mentioned: Michigan
State, Northwestern, Ohio State, Purdue is
apparently negotiating. Others were Penn and
Kansas.
I wondered if I could get a sense of 1) how
many security officers know about these types
of kiosks on their campuses, and 2) if so, do
you know what the thinking was related to
security and abuse? How were those concerns
handled or were they explicitly recognized and
accepted?
If you want to reply to me, I can sanitize and
summarize for the lists.
Thanks,
M.
--
Mark S. Bruhn, CISSP, CISM
Chief IT Security and Policy Officer
Interim Director, Research and Educational
Networking Information Sharing and Analysis
Center (ren-isac () iu edu)
Office of the Vice President for Information
Technology and CIO
Indiana University
812-855-0326
Incidents involving IU IT resources:
it-incident () iu edu
Complaints/kudos about OVPIT/UITS services:
itombuds () iu edu
VP for Information Technology Phone (512) 232-9610
The University of Texas at Austin Fax (512) 232-9607
FAC 248 (Mail code: G9800) d.updegrove () its utexas edu
P.O. Box 7407
http://wnt.utexas.edu/~danu/
Austin, TX 78713-7407

********** Participation and subscription information for this EDUCAUSE
Discussion Group discussion list can be found at http://www.educause.edu/cg/.
--
-----------------------------------------------------------------------
Dick Jacobson                  e-mail : Dick.Jacobson () ndsu NoDak edu
ND HECN MultiUser Host SysAd   office : IACC 206, NDSU
NDUS IT Security Officer       phone  : 701-231-7385
-----------------------------------------------------------------------
