Educause Security Discussion mailing list archives

Re: Residential (Dorm) Network


From: "Foerst, Daniel P." <FOERST () CUA EDU>
Date: Thu, 4 Sep 2008 15:04:29 -0400

We are operating in a similar manner.
Our residence halls each have their own dedicated wired VLAN. Each
building is connected to residential core routers which have connectivity
back to our core network. We use ACLs to prohibit dorm-to-dorm
communication (which significantly reduces virus and malware outbreaks),
except where necessary, and firewall ACLs in our core to allow
connectivity to public services. We operate two large wireless LANs
(VLANs) that cover several residence halls for our residents; each WLAN
communicates to the same residence core routers. Like the wired LAN, the
core is firewalled to allow public service requests from our WLANs.
Tracking down an IP in a WLAN is a little more work as we cannot
identify what building they are in by subnet address; instead we use our
wireless system to identify the access point the device is connected to.

Plans have existed (but not yet implemented due to time and other
projects) for some time to provide our residences Internet connectivity
as a DMZ off our edge firewall through one pipe and use the existing
pipe for on-campus communication only. This would provide redundancy in
the event that the connecting upstream router ever goes down; their
network connectivity would remain. This was decided for planned
maintenance periods where the majority of campus is not using the
network except students, e.g. weekends or late nights. Additionally,
should there ever exist a time that we need to disable connectivity
between the core and the residence network, we could do so without
disabling Internet connectivity.

Daniel Foerst
Manager, Networks & Security
The Catholic University of America
Washington, DC 20064

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gary Flynn
Sent: Thursday, September 04, 2008 12:27 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Residential (Dorm) Network

Daniel Bennett wrote:
I am interested in hearing how your University handles their
Residential Network.  Is it isolated through Firewalls, ACLs?  Does it
have dedicated bandwidth?  How do users access internal College
resources?  Do they access resources through a VPN?

Our residence halls are on their own VLANs. We use ACLs to limit access
to the general campus network. However, a default permit policy is in
effect and very few services are blocked. Instead, student address
ranges are blocked at the resources they are not to access.

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
