Educause Security Discussion mailing list archives

Re: Pervasive Campus Wireless


From: Josh Richard <jrichar4 () D UMN EDU>
Date: Mon, 26 Jan 2009 10:26:44 -0600

Hello,

1. Yes 

2. No layer 2 encryption policies.  Outbound HTTP/HTTPS/DNS only.
Entire guest wireless deployment is behind a NAT box and disjoint from
general wireless.  Rate limits applied at NAT filter (10M aggregate SFQ)
[1].  AUP page through Cisco WiSM, everything else done (DHCP, dot1q
etc) using GNU/Linux [2].  Finally, we implemented scavenger QOS on the
traffic to give it less than best effort priority on the LAN.

3. No.

4. Risk has been accepted.  A design constraint was imposed which
required us to be able to discern a MAC address inside the NAT for a
given timestamp and URL/dst host.  The requirement was satisfied using
softflowd [3] to determine the IP of the inside host, and MAC filtering
on the WiSMs.  So far, we have had no need to use the flow data.

Cheers,

Josh

[1] http://www.opalsoft.net/qos/DS-25.htm 
[2] http://www.gnu.org , http://www.debian.org
[3] http://www.mindrot.org/projects/softflowd/ 

--
Josh Richard
University of Minnesota Duluth


On Thu, 2009-01-22 at 18:35 -0800, Hugh Burley wrote:


Jerry Sell <Jerry_Sell () BYU EDU> 22/01/2009 12:20 pm >>>
My superiors are interested in gathering some data concerning what
other universities are providing open access guest wireless services
on their campuses.  It would be helpful to us if we could enlist your
input on the following questions.

 

1. Does your university provide an open access Wifi system for guests
on campus?

We provide login for faculty, staff, students, and all visiting
members of institutions participating in Eduroam.  

2. If so, does it have encryption of any kind setup?

WPA

3.  Do you use a third-party subscription service such as Boingo, or
do you have your own subscription service, or no subscription
required?

Eduroam http://www.tru.ca/its/eduroam.html is a collaborative network
that allows students, staff and faculty to access wireless services at
cooperating universities without the need for obtaining a guest
account. It allows a user visiting another institution to login using
the same credentials they would at home.

4. If you don't require any authentication/subscription, how does your
University feel about the risk of providing an anonymous platform that
can be used for illegal activity?  Have they accepted the risk?  Do
they not feel the risk is great enough to mitigate?

 This was considered to present an unacceptable risk.
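
The lookup described in Josh Richard's answer 4 (timestamp and destination host to inside IP to MAC), as an added example that is not part of the original messages. It assumes the softflowd export has already been collected and parsed into records, and that DHCP lease history is the IP-to-MAC source (the message does not say how that mapping was kept); all names and sample data are hypothetical.

```python
from datetime import datetime, timedelta
from typing import NamedTuple

class Flow(NamedTuple):   # one pre-NAT flow record, as a collector might store it
    start: datetime
    end: datetime
    src: str              # inside address, before NAT
    dst: str
    dport: int

class Lease(NamedTuple):  # one DHCP lease interval (assumed IP-to-MAC source)
    start: datetime
    end: datetime
    ip: str
    mac: str

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

# Constructed sample data, not real logs.
FLOWS = [
    Flow(ts("2009-01-26 10:00:05"), ts("2009-01-26 10:00:40"), "10.0.0.21", "192.0.2.80", 80),
    Flow(ts("2009-01-26 10:00:30"), ts("2009-01-26 10:01:10"), "10.0.0.37", "192.0.2.80", 80),
    Flow(ts("2009-01-26 14:12:00"), ts("2009-01-26 14:12:20"), "10.0.0.21", "192.0.2.80", 443),
    Flow(ts("2009-01-26 14:12:05"), ts("2009-01-26 14:12:09"), "10.0.0.21", "198.51.100.7", 80),
]
LEASES = [
    Lease(ts("2009-01-26 09:00:00"), ts("2009-01-26 11:00:00"), "10.0.0.21", "02:00:00:00:00:01"),
    Lease(ts("2009-01-26 09:30:00"), ts("2009-01-26 11:30:00"), "10.0.0.37", "02:00:00:00:00:02"),
    Lease(ts("2009-01-26 13:00:00"), ts("2009-01-26 15:00:00"), "10.0.0.21", "02:00:00:00:00:03"),
]

def macs_for(when, dst, dport=None, skew=timedelta(seconds=5)):
    """Return sorted (mac, inside_ip) candidates for a reported time and destination."""
    hits = set()
    for f in FLOWS:
        if f.dst != dst or (dport is not None and f.dport != dport):
            continue
        # Allow a few seconds of clock skew between the reporter and the exporter.
        if not (f.start - skew <= when <= f.end + skew):
            continue
        # Resolve the inside IP to the MAC that held it when the flow started,
        # since the same address is re-leased to other clients over the day.
        for lease in LEASES:
            if lease.ip == f.src and lease.start <= f.start < lease.end:
                hits.add((lease.mac, f.src))
    return sorted(hits)
```

More than one candidate can come back when several guests reach the same destination at the same moment, so the result is a shortlist rather than a single answer.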
