Educause Security Discussion mailing list archives
Re: Pervasive Campus Wireless
From: Josh Richard <jrichar4 () D UMN EDU>
Date: Mon, 26 Jan 2009 10:26:44 -0600
Hello,

1. Yes

2. No layer 2 encryption policies. Outbound HTTP/HTTPS/DNS only. Entire guest wireless deployment is behind a NAT box and disjoint from general wireless. Rate limits applied at NAT filter (10M aggregate SFQ) [1]. AUP page through Cisco WiSM, everything else done (DHCP, dot1q etc) using GNU/Linux [2]. Finally, we implemented scavenger QOS on the traffic to give it less than best effort priority on the LAN.

3. No.

4. Risk has been accepted. A design constraint was imposed which required us to be able to discern a MAC address inside the NAT for a given timestamp and URL/dst host. The requirement was satisfied using softflowd [3] to determine the IP of the inside host, and MAC filtering on the WiSMs. So far, we have had no need to use the flow data.

Cheers,
Josh

[1] http://www.opalsoft.net/qos/DS-25.htm
[2] http://www.gnu.org, http://www.debian.org
[3] http://www.mindrot.org/projects/softflowd/

--
Josh Richard
University of Minnesota Duluth

On Thu, 2009-01-22 at 18:35 -0800, Hugh Burley wrote:
Jerry Sell <Jerry_Sell () BYU EDU> 22/01/2009 12:20 pm >>>

My superiors are interested in gathering some data concerning what other universities are providing open access guest wireless services on their campuses. It would be helpful to us if we could enlist your input on the following questions.

1. Does your university provide an open access Wifi system for guests on campus?
We provide login for faculty, staff, students, and all visiting members of institutions participating in Eduroam.

2. If so, does it have encryption of any kind set up?
WPA

3. Do you use a third-party subscription service such as Boingo, or do you have your own subscription service, or no subscription required?
Eduroam http://www.tru.ca/its/eduroam.html is a collaborative network that allows students, staff and faculty to access wireless services at cooperating universities without the need for obtaining a guest account. It allows a user visiting another institution to login using the same credentials they would at home.

4. If you don't require any authentication/subscription, how does your University feel about the risk of providing an anonymous platform that can be used for illegal activity? Have they accepted the risk? Do they not feel the risk is great enough to mitigate?
This was considered to present an unacceptable risk.
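
The lookup described in answer 4 of the reply above (timestamp plus destination host to inside IP to MAC), as an added example that is not part of the original post or of the university's tooling. It assumes flow records exported by softflowd on the inside (pre-NAT) interface have been stored as tuples, and that the IP-to-MAC step uses DHCP lease history; the record layout, function names and all sample values are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data (assumption: not from the original post).
# Flow records seen before NAT: start, end, inside src IP, dst IP, dst port.
FLOWS = [
    ("2009-01-26T10:00:05", "2009-01-26T10:00:09", "10.20.0.15", "192.0.2.80", 80),
    ("2009-01-26T10:00:07", "2009-01-26T10:00:30", "10.20.0.22", "198.51.100.7", 443),
    ("2009-01-26T14:12:40", "2009-01-26T14:13:02", "10.20.0.15", "192.0.2.80", 80),
]
# DHCP lease history (assumed source for IP-to-MAC): start, end, IP, MAC.
LEASES = [
    ("2009-01-26T09:30:00", "2009-01-26T11:30:00", "10.20.0.15", "00:11:22:33:44:55"),
    ("2009-01-26T09:45:00", "2009-01-26T11:45:00", "10.20.0.22", "00:11:22:aa:bb:cc"),
    # Same inside IP handed to a different client later in the day.
    ("2009-01-26T13:50:00", "2009-01-26T15:50:00", "10.20.0.15", "66:77:88:99:aa:bb"),
]

def _ts(text):
    return datetime.fromisoformat(text)

def mac_at(ip, when, leases=LEASES):
    """Return the MAC that held `ip` at datetime `when`, or "unknown"."""
    for start, end, lease_ip, mac in leases:
        if lease_ip == ip and _ts(start) <= when <= _ts(end):
            return mac
    return "unknown"

def attribute(dst_ip, dst_port, when, flows=FLOWS, leases=LEASES,
              skew=timedelta(seconds=5)):
    """Return sorted (inside_ip, mac) pairs for flows to dst_ip:dst_port
    that were active at `when`, allowing `skew` for clock differences
    between the reporting party and the flow exporter."""
    when = _ts(when)
    hits = set()
    for start, end, src, dst, port in flows:
        active = _ts(start) - skew <= when <= _ts(end) + skew
        if dst == dst_ip and port == dst_port and active:
            # Resolve the MAC at the flow's own start time, not "now":
            # the lease may have changed hands since.
            hits.add((src, mac_at(src, _ts(start), leases)))
    return sorted(hits)

if __name__ == "__main__":
    print(attribute("192.0.2.80", 80, "2009-01-26T10:00:06"))
    print(attribute("192.0.2.80", 80, "2009-01-26T14:12:50"))
```

The two queries hit the same inside IP but resolve to different MACs, which is why both the flow data and the lease history need retained timestamps from a synchronized clock.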