Re: Guest WiFi Access

[markm196 () netscape net <markm196 () NETSCAPE NET>]

No it is like time noted..  Each port is tied to a single mac address or several mac addresses in some areas..  Also 
called port security.  

Sent from myTouch 4G

----- Reply message -----
From: "Foerst, Daniel P." <FOERST () CUA EDU>
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Guest WiFi Access
Date: Thu, Sep 8, 2011 1:01 pm
Hi Mark,

When you say port locking, do you mean a physical device that prevents removal of an Ethernet cable by anyone from the 
wall?

What about at the workstation level? Dave indicated that students just snip cable ties, if you are locking at the wall, 
how are you preventing users from taking
a wire from the workstation? 
I suspect many students are not likely to be carrying around Ethernet cables, although they may on a campus with limit 
wireless. Do you have cable locks in
office spaces where students may bring their own laptops? Heck, the vast majority of our students do not know what an 
Ethernet cable is, they have been so indoctrinated to wireless that they seemingly do not know of anything else.


We once used cable locks on our workstations that not only secure the workstation, but the mouse, keyboard, and 
Ethernet together. I am not sure why those aren’t
used anymore (they may be as I have not really surveyed a lab/user area in sometime).

This whole thread is very interesting. Thank you for whomever initiated it!

-dan

Daniel Foerst
Assistant Director, Networks & Security

The Catholic University of America
Washington, DC 20064



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU]
On Behalf Of Mark Monroe

Sent: Thursday, September 08, 2011 1:04 PM

To: SECURITY () LISTSERV EDUCAUSE EDU

Subject: Re: [SECURITY] Guest WiFi Access



We have port locking enabled on all wired ports on campus including labs/classes and offices.. This prevents the unplug 
option...



As for guests, I have an app, that faculty and staff can use to "vouch" for a guest and create an account for them that 
lasts 1, 3 or 7 days, the account is tied back to the creator, which is who I send the FBI to when they come calling.. 
the account only has
permission to register their system on the guest wireless network (own firewall segment away from campus) and cannot 
auth on any campus computers or systems..




We use Bradford as our nac for wireless and all wired ports to do the registration.. if that matters..






Mark Monroe
Information Security Officer
University Of Missouri St. Louis
(314)516-4859






On 9/8/2011 11:41 AM, David Gillett wrote: 
Dave Koontz wrote:


Students, guests, and others can just plug themselves into any wired jack

without IT knowledge (in most

organizations)... and they often do.  We find people unplugging lab

computers, printers, etc. and patching

into the jack.


This is a recurring issue for us, too.  We do have a couple of small areas
where wired jacks are deliberately provided for visitors to plug into, but
I'm talking about students who walk into a lab, unplug a computer provided
by the college, and plug their own device in instead.  Oh, and if they have
to cut a plastic tie-strap to do that, it barely slows them down.



I don't believe CALEA has separate rules as to how someone accesses a

campus network or the internet, be it

wired or wireless.  Someone please correct me if I am wrong.


I don't believe the questioner was asking about provisions of CALEA per
se, but about the FCC's ruling (early 2009 if I recall correctly) that
providers of *public* Internet access are bound by CALEA -- i.e., must have
resources in place to allow easy/prompt intercept and recording of voice
(VOIP) traffic.  My impression is that most higher-ed institutions have
chosen to shield themselves from this requirement by ensuring that their
networks are *private*, with the possible exception of areas where they
qualify for exemptions to the FCC ruling -- in libraries, for instance..

(We had an incident on one campus where an instructional assistant decided
to "fix" the limited coverage of our guest wireless by putting up his own
router, using our guest SSID, in an area that did not qualify....  If he had
simply reported the disappointing coverage, we would have explained to him
the legal constraint under which we operate.)

David Gillett, CISSP CCNP
Sr, Security Engineer
Foothill-De Anza College District