Re: Guest wireless restrictions

[David Curry <david.curry () NEWSCHOOL EDU>]

Thanks, Wole. To answer your questions:

1. What is the CALEA implication for your "guest" SSID?

The "guest" SSID will require authentication, either with NetID/password
(student/faculty/staff if we allow them) or a guest username and password
(created in a guest management system), so we should be okay CALEA-wise.

2. Where does your Wireless Access stand viz the rest of your network
architecture?

> From the standpoint of firewall rules and whatnot, re're thinking the
"secure" SSID will be a "trusted" network (although we haven't decided all
the specifics of this trust yet) and the "guest" SSID will be an
"untrusted" network.

--Dave



--

*DAVID A. CURRY, CISSP* • DIRECTOR OF INFORMATION SECURITY

*THE NEW SCHOOL* • 55 W. 13TH STREET • NEW YORK, NY 10011

+1 212 229-5300 x4728 • david.curry () newschool edu



On Mon, Apr 29, 2013 at 10:37 AM, Dr. Wole Akpose <wole.akpose () morgan edu>wrote:

> David,
>
> As you think this through, you may want to consider the following:
>
> 1. What is the CALEA implication for your "guest" SSID?
> 2. Where does your Wireless Access stand viz the rest of your network
> architecture?
>
>
> *W. Akpose
> *
> *
> *
>
>
> On Mon, Apr 29, 2013 at 10:19 AM, David Curry <david.curry () newschool edu>wrote:
>
> > We're (still) in the process of thinking about how we want to split our
> > wireless network into two SSIDs, one for students/faculty/staff and one for
> > "guests" (in quotes because students and staff may be allowed to use it
> > too). We're thinking we want to do what a number of other schools have
> > done, and limit the "guest" SSID to a few protocols:
> >
> >    - ICMP
> >    - HTTP and HTTPS
> >    - POP and IMAP in their SSL flavors only (no plaintext)
> >    - SMTP in its SSL and TLS flavors only (no plaintext)
> >    - VPN (IPSec, PPTP, L2TP)
> >
> > which after Googling around a bit seems to be a pretty common set (some
> > also allow unencrypted POP/IMAP/SMTP, and others also allow various flavors
> > of chat/instant messaging).
> >
> > We'd also like (we think) to limit individual user bandwidth on the guest
> > wireless, partly to cut down on the damage a "misbehaving" client can
> > cause, and partly to encourage students/faculty/staff to move over to the
> > "secure" SSID. Googling around on this topic, I've been able to find lots
> > of schools doing this, but very few that document what their limits
> > actually are.
> >
> > So, two questions:
> >
> >    1. If you limit the protocols on your guest wireless, is there
> >    anything not in the list above that you've found it necessary to allow?
> >    2. If you limit the bandwidth (speed) on your guest wireless, what
> >    are your download/upload limits (speeds), and what does that allow/not
> >    allow (e.g., streaming audio/video).
> >
> > Thanks,
> >
> > --Dave
> >
> >
> > --
> >
> > *DAVID A. CURRY, CISSP* • DIRECTOR OF INFORMATION SECURITY
> >
> > *THE NEW SCHOOL* • 55 W. 13TH STREET • NEW YORK, NY 10011
> >
> > +1 212 229-5300 x4728 • david.curry () newschool edu