Educause Security Discussion mailing list archives

Re: Guest wireless restrictions

From: Nathaniel Hall <educause-lists () NATHANIELHALL COM>
Date: Mon, 29 Apr 2013 10:21:26 -0500

I recommend allowing P2P traffic and similar protocols, but limitingthem to a measly 1k. This prevents them from jumping to other ports thatare open or use a next-gen type firewall like a Palo Alto.

DISCLAIMER: I work for a Palo Alto vendor. My company also sells similarproducts, but Palo Alto is the product I am comfortable with.


--
Nathaniel Hall

On 4/29/2013 9:19 AM, David Curry wrote:

We're (still) in the process of thinking about how we want to splitour wireless network into two SSIDs, one for students/faculty/staffand one for "guests" (in quotes because students and staff may beallowed to use it too). We're thinking we want to do what a number ofother schools have done, and limit the "guest" SSID to a few protocols:
  * ICMP
  * HTTP and HTTPS
  * POP and IMAP in their SSL flavors only (no plaintext)
  * SMTP in its SSL and TLS flavors only (no plaintext)
  * VPN (IPSec, PPTP, L2TP)
which after Googling around a bit seems to be a pretty common set(some also allow unencrypted POP/IMAP/SMTP, and others also allowvarious flavors of chat/instant messaging).
We'd also like (we think) to limit individual user bandwidth on theguest wireless, partly to cut down on the damage a "misbehaving"client can cause, and partly to encourage students/faculty/staff tomove over to the "secure" SSID. Googling around on this topic, I'vebeen able to find lots of schools doing this, but very few thatdocument what their limits actually are.
So, two questions:

 1. If you limit the protocols on your guest wireless, is there
    anything not in the list above that you've found it necessary to
    allow?
 2. If you limit the bandwidth (speed) on your guest wireless, what
    are your download/upload limits (speeds), and what does that
    allow/not allow (e.g., streaming audio/video).

Thanks,

--Dave


--

*DAVID A. CURRY, CISSP* • DIRECTOR OF INFORMATION SECURITY

*THE NEW SCHOOL* • 55 W. 13TH STREET • NEW YORK, NY 10011
+1 212 229-5300 x4728 • david.curry () newschool edu<mailto:david.curry () newschool edu>

Current thread:

Guest wireless restrictions David Curry (Apr 29)
- Re: Guest wireless restrictions Kevin Hayes (Apr 29)
- Re: Guest wireless restrictions Julian Y Koh (Apr 29)
- Re: Guest wireless restrictions Jeff Kell (Apr 29)
- Re: Guest wireless restrictions Dr. Wole Akpose (Apr 29)
  - Re: Guest wireless restrictions David Curry (Apr 29)
- Re: Guest wireless restrictions Roger A Safian (Apr 29)
- Re: Guest wireless restrictions Nathaniel Hall (Apr 29)
  - Re: Guest wireless restrictions Carson, Larry (Apr 29)
- Re: Guest wireless restrictions randy (Apr 29)
  - Re: Guest wireless restrictions David Curry (Apr 29)
    - Re: Guest wireless restrictions Roger A Safian (Apr 29)
  - Re: Guest wireless restrictions Ken Connelly (Apr 29)
  - Re: Guest wireless restrictions Dewitt Latimer (Apr 29)
    - Re: Guest wireless restrictions Ken Connelly (Apr 29)
    - Re: Guest wireless restrictions Eric C. Lukens (Apr 29)
    - Re: Guest wireless restrictions Palmer, Kevin J. (Apr 29)
    - Re: Guest wireless restrictions Dewitt Latimer (Apr 29)

(Thread continues...)