Educause Security Discussion mailing list archives

Re: Guest wireless restrictions


From: "Carson, Larry" <larry.carson () UBC CA>
Date: Mon, 29 Apr 2013 16:45:00 +0000

Our guest wireless network is restricted to browsing, email, SSH and VPN.
Basically you can do any basic activities (securely) or VPN/SSH somewhere
else where you can become someone else's worry. In three years we've had one
complaint where a system was compromised and part of a botnet; we've had no
copyright compliance issues on this network. Details are here:
http://www.it.ubc.ca/service_catalogue/internet_telephone/wireless/visitor_wireless.html

Regards,
Larry Carson
Associate Director, Information Security Management, UBC

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Nathaniel Hall
Sent: April-29-13 8:21 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Guest wireless restrictions

I recommend allowing P2P traffic and similar protocols, but limiting them to
a measly 1k. This prevents them from jumping to other ports that are open or
use a next-gen type firewall like a Palo Alto.

DISCLAIMER: I work for a Palo Alto vendor. My company also sells similar
products, but Palo Alto is the product I am comfortable with.

--
Nathaniel Hall

On 4/29/2013 9:19 AM, David Curry wrote:

We're (still) in the process of thinking about how we want to split our
wireless network into two SSIDs, one for students/faculty/staff and one for
"guests" (in quotes because students and staff may be allowed to use it
too). We're thinking we want to do what a number of other schools have done,
and limit the "guest" SSID to a few protocols:

* ICMP
* HTTP and HTTPS
* POP and IMAP in their SSL flavors only (no plaintext)
* SMTP in its SSL and TLS flavors only (no plaintext)
* VPN (IPSec, PPTP, L2TP)

which after Googling around a bit seems to be a pretty common set (some also
allow unencrypted POP/IMAP/SMTP, and others also allow various flavors of
chat/instant messaging).

We'd also like (we think) to limit individual user bandwidth on the guest
wireless, partly to cut down on the damage a "misbehaving" client can cause,
and partly to encourage students/faculty/staff to move over to the "secure"
SSID. Googling around on this topic, I've been able to find lots of schools
doing this, but very few that document what their limits actually are.

So, two questions:

1. If you limit the protocols on your guest wireless, is there anything
   not in the list above that you've found it necessary to allow?
2. If you limit the bandwidth (speed) on your guest wireless, what are
   your download/upload limits (speeds), and what does that allow/not allow
   (e.g., streaming audio/video)?

Thanks,

--Dave

--

DAVID A. CURRY, CISSP . DIRECTOR OF INFORMATION SECURITY

THE NEW SCHOOL . 55 W. 13TH STREET . NEW YORK, NY 10011

+1 212 229-5300 x4728 . david.curry () newschool edu 
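As an added worked example, not code from any poster or institution in this thread: a small Python model of the port-based allow-list Dave lists, which evaluates sample flows against it and renders the equivalent iptables rules plus a per-client rate cap. Everything beyond the thread's own list is my assumption and is marked as such in the code: the `wlan-guest` interface name, the DNS entry, the IKE/NAT-T/ESP/GRE helper entries that IPsec and PPTP need to actually work, the `2mb/s` cap value, and the choice of an iptables `hashlimit` policer for the cap (one of several ways to do it, not what any school above describes). It also shows the limit of this approach that Nathaniel's reply points at: a port allow-list cannot tell a P2P client that falls back to 80/443 from a browser, which is why he suggests an application-aware firewall or a throttled P2P rule instead.

```python
"""
Model of a port-based guest-SSID egress policy (constructed example, not the
configuration of any school in the thread).  It encodes the allow-list the
thread discusses, evaluates sample flows against it, and renders the iptables
rules that would enforce it plus a per-client rate cap.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# (IP protocol, destination port or None for port-less protocols, description).
# Port numbers are the standard IANA assignments.  The IPsec/PPTP helper
# entries (IKE, NAT-T, ESP, GRE) are added because a "VPN allowed" rule that
# only opens TCP 1723 leaves PPTP's GRE tunnel and IPsec's ESP blocked.
# DNS is an assumption added here: nothing else in the list works without it.
GUEST_ALLOW: List[Tuple[str, Optional[int], str]] = [
    ("icmp", None, "ICMP"),
    ("udp", 53, "DNS (assumed; required by everything below)"),
    ("tcp", 80, "HTTP"),
    ("tcp", 443, "HTTPS"),
    ("tcp", 995, "POP3 over SSL"),
    ("tcp", 993, "IMAP over SSL"),
    ("tcp", 465, "SMTP over SSL (SMTPS)"),
    ("tcp", 587, "SMTP submission (STARTTLS; encryption not enforced by port)"),
    ("udp", 500, "IPsec IKE"),
    ("udp", 4500, "IPsec NAT-T"),
    ("esp", None, "IPsec ESP (IP protocol 50)"),
    ("tcp", 1723, "PPTP control"),
    ("gre", None, "PPTP tunnel (GRE, IP protocol 47)"),
    ("udp", 1701, "L2TP"),
]


@dataclass(frozen=True)
class Flow:
    """A client-initiated flow as the firewall sees it: IP protocol and destination port."""
    proto: str
    dport: Optional[int] = None


def is_allowed(flow: Flow) -> Tuple[bool, str]:
    """First-match evaluation with an implicit default deny, mirroring the rule chain below."""
    for proto, port, label in GUEST_ALLOW:
        if flow.proto == proto and (port is None or flow.dport == port):
            return True, label
    return False, "default deny"


def iptables_rules(guest_if: str, chain: str = "GUEST_OUT") -> List[str]:
    """Render the allow-list as iptables commands for traffic forwarded off the guest VLAN.

    Assumes the FORWARD chain's policy is already DROP, so the explicit accept
    for return traffic is the only way packets reach guest clients.
    """
    rules = [
        f"iptables -N {chain}",
        f"iptables -A FORWARD -i {guest_if} -j {chain}",
        f"iptables -A FORWARD -o {guest_if} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for proto, port, label in GUEST_ALLOW:
        match = f"-p {proto}" + (f" --dport {port}" if port is not None else "")
        rules.append(f"iptables -A {chain} {match} -j ACCEPT  # {label}")
    rules.append(f"iptables -A {chain} -j DROP")
    return rules


def per_client_cap_rule(guest_if: str, rate: str = "2mb/s") -> str:
    """Per-source-IP policer using the hashlimit match's byte-based rate syntax.

    This drops packets above the rate rather than queueing them (a shaper such
    as tc/HTB would smooth instead of drop).  The rate value is a placeholder;
    check the unit semantics in your iptables version's man page before relying on it.
    """
    return (f"iptables -I FORWARD -i {guest_if} -m hashlimit --hashlimit-mode srcip "
            f"--hashlimit-above {rate} --hashlimit-name guest_cap -j DROP")


def evaluate(flows: List[Flow]) -> List[Tuple[Flow, bool, str]]:
    """Evaluate a batch of flows; returns (flow, allowed, matching label)."""
    return [(f, *is_allowed(f)) for f in flows]


if __name__ == "__main__":
    # Constructed sample flows: plaintext mail ports, a BitTorrent port and NTP
    # are dropped; the GRE tunnel is allowed only because of the helper entry.
    samples = [Flow("tcp", 443), Flow("tcp", 110), Flow("tcp", 25),
               Flow("gre"), Flow("tcp", 6881), Flow("udp", 123)]
    for flow, ok, why in evaluate(samples):
        print(f"{flow.proto:5} {str(flow.dport or '-'):>5}  {'ALLOW' if ok else 'DROP':5}  {why}")
    print()
    print("\n".join(iptables_rules("wlan-guest")))
    print(per_client_cap_rule("wlan-guest"))
```

Running it prints the verdict table and the rule set; the table is the useful part when you are deciding what to add to the list, because it makes the "VPN allowed but GRE/ESP missing" failure visible before a guest reports that PPTP connects and then hangs. The STARTTLS entry for 587 is labelled deliberately: port filtering admits the session but cannot force the client to upgrade to TLS, which is the same gap as allowing plaintext on 25 unless the mail server itself refuses unencrypted authentication.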
