Re: Guest wireless restrictions

[David Curry <david.curry () NEWSCHOOL EDU>]

We're planning to use sponsored access as well (no open access). But we
still want to limit it, both because many of the users are not
faculty/staff/students and they don't need unfettered access, and also
because we want to convince faculty/staff/students to use the "secure" SSID
and not the "guest" one.


--

*DAVID A. CURRY, CISSP* • DIRECTOR OF INFORMATION SECURITY

*THE NEW SCHOOL* • 55 W. 13TH STREET • NEW YORK, NY 10011

+1 212 229-5300 x4728 • david.curry () newschool edu



On Mon, Apr 29, 2013 at 2:24 PM, randy <marchany () vt edu> wrote:

> The key to our guest wireless system is to assign the guests to a
> university "sponsor".  The sponsor has the ability to dictate the
> hours/days the guest can access the net.  We don't restrict protocol or
> bandwidth for guests as far as I know. The sponsor and the guest share
> responsibility for being good netizens.
>
> Our guest access FAQ page is at http://www.cns.vt.edu/data_guestFAQ.html.
>
> -Randy Marchany
> VA Tech IT Security Office & Lab
>
>
>
> On Mon, Apr 29, 2013 at 10:19 AM, David Curry <david.curry () newschool edu>wrote:
>
> > We're (still) in the process of thinking about how we want to split our
> > wireless network into two SSIDs, one for students/faculty/staff and one for
> > "guests" (in quotes because students and staff may be allowed to use it
> > too). We're thinking we want to do what a number of other schools have
> > done, and limit the "guest" SSID to a few protocols:
> >
> >    - ICMP
> >    - HTTP and HTTPS
> >    - POP and IMAP in their SSL flavors only (no plaintext)
> >    - SMTP in its SSL and TLS flavors only (no plaintext)
> >    - VPN (IPSec, PPTP, L2TP)
> >
> > which after Googling around a bit seems to be a pretty common set (some
> > also allow unencrypted POP/IMAP/SMTP, and others also allow various flavors
> > of chat/instant messaging).
> >
> > We'd also like (we think) to limit individual user bandwidth on the guest
> > wireless, partly to cut down on the damage a "misbehaving" client can
> > cause, and partly to encourage students/faculty/staff to move over to the
> > "secure" SSID. Googling around on this topic, I've been able to find lots
> > of schools doing this, but very few that document what their limits
> > actually are.
> >
> > So, two questions:
> >
> >    1. If you limit the protocols on your guest wireless, is there
> >    anything not in the list above that you've found it necessary to allow?
> >    2. If you limit the bandwidth (speed) on your guest wireless, what
> >    are your download/upload limits (speeds), and what does that allow/not
> >    allow (e.g., streaming audio/video).
> >
> > Thanks,
> >
> > --Dave
> >
> >
> > --
> >
> > *DAVID A. CURRY, CISSP* • DIRECTOR OF INFORMATION SECURITY
> >
> > *THE NEW SCHOOL* • 55 W. 13TH STREET • NEW YORK, NY 10011
> >
> > +1 212 229-5300 x4728 • david.curry () newschool edu