Re: Guest wireless restrictions

[David Curry <david.curry () NEWSCHOOL EDU>]

Thanks to everyone who responded to this query.

In summary, it looks like most respondents who are limiting accessible
ports are using a list that is basically HTTP/S, POP/IMAP, SMTPS, and VPN.
SSH and NTP were also mentioned. One individual provided the eduroam list
of recommended protocols (basically these protocols plus a couple of
others); that list can be found at https://www.eduroam.us/node/69.

As for bandwidth limiting, not too many people answered that (or they're
not doing it), but of the couple who did, limits were either 1 Mbps down/up
or 1 Mbps down and 384 Kbps up. In Googling around I've found a couple of
other schools at both of those levels, and one school that's doing 5 Mbps
down and 1 Mbps up. There are some other schools that limit things based on
amount of data transferred rather than "speed."

Thanks again to everyone who responded.

--Dave




--

*DAVID A. CURRY, CISSP* • DIRECTOR OF INFORMATION SECURITY

*THE NEW SCHOOL* • 55 W. 13TH STREET • NEW YORK, NY 10011

+1 212 229-5300 x4728 • david.curry () newschool edu



On Mon, Apr 29, 2013 at 10:19 AM, David Curry <david.curry () newschool edu>wrote:

> We're (still) in the process of thinking about how we want to split our
> wireless network into two SSIDs, one for students/faculty/staff and one for
> "guests" (in quotes because students and staff may be allowed to use it
> too). We're thinking we want to do what a number of other schools have
> done, and limit the "guest" SSID to a few protocols:
>
>    - ICMP
>    - HTTP and HTTPS
>    - POP and IMAP in their SSL flavors only (no plaintext)
>    - SMTP in its SSL and TLS flavors only (no plaintext)
>    - VPN (IPSec, PPTP, L2TP)
>
> which after Googling around a bit seems to be a pretty common set (some
> also allow unencrypted POP/IMAP/SMTP, and others also allow various flavors
> of chat/instant messaging).
>
> We'd also like (we think) to limit individual user bandwidth on the guest
> wireless, partly to cut down on the damage a "misbehaving" client can
> cause, and partly to encourage students/faculty/staff to move over to the
> "secure" SSID. Googling around on this topic, I've been able to find lots
> of schools doing this, but very few that document what their limits
> actually are.
>
> So, two questions:
>
>    1. If you limit the protocols on your guest wireless, is there
>    anything not in the list above that you've found it necessary to allow?
>    2. If you limit the bandwidth (speed) on your guest wireless, what are
>    your download/upload limits (speeds), and what does that allow/not allow
>    (e.g., streaming audio/video).
>
> Thanks,
>
> --Dave
>
>
> --
>
> *DAVID A. CURRY, CISSP* • DIRECTOR OF INFORMATION SECURITY
>
> *THE NEW SCHOOL* • 55 W. 13TH STREET • NEW YORK, NY 10011
>
> +1 212 229-5300 x4728 • david.curry () newschool edu