Educause Security Discussion mailing list archives
Re: Guest wireless restrictions
From: David Curry <david.curry () NEWSCHOOL EDU>
Date: Tue, 30 Apr 2013 11:24:46 -0400
Thanks to everyone who responded to this query. In summary, it looks like most respondents who are limiting accessible ports are using a list that is basically HTTP/S, POP/IMAP, SMTPS, and VPN. SSH and NTP were also mentioned. One individual provided the eduroam list of recommended protocols (basically these protocols plus a couple of others); that list can be found at https://www.eduroam.us/node/69. As for bandwidth limiting, not too many people answered that (or they're not doing it), but of the couple who did, limits were either 1 Mbps down/up or 1 Mbps down and 384 Kbps up. In Googling around I've found a couple of other schools at both of those levels, and one school that's doing 5 Mbps down and 1 Mbps up. There are some other schools that limit things based on amount of data transferred rather than "speed." Thanks again to everyone who responded. --Dave -- *DAVID A. CURRY, CISSP* • DIRECTOR OF INFORMATION SECURITY *THE NEW SCHOOL* • 55 W. 13TH STREET • NEW YORK, NY 10011 +1 212 229-5300 x4728 • david.curry () newschool edu On Mon, Apr 29, 2013 at 10:19 AM, David Curry <david.curry () newschool edu>wrote:
We're (still) in the process of thinking about how we want to split our wireless network into two SSIDs, one for students/faculty/staff and one for "guests" (in quotes because students and staff may be allowed to use it too). We're thinking we want to do what a number of other schools have done, and limit the "guest" SSID to a few protocols: - ICMP - HTTP and HTTPS - POP and IMAP in their SSL flavors only (no plaintext) - SMTP in its SSL and TLS flavors only (no plaintext) - VPN (IPSec, PPTP, L2TP) which after Googling around a bit seems to be a pretty common set (some also allow unencrypted POP/IMAP/SMTP, and others also allow various flavors of chat/instant messaging). We'd also like (we think) to limit individual user bandwidth on the guest wireless, partly to cut down on the damage a "misbehaving" client can cause, and partly to encourage students/faculty/staff to move over to the "secure" SSID. Googling around on this topic, I've been able to find lots of schools doing this, but very few that document what their limits actually are. So, two questions: 1. If you limit the protocols on your guest wireless, is there anything not in the list above that you've found it necessary to allow? 2. If you limit the bandwidth (speed) on your guest wireless, what are your download/upload limits (speeds), and what does that allow/not allow (e.g., streaming audio/video). Thanks, --Dave -- *DAVID A. CURRY, CISSP* • DIRECTOR OF INFORMATION SECURITY *THE NEW SCHOOL* • 55 W. 13TH STREET • NEW YORK, NY 10011 +1 212 229-5300 x4728 • david.curry () newschool edu
Current thread:
- Re: Guest wireless restrictions, (continued)
- Re: Guest wireless restrictions David Curry (Apr 29)
- Re: Guest wireless restrictions Roger A Safian (Apr 29)
- Re: Guest wireless restrictions Ken Connelly (Apr 29)
- Re: Guest wireless restrictions Dewitt Latimer (Apr 29)
- Re: Guest wireless restrictions Ken Connelly (Apr 29)
- Re: Guest wireless restrictions Eric C. Lukens (Apr 29)
- Re: Guest wireless restrictions Palmer, Kevin J. (Apr 29)
- Re: Guest wireless restrictions Dewitt Latimer (Apr 29)
- Re: Guest wireless restrictions Roger A Safian (Apr 29)
- Re: Guest wireless restrictions David Curry (Apr 29)
- Re: Guest wireless restrictions Roger A Safian (Apr 29)
- Re: Guest wireless restrictions Karl Bernard (Apr 30)
- Re: Guest wireless restrictions Patrick Gorsuch (Apr 30)
- Re: Guest wireless restrictions David Curry (Apr 30)
- Re: Guest wireless restrictions Valdis Kletnieks (Apr 30)
- Re: Guest wireless restrictions Rich Graves (Apr 30)