Educause Security Discussion mailing list archives
Re: Guest wireless restrictions
From: Derek Diget <derek.diget+educause-security () WMICH EDU>
Date: Tue, 30 Apr 2013 12:26:47 -0400
On Apr 29, 2013 at 10:19 -0400, David Curry wrote:

=>We're (still) in the process of thinking about how we want to split our
=>wireless network into two SSIDs, one for students/faculty/staff and one for
=>"guests" (in quotes because students and staff may be allowed to use it
=>too). We're thinking we want to do what a number of other schools have
=>done, and limit the "guest" SSID to a few protocols:
=>
=> - ICMP
=> - HTTP and HTTPS
=> - POP and IMAP in their SSL flavors only (no plaintext)

What are you going to do for sites that offer IMAP on 143 with
LOGINDISABLED and STARTTLS? It isn't any less "secure" than IMAP on 993
with SSL.

=> - SMTP in its SSL and TLS flavors only (no plaintext)

How do you tell the difference with a message submission over 587 that
does not require STARTTLS before any SMTP AUTH and one that does?

=> - VPN (IPSec, PPTP, L2TP)
=>
=>which after Googling around a bit seems to be a pretty common set (some
=>also allow unencrypted POP/IMAP/SMTP, and others also allow various flavors
=>of chat/instant messaging).

I think that XMPP has the same issue in that you can do clear text or
STARTTLS on the same port. Same for LDAP (mail clients doing address book
lookups).

So how can you really restrict "no plaintext" on protocols/ports that
implement a STARTTLS type command? OK, there might be some firewalls that
can do it, but it brings back memories of PIX's fixup problems. Not ones
that I would want to relive.

--
***********************************************************************
Derek Diget Office of Information Technology
Western Michigan University - Kalamazoo Michigan USA - www.wmich.edu/
***********************************************************************
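The question raised in the reply above, as an added example that is not part of the original post: on ports 143 and 587 a STARTTLS session and a plaintext login look identical to a port filter, and only the cleartext command stream before the handshake tells them apart. The `classify` function, the `RULES` table and every transcript below are constructed for illustration and assume the monitor sees both directions of the session.

```python
import re

# Cleartext patterns per protocol: the client's upgrade command, the server
# reply that accepts it, and client commands that begin authentication.
RULES = {
    "smtp": {
        "upgrade": re.compile(r"^STARTTLS$", re.I),
        "accepted": re.compile(r"^220[ -]"),
        "auth": re.compile(r"^AUTH\s+\S+", re.I),
    },
    "imap": {
        "upgrade": re.compile(r"^\S+\s+STARTTLS$", re.I),
        "accepted": re.compile(r"^[^*\s]\S*\s+OK\b", re.I),  # tagged OK only
        "auth": re.compile(r"^\S+\s+(LOGIN|AUTHENTICATE)\b", re.I),
    },
}

def classify(protocol, session):
    """session: list of ("C" or "S", line) tuples seen before any TLS handshake.
    Returns "upgraded-to-tls", "plaintext-auth" or "no-auth-seen"."""
    rules = RULES[protocol]
    upgrade_pending = False
    for side, line in session:
        line = line.strip()
        if side == "C":
            if rules["auth"].match(line):
                return "plaintext-auth"
            upgrade_pending = bool(rules["upgrade"].match(line))
        elif upgrade_pending and rules["accepted"].match(line):
            # From here on the stream is TLS; a middlebox sees nothing more.
            return "upgraded-to-tls"
    return "no-auth-seen"

# Constructed transcripts (hypothetical hosts, no real credentials).
EHLO = [("S", "220 mail.example.edu ESMTP"), ("C", "EHLO laptop.example"),
        ("S", "250-mail.example.edu"), ("S", "250-STARTTLS"),
        ("S", "250 AUTH PLAIN LOGIN")]
SMTP_587_TLS = EHLO + [("C", "STARTTLS"), ("S", "220 2.0.0 Ready to start TLS")]
SMTP_587_PLAIN = EHLO + [("C", "AUTH LOGIN")]
SMTP_587_REFUSED = EHLO + [("C", "STARTTLS"), ("S", "454 TLS not available"),
                           ("C", "AUTH LOGIN")]
IMAP_143_TLS = [("S", "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready"),
                ("C", "a1 STARTTLS"), ("S", "a1 OK Begin TLS negotiation now")]
IMAP_143_PLAIN = [("S", "* OK [CAPABILITY IMAP4rev1] ready"),
                  ("C", "a1 LOGIN guest placeholder-password")]
```

Telling these sessions apart takes per-protocol parsing of the session itself, which is the kind of application-layer inspection the reply compares to PIX fixup.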