Educause Security Discussion mailing list archives

Re: Guest wireless restrictions


From: Derek Diget <derek.diget+educause-security () WMICH EDU>
Date: Tue, 30 Apr 2013 12:26:47 -0400

On Apr 29, 2013 at 10:19 -0400, David Curry wrote:
=>We're (still) in the process of thinking about how we want to split our
=>wireless network into two SSIDs, one for students/faculty/staff and one for
=>"guests" (in quotes because students and staff may be allowed to use it
=>too). We're thinking we want to do what a number of other schools have
=>done, and limit the "guest" SSID to a few protocols:
=>
=>   - ICMP
=>   - HTTP and HTTPS
=>   - POP and IMAP in their SSL flavors only (no plaintext)

What are you going to do for sites that offer IMAP on 143 with 
LOGINDISABLED and STARTTLS?  It isn't any less "secure" than IMAP on 993 
with SSL.


=>   - SMTP in its SSL and TLS flavors only (no plaintext)

How do you tell the difference with a message submission over 587 that 
does not require STARTTLS before any SMTP AUTH and one that does?


=>   - VPN (IPSec, PPTP, L2TP)
=>
=>which after Googling around a bit seems to be a pretty common set (some
=>also allow unencrypted POP/IMAP/SMTP, and others also allow various flavors
=>of chat/instant messaging).

I think that XMPP has the same issue in that you can do clear text or 
STARTTLS on the same port.  Same for LDAP (mail clients doing address 
book lookups).


So how can you really restrict "no plaintext" on protocols/ports that 
implement a STARTTLS type command?  OK, there might be some firewalls 
that can do it, but it brings back memories of PIX's fixup problems.  
Not ones that I would want to relive.



-- 
***********************************************************************
Derek Diget                            Office of Information Technology
Western Michigan University - Kalamazoo  Michigan  USA - www.wmich.edu/
***********************************************************************
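As an added illustration of the point raised in this post (example code, not part of the thread): a port number alone cannot separate "STARTTLS, then AUTH" from "AUTH in the clear" on 143 or 587; a filter has to follow the protocol state, as this small classifier does over constructed IMAP and SMTP transcripts. The transcripts, hostnames and base64 string are made up.

```python
# Added example (not from the thread); the transcripts below are constructed.

SMTP_VERBS = {"EHLO", "HELO", "STARTTLS", "AUTH", "MAIL", "RCPT", "DATA", "QUIT"}
AUTH_VERBS = {"AUTH", "AUTHENTICATE", "LOGIN"}

def client_verb(line):
    """SMTP clients send 'VERB args', IMAP clients 'tag VERB args';
    drop the IMAP tag so both protocols yield a bare verb."""
    tokens = line.split()
    if not tokens:
        return ""
    first = tokens[0].upper()
    return first if first in SMTP_VERBS or len(tokens) == 1 else tokens[1].upper()

def classify_session(session):
    """session: list of ('C'|'S', text). Returns (verdict, login_disabled):
    verdict is 'plaintext-auth' if AUTH/LOGIN preceded TLS, 'starttls-upgraded'
    once TLS starts (later bytes are opaque to a middlebox), else 'no-auth'."""
    starttls_pending = login_disabled = False
    for who, text in session:
        upper = text.upper()
        verb = client_verb(text) if who == "C" else ""
        if who == "S":
            login_disabled |= "LOGINDISABLED" in upper
            # IMAP accepts STARTTLS with 'tag OK ...', SMTP with '220 ...'
            if starttls_pending and (upper.startswith("220") or " OK" in upper):
                return "starttls-upgraded", login_disabled
            starttls_pending = False
        elif verb == "STARTTLS":
            starttls_pending = True
        elif verb in AUTH_VERBS:
            return "plaintext-auth", login_disabled
    return "no-auth", login_disabled

# Constructed transcripts; a port-only firewall rule sees both as "allowed".
IMAP_STARTTLS = [
    ("S", "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready"),
    ("C", "a1 STARTTLS"),
    ("S", "a1 OK Begin TLS negotiation now"),
]
SMTP_PLAIN_AUTH = [
    ("S", "220 submission.example.test ESMTP"),
    ("C", "EHLO laptop"),
    ("S", "250-STARTTLS"),
    ("S", "250 AUTH PLAIN LOGIN"),
    ("C", "AUTH PLAIN AGFsaWNlAHNlY3JldA=="),  # constructed base64 credentials
]

if __name__ == "__main__":
    print(classify_session(IMAP_STARTTLS), classify_session(SMTP_PLAIN_AUTH))
```

The IMAP session advertises LOGINDISABLED and upgrades to TLS, so it is no weaker than 993; the SMTP session authenticates on 587 before STARTTLS, which is exactly what a port-based rule cannot see.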