Re: [WIRELESS-LAN] Open-Free Access wireless

2009-09-16 Thread heath.barnhart
We currently register all devices on our network; however, there really 
isn't a way to track people doing illicit activities unless they are 
actively using the network at that time. To mitigate risks we have a 
NetEnforcer to throttle certain types of traffic and it does a good job 
of it. After setting up the policies on the device we rarely get DMCA 
notices. To handle guests we set up a conference ID in NetReg so even if 
we have an issue we at least can account for the MAC of the device and 
what event allowed access to the network.


If your campus truly wants a wireless network that is both free to use 
and open (by which I believe you mean no registration, no 
authentication, and no encryption) then they would need to be made aware 
that it could possibly open them up to a host of security and possible 
liability issues. I would suggest if you were asked to proceed that you 
segregate this wireless network from the rest of your network as much as 
possible (ACLs and limited routing).


Heath

Scott Powell wrote:


I’ve read some responses on how to handle guest access, but I’m being 
asked a slightly different question by my campus. We are considering 
providing “free”/“open” wireless access on campus. I can think of a 
myriad of issues, but I need to find out if anyone else has done this 
and any comments you might have. We’ve been registering our user base, 
and then they access the real network via a webvpn. Guests were 
handled via the web auth in the Cisco WLC. My biggest concerns are how 
to handle RIAA and Movie industry copyright notices, CALEA, as well as 
the “unthinkable” activity over our wireless network. If it is “open”, 
I don’t know how I’ll be able to identify who did what if at all. Any 
feedback will be appreciated.


Scott Powell

Network Manager

Wittenberg University

spow...@wittenberg.edu

937-525-3821

937-327-7372 fax

www.wittenberg.edu

** Participation and subscription information for this 
EDUCAUSE Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.





--
Heath Barnhart
Asst. Systems and Networking Admin
Information Systems and Services
Washburn University
Topeka, KS 66621



RE: [WIRELESS-LAN] Open-Free Access wireless

2009-08-06 Thread Methven, Peter J
You could probably mitigate some of the risks of providing a free/open
wireless service, if it was heavily restrictive on what ports were open
and if you used deep packet inspection to block common p-2-p ports and
service types. You would still potentially have an issue with traffic
going in and out of your network encrypted which you couldn't deep
packet inspect, but in that situation you can genuinely say you have
made every technical effort possible and I guess the RIAA would have
difficulty proving it was copyrighted material.

 

Many Thanks
Peter

 

Peter Methven. MBCS, BENG (Hons)

Network Specialist

Computer Centre (The Allen McTernan Building)

Heriot-Watt University

Edinburgh

EH14 4AS

Telephone: +44 (0)131 4513516 / 07774 427548

Email p.j.meth...@hw.ac.uk

 




RE: [WIRELESS-LAN] Open-Free Access wireless

2009-08-06 Thread Scott Powell
Randy,

Thanks for the comments. You state that your wireless has been open from the 
beginning. How have you handled the copyright notices (if any) to date? We 
saw a substantial increase in notices last school year over previous. I’ve 
got a reasonable process in place for handling “known” offenders. I have no 
clue how to handle “unknown”.

Scott Powell
Network Manager
Wittenberg University
spow...@wittenberg.edu
937-525-3821
937-327-7372 fax
www.wittenberg.edu




Re: [WIRELESS-LAN] Open-Free Access wireless

2009-08-06 Thread Randy Ethridge
Since we couldn't find them we would block their MAC address from joining the 
network and give the Help desk the information. When the user called about not 
being able to connect, the Help desk would check the MAC and notify the user why 
they couldn't connect. This was the process, but it was easily defeated by 
spoofing, which is leading us to authenticate our wireless users.

Randy Ethridge 
Network Engineer V 
Information Services 
Eastern Illinois University 
rlethri...@eiu.edu 


RE: [WIRELESS-LAN] Open-Free Access wireless

2009-08-06 Thread Scott Powell
Thanks Randy. This is exactly what we’ve talked about internally. I guess our 
thought process is in line with reality.

Scott Powell
Network Manager
Wittenberg University
spow...@wittenberg.edu
937-525-3821
937-327-7372 fax
www.wittenberg.edu



RE: [WIRELESS-LAN] Open-Free Access wireless

2009-08-05 Thread Hector J Rios
Scott, 

 

I think you answered your own question. We actually considered the idea
at some point, strictly because we wanted to make it as easy as possible
for everybody to connect to our wireless network. But in the end we
decided that the cons were just too many. You've mentioned a few
already. And the answer to your question as to how you identify who did
what, is simply that you won't be able to.  You might be able to map an
IP to a MAC address, but then you will still have the tedious task of
finding the physical device. I think the only advantage that a wide open
network will give you is that you will be able to sniff the traffic. But
so will the bad guys, and you won't know who they are.

 

We've made it really easy for our guests to get on our wireless network
by obtaining guest accounts that can be created by their hosts (a
faculty or staff member) on a web application. We then authenticate them
via Cisco's web auth. Responding to DMCA notices and the like still
involves a little digging around, but you do everything from your
computer. 

 

Hector Rios

Louisiana State University
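
The "digging around" for a DMCA notice described above (mapping the reported IP to a MAC, then to a registration record such as the NetReg conference ID mentioned elsewhere in the thread) can be sketched as follows. This is an added example, not part of the original thread; the lease log format, addresses and registration table are constructed, and it assumes the notice reports the client's own address (no NAT) with a UTC timestamp.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data: one DHCP ACK per line as
# "<UTC time> <IP> <MAC> <lease seconds>". Not a real server's log format.
LEASE_LOG = """\
2009-08-05T18:00:00Z 10.20.0.57 00:11:22:aa:bb:01 3600
2009-08-05T18:30:00Z 10.20.0.57 00:11:22:aa:bb:01 3600
2009-08-05T20:05:00Z 10.20.0.57 00:11:22:aa:bb:02 3600
2009-08-05T20:10:00Z 10.20.0.58 00:11:22:aa:bb:03 3600
"""

# Constructed registration table: MAC -> the person or event that sponsored it.
REGISTRATIONS = {
    "00:11:22:aa:bb:01": "student jdoe",
    "00:11:22:aa:bb:02": "conference ID SUMMER-CONF",
}


def parse_ts(text):
    """Parse an ISO-8601 UTC timestamp; convert notice times to UTC first."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_leases(log):
    """Turn the lease log into (start, end, ip, mac) tuples."""
    leases = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, ip, mac, secs = line.split()
        start = parse_ts(ts)
        leases.append((start, start + timedelta(seconds=int(secs)), ip, mac.lower()))
    return leases


def attribute(ip, when, leases, registrations):
    """Return (mac, registrant) for the device that held `ip` at `when`.

    Addresses are reused, so the lookup is by time: take the most recent
    lease for the IP that started at or before `when` (a renewal or a
    reassignment supersedes older entries) and require that it had not
    yet expired. An unmatched notice returns (None, reason).
    """
    candidates = [l for l in leases if l[2] == ip and l[0] <= when]
    if not candidates:
        return None, "no lease on record"
    start, end, _, mac = max(candidates, key=lambda l: l[0])
    if when >= end:
        return None, "no active lease at that time"
    # On an open, unregistered network every lookup ends here as "unregistered".
    return mac, registrations.get(mac, "unregistered device")


if __name__ == "__main__":
    leases = parse_leases(LEASE_LOG)
    for stamp in ("2009-08-05T18:45:00Z", "2009-08-05T19:45:00Z", "2009-08-05T20:30:00Z"):
        print(stamp, attribute("10.20.0.57", parse_ts(stamp), leases, REGISTRATIONS))
```

The result names a MAC and its registration, not a person, so it is only as trustworthy as the MAC itself.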

 




Re: [WIRELESS-LAN] Open-Free Access wireless

2009-08-05 Thread Randy Ethridge
We actually are going the other way. Our wireless has been 'open' since day 
one, but due to all the issues mentioned and the changes in the legal landscape 
(or possible changes) we are in the process of securing our wireless. We will 
be requiring daily users to use our Safe Connect platform which also has the 
ability for our help desk (and in the future, other departments) to create 
guest accounts. We have had multiple RIAA notices with users on wireless with 
no way to track them down which was one factor in deciding to secure the 
wireless. 

Randy Ethridge 
Information Services 
Eastern Illinois University 

