We treat all student traffic as untrusted. So they receive the same access as someone coming in from our internet pipe. On the wireless side we do not allow client-to-client communication. We span one wireless subnet across the campus for our students, so the decision to not allow client-to-client traffic is as much a performance decision as a security decision. Most of our access filtering internally is done with VLAN ACLs on our core Cisco 6500 on ingress traffic. We are a mostly Cisco shop. The only difference between our wired student connections and the wireless student connection is that on the wired side we do allow client-to-client traffic between student networks, but any traffic from student VLANs to campus resources receives the same access privileges as an internet user coming in.

Thank you,

Brian Kellogg
Network Services Manager
St. Bonaventure University
716-375-4092

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Barros, Jacob
Sent: Friday, July 17, 2009 9:42 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: blocking specific ports or protocols

We were recently reviewing our policies on our Aruba wireless controller and I am curious what ports or protocols others are blocking for student wireless connections. For example, guest wireless connections are straightforward: HTTP, SSL, DNS. Student connections are much more complicated in my mind. Can anyone share an overall philosophy and some specifics on how you manage student wireless connections?

Jacob Barros
Network Administrator
Grace College and Seminary

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.