Well stated, Peter. Could you imagine the outrage if ISPs started requiring their residential customers to on-board their systems? If you couldn't pass a bit of traffic without registering first, applying patches, etc.? What if Starbucks or others did the same? It's what we are effectively doing in EDU, and I struggle to find data saying it's effective. Same goes for those still trying to manage/shape/block file sharing protocols, but that's a different story. I question the need for admin encryption as well, but when you own the devices, it's less work to support it. I think you could extend that thought to what our environments may look like in another 5-10 years. With the push toward cloud-based services, and those services using encrypted transports by default, will we eventually come back full circle to open wifi?

Jeff
>>> On Friday, January 23, 2015 at 11:42 AM, in message <be09b41edf9c42df8404a864d90e0...@ex13-mbx-12.ad.syr.edu>, Peter P Morrissey <ppmor...@syr.edu> wrote:

“Don't assume I'm counter to what we've traditionally been doing in EDU, but I'm constantly reevaluating if some of these "best practices" have outlived their usefulness.”

I think that is a very healthy approach. We shouldn’t do things just because we’ve always done them a certain way or because we have some vague sense that we have to because it is somehow more secure. We stopped doing NAC a few years ago for this reason. The vendor we were using caused way too many issues for our students, plus extra expenses and labor for us supporting them. Given that OSes tend to have auto updates and firewalls turned on by default now, the gain we got from enforcing it for those who did not was not measurable. Not to mention we are essentially an ISP for the students. Do ISPs ever require this? Our students don’t know what it is like to not have a computer and they seemed to survive just fine before they got here, so do we need to enforce behaviors that weren’t enforced at home? So far no one has been able to demonstrate any measurable advantage to doing the posture checking component of NAC. I have a much longer, involved justification on that that I will spare you reading right now. We get authentication and thus historical retribution from 802.1X by default, which is also considered NAC by some definitions. This is handy. We also get encryption, although I’m with you on questioning that as well. Nowadays, it is hard to come up with an application that needs to be secured that doesn’t already add its own encryption. So why do we need encryption at layer 2? I seriously could be missing something on this, and would welcome further input. And if you really want to go wild here, do we even need it for the admin side? Just asking. Don’t judge me.
Pete Morrissey

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey Sessler
Sent: Friday, January 23, 2015 2:07 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Trying to get the Wi-Fi Alliance's Attention

Our environments have _some_ data security concerns like a hospital, but when you really drill down and look at what those are, they are more the exception than the rule. In cases where we need to provide a greater level of security, we typically have full control (and ownership) of the device. Show me in HIPAA where it's a requirement that a student be provided an encrypted WiFi connection to their own device when accessing the medical records your campus holds. There isn't such a requirement, and they could access them from Starbucks' open wifi if they wished. As for on-boarding these "internet of things" devices, I always ask the same question... why? What are we gaining by the on-board process? Are our wlans so poorly designed that an unpatched system with no anti-virus poses a greater threat than if it was reaching services from outside our network? Don't assume I'm counter to what we've traditionally been doing in EDU, but I'm constantly reevaluating if some of these "best practices" have outlived their usefulness.

Jeff

>>> On Friday, January 23, 2015 at 10:36 AM, in message <70a4ca525a32ff42bbb8d79eec55b3bb41e19...@wmxd04p.sscad.salemstate.edu>, Brian Helman <bhel...@salemstate.edu> wrote:

But our environments are unique in the sense that we have many of the same data security concerns that a hospital has, but unlike their tenants, ours are 1) largely irresponsible children, 2) using systems we have to maintain (I’ve never seen a hospital help a patient fix a laptop) and 3) live on site for long periods of time. Your points regarding media/game systems are well taken and appreciated by everyone on here who has resident students though. I say this over and over:
it’s really not the “rule” that is the problem, it’s the exceptions. And those “Internet of things” devices (far beyond “BYOD”) are becoming more and more prevalent everywhere on campus… and very few of them support “enterprise” wireless configurations. As far as the onboarding headaches, I’m still surprised at how difficult this is. The closest I’ve seen to a good process is from a (very expensive) cloud *cough* provider. But is that expense warranted? Or better asked, WHY do we STILL NEED that expense when we’re now 4-5 generations (depending on how you count 11n) into mainstream wireless? My fear is that we are going to start seeing proprietary ‘standards’ for on-boarding similar to how Ethernet drivers worked 20 years ago, or NAC-type interfaces built in to some supplicant-like application that each wifi vendor packages with their equipment (i.e. an enterprise version of WPS).

-Brian

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey Sessler
Sent: Friday, January 23, 2015 1:20 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Trying to get the Wi-Fi Alliance's Attention

I think you could accomplish the same consumer friendly setup in classrooms, labs, etc. and still meet your goals, including regulatory compliance. I see this sort of hybrid approach today in hospital settings, so I'm not sure why it can't be accomplished in EDU. The new Kaiser hospital in my area has free WiFi everywhere, secure wifi for all their mobile computer stations (one per room), EKGs, pumps, etc., a mesh-based location solution with tags on everything, and cellular distribution. I would also question setting highest performance as a goal. What you want is a solution that provides the user what they need at the moment they need it. I didn't deploy 802.11n or 802.11ac so that I could win unrealistic max performance claims.
I deployed those technologies to support more efficient access to a finite amount of spectrum. And if performance is a goal, it's going to be more difficult to attain if the access to the service is complex enough to make the typical user reach for their MiFi device.

Jeff

>>> On Friday, January 23, 2015 at 9:44 AM, in message <7c623f076ece4354b6039ec505e9c...@ex13-mbx-10.ad.syr.edu>, Lee H Badman <lhbad...@syr.edu> wrote:

No easy answer. The dorms could be set up “consumer style” with a different operational profile, SSID, etc. and don’t HAVE to be run like the rest of campus. But in classrooms, labs and meeting rooms there is no way to deliver highest performance, regulatory compliance, and accommodation of crap devices all at the same time without hyper complexity, and then at the physics level you still have problems. Even if every issue can’t be fixed in one fell swoop, there are a number of easy tweaks that device makers could provide if they pulled their heads out of 2004.

Lee Badman
Wireless/Network Architect
ITS, Syracuse University
315.443.3003
(Blog: http://wirednot.wordpress.com)

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey Sessler
Sent: Friday, January 23, 2015 12:39 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Trying to get the Wi-Fi Alliance's Attention

I don't know, Lee. In my mind, is it the device maker's requirement to work in both consumer and enterprise environments, or does the enterprise wlan market need to figure out how to look more like a consumer wlan? Is this a problem EDUs have created because of some desire to provide a service that's more complex or invasive to use than it has to be? Is there really a need to on-board devices and have them associate using WPA2 Ent, or could we support the bulk of our users (especially students) using something more consumer friendly? Take residential (dorm) wifi as an example.
If you had a model with an open or PSK-emulated wireless network coupled with location-based service filtering, the user gets on with every device out there, and they can see their Chromecast, Apple TV, etc. and any others on that AP or 1 adjacent. Pretty much gives you the consumer feel.

Jeff

>>> On Thursday, January 22, 2015 at 11:47 AM, in message <432756068f5346b59e108b825efca...@ex13-mbx-10.ad.syr.edu>, Lee H Badman <lhbad...@syr.edu> wrote:

I know self-promotion is in poor taste, but wanted to share this http://www.networkcomputing.com/wireless-infrastructure/the-case-for-wlan-interoperability/a/d-id/1318718? and encourage anyone of like (or opposing) mind to add comments. I'm told that the Alliance is at least reading along, FWIW.

-Lee

Lee H. Badman
Network Architect/Wireless TME
ITS, Syracuse University
315.443.3003

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
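The residential model sketched in the thread (an open or PSK network where a client discovers only the Chromecast or Apple TV on its own AP or one adjacent AP) is essentially a visibility policy over an AP adjacency graph and a client-to-AP association table. The Python below is an added example written for this page; it is not code from the thread or from any WLAN vendor's mDNS/Bonjour gateway. AP names, MAC addresses, and the service advertisement records are constructed, and the LocationFilter class, its method names, and the adjacency-plus-one rule are this example's own assumptions about how such a filter would be expressed.

```python
"""Location-scoped service discovery for an open/PSK residential WLAN.

Constructed example: AP names, MAC addresses and service records are made up.
A client only sees mDNS/Bonjour-style advertisements from devices associated
to the same AP or to one directly adjacent AP.
"""
from collections import defaultdict


class LocationFilter:
    """Tracks AP adjacency and client associations and scopes service visibility."""

    def __init__(self, adjacency):
        # adjacency: iterable of (ap_a, ap_b) pairs, treated as an undirected graph.
        self.neighbors = defaultdict(set)
        for a, b in adjacency:
            if a != b:
                self.neighbors[a].add(b)
                self.neighbors[b].add(a)
        self.assoc = {}  # client MAC -> AP it is currently associated to

    def associate(self, mac, ap):
        """Record an association; a roam simply overwrites the previous AP."""
        self.assoc[mac] = ap

    def disassociate(self, mac):
        """Forget a client; a device that left the WLAN advertises nothing."""
        self.assoc.pop(mac, None)

    def scope(self, ap):
        """APs whose clients may see services advertised from `ap`."""
        return {ap} | self.neighbors[ap]

    def may_forward(self, advertiser_mac, client_mac):
        """True if an advertisement from advertiser_mac should be relayed to client_mac."""
        adv_ap = self.assoc.get(advertiser_mac)
        cli_ap = self.assoc.get(client_mac)
        if adv_ap is None or cli_ap is None:
            return False  # unknown or stale device: fail closed
        if advertiser_mac == client_mac:
            return False  # never relay a device's own advertisement back to it
        return cli_ap in self.scope(adv_ap)

    def services_visible_to(self, client_mac, advertisements):
        """Return the sorted (service, name) pairs one client is allowed to discover.

        Each advertisement record is a dict with keys "mac", "service", "name".
        """
        seen = {
            (ad["service"], ad["name"])
            for ad in advertisements
            if self.may_forward(ad["mac"], client_mac)
        }
        return sorted(seen)


CLIENT = "10:20:30:00:00:01"  # constructed: a student's laptop


def build_demo():
    """Constructed topology: two adjacent dorm APs, one further down the hall,
    and an isolated library AP. Returns (filter, advertisements)."""
    f = LocationFilter([
        ("dorm-1-east", "dorm-1-west"),
        ("dorm-1-west", "dorm-2-east"),
    ])
    f.associate("aa:bb:cc:00:00:01", "dorm-1-east")  # Chromecast
    f.associate("aa:bb:cc:00:00:02", "dorm-2-east")  # Apple TV
    f.associate("aa:bb:cc:00:00:03", "library")      # printer
    f.associate(CLIENT, "dorm-1-west")
    ads = [
        {"mac": "aa:bb:cc:00:00:01", "service": "_googlecast._tcp", "name": "Room 101 TV"},
        {"mac": "aa:bb:cc:00:00:02", "service": "_airplay._tcp", "name": "Room 214 Apple TV"},
        {"mac": "aa:bb:cc:00:00:03", "service": "_ipp._tcp", "name": "Library Printer"},
        # stale record from a device that is no longer associated anywhere
        {"mac": "aa:bb:cc:00:00:04", "service": "_airplay._tcp", "name": "Ghost"},
    ]
    return f, ads


if __name__ == "__main__":
    f, ads = build_demo()
    for ap in ("dorm-1-west", "dorm-1-east", "library"):
        f.associate(CLIENT, ap)  # simulate the laptop roaming
        print(ap, f.services_visible_to(CLIENT, ads))
```

Two points a practitioner would want to keep in mind when mapping this onto a real deployment. First, this scopes discovery only: it decides which advertisements an mDNS gateway relays, not which clients can exchange traffic, so on an open network it provides no confidentiality between peers and must be paired with whatever client isolation or per-client keying the WLAN actually offers. Second, the filter fails closed on devices it has no association record for, which is the behaviour you want when the association table and the discovery cache drift apart during roams and disconnects.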