A mix of a few recent topics I wanted to comment on (HEOA tracking and Device nets).
Our lawyers and CISO have reviewed HEOA. We say that we are required to block illegal peer to peer and know who is using each IP address. We block all peer to peer with Procera appliances currently. With ~40,000 wireless clients on RFC1918 private IPs and 2 – 3 Gbps of NAT-ed traffic flows tracking to the individual user was no trivial task. I wasn’t comfortable logging that volume of traffic flow on our Check Point firewalls (though they might handle it). Instead we leveraged netflow on multiple boxes to provide the answers. We’ve also been working with CERT more recently to improve our hit rate on identifying the user (we were missing some). Our only open wireless is for onboarding (to SMS text message credentials to cell phone number we could potentially subpoena for records). We do this with Packet Fence today and Aruba Clearpass tomorrow (though Packet Fence worked tremendously for us). Both have a click here to provision yourself for our WPA2 enterprise SSID with proper certificate validations. The complaints are that it takes too long (3 – 5 minutes is average to figure it out), that you have to select your cell carrier and some are missing (which we are eliminating with an SMS gateway service), or that folks don’t have SMS text capable cell phones (but they want their iPad connected). In our residence halls we leverage Aruba Clearpass. There are two SSIDs (one WPA2 enterprise and one WPA2 PSK w/ mac authentication requirements). Students can workflow themselves through the process. We steer them to the WPA2 enterprise SSID and they just need to have their enterprise ldap credentials. If they have a computer (Windows or Mac currently), they are steered to a captive portal page serving them the Aruba Onguard agent. Once they have that it steers them to install our managed Symantec Endpoint Protection. After that they are connected (unless either of those requirements stops running). Smart devices like phones and tablets just need to authenticate and they are good. They have to hit a Clearpass page to add the mac address of their gaming systems before they work on the WPA2 PSK SSID. We have profiling of devices so we don’t allow the computers and smart devices to connect to the PSK network. 95% of devices are wireless, but we did enable 802.1x for all wired ports. It was a tremendous effort for us, but has been running terribly well with just about 1 access point per suite. Reach out if you care for more details. Adam [Adam T Ferrero] From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Coehoorn, Joel Sent: Tuesday, September 08, 2015 9:51 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey HEOA just requires that we provide an individual notices to students once per year that includes an explanation of copyright and our enforcement policies. Said policies must include technical measures to limit copyright infringement and a policy to promote legal alternatives, but I didn't see anything in there about data retention requiring us to keep logs relating IPs/MACs to users. [http://www.york.edu/Portals/0/Images/Logo/YorkCollegeLogoSmall.jpg] Joel Coehoorn Director of Information Technology 402.363.5603 jcoeho...@york.edu<mailto:jcoeho...@york.edu> The mission of York College is to transform lives through Christ-centered education and to equip students for lifelong service to God, family, and society On Mon, Sep 7, 2015 at 5:38 PM, Steve Bohrer <skboh...@simons-rock.edu<mailto:skboh...@simons-rock.edu>> wrote: Hi Jeff, Can you comment on how the Higher Education Opportunity Act (HEOA) fits into this? Our understanding is that HEOA, in addition to the opportunity of Pell grants, now also gives us the opportunity to provide specific annual user eduction about copyright, and to get involved with copyright enforcement. IANAL enough to discuss whether HEOA compliance requires more or less user identity info than DMCA compliance, but HEOA was historically one of the reasons we've tried to know who owns the devices on our wired and wireless networks. Are there Educause or other resources about HEOA similar to the one you cite for DMCA? Steve Bohrer Network Admin, ITS Bard College at Simon's Rock 413-528-7645<tel:413-528-7645> > On Sep 4, 2015, at 5:28 PM, Jeffrey D. Sessler > <j...@scrippscollege.edu<mailto:j...@scrippscollege.edu>> wrote: > > Matthew, > > Under the DMCA, the ISP only has to, upon learning of the infringing > transmission, act quickly to remove or disable access to the infringing > transmission. We can carry that out with no knowledge of who’s behind the > device. That said, it only applies to resources owned by the institution. > > Here is some key info in case you’re interested. Some of it is sourced from > from an EDUCAUSE FAQ for DMCA designated agents in higher-ed. > > If your institution, after taking reasonable efforts to investigate and match > a user to the IP address designated in the DMCA notice, cannot, for technical > or other legitimate reasons, match a user to this IP address, the DMCA does > not specifically require any other action. > > The DMCA does not include a records retention requirement for logs. So, if > your record retention for radius, dhcp, etc. is only 7 days, and a DMCA > notice arrives for something that occurred 14 days ago, then you are under no > obligation to do more. > > Resources owned by an institution—such as faculty, staff, or computer lab > computers—fall under 17 U.S.C. Section 512(c). This section provides a safe > harbor for an ISP so that it is not liable for monetary damages for > infringing materials on its servers provided it does not have “actual > knowledge” of the infringing material, does not receive a direct financial > benefit from the infringement, and, when notified, responds “expeditiously” > to remove the infringing material or disable access to such material. > > Most student and guest activity on university networks occurs through > personally owned equipment and thus falls under 17 U.S.C. Section 512(a). > This section provides immunity to the ISP for information that simply > transits the ISP’s networks, with no direction, input, or interference from > the ISP itself, and is not stored anywhere on the ISP’s network. Notably, no > additional proactive steps are required for an ISP to avail itself of this > immunity. However, for a variety of reasons, some institutions have made a > policy decision to treat these notices as if they fall under Section 512(c), > terminating users from the network unless and until the infringing content is > removed. Often such activity is handled through a student affairs process, > rather than as a legal or IT matter, so as to seize upon a “teachable moment” > for students. > > If you’re interested, here is the link: > http://www.educause.edu/focus-areas-and-initiatives/policy-and-security/educause-policy/issues-and-positions/intellectual-property/dmca-faq > > > Jeff > > > > On 9/4/15, 1:58 PM, "The EDUCAUSE Wireless Issues Constituent Group Listserv > on behalf of Williams, Matthew" > <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> > on behalf of mwill...@kent.edu<mailto:mwill...@kent.edu>> wrote: > >> Jeff, >> >> Without knowing who is behind the device, how do you handle copyright issues? >> >> Respectfully, >> >> Matthew Williams >> Manager, Network and Telecommunications Services >> Kent State University >> Office: (330) 672-7246<tel:%28330%29%20672-7246> >> Mobile: (330) 469-0445<tel:%28330%29%20469-0445> >> >> -----Original Message----- >> From: The EDUCAUSE Wireless Issues Constituent Group Listserv >> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] >> On Behalf Of Jeffrey D. Sessler >> Sent: Friday, September 4, 2015 4:24 PM >> To: >> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> >> Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the >> dorms- quick Survey >> >> Frans, >> >> Why do you care who’s behind the device? If you were to treat student >> wireless in the same regard as Starbucks treats a device connecting to >> theirs, what possible policies would you be concerned with? If you could >> block the device and be done with it, what else do you want to do? >> >> Liability - Risk management is a decision that is higher up the chain, and >> if user’s are satisfied with the risk while at a Starbucks, why would their >> expectation be different when consuming free WiFi at their college? Would >> the college actually be at greater risk if, for example, they promote >> WPA/802.1x enabled SSIDs as “Secure” when it’s adding only one layer? >> >> Open Network - I’m not suggesting this, I’m saying, what’s the middle >> ground? Is a modified WPA-PSK system better, where the on boarding is using >> the student’s ID as the WPA-PSK password? Is that “Good Enough” to eliminate >> the hassles of WPA-Ent? >> >> So again, I think it’s worth having the conversation. If the process is >> overly complicated or restrictive e.g. My chrome cast is on the device-lan, >> but my laptop isn’t allowed cause it does 802.1x, then what have we solved? >> >> Jeff >> >> >> >> >> >> On 9/4/15, 12:09 PM, "The EDUCAUSE Wireless Issues Constituent Group >> Listserv on behalf of Frans Panken" >> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> >> on behalf of frans.pan...@surfnet.nl<mailto:frans.pan...@surfnet.nl>> wrote: >> >>> Jeff, >>> >>> Jeffrey D. Sessler schreef op 04/09/15 om 20:55: >>>> Just to turn this on it’s ear a bit... >>>> >>>> Why not go back to an open network for student devices, with the same EULA >>>> as they’d get be it at a Starbucks, McDonalds, hotel, or convention >>>> center? Why are we (my self included) so hell bent on student devices >>>> connecting via WPA-Ent and all the challenges associated with >>>> accommodating devices that can’t? >>> Basically, because you do not know who is behind the device if this >>> user does something that conflicts with any of the policies (e.g., >>> security to name one). >>>> >>>> >>>> Does data exist that shows all of this overhead we’ve created has had any >>>> measurable benefit (for the cost), especially when the same users aren’t >>>> concerned about over-the-air security when at the above mentioned places? >>> Regardless of the numbers, I will tell you it was worth it. >>> >>> Inmagine the blames your institute copes with if some one decides to >>> put a rogue access point in between that cathes all kinds of privacy data? >>> The end-user will blame the institue because it happended there! >>> >>> Note that there are easy out-of-the-box tools that are dedicated for >>> these kind of attacks and easy to set-up, even for a 12 year old. For >>> example, have a look at pineapple: https://www.wifipineapple.com/ (very >>> usefull to play with!) >>> >>> Or Nethunter, that uses Linux Kali and is installed on a simple phone >>> or tablet (http://www.nethunter.com/). >>> >>>> >>>> Why do we care so much? Is there some middle-ground that is “good enough” >>>> but provides almost the same experience as at home? >>> Seriously, you have an open network at home?? You login with your bank? >>> Ever hear of SSL strip (if not, I recommend to Google it and watch that >>> little slot in your browser continously) >>> >>>> >>>> Would our efforts be better spent implementing other beneficial >>>> technologies such location-aware WiFi, where after the student connects >>>> all their AppleTV, TimeMachine, and Chromecast devices, the network is >>>> smart enough to provide them visibility of only those devices when in/near >>>> the same location e.g. Location-aware bonjour? >>> I hope the arguments above convinced you. If not, I think I can think >>> of some more... >>> >>> -Frans >>>> >>>> >>>> >>>> Jeff >>>> >>>> >>>> On 9/4/15, 7:51 AM, "The EDUCAUSE Wireless Issues Constituent Group >>>> Listserv on behalf of Lee H Badman" >>>> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> >>>> on behalf of lhbad...@syr.edu<mailto:lhbad...@syr.edu>> wrote: >>>> >>>>> Where it gets interesting- broadcast and single class C required. But- >>>>> this is a great summary of requirements. >>>>> >>>>> Lee Badman | Network Architect >>>>> Information Technology Services >>>>> 206 Machinery Hall >>>>> 120 Smith Drive >>>>> Syracuse, New York 13244 >>>>> t 315.443.3003<tel:315.443.3003> f 315.443.4325<tel:315.443.4325> e >>>>> lhbad...@syr.edu<mailto:lhbad...@syr.edu> w >>>>> its.syr.edu<http://its.syr.edu> >>>>> SYRACUSE UNIVERSITY >>>>> syr.edu<http://syr.edu> >>>>> >>>>> -----Original Message----- >>>>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv >>>>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] >>>>> On Behalf Of Johnson, >>>>> Neil M >>>>> Sent: Friday, September 04, 2015 10:46 AM >>>>> To: >>>>> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> >>>>> Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" >>>>> in the dorms- quick Survey >>>>> >>>>> Here is my first pass at requirements: >>>>> >>>>> 1. The service must prevent or discourage devices that ARE capable of >>>>> using 802.1x authentication from using the service. >>>>> >>>>> 2. The service should provide some sort of traceability of devices >>>>> back to their owners. >>>>> >>>>> 3. The service must provide some method to deny access to an >>>>> individual device. >>>>> >>>>> 4. The service must be easy enough to use that the average student >>>>> can connect a device to the network in 10-15 minutes without requiring >>>>> assistance from ITS. >>>>> >>>>> 5. The service must restrict access to only authorized University >>>>> customers. >>>>> >>>>> 6. In the residence Halls, the service must support most the most >>>>> common consumer devices that students might bring to campus >>>>> >>>>> >>>>> We are also looking at a “Device Net” for campus for other devices that >>>>> may not do 802.1X (freezer monitors, digital signage, instrumentation, >>>>> etc.). >>>>> >>>>> For the residence hall device net we are thinking about blocking all >>>>> access to campus resources and just allowing internet access. >>>>> >>>>> For the campus device net we thinking about RFC 1918 space restricting >>>>> the deivces to on campus resources only. >>>>> >>>>> -- >>>>> Neil Johnson >>>>> Network Engineer >>>>> The University of Iowa >>>>> Phone: 319 384-0938 >>>>> Fax: 319 335-2951 >>>>> E-Mail: neil-john...@uiowa.edu<mailto:neil-john...@uiowa.edu> >>>>> >>>>> >>>>> >>>>>> On Sep 4, 2015, at 6:46 AM, Osborne, Bruce W (Network Services) >>>>>> <bosbo...@liberty.edu<mailto:bosbo...@liberty.edu>> wrote: >>>>>> >>>>>> What are you calling a Device Net? >>>>>> >>>>>> We have an open SSID with a custom captive portal using the ClearPass >>>>>> eTIPS API. >>>>>> >>>>>> We use this SSID for onboarding to 802.1X with Cloudpath XpressConnect >>>>>> Wizard, registering a non-8012.1X device Endpoint in ClearPass (with >>>>>> AirGroup device registration for Apple-TV) and for permitting non-802.1X >>>>>> network access, blocking out internal web server & blackboard servers. >>>>>> If devices try to go to these sites, they are redirected to Cloudpath >>>>>> XpressConnect Wizard. >>>>>> >>>>>> I am leaving on vacation for a week, so it may take me a while to >>>>>> resond further >>>>>> >>>>>> Bruce Osborne >>>>>> Wireless Engineer >>>>>> IT Infrastructure & Media Solutions >>>>>> >>>>>> (434) 592-4229<tel:%28434%29%20592-4229> >>>>>> >>>>>> LIBERTY UNIVERSITY >>>>>> Training Champions for Christ since 1971 >>>>>> >>>>>> -----Original Message----- >>>>>> From: Johnson, Neil M >>>>>> [mailto:neil-john...@uiowa.edu<mailto:neil-john...@uiowa.edu>] >>>>>> Sent: Thursday, September 3, 2015 12:08 PM >>>>>> Subject: Re: Supporting "those other Wi-Fi devices" in the dorms- >>>>>> quick Survey >>>>>> >>>>>> We are investigating a device net at UofI so, >>>>>> >>>>>> I would be interested in hearing from anyone who has implemented a >>>>>> Device Net with Clearpass. >>>>>> >>>>>> Thanks. >>>>>> -Neil >>>>>> >>>>>> -- >>>>>> Neil Johnson >>>>>> Network Engineer >>>>>> The University of Iowa >>>>>> Phone: 319 384-0938<tel:319%20384-0938> >>>>>> Fax: 319 335-2951<tel:319%20335-2951> >>>>>> E-Mail: neil-john...@uiowa.edu<mailto:neil-john...@uiowa.edu> >>>>>> >>>>>> >>>>>> >>>>>>> On Sep 3, 2015, at 7:24 AM, Lee H Badman >>>>>>> <lhbad...@syr.edu<mailto:lhbad...@syr.edu>> wrote: >>>>>>> >>>>>>> There is an elegance in your wisdom, Chuck. >>>>>>> >>>>>>> >>>>>>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv >>>>>>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] >>>>>>> On Behalf Of Chuck >>>>>>> Enfield >>>>>>> Sent: Wednesday, September 02, 2015 5:54 PM >>>>>>> To: >>>>>>> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> >>>>>>> Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" >>>>>>> in the dorms- quick Survey >>>>>>> >>>>>>> Don’t tell me. Ignorance is bliss. Man, am I happy! >>>>>>> >>>>>>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv >>>>>>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] >>>>>>> On Behalf Of David R. >>>>>>> Morton >>>>>>> Sent: Wednesday, September 02, 2015 5:41 PM >>>>>>> To: >>>>>>> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> >>>>>>> Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" >>>>>>> in the dorms- quick Survey >>>>>>> >>>>>>> Lee, >>>>>>> >>>>>>> Are you going to share the results of this survey as well? >>>>>>> >>>>>>> David >>>>>>> >>>>>>> >>>>>>> David Morton >>>>>>> >>>>>>> Director, Mobile Communications >>>>>>> Service Owner: Wi-Fi, Mobile & HuskyTV University of Washington >>>>>>> dmor...@u.washington.edu<mailto:dmor...@u.washington.edu> tel >>>>>>> 206.221.7814<tel:206.221.7814> >>>>>>> >>>>>>> On Sep 2, 2015, at 9:50 AM, Lee H Badman >>>>>>> <lhbad...@syr.edu<mailto:lhbad...@syr.edu>> wrote: >>>>>>> >>>>>>> As we look forward in how we service our residential spaces for >>>>>>> Wi-Fi, I’ve put together a quick survey on if/what other schools >>>>>>> are doing (and not doing) for supporting the perplexing gadgets >>>>>>> (TVs, games, entertainment dongles, etc) over Wi-Fi. Please >>>>>>> consider contributing at >>>>>>> >>>>>>> https://www.quicksurveys.com/s/Wc92H >>>>>>> >>>>>>> I’ll run this for two weeks, will post just a couple more invites on >>>>>>> each list in that period (so you know to expect a couple more… kind of >>>>>>> advance spam warning) and will open the results page up for both lists >>>>>>> at the end. I know I’m not the only one contemplating these questions. >>>>>>> Should take minutes to sail through, but decent participation could >>>>>>> really help others in their own thoughts about this challenging >>>>>>> paradigm. >>>>>>> >>>>>>> >>>>>>> >>>>>>> Thanks in advance! >>>>>>> >>>>>>> >>>>>>> >>>>>>> Lee Badman | Network Architect >>>>>>> Information Technology Services >>>>>>> 206 Machinery Hall >>>>>>> 120 Smith Drive >>>>>>> Syracuse, New York 13244 >>>>>>> t 315.443.3003<tel:315.443.3003> f 315.443.4325<tel:315.443.4325> e >>>>>>> lhbad...@syr.edu<mailto:lhbad...@syr.edu> w >>>>>>> its.syr.edu<http://its.syr.edu> >>>>>>> SYRACUSE UNIVERSITY >>>>>>> syr.edu<http://syr.edu> >>>>>>> >>>>>>> >>>>>>> >>>>>>> ********** Participation and subscription information for this EDUCAUSE >>>>>>> Constituent Group discussion list can be found at >>>>>>> http://www.educause.edu/groups/. >>>>>>> >>>>>>> ********** Participation and subscription information for this EDUCAUSE >>>>>>> Constituent Group discussion list can be found at >>>>>>> http://www.educause.edu/groups/. >>>>>>> ********** Participation and subscription information for this EDUCAUSE >>>>>>> Constituent Group discussion list can be found at >>>>>>> http://www.educause.edu/groups/. >>>>>>> ********** Participation and subscription information for this EDUCAUSE >>>>>>> Constituent Group discussion list can be found at >>>>>>> http://www.educause.edu/groups/. >>>>>> >>>>>> ********** >>>>>> Participation and subscription information for this EDUCAUSE Constituent >>>>>> Group discussion list can be found at http://www.educause.edu/groups/. >>>>>> >>>>>> >>>>>> ********** >>>>>> Participation and subscription information for this EDUCAUSE Constituent >>>>>> Group discussion list can be found at http://www.educause.edu/groups/. >>>>>> >>>>> >>>>> ********** >>>>> Participation and subscription information for this EDUCAUSE Constituent >>>>> Group discussion list can be found at http://www.educause.edu/groups/. >>>>> >>>>> >>>>> ********** >>>>> Participation and subscription information for this EDUCAUSE Constituent >>>>> Group discussion list can be found at http://www.educause.edu/groups/. >>>>> >>>> ********** >>>> Participation and subscription information for this EDUCAUSE Constituent >>>> Group discussion list can be found at http://www.educause.edu/groups/. >>>> >>> >>> ********** >>> Participation and subscription information for this EDUCAUSE Constituent >>> Group discussion list can be found at http://www.educause.edu/groups/. >> >> ********** >> Participation and subscription information for this EDUCAUSE Constituent >> Group discussion list can be found at http://www.educause.edu/groups/. >> >> >> ********** >> Participation and subscription information for this EDUCAUSE Constituent >> Group discussion list can be found at http://www.educause.edu/groups/. >> > > ********** > Participation and subscription information for this EDUCAUSE Constituent > Group discussion list can be found at http://www.educause.edu/groups/. > ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
<<attachment: Adam T Ferrero.vcf>>
