Very good point Jeff. I may be worrying for nothing.

Thanks,
Curtis

On Wed, June 8, 2016 11:22 am, Jeffrey D. Sessler wrote:
> Most of the IoT devices use external cloud services, where the device
> establishes a connection outbound with the external service. As such, your
> typical "established" rules take care of the rest. For something like the
> XBOX, the games tend to pick the best host for multiplayer (if it's doing
> xbox<->xbox communications), so it will take the one that's wide open vs
> one that is blocking all inbound connections (MS calls it strict NAT).
> Pretty much any XBOX on a home network is going to use UPnP to open up all
> the necessary ports, allowing a "strict NAT" XBOX to connect to it.
>
> Even for something like Google Cloud Print – the device e.g. Printer, opens
> an outbound connection to Google, and communication happens over that
> persistent connection. Again, as long as your firewall/ACL has an allow for
> established connections, this works as it should. It's always the device
> establishing the outbound connection rather than the external service
> trying to establish an inbound connection.
>
> If anything, the need to poke holes is diminishing. Device/service
> companies realize that the average person isn't going to know how to poke
> holes in their router, and a corporation is unlikely to do so at all.
> Thus, everything is about the device establishing the connection outbound,
> and communication occurring on that persistent connection.
>
> Jeff
>
> On 6/8/16, 8:37 AM, "The EDUCAUSE Wireless Issues Constituent Group
> Listserv on behalf of Curtis K. Larsen"
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of curtis.k.lar...@utah.edu>
> wrote:
>
> So today we have the 1x student, faculty, staff network, and the open
> guest network only. So essentially the "guest" network doubles as the
> non-1x option. We are contemplating a PSK network that could accommodate
> registered non-1x devices for students in student housing areas for
> example, and that could solve some of these problems, but that is farther
> out and not the main point of my post.
>
> My original question was for those that do have the default deny inbound
> already (and it sounds like the majority are doing this). What are the top
> requests that you get for exceptions to the rule, if any? We want to
> forecast a little and understand what might break when we add the deny
> inbound. And, yes, we've been looking at flow data and AVC data from the
> WLC.
>
> My concern is that particularly in housing areas (but also some on campus)
> the number of devices that act like a server in some way, requiring
> inbound connections, is probably growing. The multi-player xbox
> explanation is interesting. Any other common examples you've seen?
>
> Thanks,
>
> Curtis
>
> On Wed, June 8, 2016 7:59 am, Thomas Carter wrote:
>> What do you consider a "guest" network? I ask, because we have a "guest"
>> network that is just for use by people not directly associated with the
>> college (i.e. not faculty, staff, or a student). Saying that, we don't
>> have enough public IP space to give out public IPs or even 1-1 nat, so
>> all traffic (guest and internal) uses traditional NAT with default deny
>> inbound. The only real issues we've had are related to Xbox multiplayer;
>> the person on campus cannot host the game, but can join someone else's
>> game. With so many free/cheap cloud options, things like physical
>> "servers" run by students seem to be a thing of the past.
>>
>> Thomas Carter
>> Network & Operations Manager
>> Austin College
>>
>> -----Original Message-----
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Curtis K. Larsen
>> Sent: Tuesday, June 7, 2016 6:34 PM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: [WIRELESS-LAN] Servers on Guest Networks
>>
>> Hello,
>>
>> We're looking at a default deny inbound and possibly opening ports as
>> required later on the guest wireless network. If you have already done
>> this I am curious to know what you and your user community defined as
>> being required on the guest network.
>>
>> I think primary drivers might include devices that are not capable of
>> WPA2-Enterprise *and* needing to run a service. Google cloud printers
>> come to mind, someone also mentioned multi-player Xbox? Do you have other
>> examples or use cases for allowing services like http/https from the
>> internet to your guest wireless network? If so, please share.
>>
>> Thanks,
>>
>> Curtis
>>
>> **********
>> Participation and subscription information for this EDUCAUSE Constituent
>> Group discussion list can be found at http://www.educause.edu/groups/.
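The behaviour the thread describes (guest devices dialing out, replies matched by an "established" rule, unsolicited inbound dropped so a console can join but not host until a UPnP mapping or admin exception exists) as an added Python model of a default-deny-inbound guest edge; this is not code from the list thread. The addresses, port numbers (3074 is used as the game port) and verdict strings are illustrative assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class GuestEdgeFilter:
    """Model of a guest-network edge: default deny inbound, allow established.

    flows holds 5-tuples the guest side opened; pinholes holds explicit
    inbound exceptions (a UPnP mapping or an admin ACL entry).
    """
    flows: set = field(default_factory=set)
    pinholes: set = field(default_factory=set)  # (proto, guest_ip, port)

    def outbound(self, proto, src, sport, dst, dport):
        # Guest -> Internet is permitted; remember the flow so the reply
        # direction matches the "established" rule.
        self.flows.add((proto, src, sport, dst, dport))
        return "ACCEPT"

    def inbound(self, proto, src, sport, dst, dport):
        # Reply to a connection the guest device itself opened.
        if (proto, dst, dport, src, sport) in self.flows:
            return "ACCEPT established"
        # Explicit exception for a device that really must accept connections.
        if (proto, dst, dport) in self.pinholes:
            return "ACCEPT pinhole"
        return "DROP"


def demo():
    """Walk through the two cases from the thread; returns the verdicts."""
    fw = GuestEdgeFilter()
    printer, google = "10.20.0.15", "203.0.113.10"    # constructed addresses
    xbox, remote_xbox = "10.20.0.40", "198.51.100.7"  # constructed addresses
    r = {}
    # Cloud printer: the printer dials out and the service's replies ride the
    # persistent connection, so no inbound exception is needed.
    r["printer_out"] = fw.outbound("tcp", printer, 51000, google, 443)
    r["printer_reply"] = fw.inbound("tcp", google, 443, printer, 51000)
    # Unsolicited inbound to the printer is still dropped.
    r["printer_unsolicited"] = fw.inbound("tcp", google, 40000, printer, 631)
    # Hosting behind "strict NAT": a remote peer dialing in is dropped, so the
    # campus console can join games but cannot host them.
    r["xbox_host_denied"] = fw.inbound("udp", remote_xbox, 3074, xbox, 3074)
    # With a UPnP mapping (or admin rule) for that port, hosting works.
    fw.pinholes.add(("udp", xbox, 3074))
    r["xbox_host_pinhole"] = fw.inbound("udp", remote_xbox, 3074, xbox, 3074)
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22} {verdict}")
```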