Reminds me of this quote from Eugene Spafford:

"Secure web servers [cryptographically enabled web servers] are the equivalent 
of heavy armored cars. The problem is, they are being used to transfer rolls of 
coins and checks written in crayon by people on park benches to merchants doing 
business in cardboard boxes from beneath highway bridges. Further, the roads 
are subject to random detours, anyone with a screwdriver can control the 
traffic lights, and there are no police."

-- 
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
E-Mail: neil-john...@uiowa.edu



> On Nov 1, 2016, at 3:54 PM, Chuck Enfield <chu...@psu.edu> wrote:
> 
> "If we can agree that most applications today (including ones that involve 
> FERPA or PII) are web-based (let’s toss in cloud too), and a user can access 
> them from any location including at home on a PSK protected SSID (or 
> cellular connection, or open network at Starbucks), does forcing WPA2-Ent at 
> the campus actually result in reduced risk?  Is there cost justification for 
> the infrastructure (staff, hardware, software) necessary to implement 
> EAP-TLS (or alternatives)?"
> 
> Where's the like button?  FWIW, I still like enterprise encryption and 
> authentication for keeping people off of my network.  It's nevertheless 
> useful to remind ourselves of precisely what the value is, and it's not 
> protecting the data.
> 
> Chuck
> 
> -----Original Message-----
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
> Sent: Tuesday, November 01, 2016 4:41 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors
> 
> Curtis,
> 
> If we can agree that most applications today (including ones that involve 
> FERPA or PII) are web-based (let’s toss in cloud too), and a user can access 
> them from any location including at home on a PSK protected SSID (or 
> cellular connection, or open network at Starbucks), does forcing WPA2-Ent at 
> the campus actually result in reduced risk?  Is there cost justification for 
> the infrastructure (staff, hardware, software) necessary to implement 
> EAP-TLS (or alternatives)?
> 
> Our Admissions process starts with getting Common App (filled out by 
> student/parents at home on a website and includes a lot of sensitive info), 
> that data feeds into Slate (another cloud-based Admissions package), then 
> feeds into financial-aid and the SiS (again web-based for the users). The 
> bulk of the PII/FERPA items have then been collected outside of the college 
> environment, from connections that may have Starbucks level of protection. 
> I'm trying to see the justification of WPA2-Ent, but it's a hard sell. Sure, I 
> know there can be advantages, but are they necessary and/or justified? Is 
> PPSK good enough for everyone? Is it good enough for students and their 
> devices?
> 
> Jeff
> 
> On 11/1/16, 8:56 AM, "The EDUCAUSE Wireless Issues Constituent Group 
> Listserv on behalf of Curtis K. Larsen" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> on behalf of curtis.k.lar...@utah.edu> wrote:
> 
>    I personally would *not* prefer PPSK for devices that are WPA2-Ent. 
> (EAP-TLS) capable.  PPSK has a nice niche in the IoT device category for 
> devices that do not support WPA2-Ent. (EAP-TLS) in my opinion, and we'll be 
> anxious to use it there when our vendor delivers ...but the same 
> vulnerabilities around a regular WPA2-PSK are still there (de-auths, brute 
> forcing).  So, for IoT in student housing (game consoles, and Roku devices 
> that only do PSK) maybe PPSK is the appropriate new level of security 
> because sensitive data is unlikely, but for the most common devices (Phone, 
> Laptop, Tablet, etc.) where users are more likely to access and transmit 
> FERPA, PHI, etc. WPA2-Enterprise with EAP-TLS seems more appropriate.  From 
> what I can tell it is probably easier to implement EAP-TLS than PPSK amongst 
> the fully-managed portion of that device class anyway (thinking GPO here). 
> In my ideal world I would have 3 SSIDs: one guest SSID unencrypted, one 
> PPSK SSID that accommodates all of the non-dot1x capable devices that are 
> not guest users, and one dot1x WPA2-Ent (EAP-TLS) SSID for traditional 
> Student/Faculty/Staff devices (Phone, Laptop, Tablet).  Then someday in the 
> future Hotspot 2.0/802.11u would convert many of the un-encrypted guests 
> over to encrypted without any captive portal interaction.
> 
> 
>    --
>    Curtis K. Larsen
>    Senior Network Engineer
>    University of Utah IT/CIS
> 
>    ________________________________________
>    From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Coehoorn, Joel 
> <jcoeho...@york.edu>
>    Sent: Tuesday, November 1, 2016 8:33 AM
>    To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>    Subject: Re: [WIRELESS-LAN] TLS Onboarding Vendors
> 
>> If those using or considering TLS had the option of PPSK (personal 
> pre-shared key), would you opt for PPSK instead?
> 
>    Definitely. I think it's a much more user-friendly option, while 
> providing similar control and security as TLS.
> 
> 
> 
> 
> 
> 
>    Joel Coehoorn
>    Director of Information Technology
>    402.363.5603
>    jcoeho...@york.edu
> 
> 
> 
> 
>    The mission of York College is to transform lives through 
> Christ-centered education and to equip students for lifelong service to God, 
> family, and society
> 
>    On Tue, Nov 1, 2016 at 9:12 AM, Jeffrey D. Sessler 
> <j...@scrippscollege.edu> wrote:
>    Just curious. If those using or considering TLS had the option of PPSK 
> (personal pre-shared key), would you opt for PPSK instead?
> 
>    Jeff
> 
>    On 10/31/16, 9:27 AM, "The EDUCAUSE Wireless Issues Constituent Group 
> Listserv on behalf of Bruce Boardman" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> on behalf of board...@syr.edu> wrote:
> 
>        We are using Cloud Path for onboarding, but we are considering other 
> options if and when we go to EAP TLS. We may get it baked in if we use ISE 
> or Clear Pass, but I am considering other standalone options as well. Anybody 
> have experience or thoughts they'd like to share? Thanks.
> 
>        Bruce Boardman
>        Networking, Syracuse University
>        315 412-4156
>        Skype: board...@syr.edu
> 
>        **********
>        Participation and subscription information for this EDUCAUSE 
> Constituent Group discussion list can be found at 
> http://www.educause.edu/groups/.
> 
> 
> 

