opinions?

Discussion in 'The Lounge' started by KingSteve, Mar 4, 2009.

  1. KingSteve

    KingSteve MajorGeek

    Just looking for some opinions on a policy I want to enforce at the college campus I admin. Here's a little background.
    When I first started here, the admin before me didn't even have any security on the wireless access points around the campus. Safe to say that the first day I was working here, that changed immediately. Since then, I've been letting people bring in their home laptops and connect them up on wireless. I have a MAC filter on the APs and I've been documenting everyone I let connect. Also have a WEP key for added security. We do have two computer labs with guest domain accounts people can use. I've been contemplating whether or not I should keep allowing people to bring their laptops in and connect to my network.
    The simple policy I wanted to enforce was no one outside of the domain can connect their laptops to the network unless it directly affects their work.
    What do you all think?
     
  2. PapaDuke

    PapaDuke Master Sergeant

    Hard to enforce, methinks. Especially the "unless it directly affects their work" part.
     
  3. KingSteve

    KingSteve MajorGeek

    Too vague? I'm open to all suggestions...
     
  4. sherpaprime

    sherpaprime Private E-2

    Am not sure I understand you fully. Are there issues with the network being bogged down? Too much bandwidth demand? Or is there some other reason for limiting connectivity? Is this the campus general network? Department specific network? Your personal network???
     
  5. Shadowchaser

    Shadowchaser A Really Great Guy

    I agree with Sherpaprime, you have not given enough information for an educated opinion. From what you have stated I would suggest setting up the parameters to allow only registered students and faculty to have access to the network by using their registered username/passwords. Then if you wish to allow general public access you would need to set up a separate profile (network or actual VLAN would do the trick) to allow access only to those portions of the network that affect their particular connection. You could restrict access to various services with an XACL or if you are running a Linux-based server then just set up the proper usergroups with those permissions and restrictions. But then again, without knowing more about your topology and architecture I'm just shooting in the dark here.

    Yours,
    Jack
     
  6. studiot

    studiot MajorGeek

    I prepare students' laptops for a whole range of UK universities and colleges.

    It's funny how there seems to be no standardisation, but they all seem to get along fine.

    Some you can only log on on site and some only on their machines. Others are totally open, with unsecured wifi. Sophos is the preferred AV of academe and seems to work well. Others allow log on access through the internet, I know of students doing their work at Edinburgh University whilst on electives in South Africa and Nepal for instance.

    Another worry for the overzealous administrator, especially in a large establishment with several, perhaps 10,000+ students. That of policing and that each year the admin will have another 10,000 accounts to set up and sort out. And what about those 10,000 who have left, but may sneak back or 'pass on' security info every year?

    A further complication is the question of what do you mean by 'policy'. Some universities use an NT domain system, which means all their students have to have the pro or business version of Windows. Others have a more relaxed setup so home versions will suffice. Of course you can't set true policies on home versions anyway.
     
  7. KingSteve

    KingSteve MajorGeek

    Hi studiot. That's really the only reason I'm bringing this up. Most people who bring in their laptops have a home version that is unable to connect to my domain. That, and I guess I just don't like the idea that someone has a computer connected to my network that could have all kinds of fun malware on it. I'm probably just being overly paranoid, but it's my job I guess.

    The topology is pretty simple. I have a core switch with a bunch of VLANs on it. The APs are on their own VLAN, but that's more for ease of management than security. I'll look into setting up an isolated AP, with ACLs on the switch denying access to anything but the internet maybe for people's home laptops. I really haven't had any problems with people's home laptops, so maybe I'll hold off on this for a little bit.

    And what I mean by policy is just something I can show to management so they will be behind what I choose to do. Just a simple sentence or paragraph describing the choice and what it means.

    Thanks for the replies guys.
     
  8. Triaxx2

    Triaxx2 MajorGeek

    Long Version: You need two wifi networks. One which is closed, and requires prior approval, which is the one that gets all the access permissions to staff and student only information, and then an open network which connects to the internet but is otherwise completely disconnected from any school computers, and therefore safe for general use.

    This way your sentence and Short Version becomes: School Network is only available for school business. Community Network available for public internet access.

    Keeps the admins happy since they don't know what it means, but it sounds very official.
     
  9. abz1nthe

    abz1nthe Command Sergeant Major

    The simple policy I wanted to enforce was no one outside of the domain can connect their laptops to the network unless it directly affects their work.
    What do you all think?


    That's exactly how we have it set at the school district I work for.
     
