Re: [WIRELESS-LAN] Wireless Router Policy

2008-09-05 Thread Walt Howd
Greg - Can you detail where this information is stored on CCA layer 2  
mismatches? Can you access it via the CAM's web interface in the  
Event logs section, or do you need to be logging to an external  
syslog server? Thanks.


Walt

On Sep 5, 2008, at 8:35 AM, Scholz, Greg wrote:

CCA has had some level of NAT restriction and what they call strict L2
whereby the server checks the MAC in the header of the user's
authentication/assessment packet against the MAC reported by the CCA
client written in the payload of the authentication packet.

If the MAC of the header is different than the MAC in the payload it is
restricted from getting on. There are 2 problems with this.
1) many consumer grade routers/wireless units clone the first mac/ip
that go through it so the unauthorized device looks just like the
computer and it is allowed through.
2) when it does clone that first device and they work fine, what happens
to the unsuspecting next door neighbor whose wireless card finds the
offender's router and attempts to go through it?

Even though it is imperfect we are still using this feature and finding
mixed results. Most importantly though the syslogs (not the gui logs) do
show when the event occurs with a fairly detailed entry of what the
packet looked like (e.g. header mac and all client reported macs) so we
can find them on the network.

Greg


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Berman
Sent: Friday, September 05, 2008 7:58 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Router Policy

This is basically our position as well. The prohibition is in our
Computing Ethics and Responsibilities policy, which, along with the
Privacy Policy, constitute our AUP. The wording is in the section on
tampering and says:

You may not modify residential computing network services or wiring or
extend those beyond the area of their intended use. This applies to all
network wiring, hardware, and cluster and in-room jacks. Gateways and
firewalls designed for home use, such as Cable/DSL routers and Wireless
Access Points, can disrupt the normal operation of the Williams network
and are not allowed.

A recent upgrade of our Impulse Point policy enforcement appliance gave
us the ability to locate and automatically shut down NAT gateways and
we're about to turn that function on.

- Mark
--
Mark Berman, Director for Networks  Systems
Williams College, Office for Information Technology
*** Please consider the environment before printing this message




-Original Message-
From: Tony Fellows [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 04, 2008 10:58 AM
Subject: Re: Wireless Router Policy

Hi,

I picked up on this issue because some years ago, I too had a problem
with our small university college and the reluctance of management to
prohibit rogue device connectivity to the central network. So rather
than create a new policy I modified the AUP (acceptable Use Policy) -
which every student and staff member signs up to (electronically) each
new academic year.  I submitted clauses in the policy banning any
device from being connected to the central network - which isn't the
property of the university - which hasn't been vetted for use - or
which is deemed unsuitable by IT Services staff.   It is pointed out
that disciplinary action will be taken if any device is found to be
illegally connected.
To support these clauses - the security and integrity of the network
was the main mission.  To manage data traffic and ensure a level of
bandwidth throttling  which is sustainable for all users and services.

I think a previous contributor from Georgia State - Charles - was spot
on when he implied that without certain controls, central networks
would quickly become unreliable, unruly and unfit for purpose.



Tony Fellows BSc (Binftech) CITP MBCS
Head of IT Services
Newman University College
Birmingham B32 3NT

Email: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
Tel:  0121 476 1181  ext. 2223
Mob: 07887 902999




From: The EDUCAUSE Wireless Issues Constituent Group Listserv on
behalf of Phillips, Chris
Sent: Thu 04/09/2008 3:23 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Router Policy



Mike,



We are vetting a new Residence Network Policy that, if approved, would
make student routers not acceptable and subject to sanctions including
losing network authentication.



Chris Phillips

Ass't V.P., Technology

Univ. of Maryland, Baltimore





From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Martin Jr.,
D. Michael
Sent: Thursday, September 04, 2008 8:34 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Wireless Router Policy



As we prepare to expand our wireless coverage into our residence
halls, I would like

RE: [WIRELESS-LAN] Wireless Router Policy

2008-09-05 Thread Scholz, Greg
I misspoke the first time. We did not find it in syslog. At this time we
can't determine if it is in syslog or the web manager's event log but we
stumbled on it in the CAS logs. You would think that since Strict layer
2 is a configurable feature one should be able to view whether or not
it is happening in reasonably accessible logs. Thanks Cisco.

You can find it on each CAS: go to cd /perfigo/logs  directory then
look at perfigo-redirect-log0.log.0 file
At this point if you grep for NAT you'll see the following entries ..
Ex; [EMAIL PROTECTED] logs]#  grep NAT perfigo-redirect-log0.log.0

 
Example:
Aug 31, 2008 8:52:09 AM com.perfigo.wlan.web.Util logEvent
SEVERE: Possible NAT/Router in path User IP 158.65.scrubbed, User Name
scrubbed, Router MAC 00:17:3F:F3:37:81, User MAC
00:14:A5:AE:74:E6,00:16:D4:0E:83:65

Hope it helps,
Greg
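An added example, not code from this thread or from Cisco, that parses the two-line entries Greg quotes above from perfigo-redirect-log0.log.0 (assuming that format is exact; the sample log, IPs, user names and the third client MAC are constructed). It records the header-versus-payload mismatch that strict L2 acts on and groups every client MAC seen behind one router MAC, which is how the "next door neighbor" case from Greg's first message surfaces in the logs.

```python
import re
from collections import defaultdict

# Constructed sample in the two-line format quoted from
# perfigo-redirect-log0.log.0 (IPs and user names are placeholders).
SAMPLE_LOG = """\
Aug 31, 2008 8:52:09 AM com.perfigo.wlan.web.Util logEvent
SEVERE: Possible NAT/Router in path User IP 10.0.0.15, User Name user1, Router MAC 00:17:3F:F3:37:81, User MAC 00:14:A5:AE:74:E6,00:16:D4:0E:83:65
Aug 31, 2008 9:10:44 AM com.perfigo.wlan.web.Util logEvent
INFO: unrelated event that the parser must skip
Aug 31, 2008 9:15:02 AM com.perfigo.wlan.web.Util logEvent
SEVERE: Possible NAT/Router in path User IP 10.0.0.22, User Name user2, Router MAC 00:17:3F:F3:37:81, User MAC 00:1b:63:aa:bb:cc
"""

# Timestamp line followed by the SEVERE line; the User MAC field may hold
# several comma-separated MACs, one per client the router has forwarded.
ENTRY_RE = re.compile(
    r"^(?P<stamp>\w{3} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) \S+ logEvent\n"
    r"SEVERE: Possible NAT/Router in path User IP (?P<ip>\S+), "
    r"User Name (?P<user>.*?), Router MAC (?P<router>[0-9A-Fa-f:]{17}), "
    r"User MAC (?P<users>[0-9A-Fa-f:,]+)$",
    re.MULTILINE,
)

def parse_nat_events(text):
    """Return one dict per 'Possible NAT/Router in path' entry."""
    events = []
    for m in ENTRY_RE.finditer(text):
        user_macs = [mac.upper() for mac in m.group("users").split(",") if mac]
        router_mac = m.group("router").upper()
        events.append({
            "stamp": m.group("stamp"),
            "ip": m.group("ip"),
            "user": m.group("user"),
            "router_mac": router_mac,   # MAC seen in the frame header
            "user_macs": user_macs,     # MACs the CCA agent reported in the payload
            # Strict L2 fires because the header MAC is not one the client reported.
            "header_mismatch": router_mac not in user_macs,
        })
    return events

def routers_with_multiple_hosts(events):
    """Map each header MAC to every client MAC seen behind it, keeping only
    routers that have carried more than one host (the neighbour case)."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["router_mac"]].update(ev["user_macs"])
    return {r: sorted(macs) for r, macs in seen.items() if len(macs) > 1}

if __name__ == "__main__":
    for ev in parse_nat_events(SAMPLE_LOG):
        print(ev["stamp"], ev["ip"], ev["router_mac"], "->", ",".join(ev["user_macs"]))
    for router, hosts in routers_with_multiple_hosts(parse_nat_events(SAMPLE_LOG)).items():
        print("router", router, "has carried", len(hosts), "hosts:", hosts)
```

Feed it the real file (`open(path).read()`) instead of SAMPLE_LOG to get the per-router host list for the whole log.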




Re: [WIRELESS-LAN] Wireless Router Policy

2008-09-04 Thread heath.barnhart
We do, but it is hard to enforce. Finding rogue locations takes a bit of
time.


--
Heath Barnhart
Student Network Technician
Information Systems and Services
Washburn University
Topeka, Kansas

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.


Re: [WIRELESS-LAN] Wireless Router Policy

2008-09-04 Thread Charles Hollingsworth
Martin,
 
Here at Georgia State we run a centrally managed and controlled
network. Meaning that the campus IT staff is responsible for all network
connectivity from the faceplate in the offices on back. Because of this
we are also able to have a policy that prohibits the attachment of any
Networking Device to the campus network by all campus users. Now
enforcement of this policy is not all that it could or should be.
However, it does allow us to have the support of policy when these
devices start causing issues. But in my opinion it's not reasonable to
make the assumption that you can operate a reliable or secure network,
which is everyone's expectation these days, on your campus if you allow
users to randomly change the design, interaction, and security model of
your network at their own discretion. Which is precisely what you are
doing if you allow users to place Networking Devices on your network.
When I use the term Networking Devices on your network, I mean any
device that impacts or has the potential for impacting the normal flow
of network traffic from one endpoint to another endpoint. I am not
talking about the regulation of the endpoints themselves, servers and
workstations, which is an entirely different discussion, but one more
and more schools are also finding necessary. This issue becomes even
more critical when you start deploying converged applications on your
campus. Today that doesn't just mean Voice and Video, but building HVAC
management systems, elevator controls and monitoring, fire alarm
controls, emergency announcement systems, access control systems,
vending systems, security systems, and all kinds of other critical
systems that all expect the network to be rock solid reliable.  
 
Frankly, while we all look at old films of the Wild Wild West with
fondness we all know those days of freedom and anarchy don't work in a
modern society and the same thing applies to a modern network. 
 
 Martin Jr., D. Michael [EMAIL PROTECTED] 9/4/2008 8:34 AM


As we prepare to expand our wireless coverage into our residence halls,
I would like to poll this list to see how many of you have policies
prohibiting the use of student (or other) routers in your environments? 
My institution, the University of Montevallo, is a small public liberal
arts university which historically has been reluctant to *prohibit*
almost anything in the past, so we have no current policies in place to
prevent the installation of such devices.  In fact, our Helpdesk manager
even approached me yesterday about assisting students in the setup and
configuration of their routers.  Any advice any of you could give on
such matters would be greatly appreciated.
 
Thanks,
 
D. Michael Martin, Jr.
Network Administrator
University of Montevallo


RE: [WIRELESS-LAN] Wireless Router Policy

2008-09-04 Thread Phillips, Chris
Mike, 

 

We are vetting a new Residence Network Policy that, if approved, would
make student routers not acceptable and subject to sanctions including
losing network authentication.

 

Chris Phillips

Ass't V.P., Technology

Univ. of Maryland, Baltimore

 





RE: [WIRELESS-LAN] Wireless Router Policy

2008-09-04 Thread Tony Fellows
Hi,
 
I picked up on this issue because some years ago, I too had a problem
with our small university college and the reluctance of management to
prohibit rogue device connectivity to the central network. So rather
than create a new policy I modified the AUP (acceptable Use Policy) -
which every student and staff member signs up to (electronically) each
new academic year.  I submitted clauses in the policy banning any
device from being connected to the central network - which isn't the
property of the university - which hasn't been vetted for use - or
which is deemed unsuitable by IT Services staff.   It is pointed out
that disciplinary action will be taken if any device is found to be
illegally connected.  
To support these clauses - the security and integrity of the network
was the main mission.  To manage data traffic and ensure a level of
bandwidth throttling  which is sustainable for all users and services.
 
I think a previous contributor from Georgia State - Charles - was spot
on when he implied that without certain controls, central networks
would quickly become unreliable, unruly and unfit for purpose.
 
 
 
Tony Fellows BSc (Binftech) CITP MBCS
Head of IT Services
Newman University College
Birmingham B32 3NT
 
Email: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 
Tel:  0121 476 1181  ext. 2223
Mob: 07887 902999
 


