RE: Servers on Guest Networks

2016-06-13 Thread Mike Cunningham
Add Amazon Echo. We had the first one of those last Fall. 

Mike Cunningham
Penn College 

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W 
(Network Services)
Sent: Monday, June 13, 2016 7:44 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Servers on Guest Networks

On our non-802.1x network, we have

Game consoles & handhelds (Sony, Microsoft, Nintendo)
Windows phones
Apple TV, Chromecast, Roku, etc.
Internet connected televisions
e-Readers

That is just a quick list from my memory.
 
Bruce Osborne
Wireless Engineer
IT Network Services - Wireless
 
(434) 592-4229
 
LIBERTY UNIVERSITY
Training Champions for Christ since 1971


-Original Message-
From: Curtis K. Larsen [mailto:curtis.k.lar...@utah.edu]
Sent: Wednesday, June 8, 2016 5:53 PM
Subject: Re: Servers on Guest Networks

Interesting Hunter,

Are the Xboxes the only use case causing you to look at this?  I'm trying to 
identify as many use cases as possible before we apply the inbound deny.  Let 
me know.

Thanks,

Curtis


On Wed, June 8, 2016 3:45 pm, Hunter Fuller wrote:
> We are looking at giving users the option to use a wide-open ESSID for 
> their Xboxes. The user would register the MAC, and we would put them 
> into a wide-open-inbound area with public addresses, for the best 
> experience. But we would limit some outgoing stuff (Google, our LMS,
> etc.) to try to nudge people toward eduroam (our 802.1X solution).
> None of this is in production but it's the direction I think we are 
> leaning when we discontinue our legacy PSK ESSIDs.
>
> --
> Hunter Fuller
> Network Engineer
> VBRH Annex B-1
> +1 256 824 5331
>
> Office of Information Technology
> The University of Alabama in Huntsville Systems and Infrastructure
>
>
> On Tue, Jun 7, 2016 at 6:34 PM, Curtis K. Larsen 
> <curtis.k.lar...@utah.edu> wrote:
>> Hello,
>>
>> We're looking at a default deny inbound and possibly opening ports as 
>> required later on the guest wireless network.  If you have already 
>> done this I am curious to know what you and your user community defined as 
>> being required on the guest network.
>>
>> I think primary drivers might include devices that are not capable of 
>> WPA2-Enterprise *and* needing to run a service.  Google cloud 
>> printers come to mind, someone also mentioned multi-player Xbox?  Do 
>> you have other examples or use cases for allowing services like http/https 
>> from the internet to your guest wireless network?  If so, please share.
>>
>> Thanks,
>>
>> Curtis
>> **
>> Participation and subscription information for this EDUCAUSE 
>> Constituent Group discussion list can be found at 
>> http://www.educause.edu/groups/.
>



RE: Servers on Guest Networks

2016-06-13 Thread Osborne, Bruce W (Network Services)
On our non-802.1x network, we have

Game consoles & handhelds (Sony, Microsoft, Nintendo)
Windows phones 
Apple TV, Chromecast, Roku, etc.
Internet connected televisions
e-Readers

That is just a quick list from my memory.
 
Bruce Osborne
Wireless Engineer
IT Network Services - Wireless
 
(434) 592-4229
 
LIBERTY UNIVERSITY
Training Champions for Christ since 1971


-Original Message-
From: Curtis K. Larsen [mailto:curtis.k.lar...@utah.edu] 
Sent: Wednesday, June 8, 2016 5:53 PM
Subject: Re: Servers on Guest Networks

Interesting Hunter,

Are the Xboxes the only use case causing you to look at this?  I'm trying to 
identify as many use cases as possible before we apply the inbound deny.  Let 
me know.

Thanks,

Curtis


On Wed, June 8, 2016 3:45 pm, Hunter Fuller wrote:
> We are looking at giving users the option to use a wide-open ESSID for 
> their Xboxes. The user would register the MAC, and we would put them 
> into a wide-open-inbound area with public addresses, for the best 
> experience. But we would limit some outgoing stuff (Google, our LMS,
> etc.) to try to nudge people toward eduroam (our 802.1X solution).
> None of this is in production but it's the direction I think we are 
> leaning when we discontinue our legacy PSK ESSIDs.
>
> --
> Hunter Fuller
> Network Engineer
> VBRH Annex B-1
> +1 256 824 5331
>
> Office of Information Technology
> The University of Alabama in Huntsville Systems and Infrastructure
>
>
> On Tue, Jun 7, 2016 at 6:34 PM, Curtis K. Larsen
> <curtis.k.lar...@utah.edu> wrote:
>> Hello,
>>
>> We're looking at a default deny inbound and possibly opening ports as
>> required later on the guest wireless network.  If you have already
>> done this I am curious to know what you and your user community defined as
>> being required on the guest network.
>>
>> I think primary drivers might include devices that are not capable of
>> WPA2-Enterprise *and* needing to run a service.  Google cloud
>> printers come to mind, someone also mentioned multi-player Xbox?  Do
>> you have other examples or use cases for allowing services like http/https
>> from the internet to your guest wireless network?  If so, please share.
>>
>> Thanks,
>>
>> Curtis



RE: [WIRELESS-LAN] Servers on Guest Networks

2016-06-09 Thread Thomas Carter
I have a couple of concerns with solutions like that. Why special treatment for 
Xboxes? Or would this be open to anything a student wanted to place on there? 
And are you setting up unrealistic expectations of workarounds for anything 
that doesn't play nice on the network? 

Maybe it boils down to fairness to me - spend time and energy (and IP space) 
for a subset of our students. Is that fair? I don't know, but it's something to 
think about.

Thomas Carter
Network & Operations Manager
Austin College


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hunter Fuller
Sent: Wednesday, June 8, 2016 4:46 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Servers on Guest Networks

We are looking at giving users the option to use a wide-open ESSID for their 
Xboxes. The user would register the MAC, and we would put them into a 
wide-open-inbound area with public addresses, for the best experience. But we 
would limit some outgoing stuff (Google, our LMS,
etc.) to try to nudge people toward eduroam (our 802.1X solution).
None of this is in production but it's the direction I think we are leaning 
when we discontinue our legacy PSK ESSIDs.

--
Hunter Fuller
Network Engineer
VBRH Annex B-1
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure


On Tue, Jun 7, 2016 at 6:34 PM, Curtis K. Larsen <curtis.k.lar...@utah.edu> 
wrote:
> Hello,
>
> We're looking at a default deny inbound and possibly opening ports as 
> required later on the guest wireless network.  If you have already done this 
> I am curious to know what you and your user community defined as being 
> required on the guest network.
>
> I think primary drivers might include devices that are not capable of 
> WPA2-Enterprise *and* needing to run a service.  Google cloud printers come 
> to mind, someone also mentioned multi-player Xbox?  Do you have other 
> examples or use cases for allowing services like http/https from the internet 
> to your guest wireless network?  If so, please share.
>
> Thanks,
>
> Curtis



Re: [WIRELESS-LAN] Servers on Guest Networks

2016-06-08 Thread Curtis K. Larsen
Interesting Hunter,

Are the Xboxes the only use case causing you to look at this?  I'm trying to
identify as many use cases as possible before we apply the inbound deny.  Let
me know.

Thanks,

Curtis


On Wed, June 8, 2016 3:45 pm, Hunter Fuller wrote:
> We are looking at giving users the option to use a wide-open ESSID for
> their Xboxes. The user would register the MAC, and we would put them
> into a wide-open-inbound area with public addresses, for the best
> experience. But we would limit some outgoing stuff (Google, our LMS,
> etc.) to try to nudge people toward eduroam (our 802.1X solution).
> None of this is in production but it's the direction I think we are
> leaning when we discontinue our legacy PSK ESSIDs.
>
> --
> Hunter Fuller
> Network Engineer
> VBRH Annex B-1
> +1 256 824 5331
>
> Office of Information Technology
> The University of Alabama in Huntsville
> Systems and Infrastructure
>
>
> On Tue, Jun 7, 2016 at 6:34 PM, Curtis K. Larsen
>  wrote:
>> Hello,
>>
>> We're looking at a default deny inbound and possibly opening ports as
>> required later on the guest wireless network.  If you have already
>> done this I am curious to know what you and your user community defined as
>> being required on the guest network.
>>
>> I think primary drivers might include devices that are not capable of
>> WPA2-Enterprise *and* needing to run a service.  Google cloud
>> printers come to mind, someone also mentioned multi-player Xbox?  Do
>> you have other examples or use cases for allowing services like http/https
>> from the internet to your guest wireless network?  If so, please share.
>>
>> Thanks,
>>
>> Curtis


Re: [WIRELESS-LAN] Servers on Guest Networks

2016-06-08 Thread Hunter Fuller
We are looking at giving users the option to use a wide-open ESSID for
their Xboxes. The user would register the MAC, and we would put them
into a wide-open-inbound area with public addresses, for the best
experience. But we would limit some outgoing stuff (Google, our LMS,
etc.) to try to nudge people toward eduroam (our 802.1X solution).
None of this is in production but it's the direction I think we are
leaning when we discontinue our legacy PSK ESSIDs.

--
Hunter Fuller
Network Engineer
VBRH Annex B-1
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure


On Tue, Jun 7, 2016 at 6:34 PM, Curtis K. Larsen
 wrote:
> Hello,
>
> We're looking at a default deny inbound and possibly opening ports as 
> required later on the guest wireless network.  If you have already done this 
> I am curious to know what you and your user community defined as being 
> required on the guest network.
>
> I think primary drivers might include devices that are not capable of 
> WPA2-Enterprise *and* needing to run a service.  Google cloud printers come 
> to mind, someone also mentioned multi-player Xbox?  Do you have other 
> examples or use cases for allowing services like http/https from the internet 
> to your guest wireless network?  If so, please share.
>
> Thanks,
>
> Curtis


Re: [WIRELESS-LAN] Servers on Guest Networks

2016-06-08 Thread Curtis K. Larsen
Very good point Jeff.  I may be worrying for nothing.

Thanks,

Curtis


On Wed, June 8, 2016 11:22 am, Jeffrey D. Sessler wrote:
> Most of the IoT devices use external cloud services, where the device
> establishes a connection outbound with the external service. As such, your
> typical “established” rules take care of the rest. For something like the
> XBOX, the games tend to pick the best host for multiplayer (if it’s doing
> xbox<->xbox communications), so it will take the one that’s wide open vs one
> that is blocking all inbound connections (MS calls it strict NAT). Pretty
> much any XBOX on a home network is going to use UPnP to open up all the
> necessary ports, allowing a “strict NAT” XBOX to connect to it.
>
> Even for something like Google Cloud Print – the device e.g. Printer, opens
> an outbound connection to Google, and communication happens over that
> persistent connection. Again, as long as your firewall/ACL has an allow for
> established connections, this works as it should. It’s always the device
> establishing the outbound connection rather than the external service trying
> to establish an inbound connection.
>
> If anything, the need to poke holes is diminishing. Device/service companies
> realize that the average person isn’t going to know how to poke holes in
> their router, and a corporation is unlikely to do so at all. Thus,
> everything is about the device establishing the connection outbound, and
> communication occurring on that persistent connection.
>
>
> Jeff
>
> On 6/8/16, 8:37 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv
> on behalf of Curtis K. Larsen" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf
> of curtis.k.lar...@utah.edu> wrote:
>
> So today we have the 1x student, faculty, staff network, and the open guest
> network only.  So essentially the "guest" network doubles as the non-1x
> option.  We are contemplating a PSK network that could accommodate
> registered non-1x devices for students in student housing areas for example
> and that could solve some of these problems, but that is farther out and not
> the main point of my post.
>
> My original question was for those that do have the default deny inbound
> already (and it sounds like the majority are doing this).  What are the top
> requests that you get for exceptions to the rule, if any?  We want to
> forecast a little and understand what might break when we add the deny
> inbound.  And, yes we've been looking at flow data and AVC data from the WLC.
>
> My concern is that particularly in housing areas (but also some on campus)
> the number of devices that act like a server in some way, requiring inbound
> connections is probably growing.  The multi-player xbox explanation is
> interesting.  Any other common examples you've seen?
>
> Thanks,
>
> Curtis
>
>
> On Wed, June 8, 2016 7:59 am, Thomas Carter wrote:
>> What do you consider a "guest" network? I ask, because we have a "guest"
>> network that is just for use by people not directly associated with the
>> college (i.e. not faculty, staff, or a student). Saying that, we don't have
>> enough public IP space to give out public IPs or even 1-1 nat, so all
>> traffic (guest and internal) uses traditional NAT with default deny inbound.
>> The only real issues we've had are related to Xbox multiplayer; the person
>> on campus cannot host the game, but can join someone else's game. With so
>> many free/cheap cloud options, things like physical "servers" run by
>> students seems to be a thing of the past.
>>
>> Thomas Carter
>> Network & Operations Manager
>> Austin College
>>
>>
>> -Original Message-
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Curtis K. Larsen
>> Sent: Tuesday, June 7, 2016 6:34 PM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: [WIRELESS-LAN] Servers on Guest Networks
>>
>> Hello,
>>
>> We're looking at a default deny inbound and possibly opening ports as
>> required later on the guest wireless network.  If you have already done
>> this I am curious to know what you and your user community defined as being
>> required on the guest network.
>>
>> I think primary drivers might include devices that are not capable of
>> WPA2-Enterprise *and* needing to run a service.  Google cloud printers come
>> to mind, someo

Re: [WIRELESS-LAN] Servers on Guest Networks

2016-06-08 Thread Curtis K. Larsen
So today we have the 1x student, faculty, staff network, and the open guest
network only.  So essentially the "guest" network doubles as the non-1x
option.  We are contemplating a PSK network that could accommodate registered
non-1x devices for students in student housing areas for example and that
could solve some of these problems, but that is farther out and not the main
point of my post.

My original question was for those that do have the default deny inbound
already (and it sounds like the majority are doing this).  What are the top
requests that you get for exceptions to the rule, if any?  We want to forecast
a little and understand what might break when we add the deny inbound.  And,
yes we've been looking at flow data and AVC data from the WLC.

My concern is that particularly in housing areas (but also some on campus) the
number of devices that act like a server in some way, requiring inbound
connections is probably growing.  The multi-player xbox explanation is
interesting.  Any other common examples you've seen?

Thanks,

Curtis


On Wed, June 8, 2016 7:59 am, Thomas Carter wrote:
> What do you consider a "guest" network? I ask, because we have a "guest"
> network that is just for use by people not directly associated with the
> college (i.e. not faculty, staff, or a student). Saying that, we don't have
> enough public IP space to give out public IPs or even 1-1 nat, so all
> traffic (guest and internal) uses traditional NAT with default deny inbound.
> The only real issues we've had are related to Xbox multiplayer; the person
> on campus cannot host the game, but can join someone else's game. With so
> many free/cheap cloud options, things like physical "servers" run by
> students seems to be a thing of the past.
>
> Thomas Carter
> Network & Operations Manager
> Austin College
>
>
> -Original Message-
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Curtis K. Larsen
> Sent: Tuesday, June 7, 2016 6:34 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Servers on Guest Networks
>
> Hello,
>
> We're looking at a default deny inbound and possibly opening ports as
> required later on the guest wireless network.  If you have already done this
> I am curious to know what you and your user community defined as being
> required on the guest network.
>
> I think primary drivers might include devices that are not capable of
> WPA2-Enterprise *and* needing to run a service.  Google cloud printers come
> to mind, someone also mentioned multi-player Xbox?  Do you have other
> examples or use cases for allowing services like http/https from the
> internet to your guest wireless network?  If so, please share.
>
> Thanks,
>
> Curtis
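
An added example, not part of the original thread: one way to do the forecasting described in the message above, by replaying exported flow records through a default-deny-inbound policy that still allows "established" return traffic, and counting which guest hosts and ports would lose traffic. The guest subnet, idle timeouts, and flow records are constructed assumptions, not values from any poster's network.

```python
import ipaddress
from collections import Counter

GUEST_NET = ipaddress.ip_network("10.20.0.0/16")  # assumed guest wireless subnet
TIMEOUTS = {"tcp": 3600, "udp": 60}               # assumed state idle timeouts (seconds)

# Constructed flow records: (time, proto, src_ip, src_port, dst_ip, dst_port)
SAMPLE_FLOWS = [
    (100, "tcp", "10.20.1.15", 50122, "203.0.113.10", 443),   # printer dials out to a cloud service
    (101, "tcp", "203.0.113.10", 443, "10.20.1.15", 50122),   # reply on that connection
    (1500, "tcp", "203.0.113.10", 443, "10.20.1.15", 50122),  # later reply, same persistent connection
    (200, "udp", "198.51.100.7", 61000, "10.20.3.40", 3074),  # unsolicited inbound to a console
    (205, "udp", "198.51.100.8", 61001, "10.20.3.40", 3074),  # another unsolicited peer
    (300, "tcp", "192.0.2.99", 40000, "10.20.5.5", 80),       # unsolicited inbound HTTP
    (400, "udp", "10.20.3.40", 3074, "198.51.100.20", 3074),  # console dials out
    (410, "udp", "198.51.100.20", 3074, "10.20.3.40", 3074),  # reply inside the UDP timeout
    (600, "udp", "198.51.100.20", 3074, "10.20.3.40", 3074),  # reply after the state expired
]


def is_guest(ip):
    return ipaddress.ip_address(ip) in GUEST_NET


def forecast_denied(flows, timeouts=TIMEOUTS):
    """Replay flows in time order; return inbound records the policy would drop."""
    state = {}   # (proto, guest_ip, guest_port, remote_ip, remote_port) -> last seen
    denied = []
    for rec in sorted(flows, key=lambda f: f[0]):
        ts, proto, src, sport, dst, dport = rec
        if is_guest(src) and not is_guest(dst):
            # Outbound is allowed and creates or refreshes connection state.
            state[(proto, src, sport, dst, dport)] = ts
        elif is_guest(dst) and not is_guest(src):
            key = (proto, dst, dport, src, sport)
            last = state.get(key)
            if last is not None and ts - last <= timeouts[proto]:
                state[key] = ts          # return traffic on an established flow
            else:
                state.pop(key, None)     # no state, or state timed out
                denied.append(rec)
        # Guest-to-guest and non-guest traffic is outside this policy.
    return denied


def exception_candidates(denied):
    """Count would-be drops per (guest host, proto, port): the likely exception requests."""
    return Counter((dst, proto, dport) for _, proto, _, _, dst, dport in denied)


if __name__ == "__main__":
    for (host, proto, port), n in exception_candidates(
            forecast_denied(SAMPLE_FLOWS)).most_common():
        print(f"{host} {proto}/{port}: {n} inbound flows would be dropped")
```

The idle-timeout case at the end of the sample shows a drop that is not a "server" at all: the device dialed out first, but the reply arrived after the state expired.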


RE: [WIRELESS-LAN] Servers on Guest Networks

2016-06-08 Thread Danny Eaton
We do not allow servers on the wireless network, guest or the 802.1X SSIDs.
Our wireless is all IPv4 private addressing, with NAT, and our Juniper SRX
firewall does not allow inbound connections.  

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Curtis K. Larsen
Sent: Tuesday, June 07, 2016 6:34 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Servers on Guest Networks

Hello,

We're looking at a default deny inbound and possibly opening ports as
required later on the guest wireless network.  If you have already done this
I am curious to know what you and your user community defined as being
required on the guest network.

I think primary drivers might include devices that are not capable of
WPA2-Enterprise *and* needing to run a service.  Google cloud printers come
to mind, someone also mentioned multi-player Xbox?  Do you have other
examples or use cases for allowing services like http/https from the
internet to your guest wireless network?  If so, please share.

Thanks,

Curtis


Servers on Guest Networks

2016-06-07 Thread Curtis K. Larsen
Hello,

We're looking at a default deny inbound and possibly opening ports as required 
later on the guest wireless network.  If you have already done this I am 
curious to know what you and your user community defined as being required on 
the guest network.

I think primary drivers might include devices that are not capable of 
WPA2-Enterprise *and* needing to run a service.  Google cloud printers come to 
mind, someone also mentioned multi-player Xbox?  Do you have other examples or 
use cases for allowing services like http/https from the internet to your guest 
wireless network?  If so, please share.

Thanks,

Curtis