RE: Wireless onboarding and security posturing

2017-08-30 Thread Turner, Ryan H
We have been extremely happy with SecureW2.  Outstanding support.  No major 
issues with large amounts of TLS onboardings over several years.  We moved to 
SecureW2 from Cloudpath ES.


Ryan Turner
Manager of Network Operations
ITS Communication Technologies
The University of North Carolina at Chapel Hill

r...@unc.edu
+1 919 445 0113 Office
+1 919 274 7926 Mobile



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W 
(Network Operations)
Sent: Wednesday, August 30, 2017 8:00 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless onboarding and security posturing

A few years ago we worked to move away from NAC (Bradford Campus Manager) to
802.1X authentication without NAC. We ended up purchasing Aruba ClearPass but
purchased (& did not use) some OnGuard NAC licenses to appease some management
that we could deploy NAC if needed. We have not needed that.

We have been onboarding with the deprecated CloudPath Wizard product for 
several years. We are now evaluating onboarding (non-NAC) alternatives. So far 
the best choice appears to be SecureW2 when pricing & features are considered.

I asked CloudPath ES, like Wizard has a one-time onboarding NAC-like feature. 
Apparently, SecureW2 had similar features but removed them due to non-use. 
Pricing appears to be much better than Aruba’s offering.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Curtis L. Parish [mailto:curtis.par...@mtsu.edu]
Sent: Tuesday, August 29, 2017 12:08 PM
Subject: Wireless onboarding and security posturing

Greetings

Looking for philosophy (policy?) as well as what products you are using to 
implement your solutions.

Currently we use a NAC agent as a part of our onboarding procedure for Windows
computers connecting via NAC. Agents of course add a whole layer of support
woes to the help desk. As the percentage (not necessarily number) of Windows
devices on wireless networks decreases, the effectiveness of deploying an agent
seems to have decreasing returns. At the same time Windows has increased
their security posture over the years (nagging you to do updates and to turn
on the firewall and virus protection) other devices have been added to the
mix, like IoT, that have little or no protection built in. Spending so of
our time supporting an agent that only protects a decreasing percentage of the
devices on the network may not be the best policy. There is the argument
that Windows devices can cause the most problems, but do we spend the time
focused on the single problem solution (Windows agent) as opposed to
implementing and supporting a more holistic solution that can recognize and
respond to threats across platforms?


We have talked to universities that run their wireless networks as wide open
public access networks and choose only to defend with firewalls. We on the
other end are more offensive and require user registration, NAC agents and
MAC registration, along with the separation of the wireless network from the
campus network.

So, how do you provide and protect your wireless networks?


Curtis


Curtis Parish
 615.494.8861
Senior Network Engineer



** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.



RE: Wireless onboarding and security posturing

2017-08-30 Thread Osborne, Bruce W (Network Operations)
A few years ago we worked to move away from NAC (Bradford Campus Manager) to
802.1X authentication without NAC. We ended up purchasing Aruba ClearPass but
purchased (& did not use) some OnGuard NAC licenses to appease some management
that we could deploy NAC if needed. We have not needed that.

We have been onboarding with the deprecated CloudPath Wizard product for 
several years. We are now evaluating onboarding (non-NAC) alternatives. So far 
the best choice appears to be SecureW2 when pricing & features are considered.

I asked CloudPath ES, like Wizard has a one-time onboarding NAC-like feature. 
Apparently, SecureW2 had similar features but removed them due to non-use. 
Pricing appears to be much better than Aruba’s offering.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Curtis L. Parish [mailto:curtis.par...@mtsu.edu]
Sent: Tuesday, August 29, 2017 12:08 PM
Subject: Wireless onboarding and security posturing

Greetings

Looking for philosophy (policy?) as well as what products you are using to 
implement your solutions.

Currently we use a NAC agent as a part of our onboarding procedure for Windows
computers connecting via NAC. Agents of course add a whole layer of support
woes to the help desk. As the percentage (not necessarily number) of Windows
devices on wireless networks decreases, the effectiveness of deploying an agent
seems to have decreasing returns. At the same time Windows has increased
their security posture over the years (nagging you to do updates and to turn
on the firewall and virus protection) other devices have been added to the
mix, like IoT, that have little or no protection built in. Spending so of
our time supporting an agent that only protects a decreasing percentage of the
devices on the network may not be the best policy. There is the argument
that Windows devices can cause the most problems, but do we spend the time
focused on the single problem solution (Windows agent) as opposed to
implementing and supporting a more holistic solution that can recognize and
respond to threats across platforms?


We have talked to universities that run their wireless networks as wide open
public access networks and choose only to defend with firewalls. We on the
other end are more offensive and require user registration, NAC agents and
MAC registration, along with the separation of the wireless network from the
campus network.

So, how do you provide and protect your wireless networks?


Curtis


Curtis Parish
 615.494.8861
Senior Network Engineer


