> What are your comments on beaconing the new SSID? Once there are clients using the SSID, it's in the air often enough to be picked up by tools like NetStumbler and Kismet. So not beaconing provides, IMHO, little security, and so I don't think you'll lose significantly by beaconing the second. [The concern vendors have expressed to us has been that *multiple* beaconed SSIDs cut into time available for actual traffic.]
> What are you thoughts on security and encryption? To do good encryption, a client probably needs a closer relationship to you (certificate, etc) than "guest" access probably implies. Our approach has been to limit what guests can do -- but read on. > Does a user that connects to our network have expectations of security and encryption? Probably -- but is that a *reasonable* expectation? Our policy forbids snooping on users, but retains the right for support personnel to sniff traffic as part of half a dozen necessary efforts such as troubleshooting. > Are we obligated to provide some sort of security and encryption to protect these guest users? It's a matter of perspective. Our current wireless security posture -- subject to review as we integrate better identity management solutions -- treats wireless guests as the THREAT and the network itself as the ASSET. Guests do benefit from our overall network defences, but we don't currently do anything extra to protect THEM. > At what point does administrative burden overcome security? In theory, where the cost of providing security outstrips the probable repair/replacement cost of the asset. Unless you have a reason to attach a big premium to guest access (we have a location which is dear to the heart of one of our presidents, for example), its value is probably fairly low and so only a relatively limited expense/effort is justified. (Protecting other network resources from guests, however, probably has value that will justify more effort (if needed). Your plan to provide them only with access to the Internet sounds good, although be aware that any damage they do there may be tracked back to your institution.) David Gillett ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
