Just my two Maple-y cents.

Up here the copyright laws require ISPs (which we are, as "providers" of connectivity on campus) to have sufficient information to be able to contact users should a copyright violation be recorded. Now there are a lot of blurred lines and room in the law itself, and to my understanding nobody really had to go after users for "real", but since as higher ed we are a nice public target, we decided we'd rather think twice about opening the valves to just about anyone just yet. We log enough so we can trace and prove due diligence.

Oh, and Jennifer, thank you for being so passionate about WPA3, thank you for chiming in. Don't hold back from preaching more on security.

Manon Lessard
Programming and Analysis Officer
CCNP, CWNE #275, AWA 10, ESCE Design
Direction des technologies de l'information
Pavillon Louis-Jacques-Casault
1055, avenue du Séminaire, Office 0403
Université Laval, Québec (Québec) G1V 0A6, Canada
418 656-2131, ext. 412853
Fax: 418 656-7305
manon.less...@dti.ulaval.ca
www.dti.ulaval.ca
Notice of Confidentiality: http://www.rec.ulaval.ca/lce/securite/confidentialite.htm

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of "Jeffrey D. Sessler" <j...@scrippscollege.edu>
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Wednesday, April 21, 2021 at 4:04 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

Jennifer,

I would hope that the service itself has authorization/admittance controls vs relying on the user's device and/or the particular network the device is in for permission. I'd also argue that there are enough breadcrumbs about any given device to determine the user without the need for them to authenticate to wireless. Then again, the device could just as easily be stolen, or the user's account could have been compromised, and the attacker self-enrolls his/her machine/uses the credentials to gain access.

Jeff

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Jennifer Minella
Sent: Wednesday, April 21, 2021 12:30 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

Oh my goodness. I forgot the biggest one – if you're going to give that user or device access to internal resources/assets you probably want to know who it is – even if it's printers, screen casting, etc. If the user or device has access to critical internal resources, then you definitely need to know who it is. From an infosec due diligence standpoint, it would be hard to argue a defense on that one if a significant event were to occur.

___________
Jennifer Minella, CISSP, HP MASE
VP of Engineering & Security
Carolina Advanced Digital, Inc.
www.cadinc.com
j...@cadinc.com
919.460.1313 Main Office
919.539.2726 Mobile/text

From: Jennifer Minella <j...@cadinc.com>
Sent: Wednesday, April 21, 2021 3:22 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: RE: WPA3/OWE as campus solution?

Ooh Lee, what a great thread! I didn't have a chance yesterday but am catching up now. Here's what I throw in the mix for consideration… (no recommendations, just free-flow thoughts). Sorry this is long; WPA3 gets me really excited 😊

1. OWE/Open Enhanced (not technically part of WPA3 but #semantics) ONLY provides OTA encryption; it does nothing for authenticating the user to the network NOR the network to the user.

2. …that means you could use a guest portal experience, with or without user ID, and add encryption vs historically having to use a Pre-Shared Key or 802.1X for key exchanges and encryption.

3. If you care about who the user is, you can still use a portal with self-registration and whatever duration you feel is appropriate. Depending on how much you care, a self-registration portal may (or may not) be sufficient.

4. If you care about protecting the user/device against a MiTM or evil twin attack, then you probably prefer a mechanism that allows some type of authentication, which is typically mutual authentication (e.g. 1X).

5. Under WPA3, security is increased across the board and will be ongoing (not fixed), including replacing Pre-Shared Key (PSK) with SAE, which looks/feels JUST like PSK to admins/users but further protects assets by using unique key derivations for each endpoint. So… if someone has the passcode they can get on, but they can't decrypt any other traffic even if the endpoint(s) are using the same key. The list of enhancements goes on and on.

6. Does your organization require traceability of users for any internal or external policies or compliance? This could be for security reasons, compliance with IP and digital rights, or other needs. One Uni org I've worked with successfully stopped a student from a suicide attempt when the student posted online – they physically located the person and saved them from what they were about to do… There are a lot of things to consider and every org is different.

7. Whether or not portal acceptable use and/or user ID/registration is needed is a hotly-debated topic and has a lot of "it depends". I recently asked several CISOs, lawyers, auditors, and cyber security friends at the FBI.
   * The CISOs feel it's "window dressing" except that per…
   * …lawyers, there may be some legal protection if a user compromised while on your network comes after you (e.g. policy says "org not responsible for anything resulting from use of their network").
   * The FBI says they need "something" to open a case and prosecute (e.g. Acceptable Use clause or access banner).
   * In Europe (I'm told) orgs providing public internet access fall under ISP laws, and therefore must be diligent about registration/acceptable use/etc. By policy/compliance they have stricter rules for requiring accountability and registration.

___________
Jennifer Minella, CISSP, HP MASE
VP of Engineering & Security
Carolina Advanced Digital, Inc.
www.cadinc.com
j...@cadinc.com
919.460.1313 Main Office
919.539.2726 Mobile/text

From: Enfield, Chuck <cae...@psu.edu>
Sent: Friday, April 16, 2021 4:57 PM
Subject: Re: WPA3/OWE as campus solution?

I've been floating this idea to IT leadership for years, with no interest on their part. We implemented an open guest network with no rate limiting about 18 months ago, so now any student who doesn't want to onboard doesn't have to. I figured that would get the bosses asking why we bother to authenticate on the other SSID, but still no. It's ironic that the people who constantly stress the importance of customer experience and regularly complain to me about the onboarding experience can't be bothered to consider obvious alternatives. I wouldn't be so disappointed if we discussed the pros and cons and they came to a different conclusion than I have, but it sounds so radical to them that they don't even care to discuss it.

Chuck

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Lee H Badman
Sent: Friday, April 16, 2021 10:09 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WPA3/OWE as campus solution?

One more for you all – anyone contemplating ditching 802.1X for the BYOD side of your WLAN (not managed laptops and "business" clients) and simplifying with OWE/WPA3? Like… the open network that's actually moderately secure, leveraging the latest security options?

Thanks,

Lee Badman | Network Architect (CWNE#200)
Information Technology Services (NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003  e lhbad...@syr.edu  w its.syr.edu
Campus Wireless Policy: https://answers.syr.edu/display/network/Wireless+Network+and+Systems
SYRACUSE UNIVERSITY
syr.edu

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
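Jennifer's point 5 says SAE "looks/feels just like PSK" but gives each endpoint its own key derivation, so a second device holding the same passphrase cannot decrypt the first device's traffic. The script below, an added example that is not part of the thread or anyone's product, shows the property behind that claim. wpa2_pmk() is the real IEEE 802.11 passphrase-to-PSK mapping (PBKDF2-HMAC-SHA1, 4096 rounds, salted with the SSID) and is checked against the published "password"/"IEEE" test vector: every station on a WPA2-Personal SSID ends up with the identical PMK. sae_like_session() is only a simplified model of what SAE changes, namely that the PMK also depends on fresh per-association secrets from both sides; it is not an implementation of the Dragonfly handshake (no mask scalar, no commit/confirm messages, and a toy modular group instead of an elliptic curve), and the TOY_P parameters and the "toy-sae-pmk" label are constructed for illustration.

```python
"""WPA2-PSK vs SAE-style PMK derivation: a toy comparison (added example,
not code from the EDUCAUSE thread). Only wpa2_pmk() follows a real standard."""
import hashlib
import secrets


# --- WPA2-Personal: the PMK is a pure function of (passphrase, SSID) --------

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11 Annex J: PSK = PBKDF2(HMAC-SHA1, passphrase, SSID, 4096, 256 bits).
    Two stations with the same passphrase on the same SSID get the same PMK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


# Published test vector from the 802.11 standard (Annex J / old Annex H).
IEEE_TEST_VECTOR = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"


def wpa2_known_answer_ok() -> bool:
    return wpa2_pmk("password", "IEEE").hex() == IEEE_TEST_VECTOR


# --- SAE-like model: the PMK also depends on per-association secrets --------

# Toy group: multiplication modulo the Mersenne prime 2^127 - 1.
# Constructed for illustration only; real SAE uses an elliptic-curve group.
TOY_P = 2 ** 127 - 1


def password_element(passphrase: str, ssid: str) -> int:
    """SAE maps the password to a group element (the 'password element', PE).
    Here we simply hash (SSID, passphrase) into a non-trivial element in [2, p-2]."""
    h = hashlib.sha256(ssid.encode() + b"\x00" + passphrase.encode()).digest()
    return 2 + int.from_bytes(h, "big") % (TOY_P - 3)


def commit(pe: int, private: int) -> int:
    """Each side sends PE^private in the clear (its 'commit' value)."""
    return pow(pe, private, TOY_P)


def derive_pmk(peer_commit: int, private: int) -> bytes:
    """Both sides compute PE^(a*b); hash it into a 256-bit PMK."""
    k = pow(peer_commit, private, TOY_P)
    return hashlib.sha256(b"toy-sae-pmk" + k.to_bytes(16, "big")).digest()


def sae_like_session(passphrase: str, ssid: str, rng=secrets.randbits):
    """One association. Returns (station_pmk, ap_pmk, station_commit, ap_commit).
    The two PMKs agree within the session, but a new session (new random
    private values) yields a different PMK even though the password is unchanged."""
    pe = password_element(passphrase, ssid)
    sta_priv = rng(126) | 1   # fresh per association; '| 1' keeps it non-zero
    ap_priv = rng(126) | 1
    sta_commit = commit(pe, sta_priv)
    ap_commit = commit(pe, ap_priv)
    return (derive_pmk(ap_commit, sta_priv),
            derive_pmk(sta_commit, ap_priv),
            sta_commit, ap_commit)


if __name__ == "__main__":
    print("WPA2 PMK test vector ok:", wpa2_known_answer_ok())
    print("station A WPA2 PMK:", wpa2_pmk("CampusPass2021", "campus-psk").hex())
    print("station B WPA2 PMK:", wpa2_pmk("CampusPass2021", "campus-psk").hex())
    s1 = sae_like_session("CampusPass2021", "campus-sae")
    s2 = sae_like_session("CampusPass2021", "campus-sae")
    print("session 1 PMK (sta == ap):", s1[0].hex(), s1[0] == s1[1])
    print("session 2 PMK (sta == ap):", s2[0].hex(), s2[0] == s2[1])
    print("sessions share a PMK:", s1[0] == s2[0])
```

The contrast to read off the output is the one in the thread: with WPA2-PSK, knowledge of the passphrase plus the values exchanged on the air is enough to reach every station's keys, because the PMK is the same for all of them; in the SAE-style model the on-air commit values and the password together still leave an observer without either side's private exponent, so each association gets its own PMK.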
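Manon's "we log enough so we can trace and prove due diligence" and Jennifer's point 6 on traceability both come down to the same mechanical question: given a notice that names an IP address and a time, which device held that address then, and does any record tie that device to a person? The script below is an added example, not code from the thread or any vendor; the DHCP and identity events are constructed sample lines in an invented `timestamp KIND key=value` format, so you would map your own DHCP server, RADIUS accounting and portal exports onto the same tuples. It also shows the gap the thread is debating: a device that joined an OWE SSID with no portal resolves to a MAC address and nothing more.

```python
"""Trace an abuse notice (IP + time) back to a device and, where the network
recorded one, an identity. Added example; the log lines are constructed."""
from datetime import datetime, timezone

# Constructed DHCP lease events (UTC). Note 10.20.30.41 is reassigned at 16:10.
DHCP_EVENTS = """\
2021-04-21T14:58:03Z DHCPACK ip=10.20.30.41 mac=aa:bb:cc:dd:ee:01
2021-04-21T15:10:40Z DHCPACK ip=10.20.30.42 mac=aa:bb:cc:dd:ee:03
2021-04-21T16:10:12Z DHCPACK ip=10.20.30.41 mac=aa:bb:cc:dd:ee:02
"""

# Constructed identity sources: 802.1X accounting and portal self-registration.
# Device ...ee:03 joined an OWE SSID with no portal, so nothing ties it to a person.
AUTH_EVENTS = """\
2021-04-21T14:57:55Z DOT1X-START mac=aa:bb:cc:dd:ee:01 user=jdoe ssid=campus-1x
2021-04-21T16:05:00Z DOT1X-STOP  mac=aa:bb:cc:dd:ee:01 user=jdoe ssid=campus-1x
2021-04-21T16:09:58Z PORTAL-REG  mac=aa:bb:cc:dd:ee:02 user=guest-4417 expires=2021-04-22T16:09:58Z ssid=campus-guest
"""


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_events(text: str):
    """Each line -> (timestamp, kind, {key: value}), sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        events.append((parse_ts(ts), kind, fields))
    return sorted(events, key=lambda e: e[0])


def mac_for_ip_at(ip: str, when: datetime, dhcp_events):
    """The MAC that most recently acknowledged a lease for `ip` at or before `when`."""
    holder = None
    for ts, kind, f in dhcp_events:
        if kind == "DHCPACK" and f["ip"] == ip and ts <= when:
            holder = f["mac"]
    return holder


def identity_for_mac_at(mac: str, when: datetime, auth_events):
    """Latest open 802.1X session or still-valid portal registration for `mac`.
    Returns (user, source) or None when no record exists."""
    best = None
    for ts, kind, f in auth_events:
        if f.get("mac") != mac or ts > when:
            continue
        if kind == "DOT1X-START":
            best = (f["user"], "802.1X")
        elif kind == "DOT1X-STOP":
            best = None                      # session closed before the notice time
        elif kind == "PORTAL-REG" and parse_ts(f["expires"]) >= when:
            best = (f["user"], "portal")
    return best


def trace_notice(ip: str, when_str: str, dhcp_text=DHCP_EVENTS, auth_text=AUTH_EVENTS):
    """Resolve a notice to {ip, mac, user, source}; None fields mean 'no record'."""
    when = parse_ts(when_str)
    mac = mac_for_ip_at(ip, when, parse_events(dhcp_text))
    if mac is None:
        return {"ip": ip, "mac": None, "user": None, "source": None}
    ident = identity_for_mac_at(mac, when, parse_events(auth_text))
    user, source = ident if ident else (None, None)
    return {"ip": ip, "mac": mac, "user": user, "source": source}


if __name__ == "__main__":
    for ip, t in [("10.20.30.41", "2021-04-21T15:30:00Z"),
                  ("10.20.30.41", "2021-04-21T17:00:00Z"),
                  ("10.20.30.42", "2021-04-21T15:30:00Z"),
                  ("10.20.30.99", "2021-04-21T15:30:00Z")]:
        print(trace_notice(ip, t))
```

Two details matter for "proving due diligence": the DHCP lookup must honour lease reassignment (the same IP resolves to different MACs at 15:30 and 17:00), and the identity lookup must honour session end and registration expiry rather than returning the last name ever seen for a MAC. The retention window for these records is what sets how old a notice you can still answer.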