Page 3 of 3 FirstFirst 123
Results 21 to 21 of 21
  1. #21
     jcoehoorn (Untangle Ninja)
     Join Date: Mar 2010
     Location: York, NE
     Posts: 1,935

    We keep our wireless on a separate subnet from the wired network. We also have other subnets to separate the student connections in the dorms and labs from the administrative networks. The reasoning here isn't just security, but also performance - it limits the broadcast domains to reasonable sizes. This is especially important for the wireless. You don't want all of your access points transmitting a new set of broadcast packets every time someone on the administration side starts up their computer and asks for an IP address. You can really kill wireless throughput that way.

    Once you've done this, you can set up capture rules in the captive portal that only target student machines and leave your university-owned computers alone.

    I tried the "log and nuke" approach myself in the way you described, and it doesn't work. The problem is that the port selection is essentially random, so blocking ports after the fact doesn't really help you. What some schools have done is block the entire range of ports >1024, and then make students ask you to open specific ports for games, instant messaging, etc., but imo that's just annoying both for the students and yourself.
    Last edited by jcoehoorn; 11-30-2010 at 09:35 AM.
    Five-time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 16.5 to protect a 1Gbps fiber link for ~450 residential college students and associated staff and faculty
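A worked illustration of the two points in the post above, added here as an example and not part of the original thread or of Untangle's own configuration format: a subnet-keyed capture policy that sends student subnets through the portal while leaving university-owned hosts alone (with the usable-host count per subnet as a proxy for broadcast-domain size), and a flow-log parser showing how little of the >1024 port range a reactive "log and nuke" block list ends up covering. All subnets, addresses, the pass-list and the log lines are constructed values, and the function names are this example's own.

```python
"""Subnet-keyed captive-portal capture rules and a "log and nuke" coverage
check. Added example; not Untangle's rule format or code. All subnets,
addresses and log lines below are constructed."""
import ipaddress
import re

# Constructed subnet plan (assumed values, not from the post).
SUBNETS = {
    "wireless": ipaddress.ip_network("10.20.0.0/22"),
    "dorms": ipaddress.ip_network("10.30.0.0/21"),
    "labs": ipaddress.ip_network("10.40.0.0/24"),
    "admin": ipaddress.ip_network("10.10.0.0/24"),
}

# Subnets whose clients are student machines and must go through the portal.
CAPTURED_SUBNETS = {"wireless", "dorms"}

# University-owned hosts on a captured subnet that are passed through anyway
# (constructed example: a department laptop that roams onto wireless).
PASS_LIST = {ipaddress.ip_address("10.20.1.50")}


def classify(ip_str):
    """Name of the subnet containing ip_str, or None if it is unmanaged."""
    ip = ipaddress.ip_address(ip_str)
    for name, net in SUBNETS.items():
        if ip in net:
            return name
    return None


def requires_portal(ip_str):
    """Capture rule: pass-list is checked first, then subnet membership."""
    if ipaddress.ip_address(ip_str) in PASS_LIST:
        return False
    return classify(ip_str) in CAPTURED_SUBNETS


def broadcast_domain_sizes():
    """Usable host addresses per subnet: the most hosts that can share one
    broadcast domain, which the post wants kept small for wireless."""
    return {name: net.num_addresses - 2 for name, net in SUBNETS.items()}


# Constructed flow-log lines: timestamp, client, remote host:port, protocol.
FLOW_LOG = """\
2010-11-30T09:00:01 10.30.4.200 -> 203.0.113.5:27015 udp
2010-11-30T09:00:04 10.30.4.200 -> 203.0.113.5:27016 udp
2010-11-30T09:01:12 10.30.4.201 -> 198.51.100.9:5222 tcp
2010-11-30T09:02:40 10.30.4.200 -> 203.0.113.7:3478 udp
2010-11-30T09:03:03 10.30.4.202 -> 198.51.100.20:49152 udp
2010-11-30T09:03:09 10.30.4.202 -> 198.51.100.20:49153 udp
"""
FLOW_RE = re.compile(r"^\S+ (\S+) -> (\S+):(\d+) (\w+)$")
HIGH_PORTS = range(1025, 65536)  # the ">1024" range the post refers to


def reactive_block_coverage(log_text):
    """Parse the flow log, build the block list a "log and nuke" policy would
    produce (every high destination port seen so far), and report what
    fraction of the high-port range that list actually covers."""
    blocked = set()
    for line in log_text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        port = int(m.group(3))
        if port in HIGH_PORTS:
            blocked.add(port)
    return {"blocked_ports": sorted(blocked),
            "fraction_of_high_range": len(blocked) / len(HIGH_PORTS)}


if __name__ == "__main__":
    for ip in ["10.20.1.7", "10.20.1.50", "10.10.0.9", "10.30.4.200", "192.168.1.1"]:
        print(f"{ip:15} subnet={str(classify(ip)):9} portal={requires_portal(ip)}")
    print(broadcast_domain_sizes())
    print(reactive_block_coverage(FLOW_LOG))
```

The pass-list check runs before the subnet check so a university-owned machine that roams onto the wireless subnet is still left alone; the coverage figure makes the post's "essentially random" point concrete, since six observed flows block six of more than 64,000 possible high ports.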
