4

I've been battling bureaucracy at my community college for months on this issue; a few months ago, they changed security on the SSID for students;

It used to use EAP, allowing students to enter their academic credentials once in their native Wi-Fi client. Now the network is open, with a redirect to a secure browser page that authenticates credentials.

I am meeting with the vice chancellor of my college in two weeks and want to make sure my case to encrypt the student network again is solid. Trying to explain the difference between authentication and encryption to somebody with no technical knowledge is enough of a pain;

beyond explaining that the network is, in fact, open, I have to convince them that an open network is a significant risk, especially given the high volume and low technical literacy of the student body (it's a large community college).

Finally, the IT admins have claimed that the basis for switching was device compatibility -- that they could no longer support all student devices on the network.

Given that the staff still has an encrypted network, and likely uses the same variety of devices as the students, I suspect this is an excuse. Certainly on the front end EAP is a pretty well established standards. I have no clue what things look like on the back end, though.

EDIT: I have no "threat model", and I am not asking about some idealized form of security. Please understand the context of my question and answer in a manner relevant to that context. I need an reasonably actionable IT policy to advocate for, and I need to be able to present some concept of risk vs cost to the Vice Chancellor.

Is there any merit to what IT has been claiming? And am I right to be agitating for encryption for the student body?

Aaron Rosenfeld
  • 49
  • 4
  • 2
    Have you heard of [eduroam](http://en.wikipedia.org/wiki/Eduroam)? You should propose this, it enables the students to use the WiFi all around the world, and lets guests simply use their home credentials. You can have two networks: one eduroam (encrypted) and one unencrypted for compatibility. – user10008 Nov 19 '14 at 23:14
  • 1
    Could you clarify your question and add a threat model? What do you mean with "backend" and "frontend"? – user10008 Nov 20 '14 at 03:38
  • 1
    Do the staff and students have the same level of access to the college network via the wireless service? Or do students only have access to the Internet and maybe some web apps presented from the college network? – R15 Nov 20 '14 at 11:42
  • I have no threat model. We had an encrypted connection, then an open one. That is it. So far as I know staff access is the same. I'm not sure why Web apps are relevant; Blackboard et al are just as accessible remotely as they are on the network. There's no network printing or file sharing on either WiFi network to my knowledge, just Internet access. Regarding front vs back end, I was simply wondering if there was any particular burden in supporting many devices not visible to the end user. Is IT just being lazy here? – Aaron Rosenfeld Nov 21 '14 at 03:24
  • 2
    If you have no threat model, then you have no basis for any argument. Someone "took away" your encryption, and now you seem upset, it seems like you are upset mostly because you think you lost something of value. And you keep arguing against people who are trying to help you understand why it's not as important to the end users; and now you are even blaming "IT for being lazy." Please go reread all the posts with a fresh eye. – John Deters Nov 22 '14 at 04:57

4 Answers4

4

I think you are worrying about the wrong thing. You should have no reason to trust the local network any more than you would for any data you'd send over the public internet. If you want to send a password, it's your responsibility to ensure you're using a connection protected by TLS. Trusting the local WiFi to protect your data is essentially excluding only the hackers within eyesight, and thinking that somehow keeps you safe.

You are responsible for your security on your own machine, and any network connections you make.

John Deters
  • 33,650
  • 3
  • 57
  • 110
  • I think you're completely missing the boat here. I'm concerned about ALL students on the network; I'm actually transferring out very soon, but for the sake of the student body I want this matter sorted. So let's approach this situation from the admin side, instead of the student side; what IT policy should I advocate for? – Aaron Rosenfeld Nov 20 '14 at 00:19
  • 1
    I'm not missing what you're asking, I'm saying that what you're asking for provides only a false sense of security. – John Deters Nov 20 '14 at 00:20
  • So... you think WiFi encryption is only a fig leaf? – Aaron Rosenfeld Nov 20 '14 at 00:25
  • 1
    WiFi encryption protects the local network from rogue connections, and local-to-local packets from being viewed. It protects the clients from packet sniffing on the WiFi segment, but offers no protection beyond that. Someone on the campus' network, the campus' ISP, or anyone else on the internet can potentially sniff it at any other point. It's like an armored fig leaf that doesn't prevent viewing from the wrong angles. – John Deters Nov 20 '14 at 03:13
  • Right now I have a fairly binary policy choice: open or encrypted. I need to know what to advocate for. When you qualify my Fig leaf metaphor, you make it clear that there are benefits (also that the metaphor isn't applicable, but that's neither here nor there). I appreciate your taking the time to explain these things, and like learning about them for my own personal benefits, but I'm trying to make value judgments within a specific context. – Aaron Rosenfeld Nov 21 '14 at 03:32
2

First, a comment; sometimes (read "almost always") I get a cool new toy, app, technology and I try to fit it in in every possible place. Even in places that don't work, I enjoy figuring out why. It's a learning experience.

The term "Threat Model" may sound either overly theoretical, or dismissive of your case. The purpose is for the security consultant to give you a proper solution.

In this case, it doesn't sound like you want a proper solution to protect against a security hole, but you see an intuitive feature (wifi encryption) that should be turned on because it "seems better". I would agree. You're doing proper due diligence coming here and asking for support. Good thought, but this audience is now mostly security consultants who want to fix a problem.

What does enabling encryption for wifi give you? It gives the students privacy for any non-SSL website. Anytime a student uses a website without SSL, you can assume that a nosy visitor, consultant, or nearby person can read that information (google searches, social media, etc). This can be the basis for your argument.

In support of your IT Staff, supporting end user devices is difficult, especially considering the multitude of devices out there. If you're a community college, chances are you're dealing with old hand me down equipment, and demanding students.

In an era where colleges have to cater (too much so) to students for revenue, I would suspect your IT staff has a compelling argument. Perhaps you can have a "middle ground" where the access point serves "WPA-2 Enterprise (iOS)" or WPA in addition to no authentication. Then you can recommend something for the security conscious users, and still have a catch-all service for students with bad hardware.

user10008 suggests telling the students to use the existing,encrypted faculty one. Assuming the faculty Wifi contains confidential / PII data, I would discourage this. It opens the door for many attacks against professors on the same connection.

makerofthings7
  • 50,090
  • 54
  • 250
  • 536
  • I'm glad you appreciate the broader context of my question. I think the applicable phrase is, "when you have a hammer, everything looks like a nail." As stated previously, the student network used to be "separate but equal"regarding encryption, and this is the state to which I think it should be reverted. I just want a fuller understanding of the costs of implementation and the risks of not implementing, as well as any other reasonable suggestions I can make regarding IT policy to better protect the student body. – Aaron Rosenfeld Nov 21 '14 at 04:52
  • @AaronRosenfeld I know first hand that most Universities are willing or eager to discuss their experiences, wants and desires with other schools. Community colleges are different, if they have the staff, depth of technical knowledge, and time, they too will freely share designs that work. – makerofthings7 Nov 21 '14 at 04:55
  • Costs: different authentication + encryption costs different amounts. It may or may not require hardware replacements. Support will cost more no doubt. Risks: Anything not encrypted over SSL/HTTPS can potentially be seen. Is this a problem? depends on the content. If your internal sites (Blackboard) don't use SSL, then that is a problem. – makerofthings7 Nov 21 '14 at 05:02
1

Having once worked at an edu, it was our goal to make things as seamless and painless for the clients (students) of the University. As a professional, there were many things that we championed for especially when it came to security. For example, we opposed P2P network, because traffic patterns at the time pointed to students downloading music (back then Napster was in fashion). We opposed it because it saturated the network for others, but it also led to cesspools of viruses and infections (malware) that further disrupted the network. We put forth a proposal that was challenged tooth and nail by the clients (students), which ultimately led to P2P being allowed, but NAC being thrown up so we could babysit our clients (students) and play their personal "computer clean up crew."

The answer they gave you, was likely spot on. Clients (students - notice the repeat of this term - Clients - because at the end of the day, they pay the bills with their tuition) are all going to have a smorsgasbord of devices. There are likely clients (people who are paying a bill via tuition) who have devices that have devices that don't play well with EAP. Some students may have barebones older machines that support the ultimate barebones basic protocols. What do you do, tell those paying clients: "you need to pay more to connect, by purchasing a new laptop/phone/iPad/tablet?

Your concerned via an "open" network versus a "closed" one is kind of lopsided. How do you know that once you authenticate, you're not sending data via say a proxied network (sslvpn or so). It's like saying: "When I go to check into a hotel, I can't believe I am having to log in via an open network."

munkeyoto
  • 8,682
  • 16
  • 31
  • First of all, there is an open guest network, so there are options; but I'm curious as to how many devices there really are out there that don't support EAP. Looking at the WiFi Alliance page, it seems like this has been a standard for close to a decade. Additionally, you're making a burden of proud fallacy. I have no reason to believe there's a secure proxy for the open network. I've been nagging IT for months, and it never came up. – Aaron Rosenfeld Nov 21 '14 at 04:47
  • You state: "I'm curious as to how many devices there really are out there that don't support EAP" even if there is only one, they must accommodate the paying customer. – munkeyoto Nov 21 '14 at 13:23
0

As the traffic leaves the university it sets on a long long journey across the globe until it reaches the server it was meant for. During that it passes lots of countries and uses lots of people's datacenters. They all can spy on you. You need strong end-to-end (TLS) protection to be safe from those people. With encrypted WiFi you can protect from others around, but if you already have stronger protection in-place, you are already protected by that.

However, the world isn't as shiny as it seems. Non-technical people can set up their private printers, public shares, or they can ignore certificate warnings. If the WiFi is encrypted, staff can manage these issues. If the WiFi is unencrypted, the students themselves have to avoid such mistakes.

Its nice to have good encryption on the first step, but not neccessary.

You have mentioned that staff still gets encrypted WiFi. A good option would be to allow Students to use that, too. If there are problems with devices on the encrypted network, staff can point to the unencrypted alternative.

user10008
  • 4,315
  • 21
  • 33
  • Please read the question. I think this is one of those cases of better being the enemy of good. I'm specifically asking for the students to have the same encryption as staff. I made that very clear. Let's not get preoccupied with esoteric ideals of security. This is not a question about a technically literate individual maximizing their security. This is a matter of implementing an IT policy that minimizes risks to it's users. – Aaron Rosenfeld Nov 20 '14 at 03:06
  • 2
    We have different threat models. If the threat you want to protect from is the skiddie student with wireshark that sais "cool, I can see my neighbour is home again", then yes open WiFi is bad. If you want to protect your universities WiFi from technically skilled outsiders to enter, then yes open WiFi is bad. But if you want to protect students from the dangers of the internet, open WiFi doesn't change much. – user10008 Nov 20 '14 at 03:37