[AusNOG] Maximum users per AP

Scott Howard scott at doc.net.au
Sat Oct 27 13:43:48 EST 2012

On Fri, Oct 26, 2012 at 4:21 PM, Paul Gear <ausnog at libertysys.com.au> wrote:

> So what do you do for the scenario where you're providing service for BYOD
> or public networks (as the OP seemed to be) and have no authority to touch
> the end user's device?  When we tried this, we came to the conclusion that
> we would have to allow unfettered outbound HTTPS if we weren't to have
> massive user experience rage, and this basically eliminates the benefit of
> any filtering.

It depends on what you're trying to achieve.  If it's simply to block/allow
access to a site, you can do this based on the certificate exchange alone.
The certificate sent during the initial SSL handshake includes the hostname
of the website (or at least some variation on hostname, wildcard hostname,
alternate names, etc.) and is sent in clear-text, so the connection can be
blocked based on that hostname.

It's a very coarse solution, as at best you can get to host granularity
(not URL), you can't inspect the content at all (e.g., anti-virus), and
there are numerous ways to get around this (think self-signed certs for
starters, but there are countless others) - but it'll stop at least the
average user.
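The host-level filter Scott describes, as an added example that is not part of the thread. The post matches on the hostname in the server certificate; this code reads the same hostname from the other cleartext field of a TLS 1.2 handshake, the Server Name Indication extension of the ClientHello (RFC 6066), which a filter in the path sees even earlier and which survives into TLS 1.3, where the certificate itself is encrypted. The ClientHello bytes, the blocklist and the parent-domain matching rule are constructed for the example; it also shows the limit Scott points to, that the filter can only judge what the client volunteers (here, a ClientHello with no name at all).

```python
"""Host-granularity HTTPS filter from the cleartext TLS handshake (added example).

Parses the SNI extension of a TLS ClientHello and matches the name against a
blocklist.  Nothing after the handshake is inspectable, exactly as the post says.
"""
import struct

SNI_EXTENSION = 0x0000
UNKNOWN_EXTENSION = 0x0017   # extended_master_secret, used here only as "some other extension"


def build_client_hello(hostname=None):
    """Construct a minimal TLS 1.2 ClientHello record (sample input, not a real capture)."""
    extensions = struct.pack("!HH", UNKNOWN_EXTENSION, 0)        # an extension the parser must skip
    if hostname is not None:
        name = hostname.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name      # NameType host_name(0) + HostName
        server_name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", SNI_EXTENSION, len(server_name_list)) + server_name_list
    body = b"\x03\x03" + b"\x11" * 32                # client_version TLS 1.2, fixed "random" for the demo
    body += b"\x00"                                  # session_id: empty
    body += struct.pack("!H", 2) + b"\xc0\x2f"       # one cipher suite
    body += b"\x01\x00"                              # compression_methods: null only
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # HandshakeType client_hello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake


def extract_sni(record):
    """Return the host_name carried in the ClientHello SNI extension, or None if absent.

    Raises ValueError when the bytes are not a well-formed ClientHello record.
    """
    try:
        if record[0] != 0x16:
            raise ValueError("not a TLS handshake record")
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:
            raise ValueError("not a ClientHello")
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len:
            raise ValueError("truncated ClientHello")
        pos = 2 + 32                                           # skip client_version and random
        pos += 1 + body[pos]                                   # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                                   # compression_methods
        if pos >= len(body):
            return None                                        # no extensions block at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + ext_size]
            pos += ext_size
            if ext_type != SNI_EXTENSION:
                continue
            list_len = struct.unpack("!H", data[:2])[0]
            q = 2
            while q + 3 <= 2 + list_len:
                name_type = data[q]
                name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
                q += 3
                if name_type == 0:
                    return data[q:q + name_len].decode("ascii").lower().rstrip(".")
                q += name_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError) as exc:
        raise ValueError("malformed ClientHello") from exc


def hostname_blocked(hostname, blocklist):
    """Constructed policy: an entry blocks that host and every name beneath it."""
    host = hostname.lower().rstrip(".")
    for entry in blocklist:
        entry = entry.lower().rstrip(".")
        if host == entry or host.endswith("." + entry):
            return True
    return False


def filter_decision(record, blocklist):
    """'block', 'allow', or 'allow-no-sni' when the client gave the filter nothing to judge."""
    name = extract_sni(record)
    if name is None:
        return "allow-no-sni"
    return "block" if hostname_blocked(name, blocklist) else "allow"


if __name__ == "__main__":
    policy = ["example.net"]                     # constructed blocklist
    for host in ("www.example.net", "mail.example.com", None):
        print(host, "->", filter_decision(build_client_hello(host), policy))
```

Running it shows the three outcomes side by side: a name under the blocked domain is refused, an unrelated name passes, and a ClientHello without SNI passes by default because there is no hostname to match. Whether that last case should fail closed is a policy choice; failing closed breaks legitimate older clients, failing open is one of the bypasses the post alludes to.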
