
Re: large campus network ... suggestions

From: Jonas Andradas <j.andradas(at)gmail.com>
Date: Fri Dec 14 2007 - 06:31:46 EST


Hello Adrian,

I do not consider myself an expert, so maybe I shouldn't be replying to the whole list, but maybe my little knowledge can be completed by someone else.

Maybe you could authenticate users through the proxy against an LDAP with user and password or even through certificates with a RADIUS server.

When limiting access to only certain protocols, if the users have the interest, it's very probable that they will start tunneling (which is what seems to be happening already) by using the means you talk about or, if they can install software on the computers, tunneling SSH by using Corkscrew. Once SSH is tunneled, almost anything can be tunneled through SSH.

Maybe others can shed some more light on this, or even propose more adequate ideas and/or solutions.

Best regards,

Jonas Andradas

On Dec 14, 2007 12:04 PM, Tirla Adrian <tirlaadi@gmail.com> wrote:

> Hello,
>
> I'm currently one of the network administrators of a 3000+ students
> and I have some issues maintaining security, authentication ... and
> quality of service ...
>
> Currently we have 16 buildings, each with its own network server
> which does proxy caching (due to limited Internet bandwidth) and NAT
> for other services. Our network bandwidth is 20 Mbit (up to 150 Mbit
> shared with the University), so the ISP suggested (actually demanded)
> to allow access only to some services like http, https, smtp, pop3 and
> to limit all others. Due to some network attacks it is required to
> have network authentication, which currently is made via MAC+IP (which
> to me looks very unhealthy due to spoofs). Each building has an
> Ethernet network with unmanaged switches directly connected to 1
> server.
>
> I'm interested in a better authentication method than registering all
> the MACs+IPs of all my users (which after all is just dust in the wind
> ...) using my current hardware (16 servers, 1 for at least 250
> clients). I was thinking about PPP-based authentication but it doesn't
> look very scalable and secure ... am I wrong?
>
> Also due to the fact that my ISP doesn't agree with opening all ports
> and traffic shaping due to possible attacks, most of my clients are
> using tunneling methods like "your freedom" and "surf no limit", which
> currently produce a high CPU usage on all the servers due to the
> CONNECT method in the Squid Proxy Cache. Currently I just drop/traffic
> shape the tunneled P2P traffic via the ipp2p/l7-filter module of iptables.
> I still believe that opening all ports and traffic shaping them would be
> the only solution ... but this would impose a high network security
> risk ... so I'm back to point 1 ... suggestions?!
>
> Thanks,
> Adrian TIRLA
>
> ps: this mail is forwarded also on debian-isp@lists.debian.org
>
>
> --
> To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmaster@lists.debian.org
>
>

-- 
To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
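A defensive follow-up to the two points raised in this thread (Adrian's CONNECT load from tunnelling tools, and Jonas's suggestion of authenticating users at the proxy), added here as an illustration and not code from either poster: a small Python script that reads Squid's native access.log format and reports CONNECT requests to ports other than 443, clients with an unusually high CONNECT count, and requests that carried no proxy username. The log format assumed is Squid's default native layout; the sample lines, client addresses, usernames and thresholds are constructed for the example.

```python
"""Spot CONNECT-tunnel abuse in a Squid access.log (added example, not from the thread).

Assumes Squid's default "native" log format:
  timestamp elapsed client action/code size method url user hierarchy/peer type
The sample lines, client addresses, usernames and thresholds below are constructed.
"""
from collections import Counter

# Policy (assumption): CONNECT is only legitimate towards HTTPS. Tunnelling tools of the
# "your freedom" kind carry arbitrary TCP through the proxy by CONNECTing to other ports.
ALLOWED_CONNECT_PORTS = {443}
CONNECT_THRESHOLD = 50      # CONNECTs per client in the examined window before we flag it

# Constructed sample log: 10.1.2.4 never presents a proxy username and tunnels to odd ports.
SAMPLE_LOG = """\
1197612000.101    245 10.1.2.3 TCP_MISS/200 1234 CONNECT mail.example.edu:443 jdoe DIRECT/192.0.2.10 -
1197612000.202   1200 10.1.2.4 TCP_MISS/200 98765 CONNECT 198.51.100.7:8080 - DIRECT/198.51.100.7 -
1197612001.303    180 10.1.2.3 TCP_HIT/200 5120 GET http://www.example.edu/ jdoe NONE/- text/html
1197612002.404     15 10.1.2.4 TCP_MISS/403 0 CONNECT 198.51.100.7:22 - DIRECT/198.51.100.7 -
1197612003.505   3000 10.1.2.4 TCP_MISS/200 65000 CONNECT 198.51.100.7:443 - DIRECT/198.51.100.7 -
1197612004.606   2800 10.1.2.4 TCP_MISS/200 64000 CONNECT 198.51.100.7:443 - DIRECT/198.51.100.7 -
1197612005.707    300 10.1.2.5 TCP_MISS/200 2048 CONNECT www.example.org:443 asmith DIRECT/192.0.2.20 -
"""


def parse_line(line):
    """Split one native-format line into the fields we need; None for junk lines."""
    fields = line.split()
    if len(fields) < 8:
        return None
    return {
        "client": fields[2],
        "status": fields[3],
        "method": fields[5],
        "url": fields[6],
        "user": fields[7],     # '-' when the request carried no proxy credential
    }


def connect_port(url):
    """Port of a CONNECT target ('host:port'); None if the URL has no numeric port."""
    _host, sep, port = url.rpartition(":")
    if sep and port.isdigit():
        return int(port)
    return None


def analyze(log_text, connect_threshold=CONNECT_THRESHOLD):
    """Return the three findings a proxy admin would act on."""
    connects = Counter()         # CONNECT requests per client
    unauthenticated = Counter()  # requests per client with no proxy username
    nonstandard = []             # (client, user, url) for CONNECT outside ALLOWED_CONNECT_PORTS
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["user"] == "-":
            unauthenticated[rec["client"]] += 1
        if rec["method"] != "CONNECT":
            continue
        connects[rec["client"]] += 1
        if connect_port(rec["url"]) not in ALLOWED_CONNECT_PORTS:
            nonstandard.append((rec["client"], rec["user"], rec["url"]))
    heavy = {c: n for c, n in connects.items() if n >= connect_threshold}
    return {
        "nonstandard_connect": nonstandard,
        "heavy_connect": heavy,
        "unauthenticated": dict(unauthenticated),
    }


if __name__ == "__main__":
    # Threshold lowered so the short constructed sample trips it.
    report = analyze(SAMPLE_LOG, connect_threshold=3)
    for client, user, url in report["nonstandard_connect"]:
        print(f"CONNECT to non-HTTPS port: client={client} user={user} target={url}")
    for client, n in report["heavy_connect"].items():
        print(f"high CONNECT volume: client={client} connects={n}")
    for client, n in report["unauthenticated"].items():
        print(f"no proxy username: client={client} requests={n}")
```

The "no proxy username" finding only means something once Squid is actually asking for credentials (for example an `acl ... proxy_auth REQUIRED` rule backed by an LDAP helper, as Jonas suggests); without that, every line shows `-` in the user column. The non-standard-port finding is also the one most cheaply prevented rather than detected: Squid's stock configuration already ships `acl SSL_ports port 443` together with `http_access deny CONNECT !SSL_ports`, so these requests should be refused before they cost CPU in the first place.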
Received on Fri Dec 14 06:33:50 2007

This archive was generated by hypermail 2.1.8 : Wed Mar 19 2008 - 06:54:28 EDT

