Re: large campus network ... sugestions
From: Roman Medina-Heigl Hernandez <roman(at)rs-labs.com>
Date: Fri Dec 14 2007 - 12:53:06 EST
> > openvpn might be an easier solution.
>
> >> Also due to the fact that my ISP doesn't agree with opening all ports
> >> and traffic shaping due to possible attacks, most of my clients are
> >> using tunneling methods like "your freedom" and "surf no limit", which
> >> currently produce a high CPU usage on all the servers due to the
> >> CONNECT method in the Squid Proxy Cache. Currently I just drop/traffic
> >> shape the tunneled P2P traffic via the ipp2p/l7-filter module of iptables.
> >> I still believe that opening all ports and traffic shaping them would be
> >> the only solution ... but this would impose a high network security
> >> ... so I'm back to point 1 ... suggestions?!
> >
> > Does that mean that you allow CONNECTs to all ports?

If you want to permit HTTPS, you have to allow CONNECT to (at least) 443/tcp. So it's easy to tunnel through that port and get a "clean" internet connection. I don't know of any solution (level 7 filtering, etc.) able to defeat this kind of trick.

--
Saludos,
-Roman

PGP Fingerprint: 09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]

Received on Fri Dec 14 13:26:51 2007
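Added illustration of the proxy-side view of the point made in the reply above; this is example code written for this archive page, not code from the thread, from Squid, or from l7-filter. It models the two checks a Squid-style proxy can make on a CONNECT request: the port restriction that Squid's stock `acl SSL_ports port 443` plus `http_access deny CONNECT !SSL_ports` express, and a peek at the first bytes the client pushes into the tunnel to require a TLS ClientHello. The request lines, host names and traffic samples are constructed; the function names are this example's own. The last sample shows the limit the reply describes: a tunnel that is itself wrapped in real TLS on 443 passes both checks and is indistinguishable from an HTTPS session.

```python
"""
Proxy-side checks on HTTP CONNECT tunnels (constructed example).

1. connect_allowed(): only let CONNECT reach the "SSL ports" (the effect of
   squid.conf's `acl SSL_ports port 443` / `http_access deny CONNECT !SSL_ports`).
2. looks_like_tls_client_hello(): require that the first bytes sent into the
   tunnel are a TLS ClientHello. This rejects plaintext tunnels (SSH, plain
   OpenVPN, raw HTTP) that merely use port 443, but NOT a tunnel wrapped in
   real TLS, which is exactly the case the reply calls undefeatable.
"""
import re
from typing import FrozenSet, Optional, Tuple

# Mirrors the default Squid SSL_ports ACL (assumption: only 443 is wanted).
SSL_PORTS: FrozenSet[int] = frozenset({443})

# "CONNECT host:port HTTP/1.x"; host may be a bracketed IPv6 literal.
_CONNECT_RE = re.compile(
    r"^CONNECT\s+(?P<host>\[[0-9a-fA-F:]+\]|[^\s:]+):(?P<port>\d{1,5})"
    r"\s+HTTP/1\.[01]\r?\n?$"
)


def parse_connect(request_line: str) -> Optional[Tuple[str, int]]:
    """Parse a CONNECT request line into (host, port); None if malformed."""
    m = _CONNECT_RE.match(request_line)
    if not m:
        return None
    port = int(m.group("port"))
    if not 1 <= port <= 65535:
        return None
    return m.group("host"), port


def connect_allowed(request_line: str, ssl_ports: FrozenSet[int] = SSL_PORTS) -> bool:
    """Squid-style rule: CONNECT is permitted only to the SSL_ports set."""
    parsed = parse_connect(request_line)
    return parsed is not None and parsed[1] in ssl_ports


def looks_like_tls_client_hello(data: bytes) -> bool:
    """True if data starts with a TLS handshake record carrying a ClientHello.

    Record header: content type 0x16 (handshake), version 0x03 0x0X,
    2-byte length; first handshake byte 0x01 = ClientHello.
    """
    if len(data) < 6:
        return False
    if data[0] != 0x16 or data[1] != 0x03 or data[2] > 0x04:
        return False
    rec_len = int.from_bytes(data[3:5], "big")
    if rec_len == 0 or rec_len > 16384:
        return False
    return data[5] == 0x01


def classify_tunnel(request_line: str, first_bytes: bytes) -> str:
    """Apply both checks; returns 'deny-port', 'deny-not-tls' or 'allow'."""
    if not connect_allowed(request_line):
        return "deny-port"
    if not looks_like_tls_client_hello(first_bytes):
        return "deny-not-tls"
    return "allow"


# Constructed sample traffic: the first bytes a client sends after "200 Connection established".
TLS_HELLO = b"\x16\x03\x01\x00\xa2\x01\x00\x00\x9e\x03\x03" + b"\x00" * 32
SSH_BANNER = b"SSH-2.0-OpenSSH_7.9\r\n"
PLAIN_HTTP = b"GET / HTTP/1.1\r\nHost: example.net\r\n\r\n"

SAMPLES = [
    ("CONNECT mail.example.com:443 HTTP/1.1", TLS_HELLO),   # real HTTPS
    ("CONNECT vpn.example.net:1194 HTTP/1.1", TLS_HELLO),   # OpenVPN port: port ACL stops it
    ("CONNECT shell.example.net:443 HTTP/1.1", SSH_BANNER), # SSH on 443: peek stops it
    ("CONNECT web.example.net:443 HTTP/1.1", PLAIN_HTTP),   # raw HTTP on 443: peek stops it
    ("CONNECT vpn.example.net:443 HTTP/1.1", TLS_HELLO),    # TLS-wrapped VPN: indistinguishable
]

if __name__ == "__main__":
    for line, payload in SAMPLES:
        print(f"{line:45s} -> {classify_tunnel(line, payload)}")
```

The port ACL is the part worth deploying; the ClientHello peek only raises the bar for clients that do not bother to speak TLS, and anything that does (OpenVPN in TCP mode behind stunnel, an SSH server behind a TLS wrapper) still gets the "clean" connection the reply describes.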