Re: large campus network ... suggestions

From: Tirla Adrian <tirlaadi(at)gmail.com>
Date: Fri Dec 14 2007 - 14:59:04 EST


Hello Hernandez,

Yep ... currently I'm using the L7 Filter Module ... it really works nicely ... but I want to leave all ports open independently of the type of traffic. For this, as I mentioned, I need a better authentication method.

And to reply to every thread of this discussion .... changing more than 150 switches of 24 ports to managed switches that know 802.1x is not an option ... . This was mainly the ISP's solution.

Thanks.
Adrian TIRLA

On Dec 14, 2007 7:53 PM, Roman Medina-Heigl Hernandez <roman@rs-labs.com> wrote:

> Willi Mann wrote:
>
> >> I'm interested in a better authentication method than registering all
> >> the MACs+IPs of all my users (which after all is just dust in the wind
> >> ...) using my current hardware (16 servers, 1 for at least 250
> >> clients). I was thinking about ppp based authentication but it doesn't
> >> look very scalable and secure ... am I wrong ?
> >
> > openvpn might be an easier solution.
> >
> >> Also due to the fact that my ISP doesn't agree with opening all ports
> >> and traffic shaping due to possible attacks, most of my clients are
> >> using tunneling methods like "your freedom" and "surf no limit", which
> >> currently produce a high CPU usage on all the servers due to the
> >> CONNECT method in the Squid Proxy Cache. Currently I just drop/traffic
> >> shape the tunneled P2P traffic via the ipp2p/l7-filter module of iptables.
> >> I still believe that opening all ports and traffic shaping them would be
> >> the only solution ... but this would impose a high network security
> >> ... so I'm back to point 1 ... suggestions ?!
> >
> > Does that mean that you allow CONNECTs to all ports?
>
> If you want to permit HTTPS, you have to allow CONNECT to (at least)
> 443/tcp. So it's easy to tunnel through that port and get a "clean"
> internet connection.
>
> I don't know of any solution (level 7 filtering, etc.) able to defeat this
> kind of trick.
>
> --
>
> Regards,
> -Roman
>
> PGP Fingerprint:
> 09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742
> [Key ID: 0xEAD56742. Available at KeyServ]
Received on Fri Dec 14 15:04:31 2007

This archive was generated by hypermail 2.1.8 : Wed Mar 19 2008 - 06:54:32 EDT
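The thread turns on one point: once CONNECT to 443/tcp is allowed through Squid, anything can be tunnelled over it, and the posters know of no L7 filter that reliably tells a real TLS session from a "your freedom" style tunnel. What a proxy operator can still do is look at the tunnel's shape rather than its payload. The script below is an added illustration, not code from the list, from Squid or from the posters; it parses Squid's native access.log format (timestamp, elapsed ms, client, action/status, bytes, method, URL, ...) and flags CONNECT sessions that go to a port other than 443 or that stay open far longer or carry far more data than an ordinary HTTPS request. The port set and the two thresholds are assumptions to be tuned per site, and the log lines are constructed for the example.

```python
"""Flag suspicious CONNECT tunnels in Squid's native access.log.

Added example for the debian-security thread above; not code from the list
or from Squid. Assumes Squid's default native log format:
  timestamp elapsed_ms client action/status bytes method url ident hierarchy/peer type
Thresholds below are assumptions, not Squid defaults; tune them per site.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALLOWED_CONNECT_PORTS = {443}          # assumption: only HTTPS should be tunnelled
LONG_TUNNEL_MS = 10 * 60 * 1000        # assumption: a CONNECT held >10 min is unusual
BULK_TUNNEL_BYTES = 50 * 1024 * 1024   # assumption: >50 MiB through one CONNECT


@dataclass
class Entry:
    ts: float
    elapsed_ms: int
    client: str
    status: str
    size: int
    method: str
    url: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one native-format line; return None for malformed input."""
    fields = line.split()
    if len(fields) < 7:
        return None
    try:
        return Entry(float(fields[0]), int(fields[1]), fields[2],
                     fields[3], int(fields[4]), fields[5], fields[6])
    except ValueError:
        return None


def connect_port(url: str) -> Optional[int]:
    """CONNECT targets are logged as host:port; extract the port."""
    host, sep, port = url.rpartition(":")
    if not sep or not port.isdigit():
        return None
    return int(port)


def flag_reasons(e: Entry) -> List[str]:
    """Return the list of reasons a CONNECT entry looks like a tunnel, if any."""
    reasons: List[str] = []
    if e.method != "CONNECT":
        return reasons
    port = connect_port(e.url)
    if port not in ALLOWED_CONNECT_PORTS:
        reasons.append(f"CONNECT to non-HTTPS port {port}")
    if e.elapsed_ms > LONG_TUNNEL_MS:
        reasons.append(f"tunnel open {e.elapsed_ms // 60000} min")
    if e.size > BULK_TUNNEL_BYTES:
        reasons.append(f"{e.size // (1024 * 1024)} MiB through tunnel")
    return reasons


def scan(lines) -> List[Tuple[str, str, List[str]]]:
    """Run the heuristics over log lines; yield (client, target, reasons)."""
    findings = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        reasons = flag_reasons(e)
        if reasons:
            findings.append((e.client, e.url, reasons))
    return findings


# Constructed sample log lines (not from a real proxy).
SAMPLE_LOG = [
    "1197662000.123 350 10.1.2.3 TCP_MISS/200 4820 CONNECT mail.example.com:443 - DIRECT/192.0.2.10 -",
    "1197662010.456 2700000 10.1.2.4 TCP_MISS/200 157286400 CONNECT tunnel.example.net:443 - DIRECT/192.0.2.20 -",
    "1197662020.789 1200 10.1.2.5 TCP_MISS/200 3000 CONNECT relay.example.org:8080 - DIRECT/192.0.2.30 -",
    "1197662030.000 80 10.1.2.3 TCP_HIT/200 1500 GET http://www.example.com/ - NONE/- text/html",
    "garbage",
]

if __name__ == "__main__":
    for client, target, reasons in scan(SAMPLE_LOG):
        print(f"{client} -> {target}: {'; '.join(reasons)}")
```

The first and fourth lines pass as ordinary browsing; the second is flagged twice (45 minutes and 150 MiB over one CONNECT to 443) and the third once (CONNECT to 8080). Feeding the real access.log through `scan` and aggregating per client gives a short list to investigate or to rate-limit, without having to inspect the encrypted payload.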

