Pantek Library

Re: large campus network ... suggestions

From: Pierre Chifflier <p.chifflier(at)inl.fr>
Date: Fri Dec 14 2007 - 15:21:17 EST


On Fri, Dec 14, 2007 at 09:57:21PM +0200, Tirla Adrian wrote:
> Hello Willi,
>
> On Dec 14, 2007 6:11 PM, Willi Mann <willi@wm1.at> wrote:
> >
> > > I'm interested in a better authentication method than registering all
> > > the MACs+IPs of all my users (which after all is just dust in the wind
> > > ...) using my current hardware (16 servers, 1 for at least 250
> > > clients). I was thinking about ppp based authentication but it doesn't
> > > look very scalable and secure ... am I wrong ?
> >
> > openvpn might be an easier solution.
> >
>
> I was also thinking of openvpn ... but I believe it is going to kill the
> CPUs of all my servers (at least 250 users per server) ... and if
> openvpn (never tried to actually use it) creates, like all ppp daemons, a
> pppx tunnel which is encrypted ... my firewall is going to be a mess
> ... rules for all tunnels ? ... or ... am I missing something ?
>
> Have you ever used openvpn with more than 200 clients/tunnels on the
> same machine ? If you did, can you tell me what kind of hardware you
> possess ?
>

[disclaimer: I work for INL, the company developing NuFW]

802.1x won't help (spoofable, and hard to deploy), nor will openvpn (which would kill your server).

You might want to have a look at NuFW [1], an authenticating firewall. It is based on a client installed on workstations, to authenticate connections. Unlike methods based on ip, mac address or whatever, it does not make an association ip == user, so it can even differentiate users on the same workstation, and apply different rules. You can find a technical description [2], and a schema [3]. All packets can be logged with user information in a database.

NuFW is free (both as in free beer and as in free speech), except for the Windows client. The other clients and tools for administration, NuFace [4] and NuLog [5], are also free and open source.

Regards,
Pierre

[1] http://www.nufw.org/
[2] http://www.nufw.org/Introduction,1.html
[3] http://www.nufw.org/Principles.html
[4] http://software.inl.fr/trac/trac.cgi/wiki/EdenWall/NuFace2
[5] http://software.inl.fr/trac/trac.cgi/wiki/EdenWall/NuLog2
Received on Fri Dec 14 15:40:29 2007

This archive was generated by hypermail 2.1.8 : Wed Mar 19 2008 - 06:54:33 EDT

