[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: large campus network ... sugestions

Hello Adrian,

I do not consider myself an expert, so maybe I shouldn't be replying to the whole list, but maybe my little knowledge can be completed by someone else.

Maybe you could authenticate users through the proxy against an LDAP with user and password or even through certificates with a RADIUS server.

When limiting access to only certain protocols, if the users have the interest it's very probable that they will start tunneling (which is what seems to be happening already) by using the means you talk about or, if they can install software on the computers, tunneling SSH by using Corkscrew.  Once SSH is tunneled, almost anything can be tunneled through SSH.

Maybe others can shed some more light on this, or even propose more adequate ideas and/or solutions.

Best regards,

Jonas Andradas

On Dec 14, 2007 12:04 PM, Tirla Adrian < tirlaadi@gmail.com> wrote:

I`m currently one of the network administrators of a 3000+ students
and i have some issues maintaining security, authentication ... and
quality of service ...

Currently we're having 16 buildings each with its own network server
which does proxy caching (due to limited Internet Bandwidth) and NAT
for other services. Our network bandwidth is 20 Mbit (up to 150 Mbit
shared with the University), so the ISP suggested (actually demanded)
to allow only access to some services like http, https, smtp, pop3 and
to limit all others. Due to some network attacks it is required to
have network authentication which currently is made via MAC+IP (which
to me it looks very unhealthy due to spoofs). Each building has an
Ethernet network with unmanaged switches directly connected to 1

I'm interested in a better authentication method than registering all
the MACs+IPs of all my users (which after all is just dust in the wind
...) using my current hardware (16 servers, 1 for at least 250
clients). I was thinking about ppp based authentication but it doesn't
look very scalable and secure ... am I wrong ?

Also due to the fact that my ISP doesn't agree with opening all ports
and traffic shaping due to possible attacks, most of my clients are
using tunneling methods like "your freedom" and "surf no limit", which
currently produce a high CPU usage on all the servers due to the
CONNECT method in the Squid Proxy Cache. Currently i just drop/traffic
shape the tunneled P2P traffic via ipp2p/l7-filter module of iptables.
I still believe that opening all ports and traffic shape them would be
the only solution ... but this would impose a high network security
... so i`m back to point 1 ... suggestions ?!

Adrian TIRLA

ps: this mail is forwarded also on debian-isp@lists.debian.org

To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: