On Dec 14, 2007 5:19 PM, Tirla Adrian <
tirlaadi@gmail.com> wrote:
hello Andradas,
On Dec 14, 2007 1:31 PM, Jonas Andradas <
j.andradas@gmail.com> wrote:
> Hello Adrian,
>
> I do not consider myself an expert, so maybe I shouldn't be replying to the
> whole list, but maybe my little knowledge can be completed by someone else.
>
>
> Maybe you could authenticate users through the proxy against an LDAP with
> user and password or even through certificates with a RADIUS server.
>
ok ... i`ll google it ...
if you have some tutorials that can keep me away from head aches i
would appreciate it also. Sorry if I'm asking but i want to know if
you have implemented such type of authentication on a small/medium
network because i'm interested also in any kind of down side of such a
system. Any change in the current authentication method is a little
bit bothering because the Internet is AIR for the students ... .
I currently have no tutorials on this particular implementation, but you can find it easily searching google (see reference URL [1] below). I am using this implementation currently in a fairly medium to large organization, and it works like a charm. Our squid uses authentication against an LDAP with user and password. We are not using certificates via a RADIUS server. The main concern in using this approach is if your users have access to network hubs, they can tamper with the switches, or a non-encrypted wireless network is deployed and used by the students, because if any of this situations is there, some malicious user could sniff network traffic and obtain usernames and passwords easily.
I also have to consider the fact that not all the students are experts
and know how to configure their internet connection and browsers so
IP+MAC+Static ARP+DHCP appeared as a great idea at a certain time.
The only thing they have to configure is a usename and password to access the Squid proxy. For protocols different than HTTP, though, you would need other proxies or another approach.
Another approach, if you can set it up (depends on your infrastructure, your willingness, your users, etc.), as Willi Mann points out, is to create VPNs between your users and the gateway servers. Thus, if the connection does *not* come through a valid VPN tunnel, you can deny it, and if it does (the user is a valid user) you can allow it. If it's HTTP, you can run it through a caching proxy transparently. The main drawback to this is that it is harder to implement and that you might find users that have hard time to configure their connection (or maybe even that they cannot do it) depending on their devices and operating system, and that the machine acting as the VPN terminator could be heavily loaded if it's not powerful enough to handle that many simultaneous VPN sessions.
OpenVPN [2] is a good option, is cross-platform, very robust, and not too hard to configure. Plus (for your users) there is even a GUI client [3] for Windows users and a client (not free of bugs yet) for PocketPC [4].
>
> When limiting access to only certain protocols, if the users have the
> interest it's very probable that they will start tunneling (which is what
> seems to be happening already) by using the means you talk about or, if they
> can install software on the computers, tunneling SSH by using Corkscrew.
> Once SSH is tunneled, almost anything can be tunneled through SSH.
>
Limiting access wasn't my idea to start. It was suggested (demanded
... my version) by my ISP. Yea ... i keep on learning new types of
tunneling day by day ... . I have nothing against it but it kills the
CPU and it creates latency and the "good" users complain. I can't
disconnect/drop the "malefic" users due to the policy of the
University.
>
> Maybe others can shed some more light on this, or even propose more adequate
> ideas and/or solutions.
>
> Best regards,
>
> Jonas Andradas
I just want to mention that my "dream" is to leave all ports open and
traffic shape all non http traffic. For this i need a better
authentication method to identify all users, due to possible attacks,
illegal downloads via P2P, etc.
I'll look into your suggestion. If you have some tutorials or links as
i mentioned above feel free to share :">.
Thank you for your time.
If you manage to "proxize" every single protocol you want to allow, or have some way to only allow access to internet to authenticated users (VPN, RADIUS, etc), you could leave those ports open.
Adrian TIRLA
ps: I reply in private because all the messages till now I've received
them in private. Don`t ask my why because I'm new to the mailing
lists.