
Re: large campus network ... suggestions



For Layer-7 filtering, you could check

Application Layer Packet Classifier for Linux:
http://l7-filter.sourceforge.net/

Kernel Iptables Layer 7:  http://l7-filter.sourceforge.net/HOWTO-kernel

Best regards,

Jonas Andradas.


On Dec 14, 2007 6:53 PM, Roman Medina-Heigl Hernandez <roman@rs-labs.com> wrote:
> Willi Mann wrote:
>
> >> I'm interested in a better authentication method than registering all
> >> the MACs+IPs of all my users (which after all is just dust in the wind
> >> ...) using my current hardware (16 servers, 1 for at least 250
> >> clients). I was thinking about PPP-based authentication but it doesn't
> >> look very scalable and secure ... am I wrong?
> >
> > openvpn might be an easier solution.
> >
> >> Also due to the fact that my ISP doesn't agree with opening all ports
> >> and traffic shaping due to possible attacks, most of my clients are
> >> using tunneling methods like "your freedom" and "surf no limit", which
> >> currently produce a high CPU usage on all the servers due to the
> >> CONNECT method in the Squid Proxy Cache. Currently I just drop/traffic-
> >> shape the tunneled P2P traffic via the ipp2p/l7-filter module of iptables.
> >> I still believe that opening all ports and traffic-shaping them would be
> >> the only solution ... but this would impose a high network security
> >> ... so I'm back to point 1 ... suggestions?!
> >
> > Does that mean that you allow CONNECTs to all ports?
>
> If you want to permit HTTPS, you have to allow CONNECT to (at least)
> 443/tcp. So it's easy to tunnel through that port and get a "clean"
> internet connection.
>
> I don't know of any solution (level 7 filtering, etc.) able to defeat this
> kind of trick.
>
> --
>
> Saludos,
> -Roman
>
> PGP Fingerprint:
> 09BB EFCD 21ED 4E79 25FB  29E1 E47F 8A7D EAD5 6742
> [Key ID: 0xEAD56742. Available at KeyServ]
>
>
>
>
>
> --
> To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>
>
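
An added example, not code from this thread or from the l7-filter project: the Python below sketches how l7-filter-style classification works (regexes run against the first couple of kilobytes of a flow, independent of port) and then shows the limit Roman points out. The same BitTorrent handshake is classified correctly when seen in the clear, but once the client wraps it in TLS through a CONNECT to port 443 (which a Squid ACL in the style of `http_access deny CONNECT !SSL_ports` has to permit), the filter only ever sees a ClientHello and opaque records. The patterns, the 2048-byte limit, the sample payloads and the `connect_allowed` check are all constructed for illustration and are assumptions, not l7-filter's or Squid's own code.

```python
import re

# l7-filter stops inspecting a connection after a fixed amount of payload;
# the limit here is a constructed value for this example.
MAX_BYTES = 2048

# Constructed patterns written in the spirit of l7-filter's protocol files
# (hypothetical: not copied from the project). Matched against raw payload
# bytes, case-insensitively, without regard to direction.
PATTERNS = {
    "bittorrent": re.compile(rb"^\x13bittorrent protocol", re.I),
    "http": re.compile(rb"^(get|post|head) [^ \r\n]+ http/1\.[01]\r\n", re.I),
    # TLS record header: type 0x16 (handshake), version 3.x, 2-byte length,
    # then handshake type 0x01 (ClientHello).
    "ssl": re.compile(rb"^\x16\x03[\x00-\x03]..\x01", re.S),
}


class Connection:
    """Buffers the start of one flow and classifies it at most once."""

    def __init__(self):
        self.buf = b""
        self.proto = None  # None until a verdict is reached

    def feed(self, payload: bytes) -> str:
        if self.proto is None:
            self.buf = (self.buf + payload)[:MAX_BYTES]
            for name, rx in PATTERNS.items():
                if rx.search(self.buf):
                    self.proto = name
                    break
            else:
                if len(self.buf) >= MAX_BYTES:
                    self.proto = "unknown"  # give up, as l7-filter does
        return self.proto or "unclassified"


def classify(payload: bytes) -> str:
    """Classify a whole flow given its leading bytes."""
    return Connection().feed(payload)


# The usual Squid rule "http_access deny CONNECT !SSL_ports", expressed directly.
SSL_PORTS = {443}


def connect_allowed(request_line: bytes) -> bool:
    """Permit CONNECT only to the port(s) HTTPS legitimately needs."""
    m = re.match(rb"^CONNECT [^\s:]+:(\d+) HTTP/1\.[01]\b", request_line)
    return bool(m) and int(m.group(1)) in SSL_PORTS


# --- constructed sample traffic -------------------------------------------

BT_HANDSHAKE = b"\x13BitTorrent protocol" + bytes(8) + b"H" * 20 + b"P" * 20
HTTP_GET = b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n"


def tls_client_hello() -> bytes:
    """A minimal, constructed TLS 1.0 ClientHello record (not a real handshake)."""
    body = b"\x03\x01" + bytes(32) + b"\x00"  # version, random, empty session id
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs


def wire_bytes_via_connect(inner: bytes) -> bytes:
    """What a filter on the proxy-to-server leg sees after CONNECT host:443.

    Stand-in for encryption: the tunnelled bytes are never exposed, only a
    ClientHello followed by an opaque application-data record of equal size.
    """
    record = b"\x17\x03\x01" + len(inner).to_bytes(2, "big") + bytes(len(inner))
    return tls_client_hello() + record


if __name__ == "__main__":
    print("direct  :", classify(BT_HANDSHAKE))
    print("tunneled:", classify(wire_bytes_via_connect(BT_HANDSHAKE)))
    print("CONNECT :443 allowed :", connect_allowed(b"CONNECT peer.example.net:443 HTTP/1.1\r\n"))
    print("CONNECT :6881 allowed:", connect_allowed(b"CONNECT peer.example.net:6881 HTTP/1.1\r\n"))
```

The port check does its job (CONNECT to 6881 is refused), yet the tunnelled flow is classified as plain "ssl" because everything the filter can match on is inside the encrypted records. That is the reason layer-7 matching cannot tell a "your freedom"-style tunnel on 443 apart from an ordinary HTTPS session by payload alone.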
