Fwd: large campus network ... suggestions


On Dec 14, 2007 1:31 PM, Frederik Kriewitz <kontakt@kriewitz.eu> wrote:
> Certificate based authentication (clients have to reauth every few
> minutes, could be done via browser, automatic refresh...) or use
> certificate based VPN authentication.

Sounds very interesting. Sorry if I'm asking this, but I want to know
if you have implemented such a system anywhere, because a major change in
authentication, even on a server, gets me a lot of trouble due to the
"air" which is the internet for some students... If you did so, can
you tell me the overhead on the server usage (CPU, memory, network
load)?

If you know a good tutorial it would be handy. I'll google it.
Appreciate it. Thanks

My "dream" is to authenticate any user independent of browser, OS (or
any other specific application). It has to be spoof-free because I
want to open all ports, transparent proxy, and traffic shape all non-HTTP
("dream"). Freedom to the world ... they should be happy ... but
I want also responsibility ... if you did something illegal ... it is
your problem.

I must also take into consideration the fact that not all users know
how to configure their browser and internet connection. That's why
MAC+IP, static ARP, and DHCP were a great idea at the beginning.

> Does the proxy allow all ports (using CONNECT)???
> That's a stupid idea, you just should allow the required ports to be
> used (probably just HTTP(S)).
> That probably should stop most of your students directly tunneling
> traffic through the proxy.

CONNECT is allowed only for 443 TCP, https.

> If they want to tunnel non HTTP(S) traffic through the proxy they'll
> have to use separate endpoint server (establish a tunnel (using the
> proxy) to a dedicated server listening on the HTTPS Port).

Most of the time they tunnel into their corporate networks (where they work).

> AFAIK there is no free service offering this feature. If the remaining
> students who are able to tunnel traffic through the proxy are still a
> problem, just monitor the traffic/connection duration to all
> destination IPs/ports; shouldn't be too hard to find the tunnel endpoint
> servers and block them manually ;)

I never said that they don't pay for accounts. They do! I even had some
complaints that they are using paid services and they can't access
them ... can you believe that? I keep dropping servers from
your-freedom.net but they keep on changing them; also there is
surfnolimit bothering me... The IPP2P module for iptables works really
great ... I can see my proxy connecting to BitTorrent trackers on port
80. I did some ACL regex to prevent that ... and an iptables drop on
proxy connections if they happen anyway.


Thank you.
I'll look into it and see how it works out for me.

Adrian TIRLA
PS: if you have some links that can keep me away from headaches, I'd
appreciate it.
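As an added example, not taken from the thread or from either poster's setup, here is a Squid squid.conf fragment enforcing the two controls Adrian describes: CONNECT tunnels restricted to TCP 443, and a url_regex ACL denying BitTorrent tracker announce/scrape requests that clients try to push through the proxy on port 80. The ACL names, the client subnet and the tracker regex are assumptions chosen for illustration; the directives themselves (acl port/method/src/url_regex, http_access) are standard Squid syntax.

```conf
# Added example: Squid ACLs limiting CONNECT to 443 and blocking tracker URLs.
# ACL names, the 10.0.0.0/8 campus range and the regex are assumptions.

# Campus clients allowed to use the proxy (assumed range).
acl localnet src 10.0.0.0/8

# Ports a plain GET/POST may go to, and the single port CONNECT may tunnel to.
acl Safe_ports port 80
acl Safe_ports port 443
acl SSL_ports port 443
acl CONNECT method CONNECT

# BitTorrent tracker traffic over HTTP: "/announce?info_hash=..." or
# "/scrape?...". url_regex is matched against the full request URL, so this
# only fires for proxied HTTP requests, not for CONNECT host:port lines.
acl bt_tracker url_regex -i ^http://[^/]+(:[0-9]+)?/(announce|scrape)(\?|/|$)
acl bt_tracker url_regex -i [?&]info_hash=

# Weak ordering that lets CONNECT reach any destination port (do not use):
#   http_access allow CONNECT
#   http_access allow localnet
#
# Corrected ordering: deny rules come first, then the allow for campus hosts,
# then an explicit deny for everything else. Order matters; Squid stops at the
# first http_access line that matches.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny bt_tracker
http_access allow localnet
http_access deny all
```

After editing, run `squid -k parse` to check the syntax and `squid -k reconfigure` to load it; a request such as `CONNECT tracker.example:6969 HTTP/1.0` is then refused by the `deny CONNECT !SSL_ports` line, while a `GET http://tracker.example/announce?info_hash=...` is caught by `bt_tracker`. The regex is a coarse filter: a tracker that serves on a non-standard path slips past it, which is why the separate IPP2P/iptables drop on the proxy's outbound connections is still worth keeping.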

