large campus network ... suggestions

Hello Willi,

On Dec 14, 2007 6:11 PM, Willi Mann <willi@wm1.at> wrote:
> > I'm interested in a better authentication method than registering all
> > the MACs+IPs of all my users (which after all is just dust in the wind
> > ...) using my current hardware (16 servers, 1 for at least 250
> > clients). I was thinking about ppp based authentication but it doesn't
> > look very scalable and secure ... am I wrong ?
> openvpn might be an easier solution.

I was also thinking about openvpn ... but I believe it is going to kill the
CPUs of all my servers (at least 250 users per server) ... and if
openvpn (I have never actually used it) creates, like all ppp daemons, a
pppX tunnel which is encrypted ... my firewall is going to be a mess
... rules for all tunnels ? ... or ... am I missing something ?

Have you ever used openvpn with more than 200 clients/tunnels on the
same machine ? If you did, can you tell me what kind of hardware you
had ?

> > Also due to the fact that my ISP doesn't agree with opening all ports
> > and traffic shaping due to possible attacks, most of my clients are
> > using tunneling methods like "your freedom" and "surf no limit", which
> > currently produce a high CPU usage on all the servers due to the
> > CONNECT method in the Squid Proxy Cache. Currently i just drop/traffic
> > shape the tunneled P2P traffic via ipp2p/l7-filter module of iptables.
> > I still believe that opening all ports and traffic shape them would be
> > the only solution ... but this would impose a high network security
> > ... so I'm back to point 1 ... suggestions ?!
> Does that mean that you allow CONNECTs to all ports?

No, the CONNECT method is allowed only for HTTPS, 443 TCP ... but they use
it for other things anyway ....

Thank you.
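The situation described in this message, clients running generic tunnelling tools through a Squid CONNECT that is only permitted to port 443, leaves a trace in the proxy's own access log: a browsing HTTPS session is short and small, while a tunnel is a single CONNECT that stays open for hours and moves hundreds of megabytes. The following is an added example, not code from the thread or from Squid, that parses Squid's native access.log format and flags clients whose CONNECT sessions look like tunnels. The sample log lines and the thresholds (`MIN_TUNNEL_BYTES`, `MIN_TUNNEL_MS`) are constructed assumptions for illustration.

```python
"""Flag proxy clients whose CONNECT usage looks like generic tunnelling.

Added example for the thread above; not the list's or Squid's own code.
It reads Squid's native access.log format, whose whitespace-separated
fields are: time elapsed-ms client code/status bytes method url ident
hierarchy/peer content-type.
"""
import re
from collections import defaultdict

# One native-format Squid access.log line.
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>\S+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+"
    r"(?P<ident>\S+)\s+(?P<peer>\S+)\s+(?P<type>\S+)$"
)

# Thresholds are assumptions: a single CONNECT that lasts more than an
# hour or moves more than 100 MB is not ordinary HTTPS browsing.
MIN_TUNNEL_MS = 60 * 60 * 1000
MIN_TUNNEL_BYTES = 100 * 1024 * 1024

# Constructed sample log: 10.0.1.10 browses normally, 10.0.1.77 keeps a
# long, heavy CONNECT open to one host (tunnel-like), 10.0.1.20 is
# denied a CONNECT to a non-443 port.
SAMPLE_LOG = """\
1197648001.100     320 10.0.1.10 TCP_MISS/200 48213 CONNECT mail.example.com:443 - DIRECT/192.0.2.10 -
1197648002.200     210 10.0.1.10 TCP_MISS/200 13990 GET http://www.example.com/ - DIRECT/192.0.2.11 text/html
1197648003.300 3600000 10.0.1.77 TCP_MISS/200 512345678 CONNECT 198.51.100.5:443 - DIRECT/198.51.100.5 -
1197648004.400 2400000 10.0.1.77 TCP_MISS/200 387654321 CONNECT 198.51.100.5:443 - DIRECT/198.51.100.5 -
1197648005.500      90 10.0.1.20 TCP_DENIED/403 1750 CONNECT 203.0.113.9:8080 - NONE/- text/html
"""


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["elapsed"] = int(rec["elapsed"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def summarize_connect(log_text):
    """Aggregate CONNECT activity per client address."""
    stats = defaultdict(lambda: {
        "connect_count": 0, "connect_bytes": 0,
        "max_elapsed_ms": 0, "denied": 0,
    })
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        s = stats[rec["client"]]
        if rec["code"].startswith("TCP_DENIED"):
            s["denied"] += 1          # CONNECT to a port the ACL rejects
            continue
        s["connect_count"] += 1
        s["connect_bytes"] += rec["bytes"]
        s["max_elapsed_ms"] = max(s["max_elapsed_ms"], rec["elapsed"])
    return dict(stats)


def flag_tunnelers(stats, min_ms=MIN_TUNNEL_MS, min_bytes=MIN_TUNNEL_BYTES):
    """Clients with at least one CONNECT that is too long or too heavy."""
    return sorted(
        client for client, s in stats.items()
        if s["max_elapsed_ms"] >= min_ms or s["connect_bytes"] >= min_bytes
    )


if __name__ == "__main__":
    st = summarize_connect(SAMPLE_LOG)
    for client in flag_tunnelers(st):
        print(client, st[client])
```

Running this against a real access.log means reading the file instead of `SAMPLE_LOG`; the per-client summary also records denied CONNECTs, which show up when a client tries ports other than 443 and is stopped by the ACL the message describes.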