Re: large campus network ... sugestions

To: debian-security@lists.debian.org
Subject: Re: large campus network ... sugestions
From: "Tirla Adrian" <tirlaadi@gmail.com>
Date: Fri, 14 Dec 2007 21:59:04 +0200
Message-id: <[🔎] 446399850712141159y72b284b8uf711125cc5d88fc0@mail.gmail.com>
In-reply-to: <446399850712141142w52362453see40667cf246ba3f@mail.gmail.com>
References: <446399850712140157j7e237ec7l343598574614b3df@mail.gmail.com> <[🔎] 446399850712140304k1ef38b17t30737d62b1ec169b@mail.gmail.com> <[🔎] 4762AB37.1030104@wm1.at> <[🔎] 4762C302.7080200@rs-labs.com> <446399850712141142w52362453see40667cf246ba3f@mail.gmail.com>

Hello Hernandez,

Yep ... currently I'm using L7 Filter Module ... it really works nice
... but I want to leave all ports open independently of the type of
traffic. For this as I mentioned I need a better authentication
method.

And replay to every thread of this discussion .... changing more than
150 switches of 24 ports to switches with management that know 802.1x
is not an option ... . This was mainly the ISP solution.

Thanks.
Adrian TIRLA

On Dec 14, 2007 7:53 PM, Roman Medina-Heigl Hernandez <roman@rs-labs.com> wrote:

> Willi Mann escribió:
>
> >> I'm interested in a better authentication method than registering all
> >> the MACs+IPs of all my users (which after all is just dust in the wind
> >> ...) using my current hardware (16 servers, 1 for at least 250
> >> clients). I was thinking about ppp based authentication but it doesn't
> >> look very scalable and secure ... am I wrong ?
> >
> > openvpn might be an easier solution.
> >
> >> Also due to the fact that my ISP doesn't agree with opening all ports
> >> and traffic shaping due to possible attacks, most of my clients are
> >> using tunneling methods like "your freedom" and "surf no limit", which
> >> currently produce a high CPU usage on all the servers due to the
> >> CONNECT method in the Squid Proxy Cache. Currently i just drop/traffic
> >> shape the tunneled P2P traffic via ipp2p/l7-filter module of iptables.
> >> I still believe that opening all ports and traffic shape them would be
> >> the only solution ... but this would impose a high network security
> >> ... so i`m back to point 1 ... suggestions ?!
> >
> > Does that mean that you allow CONNECTs to all ports?
>
> If you want to permit HTTPS, you have to allow CONNECT to (at least)
> 443/tcp. So it's easy to tunnel through that port and get a "clean"
> internet connection.
>
> I don't know of any solution (level 7 filtering, etc) able to defeat this
> kind of tricks.
>
> --
>
> Saludos,
> -Roman
>
> PGP Fingerprint:
> 09BB EFCD 21ED 4E79 25FB  29E1 E47F 8A7D EAD5 6742
> [Key ID: 0xEAD56742. Available at KeyServ]
>
>
>
> --
> To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>
>

Reply to:

References:
- large campus network ... sugestions
  - From: "Tirla Adrian" <tirlaadi@gmail.com>
- Re: large campus network ... sugestions
  - From: Willi Mann <willi@wm1.at>
- Re: large campus network ... sugestions
  - From: Roman Medina-Heigl Hernandez <roman@rs-labs.com>

Prev by Date: large campus network ... sugestions
Next by Date: Re: large campus network ... sugestions
Previous by thread: Re: large campus network ... sugestions
Next by thread: large campus network ... sugestions
Index(es):
- Date
- Thread