Re: large campus network ... suggestions

On Fri, Dec 14, 2007 at 09:57:21PM +0200, Tirla Adrian wrote:
> Hello Willi,
> On Dec 14, 2007 6:11 PM, Willi Mann <willi@wm1.at> wrote:
> >
> > > I'm interested in a better authentication method than registering all
> > > the MACs+IPs of all my users (which after all is just dust in the wind
> > > ...) using my current hardware (16 servers, 1 for at least 250
> > > clients). I was thinking about ppp based authentication but it doesn't
> > > look very scalable and secure ... am I wrong ?
> >
> > openvpn might be an easier solution.
> >
> I was thinking also openvpn ... but I believe it is going to kill the
> CPUs of all my servers (at least 250 users per server) ... and if
> openvpn (never tried to actually use it) creates, like all ppp daemons, a
> pppx tunnel which is encrypted ... my firewall is going to be a mess
> ... rules for all tunnels ? ... or ... am I missing something ?
> have you ever used openvpn with more than 200 clients/tunnels on the
> same machine ? if you did can you tell me what kind of hardware you
> possessed ?

[disclaimer: I work for INL, the company developing NuFW]

802.1x won't help (spoofable, and hard to deploy), nor openvpn (which
would kill your server).

You might want to have a look at NuFW [1], an authenticating firewall.
It is based on a client installed on workstations, to authenticate
connections. Unlike methods based on ip, mac address or whatever, it
does not make an association ip == user, so it can even differentiate
users on the same workstation, and apply different rules.
You can find a technical description [2], and a schema [3].
All packets can be logged with user information in a database.

NuFW is free (both as in free beer and as in free speech), except for the
Windows client. The other clients and tools for administration, NuFace [4]
and NuLog [5], are also free and open source.


[1] http://www.nufw.org/
[2] http://www.nufw.org/Introduction,1.html
[3] http://www.nufw.org/Principles.html
[4] http://software.inl.fr/trac/trac.cgi/wiki/EdenWall/NuFace2
[5] http://software.inl.fr/trac/trac.cgi/wiki/EdenWall/NuLog2
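The distinction drawn above (a rule keyed on the authenticated user of each connection rather than on the source IP) is easiest to see in a toy model. The following Python is an added illustration for this thread, not NuFW's own code: the rule format, the hand-filled connection-to-user table standing in for the workstation client's authentication step, and the sample addresses and user names are all constructed for the example.

```python
"""Toy model: user-keyed per-connection policy versus IP-keyed policy.

Added illustration, not NuFW code. Rule format, names and sample data are
constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Conn:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Rule: (subject, dst_port, action). For IP-keyed policy the subject is a
# source IP; for user-keyed policy it is an authenticated user name.
# "*" matches any subject or any port. First match wins; no match is "deny".
Rule = Tuple[str, str, str]

IP_RULES: List[Rule] = [
    ("10.0.0.5", "22", "accept"),  # the shared workstation may use SSH
    ("10.0.0.5", "80", "accept"),  # ... and HTTP
]

USER_RULES: List[Rule] = [
    ("alice", "22", "accept"),  # only alice may use SSH
    ("*", "80", "accept"),      # any authenticated user may use HTTP
]


def first_match(rules: List[Rule], subject: str, dst_port: int) -> str:
    for rule_subject, rule_port, action in rules:
        if rule_subject in ("*", subject) and rule_port in ("*", str(dst_port)):
            return action
    return "deny"


def decide_by_ip(conn: Conn) -> str:
    """IP-keyed policy: everyone behind 10.0.0.5 gets the same answer."""
    return first_match(IP_RULES, conn.src_ip, conn.dst_port)


# (src_ip, src_port) -> user. In an authenticating firewall the workstation
# client authenticates each new connection; here the table is filled by hand.
AuthTable = Dict[Tuple[str, int], str]


def decide_by_user(conn: Conn, auth: AuthTable) -> Tuple[str, Optional[str]]:
    """User-keyed policy: the decision depends on who opened the connection."""
    user = auth.get((conn.src_ip, conn.src_port))
    if user is None:
        return "deny", None  # unauthenticated connection: default deny
    return first_match(USER_RULES, user, conn.dst_port), user


def log_record(conn: Conn, user: Optional[str], decision: str) -> str:
    """One log line carrying the user name, which an IP-keyed log cannot give."""
    return (f"user={user or '-'} src={conn.src_ip}:{conn.src_port} "
            f"dst={conn.dst_ip}:{conn.dst_port} decision={decision}")


# Constructed sample: alice and bob are both logged in on workstation 10.0.0.5.
AUTH: AuthTable = {
    ("10.0.0.5", 40001): "alice",
    ("10.0.0.5", 40002): "bob",
}
ALICE_SSH = Conn("10.0.0.5", 40001, "10.0.1.10", 22)
BOB_SSH = Conn("10.0.0.5", 40002, "10.0.1.10", 22)
UNKNOWN_WEB = Conn("10.0.0.5", 40003, "10.0.1.20", 80)  # never authenticated

if __name__ == "__main__":
    for c in (ALICE_SSH, BOB_SSH, UNKNOWN_WEB):
        decision, user = decide_by_user(c, AUTH)
        print(log_record(c, user, decision), "| ip-keyed:", decide_by_ip(c))
```

Running it shows the point of the thread: the IP-keyed policy accepts all three connections because they share a source address, while the user-keyed policy accepts alice's SSH session, denies bob's, and denies the connection nobody authenticated, and every log line names the user rather than only the host.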

