On Dec 14, 2007 12:04 PM, Tirla Adrian <
tirlaadi@gmail.com> wrote:
Hello,
I`m currently one of the network administrators of a 3000+ students
and i have some issues maintaining security, authentication ... and
quality of service ...
Currently we're having 16 buildings each with its own network server
which does proxy caching (due to limited Internet Bandwidth) and NAT
for other services. Our network bandwidth is 20 Mbit (up to 150 Mbit
shared with the University), so the ISP suggested (actually demanded)
to allow only access to some services like http, https, smtp, pop3 and
to limit all others. Due to some network attacks it is required to
have network authentication which currently is made via MAC+IP (which
to me it looks very unhealthy due to spoofs). Each building has an
Ethernet network with unmanaged switches directly connected to 1
server.
I'm interested in a better authentication method than registering all
the MACs+IPs of all my users (which after all is just dust in the wind
...) using my current hardware (16 servers, 1 for at least 250
clients). I was thinking about ppp based authentication but it doesn't
look very scalable and secure ... am I wrong ?
Also due to the fact that my ISP doesn't agree with opening all ports
and traffic shaping due to possible attacks, most of my clients are
using tunneling methods like "your freedom" and "surf no limit", which
currently produce a high CPU usage on all the servers due to the
CONNECT method in the Squid Proxy Cache. Currently i just drop/traffic
shape the tunneled P2P traffic via ipp2p/l7-filter module of iptables.
I still believe that opening all ports and traffic shape them would be
the only solution ... but this would impose a high network security
... so i`m back to point 1 ... suggestions ?!
Thanks,
Adrian TIRLA
ps: this mail is forwarded also on debian-isp@lists.debian.org
--
To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact
listmaster@lists.debian.org