
Re: large campus network ... suggestions




Tirla Adrian wrote:
> Hello,
> 
> I'm currently one of the network administrators of a 3000+ student
> campus network, and I have some issues maintaining security,
> authentication ... and quality of service ...
> 
> Currently we're having 16 buildings each with its own network server
> which does proxy caching (due to limited Internet Bandwidth) and NAT
> for other services. Our network bandwidth is 20 Mbit (up to 150 Mbit
> shared with the University), so the ISP suggested (actually demanded)
> to allow only access to some services like http, https, smtp, pop3 and
> to limit all others. Due to some network attacks it is required to
> have network authentication, which currently is done via MAC+IP (which
> to me looks very unhealthy due to spoofing). Each building has an
> Ethernet network with unmanaged switches directly connected to 1
> server.
> 
> I'm interested in a better authentication method than registering all
> the MACs+IPs of all my users (which after all is just dust in the wind
> ...) using my current hardware (16 servers, 1 for at least 250
> clients). I was thinking about ppp based authentication but it doesn't
> look very scalable and secure ... am I wrong ?
> 
> Also due to the fact that my ISP doesn't agree with opening all ports
> and traffic shaping due to possible attacks, most of my clients are
> using tunneling methods like "your freedom" and "surf no limit", which
> currently produce a high CPU usage on all the servers due to the
> CONNECT method in the Squid Proxy Cache. Currently I just drop/traffic
> shape the tunneled P2P traffic via the ipp2p/l7-filter module of iptables.
> I still believe that opening all ports and traffic shaping them would be
> the only solution ... but this would impose a high network security
> risk ... so I'm back to point 1 ... suggestions ?!

Don't know the exact specs, but consider using ldap/krb5/OpenAFS.
Maybe some VMWare images and and and...
It's a lot of stuff to be considered.


> Thanks,
> Adrian TIRLA
> 
> ps: this mail is forwarded also on debian-isp@lists.debian.org
> 
> 


MfG,
Lars Schimmer
--
-------------------------------------------------------------
TU Graz, Institut für ComputerGraphik & WissensVisualisierung
Tel: +43 316 873-5405       E-Mail: l.schimmer@cgv.tugraz.at
Fax: +43 316 873-5402       PGP-Key-ID: 0x4A9B1723

