Tirla Adrian wrote:
> Hello,
>
> I'm currently one of the network administrators of a 3000+ students
> and I have some issues maintaining security, authentication ... and
> quality of service ...
>
> Currently we're having 16 buildings each with its own network server
> which does proxy caching (due to limited Internet Bandwidth) and NAT
> for other services. Our network bandwidth is 20 Mbit (up to 150 Mbit
> shared with the University), so the ISP suggested (actually demanded)
> to allow only access to some services like http, https, smtp, pop3 and
> to limit all others. Due to some network attacks it is required to
> have network authentication which currently is made via MAC+IP (which
> to me looks very unhealthy due to spoofs). Each building has an
> Ethernet network with unmanaged switches directly connected to 1
> server.
>
> I'm interested in a better authentication method than registering all
> the MACs+IPs of all my users (which after all is just dust in the wind
> ...) using my current hardware (16 servers, 1 for at least 250
> clients). I was thinking about ppp based authentication but it doesn't
> look very scalable and secure ... am I wrong?
>
> Also due to the fact that my ISP doesn't agree with opening all ports
> and traffic shaping due to possible attacks, most of my clients are
> using tunneling methods like "your freedom" and "surf no limit", which
> currently produce a high CPU usage on all the servers due to the
> CONNECT method in the Squid Proxy Cache. Currently I just drop/traffic
> shape the tunneled P2P traffic via ipp2p/l7-filter module of iptables.
> I still believe that opening all ports and traffic shape them would be
> the only solution ... but this would impose a high network security
> ... so I'm back to point 1 ... suggestions?!

Don't know exact specs, but consider using ldap/krb5/OpenAFS.
Maybe some VMWare images and and and...
It's far a lot of stuff to be considered.

> Thanks,
> Adrian TIRLA
>
> ps: this mail is forwarded also on [EMAIL PROTECTED]

Kind regards,
Lars Schimmer
--
TU Graz, Institut für ComputerGraphik & WissensVisualisierung
Tel: +43 316 873-5405       E-Mail: [EMAIL PROTECTED]
Fax: +43 316 873-5402       PGP-Key-ID: 0x4A9B1723

