Hi,
 
 OK, here are our problems. Mostly pertaining to tracking down which user 
is eating up our bandwidth or which user is flooding our network.
 
 1. When users want to plug a machine into the network... let's say their 
own testbeds, they will choose whatever IP they want, possibly stealing 
IPs already in use. 
 
 2. Users' workstations are a mix of Windows and *nixes. Most Windows machines 
get infected with worms from time to time... Some of the users are not 
skillful enough to clean their own workstations. Given an unmanaged IP 
allocation, it would also be hard to trace which machines are causing the 
network congestion.
 
 3. Some users with public workstations and testbeds are eating up bandwidth 
through file sharing... Still hard to trace this without proper IP allocation 
management.
 
 Erik Nørgaard <[EMAIL PROTECTED]> wrote: 
I once set up such a solution in a student house with about 120 users. 
People had their own private pcs so we couldn't just take away their 
admin rights on their own pc.

Now, question to ask:

- Are all users legitimate users? Do users have friends coming in and 
connecting to the network? Is it wired, or do you have neighbors trying to 
use the net as well?

- What is the benefit of stealing another user's IP? Do you have 
limitations on access such as download quotas? Is it to hide behind another user?

In our case we had a wired network, so all users were legitimate users, 
but we had a limitation on download, so some users would try to use their 
neighbor's IP to get more quota.

What we did was:

1) Static IP assigned with DHCP - people wouldn't need to learn to 
configure their computer.

2) Static ARP table on the router; to spoof, one would have to spoof the 
MAC address.

3) Require registration of all hosts owned by the user: To hold users 
accountable for their hosts.

4) Count traffic per host, up- and download; this was done with ipfilter.

5) Make current usage visible; the users could always check their quota 
and knew when they hit the limit. That way they didn't get surprised and 
annoyed.

This actually worked fine. It was sufficiently complicated to spoof that 
people wouldn't bother.

A different and possibly better way around this would be to limit 
bandwidth for ports higher than 1023; this is where most file sharing 
takes place. You can do that with packet filter. I still haven't figured 
out how to effectively implement traffic quotas on packet filter, as 
accounting is not so easy.

If your concerns are people trying to hide behind others' identity, or 
unauthorized access such as if you have a wireless LAN, then there are 
two good options:

1) Use authpf with packet filter. This requires the user to authenticate 
with the firewall to get access. No proxy needed.

2) Let each client establish a VPN to the router; this has the 
advantage of also encrypting traffic if you have a wireless or 
non-switched network.

Cheers, Erik

-- 
Ph: +34.666334818                                  web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID:  9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9
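The first three steps in Erik's list (fixed addresses handed out by DHCP, a static ARP table on the router, and a registry of who owns which host) can be driven from one small host registry. The script below is an added example, not code from either poster: it assumes a hypothetical registry file with "hostname mac ip" lines, generates the `arp -S` commands and ISC dhcpd `host` blocks from it, and, as the detection side of the same idea, compares a captured `arp -an` listing against the registry so that an IP answering from an unregistered MAC (the "stealing used ip's" case in the original question) or an unregistered IP shows up by name. The registry, MACs and ARP output are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the thread). Registry format is an assumption:
# one host per line, "hostname mac ip", '#' starts a comment.
REGISTRY="$(cat <<'EOF'
# host        mac                ip
alice-pc      00:11:22:33:44:01  10.0.0.11
bob-laptop    00:11:22:33:44:02  10.0.0.12
lab-testbed   00:11:22:33:44:03  10.0.0.13
EOF
)"

# Constructed sample of what `arp -an` prints on FreeBSD. Line 2 shows
# 10.0.0.12 answering from a MAC other than the registered one; line 3 is
# an address nobody registered (a testbed that picked its own IP).
ARP_OBSERVED="$(cat <<'EOF'
? (10.0.0.11) at 00:11:22:33:44:01 on em0 permanent [ethernet]
? (10.0.0.12) at 00:11:22:33:44:99 on em0 expires in 1194 seconds [ethernet]
? (10.0.0.14) at 00:11:22:33:44:03 on em0 expires in 900 seconds [ethernet]
EOF
)"

# Step 2 of the list: one permanent ARP entry per registered host.
gen_static_arp() {
    printf '%s\n' "$REGISTRY" |
        awk '!/^#/ && NF == 3 { printf "arp -S %s %s\n", $3, $2 }'
}

# Step 1 of the list: fixed-address host blocks for ISC dhcpd.
gen_dhcpd_hosts() {
    printf '%s\n' "$REGISTRY" |
        awk '!/^#/ && NF == 3 {
            printf "host %s {\n  hardware ethernet %s;\n  fixed-address %s;\n}\n", $1, $2, $3
        }'
}

# Detection: compare observed ARP entries with the registry. Both inputs are
# tagged and fed through one awk so no temp files are needed.
#   MISMATCH     registered IP seen from a different MAC (possible IP theft)
#   UNREGISTERED IP present on the wire but absent from the registry
check_arp() {
    {
        printf '%s\n' "$REGISTRY" |
            awk '!/^#/ && NF == 3 { print "REG", $3, $2 }'
        printf '%s\n' "$ARP_OBSERVED" |
            awk '{ gsub(/[()]/, "", $2); print "OBS", $2, $4 }'
    } | awk '
        $1 == "REG" { reg[$2] = $3; next }
        $1 == "OBS" {
            if (!($2 in reg))
                printf "UNREGISTERED %s %s\n", $2, $3
            else if (reg[$2] != $3)
                printf "MISMATCH %s registered=%s seen=%s\n", $2, reg[$2], $3
        }'
}

# Stand-alone run: print the generated configuration, then the findings.
gen_static_arp
gen_dhcpd_hosts
check_arp
```

In practice `ARP_OBSERVED` would be replaced by `$(arp -an)` on the router and `check_arp` run from cron; the registry line that a MISMATCH or UNREGISTERED entry maps to is what turns "some host is flooding the network" into a named owner, which is the accountability step 3 asks for.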
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions