OK, here are our problems. Mostly pertaining to tracking down which user
is eating up our bandwidth or which user is flooding our network.
1. When users want to plug a machine into the network... let's say their
own testbeds, they will choose whatever IP they want, possibly stealing used
2. Users' workstations are mixed Windows and *nixes. Most Windows machines are
getting infected with worms from time to time... Some of them are not
skillful enough to clean their own workstations. Given an unmanaged IP
allocation, it would also be hard to trace which machines are causing the
3. Some users with public workstations and testbeds are eating up bandwidth
through file sharing... Still hard to trace this without proper IP allocation.
Erik Nørgaard <[EMAIL PROTECTED]> wrote:
I once set up such a solution in a student house with about 120 users.
People had their own private PCs, so we couldn't just take away their
admin rights on their own PCs.
Now, questions to ask:
- Are all users legitimate users? Do users have friends coming in and
connecting to the network? Is it wired, or do you have neighbors trying to
use the net also?
- What is the benefit of stealing another user's IP? Do you have
limitations on access such as download? Is it to hide behind another user?
In our case we had a wired network, so all users were legitimate users,
but we had a limitation on download, so some users would try to use their
neighbors' IPs to get more quota.
What we did was:
1) Static IP assigned with DHCP - people wouldn't need to learn to
configure their computer.
2) Static ARP table on the router; to spoof, one would have to spoof
3) Require registration of all hosts owned by the user: To hold users
accountable for their hosts.
4) Count traffic per host, up and download; this was done with ipfilter.
5) Make current usage visible: the users could always check their quota
and knew when they hit the limit. That way they didn't get surprises and
This actually worked fine. It was sufficiently complicated to spoof that
people wouldn't bother.
A different and possibly better way around this would be to limit
bandwidth for ports higher than 1023, which is where most file sharing
takes place. You can do that with packet filter; I still haven't figured
out how to effectively implement traffic quotas on packet filter, as
accounting is not so easy.
If your concerns are people trying to hide behind others' identity, or
unauthorized access such as if you have a wireless LAN, then there are
two good options:
1) Use authpf with packet filter. This requires the user to authenticate
with the firewall to get access. No proxy needed.
2) Let each client establish a VPN to the router; this has the
advantage of also encrypting traffic if you have a wireless or
Ph: +34.666334818 web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID: 9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
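The setup Erik lists (fixed leases, static ARP, host registration, per-host counting) and the high-port throttling he mentions, as one added example that is not code from the thread or from either poster. It assumes ISC dhcpd, BSD arp(8) and pf(4) with altq; the interface names em0/em1, the 10Mb uplink figure and the registration table are invented for the example, and the accounting uses pf rule labels in place of the ipfilter counting Erik actually used.

```shell
#!/bin/sh
# Added example, not code from the thread: build the per-host parts of the
# setup Erik describes from one host registration table.
# Assumptions (all made up for the example): ISC dhcpd, BSD arp(8), pf(4)
# with altq, interface names em0/em1, a 10Mb uplink and the table below.

EXT_IF=em0          # assumed uplink interface
INT_IF=em1          # assumed LAN-facing interface
LAN=10.0.0.0/24     # assumed LAN prefix

# Constructed registration table: owner hostname mac ip (one host per line)
REGISTRY='alice ws-alice 00:11:22:33:44:55 10.0.0.11
alice tb-alice 00:11:22:33:44:56 10.0.0.12
bob   ws-bob   00:11:22:33:44:57 10.0.0.13'

# Step 3: refuse a table in which two hosts share a MAC or an IP; that
# clash is exactly what registration is supposed to rule out.
check_registry() {
    for col in 3 4; do
        dup=$(printf '%s\n' "$1" | awk -v c="$col" '{ print $c }' | sort | uniq -d)
        if [ -n "$dup" ]; then
            echo "registry: duplicate entry $dup" >&2
            return 1
        fi
    done
    return 0
}

# Step 1: a fixed DHCP lease per registered MAC, so users never configure
# an address by hand (dhcpd.conf host blocks).
gen_dhcpd() {
    printf '%s\n' "$1" | awk '{
        printf "host %s {\n", $2
        printf "    hardware ethernet %s;\n", $3
        printf "    fixed-address %s;\n}\n", $4
    }'
}

# Step 2: permanent ARP entries on the router. A host that merely picks a
# neighbour's IP is then not routed; the neighbour's MAC would have to be
# forged as well.
gen_arp() {
    printf '%s\n' "$1" | awk '{ printf "arp -s %s %s\n", $4, $3 }'
}

# Steps 4 and 5, pf variant. Erik counted with ipfilter; pf can do the
# same with rule labels: one labelled pass rule per host on the LAN side,
# and `pfctl -s labels` reports its in and out bytes separately, which for
# a rule on the LAN interface means upload and download for that host.
# The altq part is the "throttle ports above 1023" idea from the reply.
gen_pf() {
    cat <<EOF
altq on $EXT_IF cbq bandwidth 10Mb queue { std, highport }
queue std bandwidth 80% cbq(default)
queue highport bandwidth 20%
pass out on $EXT_IF proto { tcp, udp } from $LAN to any port > 1023 queue highport
EOF
    printf '%s\n' "$1" | awk -v ifc="$INT_IF" \
        '{ printf "pass in on %s from %s to any label \"%s\"\n", ifc, $4, $2 }'
}

# Stand-alone use: `sh thisfile run` validates the table, then prints the
# dhcpd.conf fragment, the arp commands and the pf.conf fragment.
if [ "${1:-}" = "run" ]; then
    check_registry "$REGISTRY" || exit 1
    gen_dhcpd "$REGISTRY"; gen_arp "$REGISTRY"; gen_pf "$REGISTRY"
fi
```

The pf label counters live in the kernel rule set and are zeroed whenever the rules are reloaded, so a quota page built on them has to poll `pfctl -s labels` and accumulate the figures itself rather than read them once at the end of the month.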