Hello, I`m currently one of the network administrators of a 3000+ students and i have some issues maintaining security, authentication ... and quality of service ...
Currently we're having 16 buildings each with its own network server which does proxy caching (due to limited Internet Bandwidth) and NAT for other services. Our network bandwidth is 20 Mbit (up to 150 Mbit shared with the University), so the ISP suggested (actually demanded) to allow only access to some services like http, https, smtp, pop3 and to limit all others. Due to some network attacks it is required to have network authentication which currently is made via MAC+IP (which to me it looks very unhealthy due to spoofs). Each building has an Ethernet network with unmanaged switches directly connected to 1 server. I'm interested in a better authentication method than registering all the MACs+IPs of all my users (which after all is just dust in the wind ...) using my current hardware (16 servers, 1 for at least 250 clients). I was thinking about ppp based authentication but it doesn't look very scalable and secure ... am I wrong ? Also due to the fact that my ISP doesn't agree with opening all ports and traffic shaping due to possible attacks, most of my clients are using tunneling methods like "your freedom" and "surf no limit", which currently produce a high CPU usage on all the servers due to the CONNECT method in the Squid Proxy Cache. Currently i just drop/traffic shape the tunneled P2P traffic via ipp2p/l7-filter module of iptables. I still believe that opening all ports and traffic shape them would be the only solution ... but this would impose a high network security ... so i`m back to point 1 ... suggestions ?! Thanks, Adrian TIRLA ps: this mail is forwarded also on [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
