Hello Tirla,

Please find my reply inline with your response.

On Dec 14, 2007 5:19 PM, Tirla Adrian <[EMAIL PROTECTED]> wrote:
> hello Andradas,
>
> On Dec 14, 2007 1:31 PM, Jonas Andradas <[EMAIL PROTECTED]> wrote:
> > Hello Adrian,
> >
> > I do not consider myself an expert, so maybe I shouldn't be replying to the
> > whole list, but maybe my little knowledge can be completed by someone else.
>
> don't worry ... I'm not an expert either ... any suggestion I appreciate it.
>
> > Maybe you could authenticate users through the proxy against an LDAP with
> > user and password or even through certificates with a RADIUS server.
>
> ok ... I'll google it ...
> if you have some tutorials that can keep me away from headaches I
> would appreciate it also. Sorry if I'm asking but I want to know if
> you have implemented such type of authentication on a small/medium
> network because I'm interested also in any kind of downside of such a
> system. Any change in the current authentication method is a little
> bit bothering because the Internet is AIR for the students ... .

I currently have no tutorials on this particular implementation, but you can
find it easily searching google (see reference URL [1] below). I am using
this implementation currently in a fairly medium to large organization, and
it works like a charm. Our squid uses authentication against an LDAP with
user and password. We are not using certificates via a RADIUS server.

The main concern in using this approach is if your users have access to
network hubs, they can tamper with the switches, or a non-encrypted wireless
network is deployed and used by the students, because if any of these
situations is present, some malicious user could sniff network traffic and
obtain usernames and passwords easily.

> I also have to consider the fact that not all the students are experts
> and know how to configure their internet connection and browsers so
> IP+MAC+Static ARP+DHCP appeared as a great idea at a certain time.

The only thing they have to configure is a username and password to access
the Squid proxy. For protocols other than HTTP, though, you would need other
proxies or another approach.

Another approach, if you can set it up (depends on your infrastructure, your
willingness, your users, etc.), as Willi Mann points out, is to create VPNs
between your users and the gateway servers. Thus, if the connection does
*not* come through a valid VPN tunnel, you can deny it, and if it does (the
user is a valid user) you can allow it. If it's HTTP, you can run it through
a caching proxy transparently. The main drawback to this is that it is
harder to implement and that you might find users that have a hard time
configuring their connection (or maybe even that they cannot do it)
depending on their devices and operating system, and that the machine
acting as the VPN terminator could be heavily loaded if it's not powerful
enough to handle that many simultaneous VPN sessions. OpenVPN [2] is a good
option, is cross-platform, very robust, and not too hard to configure. Plus
(for your users) there is even a GUI client [3] for Windows users and a
client (not free of bugs yet) for PocketPC [4].

> > When limiting access to only certain protocols, if the users have the
> > interest it's very probable that they will start tunneling (which is what
> > seems to be happening already) by using the means you talk about or, if
> > they can install software on the computers, tunneling SSH by using
> > Corkscrew. Once SSH is tunneled, almost anything can be tunneled through
> > SSH.
>
> Limiting access wasn't my idea to start. It was suggested (demanded
> ... my version) by my ISP. Yea ... I keep on learning new types of
> tunneling day by day ... . I have nothing against it but it kills the
> CPU and it creates latency and the "good" users complain. I can't
> disconnect/drop the "malefic" users due to the policy of the
> University.
>
> > Maybe others can shed some more light on this, or even propose more
> > adequate ideas and/or solutions.
> >
> > Best regards,
> >
> > Jonas Andradas
>
> I just want to mention that my "dream" is to leave all ports open and
> traffic shape all non http traffic. For this I need a better
> authentication method to identify all users, due to possible attacks,
> illegal downloads via P2P, etc.
>
> I'll look into your suggestion. If you have some tutorials or links as
> I mentioned above feel free to share :">.
>
> Thank you for your time.

If you manage to "proxize" every single protocol you want to allow, or have
some way to only allow access to the internet to authenticated users (VPN,
RADIUS, etc), you could leave those ports open.

> Adrian TIRLA
>
> ps: I reply in private because all the messages till now I've received
> them in private. Don't ask me why because I'm new to the mailing
> lists.

Best Regards,

Jonas Andradas.

[1] http://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=squid+authentication+ldap
[2] http://openvpn.net/
[3] http://openvpn.se/
[4] http://ovpnppc.ziggurat29.com/ovpnppc-main.htm
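As an added illustration, not part of Jonas's message or of the Squid project's own documentation, this is the shape of the squid.conf fragment that the LDAP-backed setup he describes implies: Squid's Basic authentication scheme driven by the squid_ldap_auth helper shipped with Squid 2.x (Squid 3.2 and later ship the same helper under the name basic_ldap_auth), plus an ACL that refuses any request that does not carry valid proxy credentials. The helper path, the directory host ldap.example.edu, the base DN, the uid attribute and the 10.0.0.0/8 student range are assumptions for the example.

```conf
# squid.conf fragment: Basic authentication against an LDAP directory.
# Assumed values (not from the thread): helper path, ldap.example.edu,
# the base DN ou=people,dc=example,dc=edu, the uid attribute, 10.0.0.0/8.

# The helper searches below the base DN for an entry whose uid matches the
# login name supplied by the browser, then binds as that entry with the
# supplied password; a successful bind means "user OK".
#   -v 3  use LDAPv3
#   -Z    start TLS towards the directory, so the proxy-to-LDAP hop is
#         encrypted (requires a helper built with TLS support)
#   -b    search base
#   -f    search filter; %s is replaced by the login name
#   -h    directory host
auth_param basic program /usr/lib/squid/squid_ldap_auth -v 3 -Z \
    -b "ou=people,dc=example,dc=edu" -f "uid=%s" -h ldap.example.edu
auth_param basic children 10
auth_param basic realm University web proxy
# Cache a verified username/password for two hours before re-asking LDAP.
auth_param basic credentialsttl 2 hours

# proxy_auth REQUIRED: any authenticated user matches; an unauthenticated
# request gets a 407 challenge instead of being served.
acl ldap_users proxy_auth REQUIRED
acl localnet src 10.0.0.0/8          # assumed student network range

http_access allow localnet ldap_users
http_access deny all
```

The caveat Jonas raises about hubs and open wireless applies to the hop this fragment does not protect: with the Basic scheme the browser sends the username and password base64-encoded, which is effectively cleartext, in the Proxy-Authorization header of every request to the proxy, so anyone who can sniff the client segment recovers them directly. The -Z flag only encrypts the proxy-to-directory leg. On a network where students share a segment, that is the argument for switching to a scheme that does not expose the password (Digest, or NTLM/Kerberos against a domain) or for putting the client-to-proxy traffic inside the VPN he describes.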