On Fri, Dec 14, 2007 at 09:57:21PM +0200, Tirla Adrian wrote:
> Hello Willi,
>
> On Dec 14, 2007 6:11 PM, Willi Mann <[EMAIL PROTECTED]> wrote:
> >
> > > I'm interested in a better authentication method than registering all
> > > the MACs+IPs of all my users (which after all is just dust in the wind
> > > ...) using my current hardware (16 servers, 1 for at least 250
> > > clients). I was thinking about ppp based authentication but it doesn't
> > > look very scalable and secure ... am I wrong ?
> >
> > openvpn might be an easier solution.
> >
>
> I was thinking also openvpn ... but I believe it is going to kill my
> CPUs of all my servers (at least 250 users per server) ... and if
> openvpn (never tried to actually use it) creates like all ppp daemons a
> pppx tunnel which is encrypted ... my firewall is going to be a mess
> ... rules for all tunnels ? ... or ... am I missing something ?
>
> have you ever used openvpn with more than 200 clients/tunnels on the
> same machine ? if you did can you tell me what kind of hardware did you
> possess ?
>
[disclaimer: I work for INL, the company developing NuFW]

802.1x won't help (spoofable, and hard to deploy), nor openvpn (which
would kill your server).

You might want to have a look at NuFW [1], an authenticating firewall.
It is based on a client installed on workstations, to authenticate
connections. Unlike methods based on IP, MAC address or whatever, it
does not make an association ip == user, so it can even differentiate
users on the same workstation, and apply different rules.

You can find a technical description [2], and a schema [3].

All packets can be logged with user information in a database.

NuFW is free (both in free beer and free speech), except for the Windows
client. The other clients and tools for administration, NuFace [4] and
NuLog [5], are also free and open source.

Regards,
Pierre

[1] http://www.nufw.org/
[2] http://www.nufw.org/Introduction,1.html
[3] http://www.nufw.org/Principles.html
[4] http://software.inl.fr/trac/trac.cgi/wiki/EdenWall/NuFace2
[5] http://software.inl.fr/trac/trac.cgi/wiki/EdenWall/NuLog2