Thread: large campus network ... suggestions

large campus network ... suggestions
user name
2007-12-14 03:57:05
Hello,

I'm currently one of the network administrators of a campus with 3000+ students, and I have some issues maintaining security, authentication ... and quality of service ...

Currently we have 16 buildings, each with its own network server which does proxy caching (due to limited Internet bandwidth) and NAT for other services. Our network bandwidth is 20 Mbit (up to 150 Mbit shared with the University), so the ISP suggested (actually demanded) that we allow access only to some services like http, https, smtp, pop3 and limit all others. Due to some network attacks it is required to have network authentication, which currently is done via MAC+IP (which to me looks very unhealthy due to spoofing). Each building has an Ethernet network with unmanaged switches directly connected to 1 server.

I'm interested in a better authentication method than registering all the MACs+IPs of all my users (which after all is just dust in the wind ...) using my current hardware (16 servers, 1 for at least 250 clients). I was thinking about PPP-based authentication, but it doesn't look very scalable and secure ... am I wrong?

Also, due to the fact that my ISP doesn't agree with opening all ports and traffic shaping due to possible attacks, most of my clients are using tunneling methods like "Your Freedom" and "Surf No Limit", which currently produce high CPU usage on all the servers due to the CONNECT method in the Squid proxy cache. Currently I just drop/traffic-shape the tunneled P2P traffic via the ipp2p/l7-filter modules of iptables. I still believe that opening all ports and traffic shaping them would be the only solution ... but this would impose a high network security ... so I'm back to point 1 ... suggestions?!

Thanks,
Adrian TIRLA


-- 
To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact
listmaster@lists.debian.org
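The post above describes tunnelling tools abusing Squid's CONNECT method and per-server l7-filter rules as the only countermeasure. The following is an added example (not from the poster or from Squid) of the kind of check a proxy admin can run over Squid's native access.log to see who is tunnelling through CONNECT: targets on ports other than 443, tunnels held open for minutes rather than the seconds a TLS page load takes, and clients opening unusually many tunnels. The log lines are constructed for the example; the thresholds are assumptions and should be tuned to the real traffic.

```python
"""Flag CONNECT-tunnel abuse in Squid native access.log lines (added example).

Native Squid log format, one request per line:
  timestamp elapsed_ms client action/status bytes method url ident hier/peer type
"""
from collections import Counter

# Constructed sample lines, not from the poster's servers.
SAMPLE_LOG = """\
1197600000.101   312 10.3.1.20 TCP_MISS/200 4821 GET http://www.debian.org/ - DIRECT/194.109.137.218 text/html
1197600001.215  2410 10.3.1.20 TCP_MISS/200 15000 CONNECT mail.example.edu:443 - DIRECT/192.0.2.10 -
1197600002.330 1800245 10.3.1.77 TCP_MISS/200 93822011 CONNECT tunnel.example.net:443 - DIRECT/198.51.100.7 -
1197600003.001   540 10.3.1.77 TCP_MISS/200 9031 CONNECT 198.51.100.7:8080 - DIRECT/198.51.100.7 -
1197600004.400   611 10.3.1.77 TCP_MISS/200 7731 CONNECT 198.51.100.7:80 - DIRECT/198.51.100.7 -
1197600005.020  1200 10.3.1.91 TCP_DENIED/403 1365 CONNECT 203.0.113.9:22 - NONE/- text/html
"""

ALLOWED_CONNECT_PORTS = {443}      # assumption: only TLS should need CONNECT
LONG_TUNNEL_MS = 10 * 60 * 1000    # assumption: a CONNECT open > 10 min is a tunnel
MAX_CONNECT_PER_CLIENT = 2         # assumption: low threshold to suit the sample


def parse_line(line):
    """Split one native-format line into the fields the checks need; None if malformed."""
    f = line.split()
    if len(f) < 10:
        return None
    return {
        "ts": float(f[0]),
        "elapsed_ms": int(f[1]),
        "client": f[2],
        "action": f[3],
        "bytes": int(f[4]),
        "method": f[5],
        "url": f[6],
    }


def connect_port(url):
    """CONNECT targets are host:port (host may be a bracketed IPv6 literal)."""
    _host, sep, port = url.rpartition(":")
    if not sep or not port.isdigit():
        return None
    return int(port)


def analyze(log_text):
    """Return (client, reason, detail) findings for every suspicious CONNECT."""
    findings = []
    connects = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["method"] != "CONNECT":
            continue
        connects[rec["client"]] += 1
        # Denied requests are reported too: an attempt to tunnel to :22 is itself a signal.
        if connect_port(rec["url"]) not in ALLOWED_CONNECT_PORTS:
            findings.append((rec["client"], "non-standard port", rec["url"]))
        if rec["elapsed_ms"] > LONG_TUNNEL_MS:
            findings.append((rec["client"], "long-lived tunnel", rec["url"]))
    for client, n in connects.items():
        if n > MAX_CONNECT_PER_CLIENT:
            findings.append((client, "excessive CONNECT count", str(n)))
    return findings


if __name__ == "__main__":
    for client, reason, detail in analyze(SAMPLE_LOG):
        print(f"{client:12} {reason:24} {detail}")
```

The port check only catches what Squid's stock `http_access deny CONNECT !SSL_ports` rule would already refuse; the tunnelling tools named in the post can use port 443, which is why the duration and per-client count heuristics matter more than the port. Feed the script a real access.log (`analyze(open(path).read())`) and the offending clients are the ones to hand to the shaping rules on that building's server.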


Re: large campus network ... sugestions
user name
2007-12-15 17:00:20
2007/12/14, Tirla Adrian <tirlaadi@gmail.com>:
> Hello,
>
> I'm currently one of the network administrators of a campus with 3000+ students,
> and I have some issues maintaining security, authentication ... and
> quality of service ...
[...]

I brought similar but "client" networks to life (so the networks were more demanding -> clients != students ;) ).

Not going into details, I would use PPPoE tunneling with RADIUS authentication. RADIUS can be easily managed by an external application, and I believe that its scalability will let you connect it to Squid and so on.

Everything is VERY simple unless you start to migrate - I would suggest you build your own simple app (C, C#, Java or something - ask the programmers at your campus ;) ) that will create a PPPoE connection under Windows. Making scripts to notify everyone that they have to use authentication/give you their MAC address is only a routine here.


And - NO - PPPoE is NOT unstable. I know DOZENS of success stories with NO (I repeat - NO) problems.


regards

-- 
Wojciech Ziniewicz
Unix SEX :{look;gawk;find;sed;talk;grep;touch;finger;find;flex;unzip;head;tail;mount;workbone;fsck;yes;gasp;fsck;more;yes;yes;eject;umount;makeclean;zip;split;done;exitargs!!;)}


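The reply recommends PPPoE with RADIUS authentication but does not show what the RADIUS side of that actually exchanges. The following is an added example, not the replier's code and not a FreeRADIUS or pppd component, of the RFC 2865 PAP round trip that a PPPoE server would run for each login: the NAS builds an Access-Request with the User-Password hidden under the shared secret, the server recovers it, checks it, and answers with an Access-Accept or Access-Reject carrying a Response Authenticator that the NAS verifies before trusting the verdict. The shared secret, user table, NAS address and attribute choices are constructed for the example.

```python
"""RFC 2865 RADIUS PAP exchange, NAS side and server side, in one file (added example)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, FRAMED_PROTOCOL = 1, 2, 4, 6, 7
SERVICE_FRAMED, PROTOCOL_PPP = 2, 1


def _pad16(data):
    # RFC 2865 5.2: pad the cleartext with NULs to a multiple of 16 octets
    return data + b"\x00" * (-len(data) % 16)


def encrypt_password(password, secret, request_auth):
    """User-Password hiding: block i is XORed with MD5(secret + previous ciphertext
    block), the first block using the Request Authenticator as 'previous block'."""
    padded = _pad16(password.encode())
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def decrypt_password(blob, secret, request_auth):
    """Inverse of encrypt_password; the mask chain is driven by the ciphertext blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(blob), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(blob[i:i + 16], mask))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00").decode()


def _attr(attr_type, value):
    # Type (1) | Length (1, includes this header) | Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _packet(code, ident, authenticator, attrs):
    # Code (1) | Identifier (1) | Length (2) | Authenticator (16) | Attributes
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attrs(data):
    """Walk the TLV attribute list into {type: value}."""
    attrs, i = {}, 0
    while i + 2 <= len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident, username, password, secret, nas_ip, request_auth=None):
    """NAS side (the PPPoE server): the Access-Request for a PAP login."""
    auth = request_auth if request_auth is not None else os.urandom(16)
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, encrypt_password(password, secret, auth))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + _attr(SERVICE_TYPE, struct.pack("!I", SERVICE_FRAMED))
             + _attr(FRAMED_PROTOCOL, struct.pack("!I", PROTOCOL_PPP)))
    return _packet(ACCESS_REQUEST, ident, auth, attrs)


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def handle_access_request(pkt, secret, users):
    """Server side: recover the password, check it, answer with an authenticated verdict."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length != len(pkt) or length < 20:
        raise ValueError("malformed Access-Request")
    request_auth = pkt[4:20]
    attrs = parse_attrs(pkt[20:length])
    username = attrs[USER_NAME].decode()
    password = decrypt_password(attrs[USER_PASSWORD], secret, request_auth)
    stored = users.get(username, "")
    ok = bool(stored) and hmac.compare_digest(stored.encode(), password.encode())
    verdict = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = b""   # a real server would add Framed-IP-Address etc. here
    auth = response_authenticator(verdict, ident, reply_attrs, request_auth, secret)
    return _packet(verdict, ident, auth, reply_attrs)


def verify_response(resp, request_pkt, secret):
    """NAS side: trust the verdict only if the Identifier matches the outstanding
    request and the Response Authenticator checks out; otherwise return None."""
    code, ident, length = struct.unpack("!BBH", resp[:4])
    if length != len(resp) or ident != request_pkt[1]:
        return None
    expected = response_authenticator(code, ident, resp[20:length], request_pkt[4:20], secret)
    return code if hmac.compare_digest(expected, resp[4:20]) else None


if __name__ == "__main__":
    SECRET = b"shared-secret-example"                 # constructed; use one secret per NAS
    USERS = {"student42": "correct horse battery"}    # constructed user table
    req = build_access_request(1, "student42", "correct horse battery", SECRET, "10.3.0.1")
    resp = handle_access_request(req, SECRET, USERS)
    names = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}
    print("verdict:", names.get(verify_response(resp, req, SECRET), "unverified"))
```

Two caveats that matter for the campus design: everything here rests on the per-NAS shared secret and on MD5, so the path between the 16 building servers and the RADIUS server has to be a trusted network, and the request itself carries no integrity check beyond the password hiding (RFC 2869's Message-Authenticator attribute, omitted above, adds an HMAC-MD5 over the whole request). Using CHAP instead of PAP inside the PPPoE session would also keep the cleartext password off the NAS entirely.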

