Hi Adrian,

Sunday, April 4, 2004, 10:22:33 PM, you wrote:

AP> We have thought about using static MAC entries per port on managed
AP> switches installed at the client endpoints, but that would require an
AP> overwhelming budget. We are also thinking about L2TP and PPPoE, but I
AP> am uncertain about compatibility.
AP> What would you recommend? Are there any other elegant solutions?

A VPN (pptp) solution works just fine with both poptop and mpd on the server side and with any Windows box on the client side, even Win'95 with a patch from microsoft.com. There could be a problem with Mac OS: I didn't find a pptp client for it, but there should be one, I think. FreeBSD and Linux also have pptp clients. And lastly, you can use cheap hardware pptp clients in situations like Mac OS, for example the Allied Telesyn AR-221E.

--
Andrew mailto:resident@b-o.ru
Hi,

I am searching for a solution that will enable me to control the access of clients to an Ethernet network that spans about an entire quarter; most of the connected stations are running MS Windows.

We are facing service theft through impersonation, either solely of the IP or of both the IP and the Ethernet MAC address. Securing IP access was solved using a static ARP scheme (we used "staticarp" for the internal gateway interface and tied to it a fixed list of IP/MAC tuples), but some of the clients learnt how to change both the IP and the MAC.

We have thought about using static MAC entries per port on managed switches installed at the client endpoints, but that would require an overwhelming budget. We are also thinking about L2TP and PPPoE, but I am uncertain about compatibility.

What would you recommend? Are there any other elegant solutions?

I also heard about 802.1x technology and it seems to be an interesting and professional alternative; I just don't know how well supported it is on the server side, namely FreeBSD.

Thank you.

--
Ady (@freebsd.ady.ro)
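An added example, not part of the thread: a small audit of the gateway's "staticarp" table against the fixed IP/MAC list described above, run over constructed `arp -an` output from a FreeBSD gateway. The interface name, addresses and MACs are invented for the sample.

```python
import re
from collections import defaultdict

# Constructed `arp -an` output from a FreeBSD gateway (not from the thread): one
# entry learnt dynamically instead of being permanent, one MAC reused on two IPs.
SAMPLE_ARP_AN = """\
? (10.1.0.11) at 00:0c:29:aa:bb:01 on fxp0 permanent [ethernet]
? (10.1.0.12) at 00:0c:29:aa:bb:02 on fxp0 permanent [ethernet]
? (10.1.0.13) at 00:0c:29:aa:bb:03 on fxp0 expires in 1200 seconds [ethernet]
? (10.1.0.14) at 00:0c:29:aa:bb:02 on fxp0 permanent [ethernet]
"""
# Constructed allowed IP/MAC tuples, the fixed list the gateway is tied to.
ALLOWED = {"10.1.0.11": "00:0c:29:aa:bb:01", "10.1.0.12": "00:0c:29:aa:bb:02",
           "10.1.0.13": "00:0c:29:aa:bb:03", "10.1.0.14": "00:0c:29:aa:bb:04"}
ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-fA-F]{1,2}:){5}"
                      r"[0-9a-fA-F]{1,2}) on \S+ (?P<state>permanent|expires)")

def norm_mac(mac):
    # arp(8) may print single-digit octets; compare in zero-padded lower case
    return ":".join("%02x" % int(o, 16) for o in mac.split(":"))

def parse_arp(text):
    # ip -> (mac, is_permanent)
    entries = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            entries[m["ip"]] = (norm_mac(m["mac"]), m["state"] == "permanent")
    return entries

def audit(arp_text, allowed):
    # Sorted (subject, problem) findings; an empty list means the table matches.
    entries = parse_arp(arp_text)
    findings = []
    for ip, mac in allowed.items():
        if ip not in entries:
            findings.append((ip, "no ARP entry"))
            continue
        seen, permanent = entries[ip]
        if not permanent:
            findings.append((ip, "entry is dynamic, not permanent"))
        if seen != norm_mac(mac):
            findings.append((ip, "mac %s differs from allowed %s" % (seen, norm_mac(mac))))
    by_mac = defaultdict(list)  # the same MAC answering for several IPs
    for ip, (mac, _) in entries.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append((",".join(sorted(ips)), "mac %s bound to several IPs" % mac))
    return sorted(findings)
```

Run over the real `arp -an` output it confirms that every allowed address is a permanent entry with the expected MAC and that no MAC is shared. As the post notes, a client that clones both the IP and the MAC of an authorized tuple is indistinguishable at this layer, which is why the thread turns to per-port or tunnel-based controls.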
On Mon, 5 Apr 2004 12:28:26 +0400
Andrew Riabtsev <resident@b-o.ru> wrote:

| A VPN (pptp) solution works just fine with both poptop and mpd on the server side
| and with any Windows box on the client side, even Win'95 with a patch from
| microsoft.com. There could be a problem with Mac OS: I didn't find
| a pptp client for it, but there should be one, I think. FreeBSD and Linux
| also have pptp clients. And lastly, you can use cheap hardware
| pptp clients in situations like Mac OS, for example the Allied Telesyn
| AR-221E.

FWIW, Mac OS X includes a pptp client in the base system; I don't know how good it is, however.

For Mac OS classic (i.e. <= 9) there _was_ a (commercial) pptp client called "Tunnel Builder", but the producer seems to no longer exist and/or no longer support the thing. I've found a website which still offers it at http://www.macadsl.com/logiciels/?cat=client%20de%20connexion but it's priced at USD 99 (!).

Hope that helps
Frankye
The built-in pptp client in Mac OS X does the job. However, if you want to conveniently set up different routes (to separate corporate and personal internet traffic), the DigiTunnel PPTP VPN client for Mac OS X has an easy-to-configure alternate routing options tab. www.gracion.com/vpn/

-r.

-----Original Message-----
From: Frankye - ML [mailto:listsucker@ipv5.net]
Sent: Monday, April 05, 2004 9:48 AM
To: freebsd-security@freebsd.org
Subject: Re: Q: Controlling access at the Ethernet level
> Message: 4
> Date: Mon, 5 Apr 2004 18:08:49 +0200
> From: Sten Daniel Sørsdal <sten.daniel.sorsdal@wan.no>
> Subject: RE: Controlling access at the Ethernet level
> To: "Adrian Penisoara" <ady@freebsd.ady.ro>,
> Cc: freebsd-isp@freebsd.org
>
> > > What would you recommend? Are there any other elegant solutions?
>
> How about using 802.1Q VLANs and dedicating a VLAN to each port.
> If more than 4000 users then add more gateways.
>
> Just be sure to go for switches that allow you to deny incoming
> already-tagged packets on the user side, as some switches pass
> already-tagged packets.

While this sounds theoretically like a good solution, in my experience many midrange switches (e.g. the HP Procurve 25xx and 40xx series) do not handle large numbers of VLANs well; they seem to consume RAM and CPU roughly proportional to the number of active VLANs, and past some threshold you see packet loss. As one of the constraints mentioned was "can't pay to add managed switches", I would be cautious about this solution unless you *know* that all the switches handle large numbers of VLANs well, or you'll be trying to troubleshoot a network with unexplained and intermittent packet loss.

Just a warning from experience, FWIW.

-- Clifton

--
Clifton Royston -- cliftonr@tikitechnologies.com
Tiki Technologies Lead Programmer/Software Architect
Did you ever fly a kite in bed?
Did you ever walk with ten cats on your head?
Did you ever milk this kind of cow?
Well we can do it. We know how.
If you never did, you should.
These things are fun, and fun is good.
-- Dr. Seuss