Hi

I have to manage a network with approx. 200 users, a 256kbit/s unmanaged Internet connection and a 3Mbit/s unreliable managed Internet connection (only http/ftp-proxy and ssh available). All users are in one Class C Subnet with 512 IP-Addresses. 60% of the machines are Windows. The rest are SUN and Linux. At the moment Windows viruses and p2p-traffic eat most of our bandwidth.

My aims are:
- inform Windows users with a virus problem; limit their traffic to http over proxy
- allocate different bandwidth to different user groups on port level (to limit p2p traffic) depending on time (day/night)
- allocate different amounts of traffic to groups and reduce the night bandwidth of user groups who exceed their daily limit
- prevent users from getting access to a different group by simply taking an IP address from a different group, without creating an access control list with IP/MAC pairs
- users should be able to monitor the bandwidth usage of their group on a web page
- the 3Mbit/s uplink should be used whenever possible/available (ssh + ftp/http proxy)
- preserve privacy of users as far as possible

The idea is to split the network using transparent bridgewalls. These should manage the traffic on port level for each group using Netfilter in bridge mode, and use IPP2P to limit P2P traffic. Group limitations should be implemented here. A firewall should be installed on the gateway to the Internet. The firewall should do NAT and have a QoS setup managing and monitoring the real outgoing traffic. I plan to use the cookbook example 15.10 from the LARTC as a base.

My question is whether there are known running solutions out there that would fit these aims. The Windows machines with their viruses give me a headache. I do not want to enforce remote Windows patching and virus scanner updating. It should also be taken into account that there is nearly no money available for any special equipment. Best would be to get this job done with a couple of old computers.
Another question is whether it is advisable to split traffic filtering and traffic management/monitoring.

I would appreciate any help.

Regards
Ralf

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
> The Windows machines with their viruses give me a headache. I do not want to enforce remote Windows patching and virus scanner updating. It should also be taken into account that there is nearly no money available for any special equipment. Best would be to get this job done with a couple of old computers.

One thing you could address is that most viruses arrive via smtp. Can you scan inbound smtp traffic, perhaps with clamav? Or do users have their own external email accounts?

Ed W
On Monday 21 June 2004 13:36, Ralf Staudemeyer wrote:
> Hi
>
> I have to manage a network with approx. 200 users, a 256kbit/s unmanaged Internet connection and a 3Mbit/s unreliable managed Internet connection (only http/ftp-proxy and ssh available). All users are in one Class C Subnet with 512 IP-Addresses. 60% of the machines are Windows. The rest are SUN and Linux. At the moment Windows viruses and p2p-traffic eat most of our bandwidth.

Wow. Subnets are your friend. Subnet if you can.

<snip>

> My question is whether there are known running solutions out there that would fit these aims. The Windows machines with their viruses give me a headache. I do not want to enforce remote Windows patching and virus scanner updating. It should also be taken into account that there is nearly no money available for any special equipment. Best would be to get this job done with a couple of old computers.

I'd suggest social engineering and suggestion. See if you can get your users to clean up and tone down p2p. :)

> Another question is whether it is advisable to split traffic filtering and traffic management/monitoring.
>
> I would appreciate any help.
>
> Regards
> Ralf

--
Jason Boxman
Perl Programmer / *NIX Systems Administrator
Shimberg Center for Affordable Housing | University of Florida
http://edseek.com/ - Linux and FOSS stuff
Ralf Staudemeyer wrote:
> On Mon, 2004-06-21 at 17:06, Ed Wildgoose wrote:
>>> The Windows machines with their viruses give me a headache. I do not want to enforce remote Windows patching and virus scanner updating. It should also be taken into account that there is nearly no money available for any special equipment. Best would be to get this job done with a couple of old computers.
>>
>> One thing you could address is that most viruses arrive via smtp. Can you scan inbound smtp traffic, perhaps with clamav? Or do users have their own external email accounts?
>
> We have a Novell GroupWise service that should be used for email (via the managed 3Mbit connection). That system supports spam-filtering and virus-scanning. Unfortunately that service does not support any security functions and is not reliable. There will be not much change about that. So I want and I must support users who use their external email accounts.

A quick search on google suggests that you can get a POP3 transparent proxy which will do virus scanning. This is also used and maintained by Astaro Linux firewall. See http://p3scan.sourceforge.net/

Perhaps you could look at something like Astaro with a bridging firewall to get the bulk of your requirements sorted (or just roll your own (Shorewall?) if you are happy with iptables).

Second problem is splitting traffic between your two internet connections. This is very possible; read the LARTC faq for basic details and then come back here with specific questions.

The other stuff is easily possible, but for the number of users that you have you are going to need to invest some time to write some scripts to handle mapping users to MAC addresses and make the whole thing maintainable. There was another post only hours ago from at least one other person who you might contact to see if they will share some stuff.

P2P is pretty easy to control. Try kernel patches for "ippp" or "l7-filter" (both on sf.net I think). This lets you simply filter traffic using iptables.

You mentioned time based rules. I think there are patches to iptables to handle this. Alternatively you could have two scripts which run from cron to switch rules.

A further, and perhaps easier, possibility is to use the QOS rules to prioritise everything else and simply leave unwanted traffic in the "left over" bucket. This will mean that P2P users cannot affect your normal traffic, but if the link is idle at any time of day or night then they can use up to the max amount, but only if it's idle. This is perhaps good enough and easier to configure.

You need to have read the LARTC faq, and browsed the iptables docs, or you will find this quite advanced. I suggest that you break the problem up into parts. If you aren't completely technical, or pushed for time, then you might want to consider hiring someone, or looking at a prebuilt solution. Your requirements are all possible though.

Ed W
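The "left over bucket" approach and the cron-switched day/night rules from the reply above, written out as an added example; this is not a script from the thread or from the LARTC cookbook. It builds an HTB egress tree on the Internet-facing interface in which interactive traffic, proxy traffic and other classified traffic get guaranteed rates, while everything unmarked (P2P included) lands in a lowest-priority default class that can only borrow bandwidth the other classes leave idle. The interface name, the uplink rate, the percentage split and the fwmark values 1 to 3 are assumptions; the real commands need root and the named interface, so the script prints them unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not code from the thread. HTB egress shaper with a
# lowest-priority "leftover" default class for unclassified (P2P) traffic,
# plus a cron-switchable day/night ceiling for that class.
# Assumptions: interface, uplink rate and fwmarks 1..3 (set in mangle below).
# DRY_RUN=1 (default) prints the commands instead of running them.

DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# pct <value> <percent>: integer percentage, used to derive class rates
pct() { echo $(( $1 * $2 / 100 )); }

# shaper_rules <iface> <uplink_kbit>
shaper_rules() {
    iface="$1"
    # shape a little below the link rate so the queue builds here, not in the modem
    ceil=$(pct "$2" 95)
    run tc qdisc del dev "$iface" root 2>/dev/null || true
    # "default 40": anything no filter matches goes to the leftover class
    run tc qdisc add dev "$iface" root handle 1: htb default 40
    run tc class add dev "$iface" parent 1: classid 1:1 htb rate "${ceil}kbit" ceil "${ceil}kbit"
    # 1:10 interactive (ssh, DNS), 1:20 proxy/http, 1:30 other marked, 1:40 leftover.
    # Guaranteed rates sum to 100%; every class may borrow up to the full link.
    run tc class add dev "$iface" parent 1:1 classid 1:10 htb rate "$(pct "$ceil" 25)kbit" ceil "${ceil}kbit" prio 0
    run tc class add dev "$iface" parent 1:1 classid 1:20 htb rate "$(pct "$ceil" 40)kbit" ceil "${ceil}kbit" prio 1
    run tc class add dev "$iface" parent 1:1 classid 1:30 htb rate "$(pct "$ceil" 25)kbit" ceil "${ceil}kbit" prio 2
    run tc class add dev "$iface" parent 1:1 classid 1:40 htb rate "$(pct "$ceil" 10)kbit" ceil "${ceil}kbit" prio 3
    # SFQ inside each leaf so one flow cannot starve its neighbours in the same class
    for c in 10 20 30 40; do
        run tc qdisc add dev "$iface" parent "1:$c" handle "$c:" sfq perturb 10
    done
    # fwmark -> class; unmarked packets fall through to the default class
    run tc filter add dev "$iface" parent 1: protocol ip prio 1 handle 1 fw flowid 1:10
    run tc filter add dev "$iface" parent 1: protocol ip prio 1 handle 2 fw flowid 1:20
    run tc filter add dev "$iface" parent 1: protocol ip prio 1 handle 3 fw flowid 1:30
}

# mark_rules <iface>: the marks the filters above expect (assumed port choices)
mark_rules() {
    iface="$1"
    run iptables -t mangle -F POSTROUTING
    run iptables -t mangle -A POSTROUTING -o "$iface" -p tcp --dport 22 -j MARK --set-mark 1
    run iptables -t mangle -A POSTROUTING -o "$iface" -p udp --dport 53 -j MARK --set-mark 1
    run iptables -t mangle -A POSTROUTING -o "$iface" -p tcp -m multiport --dports 80,443,21 -j MARK --set-mark 2
    run iptables -t mangle -A POSTROUTING -o "$iface" -p tcp --dport 25 -j MARK --set-mark 3
}

# day_night <iface> <uplink_kbit> day|night: the "two scripts from cron" variant.
# By day the leftover class is capped hard; at night it may fill the idle link.
# Assumed crontab:  0 8 * * * shaper.sh eth0 256 day   /   0 22 * * * shaper.sh eth0 256 night
day_night() {
    iface="$1"; ceil=$(pct "$2" 95); mode="$3"
    case "$mode" in
        day)   lo_ceil=$(pct "$ceil" 20) ;;
        night) lo_ceil="$ceil" ;;
        *) echo "usage: day_night <iface> <kbit> day|night" >&2; return 1 ;;
    esac
    run tc class change dev "$iface" parent 1:1 classid 1:40 htb rate "$(pct "$ceil" 10)kbit" ceil "${lo_ceil}kbit" prio 3
}

if [ $# -ge 2 ]; then
    shaper_rules "$1" "$2"
    mark_rules "$1"
    if [ $# -ge 3 ]; then day_night "$1" "$2" "$3"; fi
fi
```

Run it as `sh shaper.sh eth0 256` to see the commands for the 256kbit/s link, and with `DRY_RUN=0` as root to apply them. Because the tree shapes on egress only, it controls what leaves towards the Internet; the inbound direction needs the same tree on the LAN-facing interface (or an ingress policer), which this example does not cover.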
On Mon, 2004-06-21 at 17:06, Ed Wildgoose wrote:
>> The Windows machines with their viruses give me a headache. I do not want to enforce remote Windows patching and virus scanner updating. It should also be taken into account that there is nearly no money available for any special equipment. Best would be to get this job done with a couple of old computers.
>
> One thing you could address is that most viruses arrive via smtp. Can you scan inbound smtp traffic, perhaps with clamav? Or do users have their own external email accounts?

We have a Novell GroupWise service that should be used for email (via the managed 3Mbit connection). That system supports spam-filtering and virus-scanning. Unfortunately that service does not support any security functions and is not reliable. There will be not much change about that. So I want and I must support users who use their external email accounts.

Ralf
Ralf Staudemeyer wrote:
> On Tue, 2004-06-22 at 07:20, Ed Wildgoose wrote:
>> The other stuff is easily possible, but for the number of users that you have you are going to need to invest some time to write some scripts to handle mapping users to MAC addresses and make the whole thing maintainable. There was another post only hours ago from at least one other person who you might contact to see if they will share some stuff.
>
> I wanted to avoid doing that MAC/IP-mapping. Some users have notebooks, some will change their working place and some will buy new hardware they want to connect to the network. This is not maintainable. Also I really do not want to know what the users do with their bandwidth. I just want to assure that things go fair and everyone can work with the network.

Well, in that case your problem gets really easy. Just pick up one of the prioritisation scripts - I like this one:

http://www.digriz.org.uk/jdg-qos-script/

Then read the LARTC doc so you know what it's doing. And that should be you up and running.

What you will be doing is just classifying traffic based on its type and ignoring the source, etc completely.

Ed W
On Tue, 2004-06-22 at 07:20, Ed Wildgoose wrote:
> The other stuff is easily possible, but for the number of users that you have you are going to need to invest some time to write some scripts to handle mapping users to MAC addresses and make the whole thing maintainable. There was another post only hours ago from at least one other person who you might contact to see if they will share some stuff.

I wanted to avoid doing that MAC/IP-mapping. Some users have notebooks, some will change their working place and some will buy new hardware they want to connect to the network. This is not maintainable. Also I really do not want to know what the users do with their bandwidth. I just want to assure that things go fair and everyone can work with the network.

Thx for all the help!!!

Ralf
On Tue, 2004-06-22 at 12:01, Ed Wildgoose wrote:
> Ralf Staudemeyer wrote:
>> On Tue, 2004-06-22 at 07:20, Ed Wildgoose wrote:
>>> The other stuff is easily possible, but for the number of users that you have you are going to need to invest some time to write some scripts to handle mapping users to MAC addresses and make the whole thing maintainable. There was another post only hours ago from at least one other person who you might contact to see if they will share some stuff.
>>
>> I wanted to avoid doing that MAC/IP-mapping. Some users have notebooks, some will change their working place and some will buy new hardware they want to connect to the network. This is not maintainable. Also I really do not want to know what the users do with their bandwidth. I just want to assure that things go fair and everyone can work with the network.
>
> Well, in that case your problem gets really easy. Just pick up one of the prioritisation scripts - I like this one:
>
> http://www.digriz.org.uk/jdg-qos-script/
>
> Then read the LARTC doc so you know what it's doing. And that should be you up and running.
>
> What you will be doing is just classifying traffic based on its type and ignoring the source, etc completely.

It is not that easy, since there is still the prioritisation problem. There are user groups who should not use p2p-traffic (publicly accessible machines for only surfing and email), some need some extra bandwidth (mirrors, power users), some need low latency for their Voice-over-IP or videoconferencing ... things like that. It is quite easy to group them into five groups. But I do not know how I should prevent someone from reconfiguring the IP of a publicly accessible machine to get some extra rights. I thought to filter this with some transparent bridgewalls. But this makes it impossible to move a machine of a higher prioritisation into a subnet of lower prioritisation. The bridgewall will, and should, discard the packets.

Even if I would start collecting MAC addresses it would still be quite easy to sniff the MAC/IP pair (isn't it?).

The script looks very promising.
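The per-group classification side of what Ralf describes in the message above, as an added example rather than code from the thread: five user groups, each a source subnet, steered into their own HTB class with tc u32 filters instead of per-port marks. The subnets, the class ids and the HTB tree they point at (classes 1:10 to 1:50 under root handle 1:) are assumptions; the tree must already exist. This only covers classification: as the message says, nothing here stops a user from taking an IP from another group's range, which is why Ralf pairs it with a bridgewall per segment that discards packets from subnets that do not belong on that side.

```shell
#!/bin/sh
# Added example, not code from the thread. Map source subnets to HTB classes
# with u32 filters. Assumptions: the HTB tree with classes 1:10..1:50 exists on
# the interface; subnets below are constructed. DRY_RUN=1 (default) prints.

DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Constructed group table: "<subnet> <classid>" per line, one subnet per group.
# 1:10 VoIP/video (low latency), 1:20 mirrors/power users, 1:30 normal users,
# 1:40 restricted, 1:50 publicly accessible surfing/email machines.
GROUP_TABLE='
192.168.1.0/26   1:50
192.168.1.64/26  1:40
192.168.1.128/26 1:30
192.168.1.192/27 1:20
192.168.1.224/27 1:10
'

# group_filters <iface>: one u32 filter per subnet. Each filter gets its own
# prio so the kernel evaluates them in table order; first match wins.
group_filters() {
    iface="$1"; prio=10
    printf '%s\n' "$GROUP_TABLE" | while read -r net cls; do
        if [ -z "$net" ]; then continue; fi
        run tc filter add dev "$iface" parent 1: protocol ip prio "$prio" u32 match ip src "$net" flowid "$cls"
        prio=$((prio + 1))
    done
}

# clear_filters <iface>: drop all filters on the root qdisc before reloading
clear_filters() {
    run tc filter del dev "$1" parent 1:
}

if [ $# -ge 1 ]; then
    clear_filters "$1"
    group_filters "$1"
fi
```

Run it as `sh groups.sh eth1` on the LAN-facing interface (for traffic towards the users, match `ip dst` instead of `ip src`). Keeping the table in one place makes it easy to generate the same filters on every bridgewall, which is the part Ed W expects to need scripting for 200 users.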