Date: Sun, 4 Apr 2004 23:32:52 +0400
From: Gleb Smirnoff <glebius@cell.sick.ru>
To: Adrian Penisoara <ady@freebsd.ady.ro>
Cc: freebsd-security@freebsd.org
Subject: Re: Q: Controlling access at the Ethernet level
Message-ID: <20040404193252.GA53516@cell.sick.ru>
In-Reply-To: <0A87E4EB-8665-11D8-9004-000A95776E22@freebsd.ady.ro>
References: <0A87E4EB-8665-11D8-9004-000A95776E22@freebsd.ady.ro>
On Sun, Apr 04, 2004 at 09:22:33PM +0300, Adrian Penisoara wrote:
A> We have thought about using static MAC entries per port on managed
A> switches installed at the client endpoints, but that would require an
A> overwhelming budget. We are also thinking about L2TP and PPPoE, but I
A> am uncertain about compatibility.

PPPoE is a working solution. mpd from ports can serve PPPoE at wire speed.
However, it has some disadvantages:

- Traffic from host A to host B flows through the access concentrator.
- All hosts share the bandwidth of the access concentrator.
- mpd in PPPoE mode does not work under CURRENT.
- PPPoE gives authentication for access outside your LAN; it does not
  prevent someone from plugging into a port of a dumb switch and flooding
  your LAN with broadcasts, or performing any other kind of Ethernet DoS.

A> I also heard about 802.1x technology and it seems to be an interesting
A> and professional alternative; I just don't know how well supported it is
A> on the server side, namely FreeBSD.

Theoretically, 802.1x is the best solution. But the client side is
supported only in Windows XP, and I've been told that it has numerous
weird bugs.

In 802.1x the server side is the Ethernet switch itself, which
authenticates clients against a RADIUS server. So upgrading all switches
in your LAN is required. The cheapest one with 802.1x support is the
D-Link DES-3226, AFAIK.

-- 
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE