[Nufw-users] Holy cow!! Why didn't anyone tell me nufw exists!!!
From: Mark Jayson R. Alvarez
Subject: [Nufw-users] Holy cow!! Why didn't anyone tell me nufw exists!!!
Date: Wed, 5 Apr 2006 12:54:19 +0800
User-agent: KMail/1.8.2
Hello!!
I have been sending tons of emails to various mailing lists regarding the
management of our Local Area Network. I have already looked into several
tools such as authpf, netreg, etc. I even have my presentation slides ready
after carefully evaluating our needs. I was about to present my proposed
solution when I landed on nufw's homepage. I was surprised to find out that
someone has already come up with such requirements as ours. Now, I just
joined this mailing list to make sure that nufw is really the solution to our
problem.
Ok, here is our situation.
Our LAN, consisting of 126 users, has a very poor ip allocation strategy, such
that a user can jump to any ip block he wants, making it really hard to track
down who is doing this and who is doing that.
Our goal is to monitor all network activities of each workstation (ip address)
and be able to determine whose workstation this is. (DHCP with internal DNS
can easily be bypassed by smart users.)
My proposed solution is to have each user assigned a static ip address,
with other details such as os, mac address, property no., etc. all stored in
an ldap directory. Tie authentication to the firewall ruleset, which can also
do some ip/mac verification by doing ldap lookups.
To accomplish this, since we don't have that many staff, I
suggested having a single class C ip block for all the staff. Having
different ip block groupings for staff is not needed anymore. There's not
that much difference when it comes to network usage policy for all the
staff. Then we put the network servers in another block just to ensure that
authentication will happen first before a user accesses those servers.
Authentication is needed because:
"If we are to monitor all of the network activities of each user, we must make
sure that no one is trying to hide themselves by illegally using another
user's ip/mac address, or that no one has accidentally used another user's ip
address. By doing an authentication against the pcrouter, we are ensuring
that every device that will be connecting to our network is registered and
known, so that all of its network activities can be correctly monitored."
authpf lacks this sort of ip/mac verification because I guess it was designed
with a multi-user workstation environment in mind (in our case 1 workstation,
1 ip, per 1 user).
netreg is not a good idea either.
In our conversations:
________________________________________
Basically, the netreg process looks like this.
1. The user will log in to the network registration page, using his
username/password (probably an ldap account).
2. From there, the user will fill out the registration form with his mac
address, other info, etc.
3. After successful registration, the dhcp client on the user's machine will be
enabled.
4. When the client tries to obtain the network settings from the dhcp server,
the server will first try to verify whether the hardware address the request
is coming from is already registered. If it is, then the entire dhcp
transaction will be carried out; otherwise, the request will be
denied.
Another problem I am seeing with this kind of setup is that it doesn't prevent
someone from using another user's network information. There's not that much
authentication happening in the process of dhcp. The server only looks at whether the
mac address is already registered (in my case, a simple ifconfig will allow me
to change my mac address to that of a registered user). There are a couple of
suggestions and workarounds to this however, and with these at hand, we're
only left with that redundancy issue.
----------------------------------------------------------------------------------------------------
I'm planning to write some custom login scripts that are tied to the
firewall ruleset and can do ldap lookups as well. However, as far as I can
understand, nufw can already accomplish this need.
Is nufw really the solution to our problem?
Thanks!
-jayson
--
Mark Jayson R. Alvarez email: address@hidden
Advanced Science and Technology Institute http://www.asti.dost.gov.ph
Voice: +63 2 4269766 Fax: +63 2 4269756
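An added example, not from the post and not code from nufw or netreg, of the ip/mac verification the post proposes: a registry (standing in for the ldap directory, one static ip per user with its registered mac) is checked against observed ip/mac pairs, flagging unregistered devices, ip/mac mismatches, and one mac showing up on several ips, which is the "hiding behind another user's ip/mac" case the post describes. All names, addresses and the observation lines are constructed.

```python
from collections import defaultdict

# Constructed registry standing in for the ldap directory described in the post:
# one static ip per user, with the registered mac address and the owner.
REGISTRY = {
    "192.168.1.10": {"mac": "00:11:22:33:44:55", "owner": "alice"},
    "192.168.1.11": {"mac": "00:11:22:33:44:66", "owner": "bob"},
    "192.168.1.12": {"mac": "00:11:22:33:44:77", "owner": "carol"},
}

# Constructed "ip mac" observations, as a login script might gather them from the
# pcrouter's arp table or dhcp leases. Line 2 shows bob's ip used with carol's mac.
OBSERVED = """\
192.168.1.10 00:11:22:33:44:55
192.168.1.11 00:11:22:33:44:77
192.168.1.12 00:11:22:33:44:77
192.168.1.50 00:de:ad:be:ef:01
"""


def parse_observations(text):
    """Return (ip, mac) pairs from 'ip mac' lines, skipping malformed ones."""
    pairs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            pairs.append((parts[0], parts[1].lower()))
    return pairs


def verify(registry, observed):
    """Compare observed ip/mac pairs with the registry and list anomalies."""
    findings = []
    ips_by_mac = defaultdict(set)
    for ip, mac in observed:
        ips_by_mac[mac].add(ip)
        entry = registry.get(ip)
        if entry is None:
            findings.append({"kind": "unregistered_ip", "ip": ip, "mac": mac})
        elif entry["mac"].lower() != mac:
            findings.append({"kind": "mac_mismatch", "ip": ip, "mac": mac,
                             "owner": entry["owner"]})
    # The same mac on several ips means a registered address is being reused.
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            findings.append({"kind": "duplicate_mac", "mac": mac,
                             "ips": sorted(ips)})
    return findings


if __name__ == "__main__":
    for finding in verify(REGISTRY, parse_observations(OBSERVED)):
        print(finding)
```

In the proposed setup the registry lookup would be an ldap query per ip, and a finding would be the trigger to deny that device in the firewall ruleset until someone checks who is behind it.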