USENIX Technical Program - Abstract - 13th Systems Administration Conference - LISA '99
Dealing with Public Ethernet Jacks - Switches, Gateways, and Authentication
Robert Beck, University of Alberta
This paper describes the tools and techniques developed and deployed
to address the problem of blocking unauthorized users on unprotected
Ethernet jacks. Our solution is being deployed to control public labs
at the University of Alberta during the summer of 1999. In this
environment, we have a mix of "walk up" Ethernet connections used
for laptop computers, and public Windows 95 and 98 workstations with
fixed Ethernet connections. By themselves, none of these provide
adequate facilities for preventing unauthorized Internet usage and
enabling us to track Internet abuses originating from these networks.
Prior to the deployment of our new access control system, these
networks were not routed off of our campus due to these problems.
Our access control system consists of MAC-locked switches behind a gateway, at which an IP filter allows Internet access only to authenticated users. We can now give authenticated users full access to the Internet while preventing unauthorized people from plugging in for free Internet access. The system also provides a record of Internet activity by authenticated users so that abuses can be easily tracked.
We also run several transparent proxies on the gateway machine to help us handle particularly troublesome security and configuration issues relating to the internal lab. These allow us to selectively proxy outbound IMAP, SMTP, and HTTP requests, as well as to answer IDENT requests coming in to the lab with the real user. The solution is inexpensive and easy to deploy, using off-the-shelf switches and a gateway router running a free operating system and software.