Ethernet authentication methods?
Hi,
12 computers are in a local network with local IP addresses (192.168.1.0/24). I want only 4 of them to have a connection to the Internet through an OpenBSD or Linux gateway, which uses NAT to masquerade the whole internal network.
My question is which authentication method is best to use, or why one is better than other?
First I thought to use static IP addresses in our internal network, bind them to the MAC addresses of the clients' NICs and have this whole thing checked by Packet Filter, but as I've heard there is a possibility with older NICs that the MAC address can be changed, or there are some hacking programs which can spoof the gateway and so forth.
So should I use IPsec or Kerberos or something else? Or is there any other easier way to do that kind of authentication?
Thanks in advance!!!
mdwatts
07-26-2003, 08:12 AM
I use static ip addressing for my home network.
Anyone have any suggestions for the other question(s)? Thanks.
cowanrl
07-26-2003, 10:04 AM
A lot would depend on what Operating Systems you have behind your firewall, how much control you have over these computers and the network savvy of your users.
I think one of the simplest solutions with the least amount of overhead would be to use Linux as your router/firewall using iptables. You could use a filter that allows only a small portion of your network through the firewall, say using a 29 bit subnet mask in the filter.
You could assign the computers you want to allow through the firewall a static IP address in the range of 1-7 and still use the 24 bit mask. You could use dhcp to assign ip addresses to the rest of the machines, just don't let the dhcp server give out addresses in the 1-7 range.
The computers would still be able to communicate with each other, only addresses 1-7 would have access to the Internet.
This would work as long as:
- your OS's aren't Win9x where you can't easily control your end user changing your network settings
- your users don't have administrative or root access to computers if they have nix or NT4 type OS's
- your end users aren't a bunch of networking gurus that could figure out what's going on and get around it.
You could implement something like this without your end users even realizing it except that some would no longer have access to the Internet.
Of course, this is assuming that you only want to allow 4 computers to be able to access the Internet. If you have 4 users you want to be able to access the Internet from any computer, this obviously won't work.
As cowanrl said, a lot depends on the operating system(s) you're using and how your network is set up. Issues such as operating system versions, Domain vs. Workgroup, etc. will determine the best way to facilitate your access controls. Explain your network environment in more detail and we can give the best solution.
:)
Thanks to all of you for your comments :)
In the internal network all the computers are running Windows. Most of them are on Win98, 1 of them is on WinXP and 1 is on Win2000. One of the computers (the one with Win2k) will be used for internet banking. Most of the users know little more than how to turn their PCs on and off :), but there are a few guys who know more than the others about networking, so my embarrassment is coming from them. Because of the internet banking I'm wondering whether it would be better to do some kind of encryption between the user's PC and the gateway, or whether there is no need for that, 'cause as I think it, that kind of encryption will be made between the user's PC and the computer of the bank.
Once more many thanks to all of you :)
First and foremost: get rid of Windows 98!!
98 has no security to speak of, and precious little can be done with it in terms of administrative lock-downs as compared to XP or Win2k.
When you say that the 2k box will be used for Internet banking, do you mean that users will have to physically sit down at the box to use it, or do you mean that you want the 2k box to act as your network's gateway to the Internet?
In terms of a secure connection between your users and the bank, banks usually use a private-key encryption scheme called Secure Sockets Layer (SSL). SSL is supported by most browsers; an ssl connection can be identified by the fact that the destination URL will begin with "https" instead of "http".
jumpedintothefire
07-28-2003, 04:24 PM
Have a look at:
http://nocat.net/download/NoCatAuth/
or its newer version:
http://nocat.net/download/NoCatSplash/
I agree about the lack of security of Win98.
The gateway will be running Slackware or OpenBSD. The PC with Win2k will be used as a client's computer.
Well, you could filter the Win2k box's Internet access at the Slack/BSD box, or apply the restrictions via user/group policy on the Win2k box. Of course, neither solution is foolproof if the user you want to restrict has access to the other computers. At that point your best bet would probably be to set up a Windows domain and a PDC; that way you can configure domain-level policies that would apply to each user regardless of the computer they log on to. Of course, at that point you would have to upgrade all of the Win98 boxes, which you should do anyway.
Gertrude
07-29-2003, 06:11 PM
Put the more advanced users on the 2000 and XP machines so you can lock them down so they can't change their IP, gateway, subnet etc.
Have the gateway also function as a DHCP server and set reservations on what MAC addresses get what IP, gateway and whatnot.... Just don't assign a gateway to the computers you don't want to connect, and the fact that they don't have permission to change the gateway should stop 99% of people.
jumpedintothefire
07-29-2003, 09:41 PM
Since you're only allowing 4 machines access to the internet, you could do something like this with just iptables, using the MAC address as the source. Off the top of my head....
iptables -I FORWARD -i $INTIF -o $EXTIF -m mac --mac-source ZZ:XX:HA:SE:R8:60 -j ACCEPT
instead of
iptables -I FORWARD -i $INTIF -o $EXTIF -j ACCEPT
that's common in most scripts, should do it. Repeat as required; you may need to load a module, or rework the rules a bit (...like I said, that was off the top of my head...). I must admit, I use shorewall to do what you want...
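Added example, not code from any poster in this thread: a small gateway script that combines cowanrl's 29-bit idea (only 192.168.1.1-.7 may be forwarded) with jumpedintothefire's MAC match, so that a host must present both the expected source IP and the expected MAC before its traffic is forwarded, and everything else from the LAN is dropped by the FORWARD policy and logged. Interface names (eth0/eth1) and the four IP/MAC pairs are constructed placeholders; on a real gateway they come from your own NICs and ARP table. The script is a dry run by default (it prints the iptables commands); set IPT=iptables when applying it on the gateway.

```shell
#!/bin/sh
# Gateway FORWARD/NAT ruleset for the scenario in this thread (added example).
# Dry-run by default: IPT=echo prints the commands instead of running them.
# On the real gateway run:  IPT=iptables sh gateway-rules.sh
IPT="${IPT:-echo}"

INTIF="eth1"                     # LAN side (assumed interface name)
EXTIF="eth0"                     # Internet side (assumed interface name)
LAN="192.168.1.0/24"
ALLOWED_BLOCK="192.168.1.0/29"   # hosts .1-.7, cowanrl's 29-bit mask

# Constructed sample: the four permitted hosts, pinned to IP *and* MAC.
# Placeholder MACs; real ones come from the gateway's ARP table.
ALLOWED_HOSTS="
192.168.1.1 02:00:00:00:00:01
192.168.1.2 02:00:00:00:00:02
192.168.1.3 02:00:00:00:00:03
192.168.1.4 02:00:00:00:00:04
"

# in_allowed_block IP -> success if IP is inside 192.168.1.0/29 (last octet 1..7)
in_allowed_block() {
    case "$1" in
        192.168.1.*) ;;
        *) return 1 ;;
    esac
    last="${1##*.}"
    [ "$last" -ge 1 ] && [ "$last" -le 7 ]
}

build_rules() {
    # Default deny: a host that sets the gateway by hand still gets nothing.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    $IPT -t nat -F POSTROUTING
    # Replies to permitted connections may come back in.
    $IPT -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # One rule per permitted host; source IP and source MAC must both match.
    # The MAC match only sees frames arriving directly on INTIF, which is
    # exactly the case for a flat LAN like this one.
    echo "$ALLOWED_HOSTS" | while read -r ip mac; do
        [ -n "$ip" ] || continue
        in_allowed_block "$ip" || { echo "refusing $ip: outside $ALLOWED_BLOCK" >&2; continue; }
        $IPT -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$ip" -m mac --mac-source "$mac" -j ACCEPT
    done
    # Log what the policy is about to drop, so machines that were given a
    # gateway address by hand (or spoof one of the pairs badly) show up.
    $IPT -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$LAN" -j LOG --log-prefix "FWD-DENIED: "
    # NAT only for the block that is allowed out.
    $IPT -t nat -A POSTROUTING -o "$EXTIF" -s "$ALLOWED_BLOCK" -j MASQUERADE
}

build_rules
```

Pinning each ACCEPT rule to an IP/MAC pair means a user who only changes their IP address, or only their MAC, still falls through to the DROP policy and appears in the log; a user who copies both from a permitted machine while it is off is the residual risk the thread already mentions, which is why this is an access control for ordinary users, not a substitute for authenticating the person.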