Dealing with Public Ethernet Jacks:
Switches, Gateways, and Authentication

Bob Beck
beck@bofh.ucs.ualberta.ca
University of Alberta
Nov 5, 1999

The Problem: Public Ethernet Jacks.

- Public access points to our campus network: insecure PC (Windows and Macintosh) labs as well as public Ethernet jacks for laptops.
  - People off the street walk in, then use/abuse.
  - Students may use the labs to cause mischief on or off campus.
- In the past, to prevent abuse, labs weren't routed off our campus (Internet use by proxy only). Still a source of attacks on campus.
- More and more demand for mobile plug-in type access, and other protocols we didn't want to proxy. We needed a better solution.

What Did We Want?

The same level of control we have with our student access UNIX systems.

- We already make use of Kerberos (we have about 50,000 User IDs).
- Needed a solution to work both with public plug-in access and labs of insecure PCs (win95, win98, Mac).
- Wanted something to integrate with the Kerberos IDs we already give out to all students and staff.
- Must prevent unauthorized net usage.
- Must ensure authorized usage can be easily tracked.
- Must be relatively secure and attack resistant.

What We Looked At.

- Windows NT
- Nontransparent Proxies (FWTK etc.)
- Commercial firewall products
- DHCP registration systems

We found nothing that did what we wanted at a price we could afford.

What We Did.

- An authenticating gateway, which when placed in front of a lab forces the user to authenticate before allowing access from their IP address.
- Once authenticated, everything is allowed (although much is logged). To do this we wrote some custom software for our gateways.
- We ensure our gateways are configured to avoid problems with IP spoofing.
- We use only switched networks with the switches configured appropriately to prevent sniffing and hijacking.

The Switches.

- Our system authenticates a user based on their source IP address.
- To do this in a reasonable manner, we needed a network which was not vulnerable to spoofing or hijacking attempts.
  - MAC-lock switches where possible.
  - Where not possible, ensure they do not broadcast unknown traffic.
- Ensure nothing in the lab can talk to the switch.
- Goal: ensure nobody can see anyone else's session.

The Gateways

- Our gateways are built using OpenBSD (version 2.5).
- The gateways by default block all outgoing traffic from the labs using packet filters (ipf).
- Our gateways allow a user to connect and authenticate using their Kerberos ID and password.
- On successful authentication the gateway adds rules to allow out all traffic (and log some of it).
- As soon as the authenticating session disconnects, the filter rules added above are removed.

authipf - Our Program For Filter Rules

- Users connect to gateway with telnet (Why telnet? Because they all have it and can use it!)
- User authenticates with login, login runs authipf, a program which adds filter rules when started, removes when done.
- TCP KEEPALIVE values tuned to ensure that unresponsive sessions go away in under a minute.
- authipf logs to syslog when users authenticate, and when they disconnect. It also puts in rules to log tcp sessions.

Security and Configuration Issues

- To reiterate, switches must be configured properly to avoid traffic snooping and hijacking.
  - MAC lock each port or...
  - Turn off unknown unicast flooding.
- We periodically review switch configs to ensure we haven't made mistakes.
- Our switches deal with traffic at the MAC level, yet we authenticate based on IP address - this means that there is a potential problem...

IP spoofing

- An attacker can fake an ARP reply, or just try to use an IP address from the lab to get an IP address that is in use in the lab and already authenticated.
- We react to this possibility by having the gateway watch for the occurrence of such events. ARP changes are logged by OpenBSD.
- When we see an ARP table change, we use swatch to ensure that if there is a running authipf process for that address, it gets killed.
- This ensures that if an IP address is taken over, it is no longer authenticated, and must reauthenticate.
- We also get notified when this happens.

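The session lifecycle described under "The Gateways" and the ARP-change revocation described under "IP spoofing", as an added example that is not authipf or the swatch configuration from the talk. It is a toy model in Python: the `Gateway` class, the hostname `labgw`, the interface, the addresses and the exact syslog wording are assumptions made for illustration.

```python
import re

# Kernel ARP-change message as it would appear in syslog. The wording follows
# the BSD "arp info overwritten" message; the exact format on a given release
# is an assumption here, so adjust the pattern to the gateway's real logs.
ARP_CHANGE = re.compile(
    r"arp info overwritten for (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"by (?P<mac>[0-9a-f]{2}(?::[0-9a-f]{2}){5})",
    re.IGNORECASE,
)

# Constructed sample log lines (hostname, interface and addresses are made up).
SAMPLE_SYSLOG = [
    "Nov  5 10:14:02 labgw /bsd: arp info overwritten for 10.1.2.15 by 00:a0:c9:11:22:33 on fxp0",
    "Nov  5 10:14:09 labgw /bsd: arp info overwritten for 10.1.2.99 by 00:a0:c9:44:55:66 on fxp0",
    "Nov  5 10:15:00 labgw telnetd[412]: connect from 10.1.2.31",
]


class Gateway:
    """Toy model of the gateway: default deny, one allow entry per login."""

    def __init__(self):
        self.sessions = {}  # source IP -> user; stands in for the added filter rules
        self.audit = []     # stands in for the syslog records written per session

    def login(self, user, ip):
        # Successful authentication: traffic from this source IP is allowed.
        self.sessions[ip] = user
        self.audit.append(f"allow {ip} user={user}")

    def disconnect(self, ip, reason="session closed"):
        # End of the authenticating session: the allow entry is removed.
        user = self.sessions.pop(ip, None)
        if user is not None:
            self.audit.append(f"remove {ip} user={user} reason={reason}")
        return user

    def permits(self, src_ip):
        # Anything without a live session falls through to the default block.
        return src_ip in self.sessions

    def on_syslog(self, line):
        """Revoke the session behind an IP whose ARP entry changed.

        Returns an alert string for the operators, or None if the line is
        unrelated or the address had no authenticated session.
        """
        m = ARP_CHANGE.search(line)
        if m is None:
            return None
        ip, mac = m["ip"], m["mac"].lower()
        user = self.disconnect(ip, reason=f"arp change to {mac}")
        if user is None:
            return None
        return f"revoked {user}@{ip}: hardware address changed to {mac}"


def replay(lines):
    """Run the constructed scenario and return (gateway, alerts)."""
    gw = Gateway()
    gw.login("jdoe", "10.1.2.15")
    gw.login("asmith", "10.1.2.20")
    alerts = [a for a in map(gw.on_syslog, lines) if a]
    return gw, alerts


if __name__ == "__main__":
    gw, alerts = replay(SAMPLE_SYSLOG)
    for a in alerts:
        print(a)
    print("10.1.2.15 permitted:", gw.permits("10.1.2.15"))
    print("10.1.2.20 permitted:", gw.permits("10.1.2.20"))
```

The second sample line shows why the check is keyed on live sessions: an ARP change for an address nobody has authenticated from needs no revocation, because that address is already blocked by default.
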
Other Issues

- Students can walk away.
  - We deal with this in our traditional way of dealing with the "Oh gee, you left yourself logged on" cases.
- Users must know how to telnet to the gateway and authenticate. We put big posters everywhere, and icons on the desktops in the labs of machines.
- This does not address the (in)security of the client machines due to what is running on them.
  - The laptop is the user's problem.
  - Labs of machines reload an image regularly on boot to minimize trojan/virus exposure (and warn users in big letters).

Other Nice Stuff

- Gateway intercepts IDENT (RFC 1413) requests aimed at inside hosts and answers them with the authenticated user.
- We intercept and proxy IMAP and SMTP outbound to our main central servers, which use the same id and passwords. These proxies then substitute in the username/password for those connections with the one used to authenticate.
- We don't regularly proxy http on the gateways, but have the capability to do it when tracking problems (at our site we watch http requests elsewhere).

Well, Does it work?

- Deployed in front of student residences and over 30 labs and laptop areas at University of Alberta. More all the time.
- Students rapidly became used to how it works. Very little user training necessary.
- Other on-campus departments now less fearful of connections from public labs (some used to block them entirely!)
- No more off-street people showing up to abuse labs (it's not interesting if they have no Internet connection). Places without this installed are now requesting it.
- Time to identify the user responsible for harassing e-mail from these locations via hotmail is down to about 60 seconds (other stuff quick to find too). This saves *lots* of work.

Possible Future Enhancements

- ssh
- netbios
- More proxies
- Support for more/different authentication mechanisms (YP, LDAP, etc.)

Dealing with Public Ethernet Jacks:
Switches, Gateways, and Authentication

- ftp://sunsite.ualberta.ca/pub/Local/People/beck/authipf
- http://www.ualberta.ca/beck/lisa99.ps

Bob Beck
beck@bofh.ucs.ualberta.ca
University of Alberta