Re: [squid-users] Requirement to restrict one user accessing squid only from one I.P Address.

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 28 Apr 2010 22:20:59 +1200

Vivek Varghese Cherian wrote:
> Hi,
>
> My client has a requirement where he would like to ensure that a user authorized
> to squid should be able to access the internet from only one IP address.
>
> Her requirement is that even if one of her users shares her password
> with a second user, the second should not be able to login except from
> the first user's machine, not even on the second user's machine or any
> other machine in the network for that matter.
>
> The client has around 1000 users in her organization who frequently
> share their user names and password with other users.
>
> Any pointers/urls in this direction would be most welcome. If this
> question has been answered previously in this mailing list, a pointer
> in that direction would suffice.
>
> Thanks in advance.
>
> Regards,

I see you are faced with the major job of dealing with a seriously
dangerous habit amongst your users.

The only real solution is education. The users must be taught not to
share access privileges. This is going to take some work and probably a
fair amount of time as well.

You will need a plan of attack on the problem and support from your
organization's management to make this fully work. The management will
need to make policies prohibiting credentials being shared and outline
some consequences if they are.

A) The easy initial catch is to use a max_user_ip type ACL which detects
multiple IPs using the same credentials.
   A deny_info splash page for that ACL can be used to inform the users
that their offence has been caught and reinforce the organization policies.
   This can be fooled in circumstances where DHCP dynamically assigns
IPs, or NAT hides whole groups of users.

B) As Jeff pointed out, the arp type ACL can go beyond IP address and
detect individual machines' network cards.
   This can fail if the network has any routers between the users and
Squid, and may require an organization-wide proxy-ARP protocol to be
implemented.

C) The other way is to create a database matching user logins to the IP
address the user is assigned. Create an external_acl_type script to take
%LOGIN %SRC parameters and look up the database for a matching pair,
returning OK/ERR about whether the request is allowed or not.
   This can be fooled by NAT, or users setting their IP manually or
relaying requests through a box which does either for them.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.1
Received on Wed Apr 28 2010 - 10:21:16 MDT
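A minimal helper of the kind option C describes, added here as an illustration and not code from the original message or the Squid project: it reads the %LOGIN %SRC pairs Squid hands an external_acl_type helper, checks them against a constructed login-to-IP table, and answers OK or ERR. The table contents, the helper path and the acl names in the commented squid.conf lines are assumptions.

```python
#!/usr/bin/env python3
"""Squid external ACL helper binding each login to one source IP.

Without concurrency=, Squid writes one request per line on stdin with the
fields of the acl format ("%LOGIN %SRC" here) separated by whitespace and
expects exactly one reply line, "OK" or "ERR", per request.

Assumed squid.conf wiring (helper path and acl names are examples):
  external_acl_type user_ip ttl=60 %LOGIN %SRC /usr/local/bin/user_ip_check.py
  acl authed proxy_auth REQUIRED
  acl bound_user external user_ip
  http_access deny !authed
  http_access deny !bound_user
"""
import sys
from urllib.parse import unquote

# Constructed sample table; a real deployment would load the site's own
# login -> assigned-IP database here.
BINDINGS = {
    "alice": "10.0.0.11",
    "bob": "10.0.0.12",
}


def check_pair(login, src, bindings=BINDINGS):
    """True only when login is known and src is that login's assigned IP."""
    return bindings.get(login) == src


def handle_line(line, bindings=BINDINGS):
    """Turn one helper request line into the reply Squid expects."""
    fields = line.split()
    if len(fields) < 2:
        return "ERR"  # malformed request: fail closed
    # Squid may URL-encode field values; decoding is a no-op for plain ones.
    login, src = (unquote(f) for f in fields[:2])
    if login == "-":  # Squid sends "-" when no login is known
        return "ERR"
    return "OK" if check_pair(login, src, bindings) else "ERR"


def main():
    # Flush after every reply: Squid blocks until the answer arrives.
    for raw in sys.stdin:
        sys.stdout.write(handle_line(raw.rstrip("\n")) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Pairing this with a deny_info page for the bound_user acl gives the same "you have been caught" feedback as option A while closing the DHCP-reassignment gap, since the table rather than observed traffic defines which IP a login may use.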
