RE: [squid-users] NTLM and transparent/interception confusion

From: Johnson, S <sjohnson_at_edina.k12.mn.us>
Date: Tue, 6 Jan 2009 10:40:02 -0600

That's exactly what I opted for... I configured WPAD which should work
with the majority of browsers out there. And we also authenticate
against the hardware (another LDAP connection) to even connect to the
open wireless.

-----Original Message-----
From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
Sent: Monday, January 05, 2009 10:18 PM
To: Johnson, S
Cc: Kinkie; Guido Serassio; squid-users_at_squid-cache.org
Subject: Re: [squid-users] NTLM and transparent/interception confusion

Johnson, S wrote:
> Keep in mind, group policies cannot always be used as in our
> environment.
>
> We are a K-12 education and are mandated by federal law to monitor and
> protect student access to the internet.
>
> We are now allowing students to bring their own notebooks in on a
trial
> basis (to be permanent after this summer when we work out the bugs) to
> do research on their own computers.
>
> We have to monitor their access to the internet and deny "bad" sites,
> again mandated by federal law. So their authentication mechanism is
> AD/LDAP to their user ID set up for them to access network resources
on
> the network.
>
> Since their computers are not on our domain (nor do we want them to
be),
> we cannot push group policies down to their computer.

In that case your best bet would be to lock down general port-80 access
to them entirely. Using WPAD 'auto-detect' or with students setting
browsers set manually.
That will go a long way toward blocking risky behavior by malware on
mobile devices.

Second best after that would be to setup some helper where they can
authenticate against some other system and the helper permits their
requests past Squid for a time. This provides almost no protection from
malware once the student is browsing a legit session.

Amos

>
> The solution Bluecoat had was very secure, but again their devices are
> about $50,000usd / device. As an education provider, that money is
hard
> to come by especially when we would need 3 devices for the load.
Their
> authentication mechanism is SOX (sarbane oxley) tested and compliant.
> It also works with any computer outbound to the internet. There's no
> proxy configuration to worry about; it's all done at the proxy.
> Granted, I used WCCP to configure this on Bluecoat which allowed me a
> lot of flexibility to add in multiple proxies with ease (and the users
> would never know the difference).
>
> sj
>
> -----Original Message-----
> From: Kinkie [mailto:gkinkie_at_gmail.com]
> Sent: Saturday, January 03, 2009 12:51 PM
> To: Guido Serassio
> Cc: Johnson, S; squid-users_at_squid-cache.org
> Subject: Re: [squid-users] NTLM and transparent/interception confusion
>
> On Sat, Jan 3, 2009 at 11:14 AM, Guido Serassio
> <guido.serassio_at_acmeconsulting.it> wrote:
>> Hi Kinkie,
>>
>> At 18.45 02/01/2009, Kinkie wrote:
>>> Could you try to get a network trace of a successfully authenticated
>>> http transaction?
>>> I would love to see how they do it...
>> Websense too is using something similar for filtering:
>>
>> They maintain an IP Address/Username table on the policy server. The
> table
>> can be populated using different ways:
>> - A logon agent, a little executable running on every client at logon
> time
>> - Direct query to the user workstation
>> - A DC agent that query DCs for user sessions
>> There isn't any kind of web browser authentication, and this solution
> cannot
>> work with non Windows clients or machine non domain member.
>> Multiuser terminal server environments cannot be supported and the WS
> policy
>> server should be Windows based and domain member for full
> functionality.
>
>
> Yuck...
> IIRC Squid's "session" helper can do that too then.
> This is NOT authentication and it's absolutely insecure: even windows
> nowadays supports remote desktops (3 users can share one IP) and SNAT
> ("connection sharing"), and it's pretty easy to hijack an user's
> credentials (simply log on to his workstation as soon as possible
> after he's logged out).
>
> an nmblookup-based external authentication helper could be set up to
> do one of these, but after all what's the point? If the user has a
> proper Windows infrasctructure, it's much easier to use group policies
> to configure the browsers..
>
> Thanks for the clarification Guido!
>

-- 
Please be using
   Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
   Current Beta Squid 3.1.0.3
-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
Received on Tue Jan 06 2009 - 16:40:50 MST

This archive was generated by hypermail 2.2.0 : Tue Jan 06 2009 - 12:00:02 MST