[squid-users] Re: squid_ldap_auth and passwords in clear text

2008-11-16 Thread Chuck Kollars
>   ... but when watching the protocol analyzer I see ...

IMHO these days Ethernet eavesdropping really isn't much of an issue (despite 
conventional wisdom:-). Much more dangerous are spyware/trojan keyloggers; 
server penetration is another danger.

Eavesdropping on all network traffic from any connection used to be a big 
problem when network hubs repeated all traffic everywhere. Although Ethernet 
has changed hugely, the old paranoia remains. Any modern device is 
a "switch" (not a "hub") and only directs traffic to the one port it's destined 
for, so nobody else can eavesdrop.

Of course even with "switches" you should take some reasonable precautions:
 1) Ensure whatever you do to get your sniffer to work is inaccessible to 
users. 
 2) Keep all network infrastructure physically inaccessible, perhaps by locking 
the wiring closets.
 3) Restrict (password protect and more) and monitor "remote" access to all 
network infrastructure devices. 
 4) Keep all servers (Squid, etc.) physically inaccessible.
 5) Severely restrict (or disallow altogether) "remote" access to all servers 
(ex: only SSH and never as root and only with a public/private key). 
 6) Avoid using those cheap "mini-hubs" (often 5-port) unless you're sure your 
model really functions as a switch despite its name. 

thanks! -Chuck Kollars

[squid-users] Re: squid_ldap_auth and passwords in clear text

2008-11-27 Thread Markus Moeller
You might try squid_kerb_auth which uses Negotiate/Kerberos instead of NTLM 
or Negotiate/NTLM.


Markus

"Matias Chris" <[EMAIL PROTECTED]> wrote in message 
news:[EMAIL PROTECTED]

Henrik,

I have tried LDAP authentication in the past and stopped using it because
of the passwords being sent in clear text. I read about TLS but then I
would need my DC to be a CA and that is not feasible at the moment. So
I'm testing NTLMSSP now, but it is not being very stable and I also read
that it is not recommended for networks with more than 200 users.

Is this the end of the road? Is there any other method I'm missing to
authenticate users against AD? Transparently?

Thanks,

On Tue, Nov 18, 2008 at 6:59 AM, Henrik Nordstrom
<[EMAIL PROTECTED]> wrote:

On fre, 2008-11-14 at 10:31 -0600, Johnson, S wrote:


I just got the squid_ldap_auth working ok on my segment but when
watching the protocol analyzer I see that the auth requests against the
AD are coming in as clear text passwords.  Is there any way we can
encrypt the ldap domain requests?


By AD do you refer to Microsoft AD? In such case use NTLM authentication
instead of LDAP.

You can also TLS encrypt the LDAP communication, but this does not
protect the credentials sent by browsers to Squid, just the
communication squid->LDAP.

Regards
Henrik

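The two legs Henrik distinguishes above, decoded from constructed bytes. This is an added example written for this page, not code from Squid or from anyone in the thread: it builds the LDAP simple BindRequest that a Basic-auth helper such as squid_ldap_auth sends to the directory on port 389, then reads the DN and password straight back out of the BER structure, which is what the protocol analyzer showed. The second function decodes the Proxy-Authorization header the browser sends to Squid, which Basic auth only base64-encodes. The DN, password, message ID and header value are all made up for the example.

```python
"""Added example: what a sniffer sees on both legs of squid_ldap_auth (not Squid code)."""
import base64


def ber_len(n):
    """BER length octets: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    return bytes([tag]) + ber_len(len(value)) + value


def encode_simple_bind(msg_id, bind_dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }.

    Tags: 0x30 SEQUENCE, 0x02 INTEGER, 0x60 [APPLICATION 0] BindRequest,
    0x04 OCTET STRING, 0x80 [0] simple authentication. The password is
    carried as plain octets; without TLS these are the bytes on the wire.
    """
    bind_request = tlv(0x60,
                       tlv(0x02, b"\x03")
                       + tlv(0x04, bind_dn.encode())
                       + tlv(0x80, password.encode()))
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + bind_request)


def read_tlv(buf, pos):
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next (length & 0x7f) bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def extract_bind_credentials(packet):
    """Pull (bind DN, password) out of a captured LDAP simple bind, as a sniffer would."""
    tag, message, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _msg_id, pos = read_tlv(message, 0)
    tag, op, _ = read_tlv(message, pos)
    if tag != 0x60:
        return None                         # some other operation, not a BindRequest
    _, _version, pos = read_tlv(op, 0)
    _, name, pos = read_tlv(op, pos)
    tag, cred, _ = read_tlv(op, pos)
    if tag != 0x80:
        return name.decode(), None          # SASL bind, no clear password field
    return name.decode(), cred.decode()


def decode_proxy_authorization(header_line):
    """Recover user and password from a Basic Proxy-Authorization header (base64 only)."""
    _, _, value = header_line.partition(":")
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


# Constructed sample traffic for the example; nothing here came from a real capture.
SAMPLE_DN = "CN=alice,OU=Users,DC=example,DC=com"
SAMPLE_PASSWORD = "Secret123"
SAMPLE_BIND = encode_simple_bind(1, SAMPLE_DN, SAMPLE_PASSWORD)       # squid -> LDAP leg
SAMPLE_HEADER = "Proxy-Authorization: Basic YWxpY2U6U2VjcmV0MTIz"     # browser -> squid leg

if __name__ == "__main__":
    print("LDAP bind on the wire:", SAMPLE_BIND.hex())
    print("recovered from LDAP leg:", extract_bind_credentials(SAMPLE_BIND))
    print("recovered from HTTP leg:", decode_proxy_authorization(SAMPLE_HEADER))
```

Both functions recover the same password from their respective leg, which is the practical content of Henrik's remark: enabling TLS on the helper's LDAP connection (squid_ldap_auth's -Z option, or an ldaps:// URI where the helper supports one) removes the bind from view, but the Basic credential between browser and Squid is still just base64 and needs its own protection or a different scheme.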


RE: [squid-users] Re: squid_ldap_auth and passwords in clear text

2008-11-16 Thread Adam Carter
> IMHO these days Ethernet eavesdropping really isn't much of
> an issue (despite conventional wisdom:-). Much more dangerous
> are spyware/trojan keyloggers; server penetration is another danger.
>
> Eavesdropping on all network traffic from any connection used
> to be a big problem when network hubs repeated all traffic
> everywhere. Although Ethernet has changed hugely, the old
> paranoia remains. Any modern device is
> a "switch" (not a "hub") and only directs traffic to the one
> port it's destined for, so nobody else can eavesdrop.

Wrong. (Unless you run Cisco with DHCP snooping with Dynamic ARP Inspection, or 
similar)

These will allow you to sniff on switches:
http://ettercap.sourceforge.net/
http://www.monkey.org/~dugsong/dsniff/


Re: [squid-users] Re: squid_ldap_auth and passwords in clear text

2008-11-18 Thread Henrik Nordstrom
On sön, 2008-11-16 at 10:48 -0800, Chuck Kollars wrote:

> Eavesdropping on all network traffic from any connection used to be a big 
> problem when network hubs repeated all traffic everywhere. Although Ethernet 
> has changed hugely, the old paranoia remains. Any modern device is 
> a "switch" (not a "hub") and only directs traffic to the one port it's 
> destined for, so nobody else can eavesdrop.

It's usually almost as easy to eavesdrop on selected traffic in a
switched environment, only requires some small amount of extra
preparation to get the traffic flowing in your direction.

> Of course even with "switches" you should take some reasonable precautions:
>  1) Ensure whatever you do to get your sniffer to work is inaccessible to 
> users. 

Usually the steps taken by a network admin to run a sniffer are very
different from an attacker's. A serious network admin uses a dedicated
station for the purpose, connected to a mirror port on the switch; an
attacker uses a compromised station or server (or, in very rare cases of
physical access, plugs his own gear into a free or borrowed network socket).

>  2) Keep all network infrastructure physically inaccessible, perhaps by 
> locking the wiring closets.

Doesn't help when there is a compromised station on the network, unless
you both configure the switch to lock ports to MAC addresses and enable
smart ARP filtering.

>  3) Restrict (password protect and more) and monitor "remote" access to all 
> network infrastructure devices. 

As above.

>  4) Keep all servers (Squid, etc.) physically inaccessible.

As above.

>  5) Severely restrict (or disallow altogether) "remote" access to all servers 
> (ex: only SSH and never as root and only with a public/private key). 

Agreed.

>  6) Avoid using those cheap "mini-hubs" (often 5-port) unless you're sure 
> your model really function as switches despite their name. 

Not sure it's very relevant.. and most do function as switches despite
their price.. but just don't expect to be able to push a full matrix of
traffic over them...

Regards
Henrik


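Adam's and Henrik's point that a switch alone does not stop eavesdropping, together with Henrik's remedy of MAC-locked ports plus ARP filtering, as an added example (mine, not anything posted in the thread and not part of Squid): a minimal ARP inspector run over constructed frames. It parses the ARP payload, checks the sender's IP-to-MAC claim against a trusted binding table (what DHCP snooping gives Dynamic ARP Inspection), and without such a table falls back to remembering the first mapping seen and flagging later flips, the way arpwatch does. All addresses, switch ports and the frame sequence are made up for the example.

```python
"""Added example: ARP inspection over constructed frames (not Squid code)."""
import struct

ARP_FMT = "!HHBBH6s4s6s4s"      # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ARP_REQUEST, ARP_REPLY = 1, 2
ZERO_MAC = "00:00:00:00:00:00"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def build_arp(op, sha, spa, tha, tpa):
    """Build the 28-byte ARP payload that follows the Ethernet header."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))


def parse_arp(payload):
    """Decode an Ethernet/IPv4 ARP payload into printable fields."""
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")

    def fmt_mac(b):
        return ":".join(f"{x:02x}" for x in b)

    def fmt_ip(b):
        return ".".join(str(x) for x in b)

    return {"op": op, "sha": fmt_mac(sha), "spa": fmt_ip(spa),
            "tha": fmt_mac(tha), "tpa": fmt_ip(tpa)}


class ArpInspector:
    """Judge the sender IP->MAC claim in every ARP packet (requests carry one too).

    bindings: trusted ip -> mac table, the DHCP-snooping input to Dynamic ARP
    Inspection. Any claim that contradicts a binding is dropped. For IPs with no
    binding the inspector only remembers the first mapping it sees and reports
    a later, different MAC for the same IP (arpwatch-style flip detection).
    """

    def __init__(self, bindings=None):
        self.bindings = dict(bindings or {})
        self.learned = {}       # ip -> (mac, port), learned from traffic
        self.alerts = []

    def inspect(self, port, payload):
        arp = parse_arp(payload)
        ip, mac = arp["spa"], arp["sha"]
        if ip in self.bindings:
            if self.bindings[ip] != mac:
                self.alerts.append(f"port {port}: {mac} claims {ip}, binding says {self.bindings[ip]}")
                return "drop"
            return "permit"
        prev_mac, prev_port = self.learned.setdefault(ip, (mac, port))
        if prev_mac != mac:
            self.alerts.append(f"port {port}: {ip} flipped {prev_mac} (port {prev_port}) -> {mac}")
            return "drop"
        return "permit"


# Constructed scenario: gateway .1 on port 1, Squid box .10 on port 2, a client .20,
# and a compromised station .77 on port 7 that starts answering for the other two.
GATEWAY_MAC, SQUID_MAC, CLIENT_MAC, ATTACKER_MAC = (
    "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:10", "aa:bb:cc:00:00:20", "de:ad:be:ef:00:77")
SCENARIO = [
    (1, build_arp(ARP_REPLY, GATEWAY_MAC, "192.168.1.1", CLIENT_MAC, "192.168.1.20")),
    (2, build_arp(ARP_REPLY, SQUID_MAC, "192.168.1.10", CLIENT_MAC, "192.168.1.20")),
    (7, build_arp(ARP_REQUEST, ATTACKER_MAC, "192.168.1.77", ZERO_MAC, "192.168.1.1")),  # legitimate
    (7, build_arp(ARP_REPLY, ATTACKER_MAC, "192.168.1.1", CLIENT_MAC, "192.168.1.20")),   # "gateway is at me"
    (7, build_arp(ARP_REPLY, ATTACKER_MAC, "192.168.1.10", CLIENT_MAC, "192.168.1.20")),  # "squid is at me"
]
TRUSTED = {"192.168.1.1": GATEWAY_MAC, "192.168.1.10": SQUID_MAC}   # as DHCP snooping would record


def run(bindings=None, frames=SCENARIO):
    """Return (verdict per frame, alerts) for the given binding table and frame order."""
    inspector = ArpInspector(bindings)
    verdicts = [inspector.inspect(port, payload) for port, payload in frames]
    return verdicts, inspector.alerts


if __name__ == "__main__":
    for label, table in (("with bindings", TRUSTED), ("learning only", None)):
        verdicts, alerts = run(table, list(reversed(SCENARIO)))
        print(label, verdicts, alerts)
```

Run in the order listed, both modes drop the two poisoned replies. Run with the frames reversed (the poison arrives before the legitimate owners have spoken), the learning-only inspector trusts the attacker and then drops the real gateway and Squid server, while the binding table still gets it right. That ordering problem is why the lock-ports-to-MAC-and-filter-ARP advice in the thread rests on a trusted source of bindings rather than on what the switch happens to see first.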