RE: [squid-users] NTLM and transparent/interception confusion

2009-01-06 Thread Johnson, S
That's exactly what I opted for...  I configured WPAD which should work
with the majority of browsers out there.  And we also authenticate
against the hardware (another LDAP connection) to even connect to the
open wireless.

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: Monday, January 05, 2009 10:18 PM
To: Johnson, S
Cc: Kinkie; Guido Serassio; squid-users@squid-cache.org
Subject: Re: [squid-users] NTLM and transparent/interception confusion

Johnson, S wrote:
 Keep in mind, group policies cannot always be used as in our
 environment.
 
 We are a K-12 education and are mandated by federal law to monitor and
 protect student access to the internet.
 
 We are now allowing students to bring their own notebooks in on a trial
 basis (to be permanent after this summer when we work out the bugs) to
 do research on their own computers.
 
 We have to monitor their access to the internet and deny bad sites,
 again mandated by federal law.  So their authentication mechanism is
 AD/LDAP to their user ID set up for them to access network resources on
 the network.
 
 Since their computers are not on our domain (nor do we want them to be),
 we cannot push group policies down to their computer.

In that case your best bet would be to lock down general port-80 access 
to them entirely, using WPAD 'auto-detect' or with students setting 
their browsers manually.
That will go a long way toward blocking risky behavior by malware on 
mobile devices.

Second best after that would be to setup some helper where they can 
authenticate against some other system and the helper permits their 
requests past Squid for a time. This provides almost no protection from 
malware once the student is browsing a legit session.

Amos

 
 The solution Bluecoat had was very secure, but again their devices are
 about $50,000usd / device.  As an education provider, that money is hard
 to come by especially when we would need 3 devices for the load.  Their
 authentication mechanism is SOX (Sarbanes-Oxley) tested and compliant.
 It also works with any computer outbound to the internet.  There's no
 proxy configuration to worry about; it's all done at the proxy.
 Granted, I used WCCP to configure this on Bluecoat which allowed me a
 lot of flexibility to add in multiple proxies with ease (and the users
 would never know the difference).
 
 sj
 
 -Original Message-
 From: Kinkie [mailto:gkin...@gmail.com] 
 Sent: Saturday, January 03, 2009 12:51 PM
 To: Guido Serassio
 Cc: Johnson, S; squid-users@squid-cache.org
 Subject: Re: [squid-users] NTLM and transparent/interception confusion
 
 On Sat, Jan 3, 2009 at 11:14 AM, Guido Serassio
 guido.seras...@acmeconsulting.it wrote:
 Hi Kinkie,

 At 18.45 02/01/2009, Kinkie wrote:
 Could you try to get a network trace of a successfully authenticated
 http transaction?
 I would love to see how they do it...
 Websense too is using something similar for filtering:

 They maintain an IP Address/Username table on the policy server. The
 table can be populated using different ways:
 - A logon agent, a little executable running on every client at logon
 time
 - Direct query to the user workstation
 - A DC agent that queries DCs for user sessions
 There isn't any kind of web browser authentication, and this solution
 cannot work with non-Windows clients or machines that are not domain
 members.
 Multiuser terminal server environments cannot be supported and the WS
 policy server should be Windows based and a domain member for full
 functionality.
 
 
 Yuck...
 IIRC Squid's session helper can do that too then.
 This is NOT authentication and it's absolutely insecure: even Windows
 nowadays supports remote desktops (3 users can share one IP) and SNAT
 (connection sharing), and it's pretty easy to hijack a user's
 credentials (simply log on to his workstation as soon as possible
 after he's logged out).
 
 An nmblookup-based external authentication helper could be set up to
 do one of these, but after all what's the point? If the user has a
 proper Windows infrastructure, it's much easier to use group policies
 to configure the browsers.
 
 Thanks for the clarification Guido!
 


-- 
Please be using
   Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
   Current Beta Squid 3.1.0.3

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



RE: [squid-users] NTLM and transparent/interception confusion

2009-01-06 Thread Chuck Kollars
  ... We are a K-12 education and are mandated by federal law to 
 monitor and protect student access to the internet. ...  We are 
 now allowing students to bring their own notebooks ...

Yep, yet another instance of the classic problem filter 'the net' rather than 
individual computers. (Same thing comes up with iPhones and with wireless.) By 
requiring NTLM authentication against your own domain, you're requiring users 
to use your names and passwords even if they use their own computer; that gets 
you part way. The remaining issue is how to avoid the dreaded dead end 
browser that won't do anything until its proxy options are changed but can't 
even display the directions for changing those options. 

One possible solution is to put a webserver on port 80 that gives detailed 
instructions on how to set the proxy options in all the various browsers. 
Reconfigured browsers will access the filter on a special port (3128? 8080?) 
which works withOUT the problematic transparent/intercepting and withOUT any 
IPtables rules for the filter. No matter what newly arrived browsers try to 
view, they'll just see your page of instructions. 

The biggest problem here may be that K-12 includes some very young kids. 
Hopefully any young kid that brings their own computer from home can deal with 
this stuff. (Definitely no problem beyond about third grade - kids are geeks.) 
Use lots of screenshots and train the teachers.  

Making this network billboard idea work requires a couple of things:
1) use iptables to redirect all the port 80 traffic to port 80 (!?) - the net 
effect is the IP address of the desired website will be replaced with the IP 
address of your own server
2) use an .htaccess file with an ErrorDocument 404 ... in it so all browsers 
get to your page of instructions no matter what page they originally desired

See http://contentfilter.futuragts.com/wiki/doku.php?id=network_billboard for 
details.

thanks! -Chuck Kollars
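Both Johnson's WPAD deployment (his reply above) and Chuck's "reconfigured browsers will access the filter on a special port" rest on the same artifact: a proxy auto-config (PAC) script that the browser fetches, via WPAD as http://wpad.<your-domain>/wpad.dat or from a manually entered URL, and evaluates for every request. The script below is an added example, not anything posted in this thread or shipped by Squid. The proxy hostnames, the `.example.k12.invalid` domain and port 3128 are assumed placeholders; `isPlainHostName`, `dnsDomainIs` and `shExpMatch` are the standard PAC helper names, which every browser supplies natively.

```javascript
// Added example (not from the thread): a PAC script for the
// bring-your-own-notebook network discussed above. Browsers fetch it through
// WPAD (or a manually entered URL) and call FindProxyForURL() per request.
// All hostnames below are constructed placeholders.

// Two filtering proxies; the browser tries the second if the first is down,
// so adding a proxy means editing this one file, not every notebook.
// Deliberately no trailing "; DIRECT": that tail would let every browser
// silently bypass the filter as soon as both proxies are unreachable.
var FILTER_PROXIES =
  "PROXY proxy1.example.k12.invalid:3128; PROXY proxy2.example.k12.invalid:3128";

// Internal domain whose web servers should not depend on the filter.
var INTERNAL_DOMAIN = ".example.k12.invalid";

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Bare hostnames ("intranet", "printer1") only resolve on the LAN.
  if (isPlainHostName(host)) {
    return "DIRECT";
  }
  // Internal web apps and zeroconf (.local) names stay direct. The border
  // firewall still blocks direct port 80 to the internet, so this is not a
  // hole in the filter, just less load on it.
  if (dnsDomainIs(host, INTERNAL_DOMAIN) || shExpMatch(host, "*.local")) {
    return "DIRECT";
  }
  // Everything else, whatever the scheme, goes through the filter, so the
  // same access rules apply to http, https and ftp requests.
  return FILTER_PROXIES;
}

// Browsers provide the three helpers below natively in the PAC sandbox.
// The definitions here mirror that behaviour so the file also runs under
// Node for testing; inside a browser they are equivalent shadows.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  // Anchored suffix match: "portal.example.k12.invalid.example.net"
  // must NOT count as internal.
  return host.length > domain.length &&
    host.substr(host.length - domain.length) === domain;
}

function shExpMatch(str, shexp) {
  // Shell-style glob: "*" matches any run, "?" one character, "." is literal.
  var re = "^" + shexp
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}
```

Serve the file with the MIME type `application/x-ns-proxy-autoconfig`; the DIRECT exceptions are a convenience, and the firewall rule that drops direct port-80 traffic from the student VLAN is what actually enforces the filter, exactly as Amos describes.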
 


  


RE: [squid-users] NTLM and transparent/interception confusion

2009-01-05 Thread Johnson, S
Keep in mind, group policies cannot always be used as in our
environment.

We are a K-12 education and are mandated by federal law to monitor and
protect student access to the internet.

We are now allowing students to bring their own notebooks in on a trial
basis (to be permanent after this summer when we work out the bugs) to
do research on their own computers.

We have to monitor their access to the internet and deny bad sites,
again mandated by federal law.  So their authentication mechanism is
AD/LDAP to their user ID set up for them to access network resources on
the network.

Since their computers are not on our domain (nor do we want them to be),
we cannot push group policies down to their computer.

The solution Bluecoat had was very secure, but again their devices are
about $50,000usd / device.  As an education provider, that money is hard
to come by especially when we would need 3 devices for the load.  Their
authentication mechanism is SOX (Sarbanes-Oxley) tested and compliant.
It also works with any computer outbound to the internet.  There's no
proxy configuration to worry about; it's all done at the proxy.
Granted, I used WCCP to configure this on Bluecoat which allowed me a
lot of flexibility to add in multiple proxies with ease (and the users
would never know the difference).

sj

-Original Message-
From: Kinkie [mailto:gkin...@gmail.com] 
Sent: Saturday, January 03, 2009 12:51 PM
To: Guido Serassio
Cc: Johnson, S; squid-users@squid-cache.org
Subject: Re: [squid-users] NTLM and transparent/interception confusion

On Sat, Jan 3, 2009 at 11:14 AM, Guido Serassio
guido.seras...@acmeconsulting.it wrote:
 Hi Kinkie,

 At 18.45 02/01/2009, Kinkie wrote:

 Could you try to get a network trace of a successfully authenticated
 http transaction?
 I would love to see how they do it...

 Websense too is using something similar for filtering:

 They maintain an IP Address/Username table on the policy server. The
 table can be populated using different ways:
 - A logon agent, a little executable running on every client at logon
 time
 - Direct query to the user workstation
 - A DC agent that queries DCs for user sessions
 There isn't any kind of web browser authentication, and this solution
 cannot work with non-Windows clients or machines that are not domain
 members.
 Multiuser terminal server environments cannot be supported and the WS
 policy server should be Windows based and a domain member for full
 functionality.


Yuck...
IIRC Squid's session helper can do that too then.
This is NOT authentication and it's absolutely insecure: even Windows
nowadays supports remote desktops (3 users can share one IP) and SNAT
(connection sharing), and it's pretty easy to hijack a user's
credentials (simply log on to his workstation as soon as possible
after he's logged out).

An nmblookup-based external authentication helper could be set up to
do one of these, but after all what's the point? If the user has a
proper Windows infrastructure, it's much easier to use group policies
to configure the browsers.

Thanks for the clarification Guido!

-- 
/kinkie




Re: [squid-users] NTLM and transparent/interception confusion

2009-01-05 Thread Amos Jeffries

Johnson, S wrote:

Keep in mind, group policies cannot always be used as in our
environment.

We are a K-12 education and are mandated by federal law to monitor and
protect student access to the internet.

We are now allowing students to bring their own notebooks in on a trial
basis (to be permanent after this summer when we work out the bugs) to
do research on their own computers.

We have to monitor their access to the internet and deny bad sites,
again mandated by federal law.  So their authentication mechanism is
AD/LDAP to their user ID set up for them to access network resources on
the network.

Since their computers are not on our domain (nor do we want them to be),
we cannot push group policies down to their computer.


In that case your best bet would be to lock down general port-80 access 
to them entirely. Using WPAD 'auto-detect' or with students setting 
browsers set manually.
That will go a long way toward blocking risky behavior by malware on 
mobile devices.


Second best after that would be to setup some helper where they can 
authenticate against some other system and the helper permits their 
requests past Squid for a time. This provides almost no protection from 
malware once the student is browsing a legit session.


Amos



The solution Bluecoat had was very secure, but again their devices are
about $50,000usd / device.  As an education provider, that money is hard
to come by especially when we would need 3 devices for the load.  Their
authentication mechanism is SOX (Sarbanes-Oxley) tested and compliant.
It also works with any computer outbound to the internet.  There's no
proxy configuration to worry about; it's all done at the proxy.
Granted, I used WCCP to configure this on Bluecoat which allowed me a
lot of flexibility to add in multiple proxies with ease (and the users
would never know the difference).

sj

-Original Message-
From: Kinkie [mailto:gkin...@gmail.com] 
Sent: Saturday, January 03, 2009 12:51 PM

To: Guido Serassio
Cc: Johnson, S; squid-users@squid-cache.org
Subject: Re: [squid-users] NTLM and transparent/interception confusion

On Sat, Jan 3, 2009 at 11:14 AM, Guido Serassio
guido.seras...@acmeconsulting.it wrote:

Hi Kinkie,

At 18.45 02/01/2009, Kinkie wrote:

Could you try to get a network trace of a successfully authenticated
http transaction?
I would love to see how they do it...

Websense too is using something similar for filtering:

They maintain an IP Address/Username table on the policy server. The
table can be populated using different ways:
- A logon agent, a little executable running on every client at logon
time
- Direct query to the user workstation
- A DC agent that queries DCs for user sessions
There isn't any kind of web browser authentication, and this solution
cannot work with non-Windows clients or machines that are not domain
members.
Multiuser terminal server environments cannot be supported and the WS
policy server should be Windows based and a domain member for full
functionality.


Yuck...
IIRC Squid's session helper can do that too then.
This is NOT authentication and it's absolutely insecure: even Windows
nowadays supports remote desktops (3 users can share one IP) and SNAT
(connection sharing), and it's pretty easy to hijack a user's
credentials (simply log on to his workstation as soon as possible
after he's logged out).

An nmblookup-based external authentication helper could be set up to
do one of these, but after all what's the point? If the user has a
proper Windows infrastructure, it's much easier to use group policies
to configure the browsers.

Thanks for the clarification Guido!






Re: [squid-users] NTLM and transparent/interception confusion

2009-01-03 Thread Guido Serassio

Hi Kinkie,

At 18.45 02/01/2009, Kinkie wrote:

Could you try to get a network trace of a successfully authenticated
http transaction?
I would love to see how they do it...


Websense too is using something similar for filtering:

They maintain an IP Address/Username table on the policy server. The 
table can be populated using different ways:

- A logon agent, a little executable running on every client at logon time
- Direct query to the user workstation
- A DC agent that queries DCs for user sessions

There isn't any kind of web browser authentication, and this solution 
cannot work with non-Windows clients or machines that are not domain members.
Multiuser terminal server environments cannot be supported and the WS 
policy server should be Windows based and a domain member for full functionality.


Regards

Guido


Thanks!

On 1/2/09, Johnson, S sjohn...@edina.k12.mn.us wrote:
 That's too bad...  I've set up numerous Bluecoat proxies and they do
 have this capability.  But of course, you're paying about $50k usd /
 box.

 -Original Message-
 From: Guido Serassio [mailto:guido.seras...@acmeconsulting.it]
 Sent: Thursday, January 01, 2009 4:00 AM
 To: Johnson, S; squid-users@squid-cache.org
 Subject: Re: [squid-users] NTLM and transparent/interception confusion

 Hi,

 At 20.06 31/12/2008, Johnson, S wrote:
I've been doing a lot of reading on this...  I've got the proxy working
in either of these two modes:
1) As a browser configuration proxy
2) with http_port 3128 transparent, in redirected mode

I've got NTLM authentication working just fine with #1 above.  However,
with #2 I never get a password prompt.  I don't really care about
transparency; I just want to authenticate users that are outbound
without having to configure their browser.

I asked this question a couple of months back and there are people
stating that they are doing the authentication with transparent mode.
Some of the references I've found in my searches also seem to
corroborate the possibility of this working (but it's not working for
me).  However, in the documentation it seems that this should not be
possible.  Am I barking up the wrong tree or is this truly possible?

 You cannot.

 You are mixing two very different and incompatible things:

 - Transparent/intercepting proxy
 - NTLM transparent (silent) authentication, also known as Windows
 integrated authentication
 http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#head-e56904dd4dfe0e21e5c2903473c473d401533ac7

 Regards and happy New Year

 Guido









--
/kinkie



-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: guido.seras...@acmeconsulting.it
WWW: http://www.acmeconsulting.it/



Re: [squid-users] NTLM and transparent/interception confusion

2009-01-03 Thread Kinkie
On Sat, Jan 3, 2009 at 11:14 AM, Guido Serassio
guido.seras...@acmeconsulting.it wrote:
 Hi Kinkie,

 At 18.45 02/01/2009, Kinkie wrote:

 Could you try to get a network trace of a successfully authenticated
 http transaction?
 I would love to see how they do it...

 Websense too is using something similar for filtering:

 They maintain an IP Address/Username table on the policy server. The table
 can be populated using different ways:
 - A logon agent, a little executable running on every client at logon time
 - Direct query to the user workstation
 - A DC agent that queries DCs for user sessions
 There isn't any kind of web browser authentication, and this solution cannot
 work with non-Windows clients or machines that are not domain members.
 Multiuser terminal server environments cannot be supported and the WS policy
 server should be Windows based and a domain member for full functionality.


Yuck...
IIRC Squid's session helper can do that too then.
This is NOT authentication and it's absolutely insecure: even Windows
nowadays supports remote desktops (3 users can share one IP) and SNAT
(connection sharing), and it's pretty easy to hijack a user's
credentials (simply log on to his workstation as soon as possible
after he's logged out).

An nmblookup-based external authentication helper could be set up to
do one of these, but after all what's the point? If the user has a
proper Windows infrastructure, it's much easier to use group policies
to configure the browsers.

Thanks for the clarification Guido!

-- 
/kinkie
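Amos's "second best" option (a helper that lets authenticated clients past Squid for a time) and the IP-address/username table Guido and Kinkie discuss are the same mechanism seen from two sides, and Kinkie's objections (several users behind one address via terminal services or SNAT; the next person at a workstation inheriting a stale mapping) are design requirements for any such helper. The script below is an added example, not the thread's or Squid's code: a minimal Squid external ACL helper that maps a client address to a logged-on user, refuses when the address is ambiguous, and revokes on logoff instead of waiting for a timeout. It assumes Squid is configured with an `external_acl_type` line passing `%SRC` and no helper concurrency (assumed wiring; check the docs for your Squid version), and the logon table is constructed sample data that a deployment would feed from a logon agent, DC events or a captive portal.

```javascript
// Added example, not the thread's or Squid's code: a Squid external ACL
// helper mapping client address -> logged-on user, in the spirit of the
// "session helper" discussed above. Assumed wiring in squid.conf:
//   external_acl_type ipuser ttl=60 %SRC /path/to/ipuser-helper.js --serve
// Squid sends one client address per line and expects "OK" or "ERR" back.
// The logon table is constructed sample data.

const SESSION_TTL_MS = 8 * 60 * 60 * 1000; // assumed: roughly a school day

// table: Map<ip, Map<user, lastLogonMs>>
function recordLogon(table, ip, user, now) {
  if (!table.has(ip)) table.set(ip, new Map());
  table.get(ip).set(user, now);
}

// Logoff removes the mapping immediately. Leaving it to expire on TTL is
// exactly how the next person to sit at that machine inherits someone
// else's identity, the hijack Kinkie describes.
function recordLogoff(table, ip, user) {
  const users = table.get(ip);
  if (!users) return;
  users.delete(user);
  if (users.size === 0) table.delete(ip);
}

// Decide for one client address. Refuses rather than guesses when more
// than one active logon sits behind the address (terminal server, SNAT,
// connection sharing): an address is not a user.
function lookup(table, ip, now) {
  const users = table.get(ip);
  if (!users) return { ok: false, reason: "no logon recorded for " + ip };
  for (const [user, seen] of users) {
    if (now - seen >= SESSION_TTL_MS) users.delete(user); // purge stale
  }
  if (users.size === 0) {
    table.delete(ip);
    return { ok: false, reason: "logon expired for " + ip };
  }
  if (users.size > 1) {
    return { ok: false, reason: users.size + " users behind " + ip + "; address is ambiguous" };
  }
  const [user] = users.keys();
  return { ok: true, user: user };
}

// Squid helper reply: "OK user=<name>" lets the ACL match and tags the
// request with the user for access.log; "ERR" means no match (denied).
// User names here contain no spaces, so no quoting is needed.
function formatReply(result) {
  return result.ok ? "OK user=" + result.user : "ERR";
}

function replyLine(table, ip, now) {
  return formatReply(lookup(table, ip, now));
}

// Constructed sample table, relative to `now`.
function sampleTable(now) {
  const t = new Map();
  recordLogon(t, "10.0.5.17", "alice", now - 60 * 1000);         // one user, fresh
  recordLogon(t, "10.0.5.23", "bob", now - 30 * 60 * 1000);      // terminal server:
  recordLogon(t, "10.0.5.23", "carol", now - 5 * 60 * 1000);     // two users, one address
  recordLogon(t, "10.0.5.40", "dave", now - 9 * 60 * 60 * 1000); // logged on 9h ago, stale
  return t;
}

// Helper mode: read addresses from Squid on stdin, answer on stdout.
// Reasons for refusals go to stderr, which Squid writes to cache.log.
if (process.argv[2] === "--serve") {
  const table = sampleTable(Date.now());
  const rl = require("readline").createInterface({ input: process.stdin });
  rl.on("line", (line) => {
    const ip = line.trim().split(/\s+/)[0];
    const result = lookup(table, ip, Date.now());
    if (!result.ok) process.stderr.write(result.reason + "\n");
    process.stdout.write(formatReply(result) + "\n");
  });
}
```

Even with these checks this remains what Kinkie says it is, an address-to-identity guess rather than authentication; it is only acceptable when the address-to-machine binding is itself controlled (DHCP reservations, no NAT between clients and proxy) and logoff events reach the helper promptly.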


RE: [squid-users] NTLM and transparent/interception confusion

2009-01-02 Thread Johnson, S
That's too bad...  I've set up numerous Bluecoat proxies and they do
have this capability.  But of course, you're paying about $50k usd /
box.

-Original Message-
From: Guido Serassio [mailto:guido.seras...@acmeconsulting.it] 
Sent: Thursday, January 01, 2009 4:00 AM
To: Johnson, S; squid-users@squid-cache.org
Subject: Re: [squid-users] NTLM and transparent/interception confusion

Hi,

At 20.06 31/12/2008, Johnson, S wrote:
I've been doing a lot of reading on this...  I've got the proxy working
in either of these two modes:
1) As a browser configuration proxy
2) with http_port 3128 transparent, in redirected mode

I've got NTLM authentication working just fine with #1 above.  However,
with #2 I never get a password prompt.  I don't really care about
transparency; I just want to authenticate users that are outbound
without having to configure their browser.

I asked this question a couple of months back and there are people
stating that they are doing the authentication with transparent mode.
Some of the references I've found in my searches also seem to
corroborate the possibility of this working (but it's not working for
me).  However, in the documentation it seems that this should not be
possible.  Am I barking up the wrong tree or is this truly possible?

You cannot.

You are mixing two very different and incompatible things:

- Transparent/intercepting proxy
- NTLM transparent (silent) authentication, also known as Windows 
integrated authentication
http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#head-e56904dd4dfe0e21e5c2903473c473d401533ac7

Regards and happy New Year

Guido








Re: [squid-users] NTLM and transparent/interception confusion

2009-01-02 Thread Kinkie
Could you try to get a network trace of a successfully authenticated
http transaction?
I would love to see how they do it...
Thanks!

On 1/2/09, Johnson, S sjohn...@edina.k12.mn.us wrote:
 That's too bad...  I've set up numerous Bluecoat proxies and they do
 have this capability.  But of course, you're paying about $50k usd /
 box.

 -Original Message-
 From: Guido Serassio [mailto:guido.seras...@acmeconsulting.it]
 Sent: Thursday, January 01, 2009 4:00 AM
 To: Johnson, S; squid-users@squid-cache.org
 Subject: Re: [squid-users] NTLM and transparent/interception confusion

 Hi,

 At 20.06 31/12/2008, Johnson, S wrote:
I've been doing a lot of reading on this...  I've got the proxy working
in either of these two modes:
1) As a browser configuration proxy
2) with http_port 3128 transparent, in redirected mode

I've got NTLM authentication working just fine with #1 above.  However,
with #2 I never get a password prompt.  I don't really care about
transparency; I just want to authenticate users that are outbound
without having to configure their browser.

I asked this question a couple of months back and there are people
stating that they are doing the authentication with transparent mode.
Some of the references I've found in my searches also seem to
corroborate the possibility of this working (but it's not working for
me).  However, in the documentation it seems that this should not be
possible.  Am I barking up the wrong tree or is this truly possible?

 You cannot.

 You are mixing two very different and incompatible things:

 - Transparent/intercepting proxy
 - NTLM transparent (silent) authentication, also known as Windows
 integrated authentication
 http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#head-e56904dd4dfe0e21e5c2903473c473d401533ac7

 Regards and happy New Year

 Guido









-- 
/kinkie


Re: [squid-users] NTLM and transparent/interception confusion

2009-01-01 Thread Guido Serassio

Hi,

At 20.06 31/12/2008, Johnson, S wrote:

I've been doing a lot of reading on this...  I've got the proxy working
in either of these two modes:
1) As a browser configuration proxy
2) with http_port 3128 transparent, in redirected mode

I've got NTLM authentication working just fine with #1 above.  However,
with #2 I never get a password prompt.  I don't really care about
transparency; I just want to authenticate users that are outbound
without having to configure their browser.

I asked this question a couple of months back and there are people
stating that they are doing the authentication with transparent mode.
Some of the references I've found in my searches also seem to
corroborate the possibility of this working (but it's not working for
me).  However, in the documentation it seems that this should not be
possible.  Am I barking up the wrong tree or is this truly possible?


You cannot.

You are mixing two very different and incompatible things:

- Transparent/intercepting proxy
- NTLM transparent (silent) authentication, also known as Windows 
integrated authentication

http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#head-e56904dd4dfe0e21e5c2903473c473d401533ac7

Regards and happy New Year

Guido






Re: [squid-users] NTLM and transparent/interception confusion

2008-12-31 Thread Matus UHLAR - fantomas
On 31.12.08 13:06, Johnson, S wrote:
 I've been doing a lot of reading on this...  I've got the proxy working
 in either of these two modes:
 1) As a browser configuration proxy
 2) with http_port 3128 transparent, in redirected mode
 
 I've got NTLM authentication working just fine with #1 above.  However,
 with #2 I never get a password prompt.  I don't really care about
 transparency; I just want to authenticate users that are outbound
 without having to configure their browser.

Configure WPAD (aka proxy autoconfiguration) then.

It's in principle impossible to have the browser log in to the proxy when the
browser thinks there's no proxy...

 I asked this question a couple of months back and there are people
 stating that they are doing the authentication with transparent mode.

The proxy can get some login info from a third party, e.g. a domain controller,
that tells it who's logged on to the particular machine. The browser won't do it,
as described above.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Fucking windows! Bring Bill Gates! (Southpark the movie)