Firewall Wizards mailing list archives
RE: NTLM on firewalls (was: Microsoft ISA Server)
From: "Ben Nagy" <ben () iagu net>
Date: Mon, 24 Jun 2002 09:56:26 +0200
-----Original Message-----
From: firewall-wizards-admin () nfr com [mailto:firewall-wizards-admin () nfr com] On Behalf Of Patrick M. Hausen
[...]
> All this based on MS Active Directory users and groups. This is where the Gauntlet I sold them failed cold.
>
> Of course you can set up Gauntlet (or any other decent firewall for that matter) to authenticate users using RADIUS or LDAP and interface to NT Domains or Active Directory that way. Maybe you can even use M$ group memberships. But one thing Gauntlet can't do: NTLM authentication.
>
> This is a M$ proprietary protocol that takes care of "single sign on", i.e. you authenticate to your Active Directory once - and that's that. No HTTP 401 asking you for a username and password _again_ when you first use the proxy.
>
> Authentication for using services that don't support authentication themselves. You can even allow or disallow ICMP (ping) to the Internet based on Active Directory user/group. User starts to ping an external host. The ISA can use NT protocol to ask who's logged on to the workstation and ask the Active Directory server if said user is part of the "Allow Ping" group. Weird.
I'm a little confused here. Even back a couple of years ago I was doing seamless NTLM authentication with Squid proxies on Linux, and the user never saw an authentication dialog box. From memory, Squid faked up all the NTLM Auth HTTP headers to the client and then tried to use the proxied credentials to read a dummy file on a real-life server in the network (yes, it's a nasty hack). If successful, the connection was allowed. (This is also a demonstration of why NTLM is not the world's best authentication protocol.)

Now that NTLM is much better understood, and even sort of documented[1], I don't see any reason why firewalls couldn't be built now on freeware that would do everything you describe. HP's CIFS/9000 claims that it supports NTLM via PAM, with (MS) Kerberos coming soon, and it's Open Source.[2] We can find out who is logged on to a workstation trivially with Samba (it's just a NetBIOS query).

I guess it's worth noting that, unless I've gone completely insane, NTLM and MS Kerberos for "true" AD environments aren't the same. MSKrb was always supposed to be a replacement for the much spat-upon NTLM. Hearts fluttered when it was first released ("What? They're using a _standard_ protocol that's _good_?") but sadly it was messed with a little too much. I still seem to recall that "normal" Kerberos clients were supposed to be able to talk to MS AD "KDCs" though, so maybe this would be even easier with a native AD network.

So, given all that, why _don't_ we have a choice of firewalls that can do transparent user authentication for MS networks? Is it just that nobody has gotten around to hacking it all together?

[...]
> Patrick M. Hausen
> Technical Director
Cheers,

[1] http://www.innovation.ch/java/ntlm.html
[2] http://www.hp.com/products1/unix/operating/hpuxcifs9000/faq.html

--
Ben Nagy
Network Security Specialist
Mb: TBA
PGP Key ID: 0x1A86E304

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards