Firewall Wizards mailing list archives

RE: NTLM on firewalls (was: Microsoft ISA Server)


From: "Ben Nagy" <ben () iagu net>
Date: Mon, 24 Jun 2002 09:56:26 +0200

-----Original Message-----
From: firewall-wizards-admin () nfr com 
[mailto:firewall-wizards-admin () nfr com] On Behalf Of Patrick M. Hausen
[...]
All this based on MS Active Directory users and groups. 
This is where the Gauntlet I sold them failed cold. Of course 
you can set up Gauntlet (or any other decent firewall for 
that matter) to authenticate users using RADIUS or LDAP and 
interface to NT Domains or Active Directory that way. Maybe 
you can even use M$ group memberships.

But one thing Gauntlet can't do: NTLM authentication. This is 
a M$ proprietary protocol that takes care of "single sign 
on", i.e. you authenticate to your Active Directory once - 
and that's that. No HTTP 401 asking you for a username and 
password _again_ when you first use the proxy. Authentication 
for using services that don't support authentication 
themselves. You can even allow or disallow ICMP (ping) to the 
Internet based on Active Directory user/group. User starts to 
ping an external host. The ISA can use NT protocol to ask 
who's logged on to the workstation and ask the Active 
Directory server if said user is part of the "Allow Ping" 
group. Weird.

I'm a little confused here.

Even back a couple of years ago I was doing seamless NTLM authentication
with Squid proxies on Linux, and the user never saw an authentication
dialog box. From memory, Squid faked up all the NTLM Auth HTTP headers
to the client and then tried to use the proxied credentials to read a
dummy file on a real life server in the network (yes, it's a nasty
hack). If successful the connection was allowed. (This is also a
demonstration of why NTLM is not the world's best authentication
protocol)

Now that NTLM is much better understood, and even sort of documented[1],
I don't see any reason why firewalls couldn't be built now on freeware
that would do everything you describe. HP's CIFS/9000 claims that it
supports NTLM via PAM, with (MS) Kerberos coming soon, and it's Open
Source.[2] We can find out who is logged on to a workstation trivially
with Samba (it's just a NetBIOS query).

I guess it's worth noting that, unless I've gone completely insane, NTLM
and MS Kerberos for "true" AD environments aren't the same. MSKrb was
always supposed to be a replacement for the much spat-upon NTLM. Hearts
fluttered when it was first released ("What? They're using a _standard_
protocol that's _good_?") but sadly it was messed with a little too
much. I still seem to recall that "normal" Kerberos clients were
supposed to be able to talk to MS AD "KDCs" though, so maybe this would
be even easier with a native AD network.

So, given all that, why _don't_ we have a choice of firewalls that can
do transparent user authentication for MS networks? Is it just that
nobody has gotten around to hacking it all together?

[...] 
Patrick M. Hausen
Technical Director

Cheers,

[1]http://www.innovation.ch/java/ntlm.html
[2]http://www.hp.com/products1/unix/operating/hpuxcifs9000/faq.html
--
Ben Nagy
Network Security Specialist
Mb: TBA  PGP Key ID: 0x1A86E304 

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
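The "faked up NTLM headers" pass-through that Ben describes works because the proxy only relays the client's NTLMSSP tokens; it never sees a password and cannot verify anything itself, which is also why any audit trail has to come from decoding the tokens in transit. The following is an added example (not code from the post, from Squid, or from any of the products named) that decodes the three NTLM message types as they appear in Proxy-Authenticate / Proxy-Authorization headers so a proxy or sensor can log which domain, user and workstation are claimed. The field layout follows the innovation.ch description cited as [1]; the sample tokens, the domain "CORP", user "jdoe" and workstation "WS01" are all constructed here, not captured traffic.

```python
"""Decode NTLM (NTLMSSP) tokens from HTTP proxy authentication headers so the
claimed identity can be logged.  Sample tokens are constructed in this file."""
import base64
import struct

NTLMSSP = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # when set, Type 2/3 payload strings are UTF-16LE


def _secbuf(data, off):
    """Read an NTLM 'security buffer' (len u16, maxlen u16, offset u32)."""
    length, _maxlen, offset = struct.unpack_from("<HHI", data, off)
    return data[offset:offset + length]


def _text(raw, flags):
    return raw.decode("utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1")


def parse_ntlm(token_b64):
    """Return a dict describing a base64-encoded NTLM Type 1, 2 or 3 message."""
    data = base64.b64decode(token_b64)
    if data[:8] != NTLMSSP:
        raise ValueError("not an NTLMSSP token")
    msg_type = struct.unpack_from("<I", data, 8)[0]
    if msg_type == 1:  # client -> proxy: negotiate; OEM strings, usually empty
        flags = struct.unpack_from("<I", data, 12)[0]
        return {"type": 1, "flags": flags,
                "domain": _secbuf(data, 16).decode("latin-1"),
                "workstation": _secbuf(data, 24).decode("latin-1")}
    if msg_type == 2:  # proxy -> client: the 8-byte challenge
        flags = struct.unpack_from("<I", data, 20)[0]
        return {"type": 2, "flags": flags,
                "target": _text(_secbuf(data, 12), flags),
                "challenge": data[24:32].hex()}
    if msg_type == 3:  # client -> proxy: responses plus claimed identity
        flags = struct.unpack_from("<I", data, 60)[0] if len(data) >= 64 else 0
        return {"type": 3, "flags": flags,
                "domain": _text(_secbuf(data, 28), flags),
                "user": _text(_secbuf(data, 36), flags),
                "workstation": _text(_secbuf(data, 44), flags),
                "nt_response_len": len(_secbuf(data, 20))}
    raise ValueError("unknown NTLM message type %d" % msg_type)


def identity_from_header(header_value):
    """'NTLM <base64>' (Proxy-Authorization value) -> 'DOMAIN\\user', else None."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        return None
    msg = parse_ntlm(token)
    if msg["type"] != 3:
        return None  # Type 1 carries no identity; Type 3 is the one to log
    return "%s\\%s" % (msg["domain"], msg["user"])


# --- constructed sample messages (hypothetical, not real captures) -----------
def build_type2(target, challenge, flags=NEGOTIATE_UNICODE):
    name = target.encode("utf-16-le")
    # 48-byte header: sig(8) type(4) target-buf(8) flags(4) challenge(8) context(8) targetinfo-buf(8)
    return (NTLMSSP + struct.pack("<I", 2) + struct.pack("<HHI", len(name), len(name), 48)
            + struct.pack("<I", flags) + challenge + b"\x00" * 8
            + struct.pack("<HHI", 0, 0, 48 + len(name)) + name)


def build_type3(domain, user, workstation, nt_response, flags=NEGOTIATE_UNICODE):
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"
    # buffers in header order: LM response, NT response, domain, user, workstation, session key
    fields = [b"", nt_response, domain.encode(enc), user.encode(enc),
              workstation.encode(enc), b""]
    bufs, payload = b"", b""
    for f in fields:
        bufs += struct.pack("<HHI", len(f), len(f), 64 + len(payload))
        payload += f
    return NTLMSSP + struct.pack("<I", 3) + bufs + struct.pack("<I", flags) + payload


SAMPLE_TYPE1 = base64.b64encode(NTLMSSP + struct.pack("<II", 1, 0x00088207)
                                + struct.pack("<HHI", 0, 0, 32) * 2).decode()
SAMPLE_TYPE2 = base64.b64encode(build_type2("CORP", bytes(range(8)))).decode()
SAMPLE_TYPE3 = base64.b64encode(build_type3("CORP", "jdoe", "WS01", b"\x11" * 24)).decode()

if __name__ == "__main__":
    print(parse_ntlm(SAMPLE_TYPE1))
    print(parse_ntlm(SAMPLE_TYPE2))
    print(identity_from_header("NTLM " + SAMPLE_TYPE3))
```

Note that the Type 3 message carries only the challenge responses, so everything the decoder returns is what the client asserts, not what has been verified; a proxy that relays the tokens (as the Squid hack did) learns the verdict only from the back-end server, which is the reason Ben calls the arrangement a demonstration of NTLM's weakness.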
