Firewall Wizards mailing list archives

RE: NT Authentication


From: "Noller, Gregory" <Noller2G () kochind com>
Date: Thu, 8 Oct 1998 07:46:57 -0500

We use MS Proxy in a three computer array behind our firewall.  It's set up
to authenticate based on the membership in an NT Group (proxy).

In order to go out to the internet via www, folks behind the proxy must be a
member of the proxy group.

Firewall is configured to block outbound unless it comes from the proxy.

Unix folks and non-proxy group members are asked for username and password
on the way out.

Firewall Throughput averages:

Total Connections Reported Thru Firewall : 1299246 
Total Bytes Thru Firewall : Sent = 2067971024 Recieved = 7319338751 Combined = 9387309775
With about a 60% - 70% proxy efficiency rate.

Gregory Noller
Network Security Technologist
Koch Industries, Inc.
Wichita, Kansas
(316) 828-7725

"A little security is better than less security!"
Thomas P. Mauriello, NSA 



On Wednesday, October 07, 1998 1:14 PM, Joseph S. D. Yao
[SMTP:jsdy () cospo osis gov] wrote:
I have been asked a few times recently to specify a proxy which can get
Authentication from an NT domain.  This seems to be sites which are
using DHCP.

I often like to specify a FW which has an internal proxy where the
site admin team can control the inside clients' Internet access.  This
means they can make all the changes for individual users and don't have
to go near the FW.  In the past I have used Wingate and IP's but more
and more sites seem to want this authentication to come from an NT
domain ala M$ Proxy server I guess.

Being no genius on NT I wondered if anyone has any other product
suggestions, alternative ways of doing this etc.  Any actual
experiences with Microsoft's proxy would be good too - I think we all
know how dubious the security is, the management possibilities seem
useful though.

I know the people working on the [new! improved!] Linux port+ of PAM
were trying to put together an NT authentication module that worked
under all hosts to which PAM [Pluggable Authentication Modules, OSF RFC
86.0, AKA XSSO - X/Open Single Sign-On Service] had been ported.  I've
lost track of their progress on this.  Cf.
      <URL: http://www.kernel.org/pub/linux/libs/pam/>.

--
Joe Yao                               jsdy () cospo osis gov - Joseph S. D. Yao
COSPO/OSIS Computer Support                                   EMT-A/B
-----------------------------------------------------------------------
      PLEASE ... send or Cc: all "COSPO/OSIS Computer Support"
                   mail to sys-adm () cospo osis gov
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.


