Firewall Wizards mailing list archives

Proxies and CHAP


From: Russ <Russ.Cooper () rc on ca>
Date: Thu, 11 Sep 1997 15:40:26 -0400

I've been giving some thought to the idea of how CHAP can be handled
through proxies. I'm not referring to anyone's particular implementation
of a proxy, just the concepts in general.

If I want to perform a CHAP with a server beyond a Proxy Firewall, then
I'm actually having the client authenticate against the Firewall, and
the Firewall authenticate against the Server, right? This means two CHAP
sessions, and it means I rely on the Firewall to tell the server that
the client really did authenticate with it, and therefore can accept the
authentication request from the Firewall. Doesn't this drastically
increase the level of trust I have to have with the Firewall?

Further, if I were logging the client sessions at the Server, they
wouldn't map directly to any logs I might keep on the client. I'd have
to compare the server/Firewall log and the client/Firewall log, and then
try to figure out a mapping between the two.

Further, if I were attempting to ensure that the client wasn't logged in
twice (or more), this would presumably prevent the Firewall from having
multiple sessions with the server, wouldn't it?

It would seem to me that CHAP done through a Proxy Firewall would end up
lowering my trust level of the CHAP process. The Firewall might, at any
given point in time, have numerous valid sessions with the server that
could be exploited by a client capable of exploiting the Proxy that
maintains all those sessions.

I'm writing off the top of my head here in the hope of stimulating some
conversation about this; hope nobody minds...;-]

Cheers,
Russ
R.C. Consulting, Inc. - NT/Internet Security
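An added illustration of the two-leg exchange the post describes (this is not code from the post or from any particular proxy product): it models RFC 1994 CHAP on both hops, client-to-firewall and firewall-to-server, and shows that the server's own log can only ever record the firewall as the authenticated peer. Peer names, secrets and the class names are constructed for the example.

```python
import hashlib
import hmac
import os


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """One CHAP verifier (either the firewall or the server).

    `secrets` maps peer name -> shared secret; `log` records which peer
    this verifier believes it authenticated, and whether it succeeded.
    """

    def __init__(self, name: str, secrets: dict):
        self.name = name
        self.secrets = secrets
        self.log = []          # (peer, identifier, success)
        self.next_id = 0

    def challenge(self):
        self.next_id = (self.next_id + 1) & 0xFF
        return self.next_id, os.urandom(16)

    def verify(self, peer: str, ident: int, challenge: bytes, response: bytes) -> bool:
        expected = chap_response(ident, self.secrets.get(peer, b""), challenge)
        ok = peer in self.secrets and hmac.compare_digest(expected, response)
        self.log.append((peer, ident, ok))
        return ok


def proxied_chap(client: str, client_secret: bytes, firewall: ChapAuthenticator,
                 server: ChapAuthenticator, firewall_secret: bytes) -> bool:
    """Leg 1: client authenticates to the firewall.
    Leg 2: the firewall authenticates to the server using its own secret,
    so the server only ever learns the firewall's identity, not the client's."""
    ident, chal = firewall.challenge()
    if not firewall.verify(client, ident, chal, chap_response(ident, client_secret, chal)):
        return False                      # client never reaches the server's log
    ident2, chal2 = server.challenge()
    return server.verify("firewall", ident2, chal2,
                         chap_response(ident2, firewall_secret, chal2))
```

Correlating a server log entry back to a client therefore requires joining the firewall's log (which has the client name) with the server's (which has only "firewall") on some session key such as the CHAP identifier and time.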
