Firewall Wizards mailing list archives
Proxies and CHAP
From: Russ <Russ.Cooper () rc on ca>
Date: Thu, 11 Sep 1997 15:40:26 -0400
I've been giving some thought to the idea of how CHAP can be handled through proxies. I'm not referring to anyone's particular implementation of a proxy, just the concepts in general.

If I want to perform a CHAP with a server beyond a Proxy Firewall, then I'm actually having the client authenticate against the Firewall, and the Firewall authenticate against the Server, right? This means two CHAP sessions, and it means I rely on the Firewall to tell the server that the client really did authenticate with it, and therefore can accept the authentication request from the Firewall. Doesn't this drastically increase the level of trust I have to have with the Firewall?

Further, if I were logging the client sessions at the Server, they wouldn't map directly to any logs I might keep on the client. I'd have to compare the server/Firewall log and the client/Firewall log, and then try to figure out a mapping between the two.

Further, if I were attempting to ensure that the client wasn't logged in twice (or more), this would presumably prevent the Firewall from having multiple sessions with the server, wouldn't it?

It would seem to me that CHAP done through a Proxy Firewall would end up lowering my trust level of the CHAP process. The Firewall might, at any given point in time, have numerous valid sessions with the server that could be exploited by a client capable of exploiting the Proxy that maintains all those sessions.

I'm writing off the top of my head here in the hopes to stimulate some conversation about this, hope nobody minds...;-]

Cheers,
Russ
R.C. Consulting, Inc. - NT/Internet Security
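The two-session arrangement and the log-mapping problem raised in the message above, as an added example that is not part of the original post or of any firewall product. It uses the RFC 1994 MD5 response; the user names, secrets, the peer name "firewall", and the choice to have the firewall log the server challenge it answered (so the two logs can be joined) are assumptions made for illustration.

```python
import hashlib, hmac, os

def chap_response(ident, secret, challenge):
    # RFC 1994, MD5 algorithm: MD5(identifier || secret || challenge)
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

class Authenticator:
    """Challenging side of one CHAP leg; keeps its own log."""
    def __init__(self, secrets):
        self.secrets, self.log, self.ident = secrets, [], 0

    def challenge(self):
        self.ident = (self.ident + 1) % 256
        return self.ident, os.urandom(16)

    def verify(self, peer, ident, chal, resp):
        secret = self.secrets.get(peer)
        ok = secret is not None and hmac.compare_digest(
            chap_response(ident, secret, chal), resp)
        self.log.append({"peer": peer, "ok": ok, "challenge": chal.hex()})
        return ok

def proxied_login(user, user_secret, fw, fw_secret, server, fw_map):
    """Terminating proxy: two independent CHAP legs, as the post describes."""
    ident, chal = fw.challenge()                  # leg 1: client -> firewall
    if not fw.verify(user, ident, chal, chap_response(ident, user_secret, chal)):
        return False
    ident, chal = server.challenge()              # leg 2: firewall -> server
    ok = server.verify("firewall", ident, chal,
                       chap_response(ident, fw_secret, chal))
    # Assumed logging choice: record whose session this server challenge served.
    fw_map.append({"user": user, "server_challenge": chal.hex()})
    return ok

def correlate(server_log, fw_map):
    """Join server log to firewall log on the server's challenge value."""
    by_chal = {e["server_challenge"]: e["user"] for e in fw_map}
    return [(e["peer"], by_chal.get(e["challenge"])) for e in server_log]

def demo():
    # Constructed sample accounts and secrets.
    fw = Authenticator({"alice": b"a-secret", "bob": b"b-secret"})
    server = Authenticator({"firewall": b"fw-secret"})
    fw_map = []
    logins = [("alice", b"a-secret"), ("bob", b"b-secret"), ("mallory", b"guess")]
    results = [proxied_login(u, s, fw, b"fw-secret", server, fw_map)
               for u, s in logins]
    return results, server.log, correlate(server.log, fw_map)

if __name__ == "__main__":
    print(demo())
```

The server's log names only "firewall" for every session; the client identity is recoverable only by joining against the firewall's own record, which is the extra trust and the log-mapping work the message describes.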