Firewall Wizards mailing list archives

Re: NT Authentication


From: Vin McLellan <vin () shore net>
Date: Thu, 8 Oct 1998 17:31:52 -0400

Steve () po i-way co uk queried the Listocracy:

> I have been asked a few times recently to specify a proxy which can get
> authentication from an NT domain.  This seems to be sites which are
> using DHCP.
>
> I often like to specify a FW which has an internal proxy where the
> site admin team can control the inside clients' Internet access.  This
> means they can make all the changes for individual users and don't have
> to go near the FW.  In the past I have used Wingate and IPs, but more
> and more sites seem to want this authentication to come from an NT
> domain a la M$ Proxy Server, I guess.
>
> Being no genius on NT, I wondered if anyone has any other product
> suggestions, alternative ways of doing this, etc.  Any actual
> experiences with Microsoft's proxy would be good too - I think we all
> know how dubious the security is; the management possibilities seem
> useful though.

        One of my clients has a new mix of technologies which might be
worth considering. SDTI <http://www.securid.com> has just come out with a
new ACE/Agent for NT which supports NT Domain authentication (with a neat
little PKI for the Domain) with two-factor SecurID authentication.  It's
been shipping for a couple weeks -- free for current ACE/SecurID sites --
but I don't think it will be announced for another week or so, so there may
be nothing on the website until then.

        This is also something of overkill for your specific problem, but
among its many and wondrous tricks for authorization and access control
within the NT LAN, it should be able to manage control of users permitted
egress through the firewall.

        With MS Proxy in a domain that has the 4.4 ACE/Agent running
subauth, the Winsock Proxy part of the MS Proxy Server can control access
to the firewall by NT username.  That should fire off the ACE/Agent's
subauth filter at the Domain Controller when the user tries to route
through the firewall.

        The only problem might be with DHCP clients. You would need to make
sure that you have dynamic DNS (through WINS?) so that SDTI's subauth
filter can connect back to the client and authenticate.

        Surete,
                _Vin


-----
      Vin McLellan + The Privacy Guild + <vin () shore net>
  53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548
                         -- <@><@> --



