Authentication - First Layer of Security

Access Restrictions are vital for a Corporate Internet Gateway. Inadequate access restrictions can make your Internet proxy / gateway - vulnerable. Such open gateways, are silently and constantly - subject to abuse or misuse. A huge variety of utilities and tools are available, that can exploit an HTTP proxy to attack, email or any other servers. However such attacks are quite easy to discover, for the victimized servers. But by then even a hobby-hacker could simply ruin the prestige of a corporate entity. Initially, such hobby-hackers may not have enough expertise or knowledge of such tools and techniques, but then - an able mind can learn almost anything, at the Global University of the Internet ! Most ignorant enterprises learn about the implications of living with an open gateway rather late - when they receive the court-summons that accuses them of a cyber-crime. Most enterprises today have witnessed a growth in employee turnover. So the old-notions of social familiarity with the employees are quite a thing of the past, and simply cannot hold any value for the security administrators. A huge variety of utilities are today available, to crawl the Internet while you appear to be normally working . Most of these utilities can connect to the Internet via even a proxy server, while some can even meet the username / password challenge, quite efficiently. Use of a session-based-authentication can help, but to a limited extent. The proxy server should be able to recognize an acceptable web-client like Internet Explorer, Netscape Navigator, FireFox etc. and differentiate them from other utilities that automatically crawl the Internet and download stuff like Music, Movies, Screen Savers, etc. Corporations, where the general I.T. awareness of the employees seems to be on the higher side, stronger policies are recommended. One of my personal favorites is appending a code to the user-agent string of the Internet Browsers. This can be achieved very easily, by using the Global Policy settings in an LDAP or ADS based environment. The codes should then be changed periodically and the proxy / gateway should allow only the Internet connections that are made by clients that bear valid codes. In quite a few networks, it is quite difficult to configure the proxy settings of every individual user. Administrators of such networks prefer to set-up their proxy servers in the transparent mode. Transparent proxies generally cannot perform the process of user-authentication very efficiently. Transparent proxies are therefore most vulnerable to exploitation by these viruses, worms and Trojans. Automatic crawling and downloading undesirable content from the Internet, is a common activity of the newer varieties of these pests. In a large and centrally managed network, Automatic Proxy Detection feature of the newer generation browsers, is a better alternative to transparent proxying. For any reason, if this too cannot be employed, and transparent proxying seems to be the only option, then this proxy server should simply forward all requests to another proxy server, which should then carry out the challenge for authentication. Logs are extremely important for the managing the security, and identifying any violation of enterprise s rules. The logs should therefore contain enough data, and should be easily parsable to analyze and identify the source and content of Internet traffic. The logs should contain the user s identity, such that the identity can be established beyond doubt, and any reason for ambiguity should be a result of the user s wanton violation of security, namely - sharing his or her identity. Parameters for access restrictions should be a combination of Network-IDs and username / passwords. It is vastly desirable to have a common user identity authentication database. Various applications can subsequently share this database, so that the users do not have to manage a number of identities, unique for each of the applications they seek to access like the Internet Gateway, email servers or any other networked resources. A proxy server should therefore ideally, just challenge the user s for establishing the identity and then verify the same from the central user authentication database. Locally caching the username/password can be very useful, in such enterprises; to avoid user s discomfort in the events of the network connectivity between the proxy servers becomes slow or temporarily unavailable. Smaller networks that do not have any such database could be served from a user identity database that could be maintained within the configuration files of a proxy server. A proxy server that allows creation of user-groups can be very useful if the policies are group-wide. Manish Kochar is the founder CEO of Office Efficiencies India Private Limited (OEIPL). Under his guidance, OEIPL has developed a number of security products like CxProtect, an anti virus solution for Linux based Email servers; and SafeSquid ( safesquid.com/ ), which is a Linux based Content Filtering Internet Proxy.