#1  TechMonkey
    Smoothwall Authentication - Safeguarding issue?

    Ok, am I over reacting? (Ok, Ok, I know the answer will be yes but bear with me)

    We have been having an issue where a lot of requests through our Smoothwall box end up being 407'd, which is proxy authentication required, and no username shown, just an IP. I posted about this and someone mentioned that they get it occasionally if the NTLM handshake plays up, I looked at the logs and this didn't seem to be the issue. I logged a call with Smoothwall and was originally told that this was normal. I've never seen this behaviour before and asked for it to be escalated.

    Just had a call from Smoothwall to say this is a known issue with NTLM and Kerberos. If the end host, so the website the user is requesting, doesn't use NTLM or Kerberos authentication then the information isn't sent and the Smoothwall proxy can't ID who the user is. The only way around this is to use SSL authentication, meaning to browse the web every user will have to log on through the web portal. In the 5 years of using Smoothwall I've not come across this; unless something odd has happened or a site is in proxy bypass, a username has been logged. It also seems odd that Smoothwall is pushed in Education but it can't guarantee an audit trail for a pupil's web traffic.

    For me this means Smoothwall is next to useless as I can't produce a full audit of a pupil's web activity in the event something happens, or to prevent something happening, unless I make everyone log in via the portal, which with small ones is a real hassle. I also don't understand how Smoothwall can be used as a proxy if it can only identify users when the server at the other end of a request allows authentication; I would expect the majority of web servers to use anonymous access as they have no need to know user credentials. How does it know which group to assign someone to or which policies to apply?

    So as I asked at the beginning, am I over reacting? Or am I off to Lightspeed?

#2  OB1

    Quote Originally Posted by TechMonkey View Post
    Ok, am I over reacting? (Ok, Ok, I know the answer will be yes but bear with me)
    Yes

    Quote Originally Posted by TechMonkey View Post
    We have been having an issue where a lot of requests through our Smoothwall box end up being 407'd, which is proxy authentication required, and no username shown, just an IP. I posted about this and someone mentioned that they get it occasionally if the NTLM handshake plays up, I looked at the logs and this didn't seem to be the issue. I logged a call with Smoothwall and was originally told that this was normal. I've never seen this behaviour before and asked for it to be escalated.

    Just had a call from Smoothwall to say this is a known issue with NTLM and Kerberos. If the end host, so the website the user is requesting, doesn't use NTLM or Kerberos authentication then the information isn't sent and the Smoothwall proxy can't ID who the user is. The only way around this is to use SSL authentication, meaning to browse the web every user will have to log on through the web portal. In the 5 years of using Smoothwall I've not come across this; unless something odd has happened or a site is in proxy bypass, a username has been logged. It also seems odd that Smoothwall is pushed in Education but it can't guarantee an audit trail for a pupil's web traffic.
    Those 407s shouldn't be leaving your network.
    That's the Smoothie saying 'hold on, you're asking for x, but I don't know who you are or whether I should give it to you'.
    The client should then supply the Smoothwall with the relevant information, checked against Active Directory or similar depending on your setup, after which all the requests from that client for that session are authenticated and can be traced back to it.

    If the client fails to provide valid credentials, it will end up in the Unauthenticated IPs group. This is just like any other group, and you can use it to block/allow categories as you wish. Most people use it as a catchall and keep it very restricted, or deny internet access entirely.

    Quote Originally Posted by TechMonkey View Post
    For me this means Smoothwall is next to useless as I can't produce a full audit of a pupil's web activity in the event something happens, or to prevent something happening, unless I make everyone log in via the portal, which with small ones is a real hassle. I also don't understand how Smoothwall can be used as a proxy if it can only identify users when the server at the other end of a request allows authentication; I would expect the majority of web servers to use anonymous access as they have no need to know user credentials. How does it know which group to assign someone to or which policies to apply?

    So as I asked at the beginning, am I over reacting? Or am I off to Lightspeed?
    I think there are some crossed wires here. Authentication is between the client and the Smoothwall. Nothing to do with the external server.
    Have a look in Logs and reports » Reports » Reports » Users. If you feel there are any serious holes in your audit trail, we can take a closer look.
    Correctly configured, a Smoothwall can provide a pretty comprehensive audit trail.
    Last edited by OB1; 2nd April 2014 at 11:15 AM.

    Thanks to OB1 from: TechMonkey (3rd April 2014)
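The point OB1 makes is that a 407 is a challenge between the client and the Smoothwall, and the audit question is whether each client's traffic ends up attributed to a username. The following Python script is an added example, not part of this thread and not Smoothwall's own tooling: it classifies clients in a proxy access log as "ok" (407s present, but traffic is attributed to a user, i.e. normal handshake noise), "unauthenticated" (only ever 407s, never a username, so the client is not completing the handshake) or "gap" (requests served with no username at all, which is the real audit hole). The log lines are constructed, the Squid native field layout is an assumption about the export format, and IPs, usernames and URLs are made up.

```python
"""Audit which proxy traffic is attributable to a user.
Added example, not Smoothwall code. Assumes Squid-style native access.log lines
(timestamp, elapsed, client, result/status, bytes, method, URL, user, hierarchy,
type); adjust LINE_RE if your export differs. The sample lines are constructed."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
1396431000.123     12 10.0.5.21 TCP_DENIED/407 3200 GET http://www.bbc.co.uk/ - HIER_NONE/- text/html
1396431000.250     15 10.0.5.21 TCP_DENIED/407 3400 GET http://www.bbc.co.uk/ - HIER_NONE/- text/html
1396431000.410    180 10.0.5.21 TCP_MISS/200 45821 GET http://www.bbc.co.uk/ SCHOOL\\pupil01 HIER_DIRECT/192.0.2.10 text/html
1396431012.000    150 10.0.5.21 TCP_MISS/200 12000 GET http://www.bbc.co.uk/news SCHOOL\\pupil01 HIER_DIRECT/192.0.2.10 text/html
1396431005.000      8 10.0.5.77 TCP_DENIED/407 3200 GET http://updates.example.net/check - HIER_NONE/- text/html
1396431006.000      8 10.0.5.77 TCP_DENIED/407 3200 GET http://updates.example.net/check - HIER_NONE/- text/html
1396431009.000      9 10.0.5.77 TCP_DENIED/407 3200 GET http://updates.example.net/check - HIER_NONE/- text/html
1396431020.000    200 10.0.5.90 TCP_MISS/200 9000 GET http://example.org/ - HIER_DIRECT/192.0.2.20 text/html
this line is not a log record
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<mime>\S+)\s*$"
)


def parse_log(text):
    """Return (records, unparsed_count). 'user' is None where the proxy logged '-'."""
    records, bad = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            bad += 1
            continue
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        rec["user"] = None if rec["user"] == "-" else rec["user"]
        records.append(rec)
    return records, bad


def audit(records):
    """Classify each client IP:
      ok              407s present but traffic is attributed to a user (NTLM handshake noise)
      unauthenticated only 407s, never a username: client is not completing the handshake
      gap             non-407 requests served with no username: the real audit hole"""
    per_ip = defaultdict(lambda: {"challenges": 0, "attributed": 0, "anonymous": 0, "users": set()})
    for r in records:
        s = per_ip[r["client"]]
        if r["status"] == 407:
            s["challenges"] += 1
        elif r["user"]:
            s["attributed"] += 1
            s["users"].add(r["user"])
        else:
            s["anonymous"] += 1
    findings = {}
    for ip, s in per_ip.items():
        if s["anonymous"]:
            verdict = "gap"
        elif s["attributed"]:
            verdict = "ok"
        else:
            verdict = "unauthenticated"
        findings[ip] = {"verdict": verdict, "users": sorted(s["users"]),
                        **{k: s[k] for k in ("challenges", "attributed", "anonymous")}}
    return findings


def handshake_ok(records, client, url):
    """True when the log shows the expected NTLM pattern for one URL from one client:
    one or more 407s followed by an attributed 200."""
    seq = [(r["status"], r["user"]) for r in records if r["client"] == client and r["url"] == url]
    return (bool(seq) and seq[-1][0] == 200 and seq[-1][1] is not None
            and any(s == 407 for s, _ in seq[:-1]))


if __name__ == "__main__":
    recs, bad = parse_log(SAMPLE_LOG)
    print(f"{len(recs)} records, {bad} unparsed lines")
    for ip, f in sorted(audit(recs).items()):
        print(f"{ip:<12} {f['verdict']:<16} 407s={f['challenges']} attributed={f['attributed']} "
              f"anonymous={f['anonymous']} users={','.join(f['users']) or '-'}")
```

Run it against a real export and the "gap" class is the one to chase first: those are requests that would never show under any user in a per-user report, typically authentication exemptions or proxy bypasses. The "unauthenticated" class is the software that cannot do NTLM at all and lands in the restricted group.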

#3  TechMonkey

    Quote Originally Posted by OB1 View Post
    Yes


    Quote Originally Posted by OB1 View Post
    Those 407s shouldn't be leaving your network.
    That's the Smoothie saying 'hold on, you're asking for x, but I don't know who you are or whether I should give it to you'.
    The client should then supply the Smoothwall with the relevant information, checked against Active Directory or similar depending on your setup, after which all the requests from that client for that session are authenticated and can be traced back to it.

    If the client fails to provide valid credentials, it will end up in the Unauthenticated IPs group. This is just like any other group, and you can use it to block/allow categories as you wish. Most people use it as a catchall and keep it very restricted, or deny internet access entirely.

    I think there are some crossed wires here. Authentication is between the client and the Smoothwall. Nothing to do with the external server.
    Have a look in Logs and reports » Reports » Reports » Users. If you feel there are any serious holes in your audit trail, we can take a closer look.
    Correctly configured, a Smoothwall can provide a pretty comprehensive audit trail.
    Right, thank you @OB1. This was my understanding, but the explanation I posted is from the Tech I spoke to moments before my post, and the Tech I was dealing with on the original call thought lots of 407 entries were normal and not a config error. The Tech I spoke to categorically stated, and confirmed when I reiterated it back to him, that without using SSL sign-on you couldn't get a full audit trail while contacting remote websites that don't support NTLM or Kerberos. I asked if this was a new thing in one of the updates and he said that he had been there a year and it had always been like that. Now either there was a spectacular misunderstanding by me (which is possible), the tech didn't get my explanation and subsequent example (contacting the BBC), or something is greatly awry.
    My understanding previously was that Smoothwall could audit nigh on everything, hence why I've used you for 5 years+ and was very happy when I moved schools that Smoothwall was in place here.

    What is my best route to resolve this?

#4  OB1

    PM me your ticket reference, I'll take a look.

    Thanks to OB1 from: TechMonkey (3rd April 2014)

#5  AMLightfoot

    Quote Originally Posted by TechMonkey View Post
    Right, thank you @OB1. This was my understanding, but the explanation I posted is from the Tech I spoke to moments before my post, and the Tech I was dealing with on the original call thought lots of 407 entries were normal and not a config error. The Tech I spoke to categorically stated, and confirmed when I reiterated it back to him, that without using SSL sign-on you couldn't get a full audit trail while contacting remote websites that don't support NTLM or Kerberos. I asked if this was a new thing in one of the updates and he said that he had been there a year and it had always been like that. Now either there was a spectacular misunderstanding by me (which is possible), the tech didn't get my explanation and subsequent example (contacting the BBC), or something is greatly awry.
    My understanding previously was that Smoothwall could audit nigh on everything, hence why I've used you for 5 years+ and was very happy when I moved schools that Smoothwall was in place here.

    What is my best route to resolve this?
    When using NTLM there are 3 stages to the request/handshake and each of these is shown in the logs. When the client makes a request to the Smoothwall for a site (the first 407) the Smoothwall says 'I need authentication', so the client responds with Authentication details (the second 407) then the Smoothwall authenticates via the directory and the request becomes authenticated.

    So in any request you'll see a URL appear 3 times - twice as 407, once as 200.

    Authen::NTLM::HTTP - search.cpan.org

    If the site, client machine or software the client is using doesn't support providing the Smoothwall with Authentication credentials, then the Smoothwall receives nothing from the client machine that it can check via the AD. This is not a 'Smoothwall issue' per se but a limitation of the choice of NTLM. It is a known limitation - not everything supports this. The Smoothwall can only authenticate if the client is providing creds. In these instances you have to bypass authentication for those domains. Kerberos is generally pretty good and supported by most things EXCEPT java. Which is a pain. There isn't really anything we can do if a client isn't sending the Smoothwall anything to take to the AD. This is likely why our engineer recommended an alternative authentication method. This is a limitation of the Authentication type, not the Smoothwall.
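The three-entry pattern AMLightfoot describes (the same URL logged twice as 407 and once as 200) comes from the NTLM exchange being carried in Proxy-Authenticate / Proxy-Authorization headers over a single connection. The Python below is an added example, not from this thread and not Smoothwall's implementation: it models both sides of that exchange and writes the proxy's view of it as log entries. The Type 1/2/3 message layouts and security buffers follow the NTLMSSP format, but the credential check is a stand-in HMAC over the server challenge rather than real NTLMv2, the "directory" is a dict standing in for AD, and connection IDs, usernames and URLs are invented. It also shows the two failure modes from the thread: a client that never sends credentials (only the bare 407 is logged, with no user) and a wrong password (three 407s).

```python
"""Model of the NTLM proxy-authentication handshake as the proxy logs it.
Added example, not Smoothwall code: message layouts follow NTLMSSP, but the
credential check is a stand-in HMAC (not NTLMv2) and the directory is a dict."""
import base64
import hmac
import os
import struct

NTLMSSP = b"NTLMSSP\x00"
FLAGS = 0x00000205  # NEGOTIATE_UNICODE | REQUEST_TARGET | NEGOTIATE_NTLM


def _field(blob, offset):
    """NTLM security buffer: length, max length, offset into the message."""
    return struct.pack("<HHI", len(blob), len(blob), offset)


def build_type1():                       # NEGOTIATE: 32 bytes, no payload
    return NTLMSSP + struct.pack("<II", 1, FLAGS) + b"\x00" * 16


def build_type2(challenge):              # CHALLENGE: 8-byte server nonce at offset 24
    return (NTLMSSP + struct.pack("<I", 2) + _field(b"", 40)
            + struct.pack("<I", FLAGS) + challenge + b"\x00" * 8)


def build_type3(domain, user, workstation, nt_response):   # AUTHENTICATE
    blobs = [b"\x00" * 24, nt_response] + [s.encode("utf-16-le") for s in (domain, user, workstation)]
    fields, payload, base = b"", b"", 64
    for blob in blobs:                   # LM, NT, domain, user, workstation, then empty session key
        fields += _field(blob, base + len(payload))
        payload += blob
    fields += _field(b"", base + len(payload))
    return NTLMSSP + struct.pack("<I", 3) + fields + struct.pack("<I", FLAGS) + payload


def decode_header(value):
    """(message_type, raw) from a 'NTLM <base64>' header value; (None, b'') if absent or invalid."""
    if not value or not value.startswith("NTLM "):
        return None, b""
    try:
        raw = base64.b64decode(value[5:], validate=True)
    except ValueError:
        return None, b""
    if len(raw) < 12 or raw[:8] != NTLMSSP:
        return None, b""
    return struct.unpack_from("<I", raw, 8)[0], raw


def _buf(raw, pos):                      # bytes referenced by the security buffer at header offset pos
    length, _, off = struct.unpack_from("<HHI", raw, pos)
    return raw[off:off + length]


class NtlmProxy:
    """Proxy side. State is per TCP connection: NTLM authenticates the connection,
    so later requests on an authenticated connection get the user straight away."""

    def __init__(self, directory):
        self.directory = directory       # {"DOMAIN\\user": secret}, stand-in for AD
        self.conns = {}
        self.log = []                    # (conn, status, user, url), like an access.log

    def _reply(self, conn, url, status, user, challenge=None):
        self.log.append((conn, status, user, url))
        hdr = "NTLM" if challenge is None else "NTLM " + base64.b64encode(build_type2(challenge)).decode()
        return {"status": status, "Proxy-Authenticate": hdr if status == 407 else None}

    def handle(self, conn, url, proxy_authorization=None):
        st = self.conns.setdefault(conn, {"challenge": None, "user": None})
        if st["user"]:
            return self._reply(conn, url, 200, st["user"])
        mtype, raw = decode_header(proxy_authorization)
        if mtype == 1:                   # Type 1 in -> second 407, carrying the challenge
            st["challenge"] = os.urandom(8)
            return self._reply(conn, url, 407, "-", st["challenge"])
        if mtype == 3 and st["challenge"]:   # Type 3 in -> check it against the directory
            name = _buf(raw, 28).decode("utf-16-le") + "\\" + _buf(raw, 36).decode("utf-16-le")
            secret = self.directory.get(name)
            expected = hmac.new(secret, st["challenge"], "md5").digest() if secret else b""
            if secret and hmac.compare_digest(expected, _buf(raw, 20)):
                st["user"] = name
                return self._reply(conn, url, 200, name)
        st["challenge"] = None           # nothing usable: bare 407, the handshake starts again
        return self._reply(conn, url, 407, "-")


def client_request(proxy, conn, url, domain=None, user=None, secret=None):
    """Drive one client request; returns the status codes seen on the wire.
    A client that cannot do NTLM (user=None) gets the bare 407 and stops."""
    codes = [proxy.handle(conn, url)["status"]]
    if codes[-1] != 407 or user is None:
        return codes
    r = proxy.handle(conn, url, "NTLM " + base64.b64encode(build_type1()).decode())
    codes.append(r["status"])
    challenge = base64.b64decode(r["Proxy-Authenticate"][5:])[24:32]
    nt = hmac.new(secret, challenge, "md5").digest()     # stand-in for the NTLMv2 response
    t3 = build_type3(domain, user, "PC01", nt)
    codes.append(proxy.handle(conn, url, "NTLM " + base64.b64encode(t3).decode())["status"])
    return codes


if __name__ == "__main__":
    proxy = NtlmProxy({"SCHOOL\\pupil01": b"pupil-secret"})
    print(client_request(proxy, "c1", "http://www.bbc.co.uk/", "SCHOOL", "pupil01", b"pupil-secret"))
    print(client_request(proxy, "c1", "http://www.bbc.co.uk/news"))  # same connection: just 200
    print(client_request(proxy, "c2", "http://example.net/"))        # non-NTLM client: only 407
    print(proxy.log)
```

Note that the proxy can only attribute the request once the Type 3 message arrives: the remote website never takes part, which is why a site not supporting NTLM makes no difference, while a client program that never answers the 407 leaves only IP-addressed 407 entries behind.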

#6  tom_newton

    OB's right - what you're seeing is actually an artefact of a change to our logging: we used to just not display 407s, because NTLM naturally generates a lot of them. Now we do, because the logging system can handle the extra workload, and *because* of our commitment to safeguarding we want to be able to say "we log everything we can".

#7  TechMonkey

    Right. Thank you for explaining. That makes sense, and explains why I've not noticed it ever before, as it was brought in by the change in logging. I can kind of see what the Engineer was trying to say but failed to.

#8  AMLightfoot

    Quote Originally Posted by TechMonkey View Post
    Right. Thank you for explaining. That makes sense, and explains why I've not noticed it ever before, as it was brought in by the change in logging. I can kind of see what the Engineer was trying to say but failed to.
    NTLM is a tricksy thing and the whole handshake thing is complicated to get your head around. It's probably easier to explain it in text than it is verbally because you can lay it out logically. Either way, bottom line is that if you are using NTLM and seeing 407 entries in the logs, this is normal. You will have to bypass auth for some things - this is an inevitable result of using NTLM but most often the ease of use outweighs the hassle.
