

Basic Authentication vs NTLM

Hi,
is there anybody out there who would prefer BASIC-AUTH over NTLM?
What would you tell a customer to explain why they should swap to NTLM?
The background is that a lot of UTM customers use BASIC and XG doesn't run this anymore. Is there an alternative?



  • Basic authentication is very insecure.  To quote that Wikipedia article: "The BA mechanism provides no confidentiality protection for the transmitted credentials. They are merely encoded with Base64 in transit, but not encrypted or hashed in any way."

     

    The way you should approach it is that you should use NTLM.  Only if there is some reason that NTLM cannot be used and there is no other viable workaround should you use basic.

    IIRC there were some old devices or services that only support basic.

     

    So the question is - if a UTM customer is using basic, what prevents them from using NTLM?

  • Hi Michael,

    thanks for the helpful answer :).

    I have one final question: with BA it's possible to authenticate a single application (for example, if you enter credentials for Firefox, your Internet Explorer also needs to be authenticated with user/pass - because of the POST header?) - does this work with NTLM as well? Or will SFOS unlock the whole IP address?

  • If I recall correctly:

    The proxy caches the authentication for 5 minutes.  Therefore for the next five minutes any traffic from that IP will be considered authenticated and the known user will be used.  After that cache has expired there is no currently authenticated user and on the next request that it can, the system will again try to authenticate.  There are some special cases for example, like if you have an exception saying "Do not authenticate" or if you are going to certain sites (Windows or Sophos update) where it will use the "last known user" in the log and policy, even if that cached user is from hours ago.

    In standard mode, the browser knows that it is authenticating to a proxy.  Therefore it continues to send the authentication headers for every request.  When the 5 minutes are up the proxy checks the headers, says everything is still good (there is no challenge-response for authentication).  If you switched browser it would re-authenticate after the cache expires.

    In transparent mode, only certain types of requests we can do authentication on (HTTP with no parameters).  If the five minute cache expires and the next request is HTTPS I think (not positive) that it uses the Last Known User.  Only when an HTTP request comes in does it do the challenge-response to get the user.

    So in transparent mode, there is re-authentication every 5 minutes, adding a hundred milliseconds to some requests.

    In true NTLM AD SSO (Single Sign On - the user signed into the computer is the same as the user signed into the UTM) all this is transparent to the user, no browser pop ups.  It makes no difference if it cached, re-authenticating, etc.
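The cache behaviour described in the reply above, as an added model (example code written for this page, not Sophos UTM or XG code). It assumes the values the reply gives: a 5-minute per-IP cache, standard-mode browsers resending their proxy credentials on every request, transparent-mode challenges only on plain HTTP requests without parameters, and the "last known user" fallback for HTTPS in transparent mode, which the reply itself marks as uncertain. The IP addresses, user names and request sequence are constructed.

```python
from dataclasses import dataclass, field

# Assumed value, taken from the reply: the UTM proxy caches an authenticated user
# per source IP for 5 minutes (the thread later gives 4 minutes for XG).
CACHE_TTL_SECONDS = 5 * 60


@dataclass
class ProxyAuthCache:
    """Model of the per-IP authentication cache the reply describes.

    mode is "standard" (browser knows it talks to a proxy and keeps sending
    Proxy-Authorization on every request) or "transparent" (browser thinks it
    talks to the origin site; the proxy can only challenge plain HTTP requests
    without parameters).
    """
    mode: str = "standard"
    ttl: int = CACHE_TTL_SECONDS
    cached: dict = field(default_factory=dict)      # ip -> (user, time authenticated)
    last_known: dict = field(default_factory=dict)  # ip -> last user ever seen from that ip

    def authenticate(self, ip, user, now):
        """Record a completed challenge/response (or header validation) for ip."""
        self.cached[ip] = (user, now)
        self.last_known[ip] = user

    def decide(self, ip, now, scheme="http", has_params=False,
               header_user=None, policy_exception=False):
        """Return (user, action) for one request from ip at time now.

        header_user: user named by a Proxy-Authorization header the client sent
                     (standard mode only; transparent-mode clients send none).
        policy_exception: a "do not authenticate" exception or an update site,
                     for which the reply says the last known user is used.
        """
        entry = self.cached.get(ip)
        if entry is not None and now - entry[1] < self.ttl:
            # Caveat: the cache is keyed by IP, so every host or browser behind
            # that address (NAT, terminal server) inherits this user's identity.
            return entry[0], "cached"
        if policy_exception:
            return self.last_known.get(ip), "last-known-user"
        if self.mode == "standard":
            if header_user is not None:
                # Credentials arrived with the request; no new challenge round trip.
                self.authenticate(ip, header_user, now)
                return header_user, "header"
            return None, "challenge"
        # transparent mode
        if scheme != "http" or has_params:
            # Assumption from the reply ("I think, not positive"): requests the
            # proxy cannot challenge fall back to the last known user.
            return self.last_known.get(ip), "last-known-user"
        return None, "challenge"  # next plain HTTP request triggers the exchange


def demo():
    """Scripted, constructed sequence of requests; returns the decisions."""
    results = []
    std = ProxyAuthCache(mode="standard")
    std.authenticate("10.0.0.5", "CORP\\jdoe", now=0)
    # A second browser on the same IP one minute later is treated as jdoe.
    results.append(std.decide("10.0.0.5", now=60))
    # After expiry the first browser still sends its header: revalidated silently.
    results.append(std.decide("10.0.0.5", now=6 * 60, header_user="CORP\\jdoe"))
    # A request with no header after the refreshed cache expires again is challenged.
    results.append(std.decide("10.0.0.5", now=12 * 60))

    tr = ProxyAuthCache(mode="transparent")
    tr.authenticate("10.0.0.7", "CORP\\asmith", now=0)
    # Expired cache, HTTPS request: cannot challenge, last known user applies.
    results.append(tr.decide("10.0.0.7", now=6 * 60, scheme="https"))
    # Expired cache, plain HTTP request: this one gets the challenge/response.
    results.append(tr.decide("10.0.0.7", now=6 * 60, scheme="http"))
    # Never-seen IP hitting an update site under an exception: no user at all.
    results.append(tr.decide("10.0.0.9", now=0, policy_exception=True))
    return results


if __name__ == "__main__":
    for user, action in demo():
        print(f"{action:16} user={user}")
```

The point the model makes visible is the one the original question was circling: with either Basic or NTLM the proxy's decision is keyed by source IP for the cache lifetime, so a second browser, or a second machine behind the same NAT address, rides on the first user's identity until the cache expires.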

  • Okay, great :=)

    Is it correct that the client doesn't send any authentication packets or tokens during the time it's authenticated?
  • I confirmed that in XG the NTLM cache is 4 minutes.

    In standard mode if I recall correctly the browser will continue to send NTLM type 3 messages (SessionIds) as part of the header on every request (because the browser thinks it is talking to a proxy server).

    In transparent mode, the browser will not send any authentication information after it does the initial auth (because the browser thinks it is talking to a real website) until auth is re-requested.

    To complicate matters, though, we actually send "WWW-Authenticate: Negotiate" which allows for both Kerberos and NTLM.  Windows computers in a domain will prefer Kerberos.  The result however is the same (though I'm not sure if Kerberos uses SessionIds).  In XG (and with a lot of the internet) when we say "NTLM" it is shorthand for "Negotiate=NTLM/Kerberos".

     

    If you want greater detail on how NTLM works you can google "ntlm type 1 2 3" and "how does kerberos work in http".  There is nothing special about Sophos's implementation. 
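An added example, written for this page and not code from Sophos or from the thread, that makes two of the points above concrete: the Basic credential quoted from Wikipedia in the first answer (Base64 is reversible, so the password is recovered from the header), and the NTLM Type 3 message this reply says the browser keeps sending in standard mode (it names the domain, user and workstation, plus challenge responses derived from the password hash, but never the password). The field offsets follow the public MS-NLMP layout for the AUTHENTICATE_MESSAGE; the builder exists only to construct a sample message offline, and both sample headers, the user names and the dummy NT response bytes are constructed, not captured.

```python
import base64
import struct

# Constants from the public MS-NLMP message layout (not from the Sophos implementation).
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # strings in the payload are UTF-16LE when set


def parse_basic(header_value):
    """Recover user and password from a 'Basic <base64>' credential.

    Base64 is an encoding, not encryption: anyone who sees the header
    (plain-HTTP proxy traffic, a log, a packet capture) gets the password.
    """
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    # RFC 7617: the password may itself contain ':', so split on the first one only
    user, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    return user, password


def build_ntlm_type3(domain, user, workstation, nt_response, lm_response=b""):
    """Construct a Type 3 (AUTHENTICATE_MESSAGE) for the demo; sample data only."""
    enc = "utf-16-le"
    fields = [lm_response, nt_response,
              domain.encode(enc), user.encode(enc), workstation.encode(enc), b""]
    offset = 64  # 8 signature + 4 type + 6 fields * 8 bytes + 4 flags
    header = NTLMSSP_SIGNATURE + struct.pack("<I", 3)
    payload = b""
    for f in fields:
        header += struct.pack("<HHI", len(f), len(f), offset)  # Len, MaxLen, BufferOffset
        payload += f
        offset += len(f)
    header += struct.pack("<I", NEGOTIATE_UNICODE)
    return header + payload


def parse_ntlm_type3(header_value):
    """Pull the identity fields out of an 'NTLM <base64>' Type 3 credential.

    Unlike Basic, the Type 3 message carries challenge responses computed from
    the password hash, never the password itself (the responses still deserve
    protection: they can be relayed or cracked offline).
    """
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() not in ("ntlm", "negotiate"):
        raise ValueError("not an NTLM/Negotiate credential")
    msg = base64.b64decode(blob)
    if msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not NTLMSSP (a Negotiate header may carry a Kerberos token instead)")
    msg_type = struct.unpack_from("<I", msg, 8)[0]
    if msg_type != 3:
        raise ValueError(f"NTLM type {msg_type} message, not a Type 3 authenticate message")

    def field(pos):
        length, _max_len, off = struct.unpack_from("<HHI", msg, pos)
        return msg[off:off + length]

    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    return {
        "domain": field(28).decode(enc),
        "user": field(36).decode(enc),
        "workstation": field(44).decode(enc),
        "lm_response_len": len(field(12)),
        "nt_response_len": len(field(20)),
    }


# Constructed sample headers (not captured from a real proxy or client).
BASIC_HEADER = "Basic " + base64.b64encode(b"CORP\\jdoe:Winter2024!").decode()
NTLM_HEADER = "NTLM " + base64.b64encode(
    build_ntlm_type3("CORP", "jdoe", "WS01", nt_response=b"\x11" * 24)
).decode()

if __name__ == "__main__":
    print("Basic   ->", parse_basic(BASIC_HEADER))
    print("NTLM T3 ->", parse_ntlm_type3(NTLM_HEADER))
```

Run the block against a Proxy-Authorization value lifted from a capture of your own standard-mode client and the contrast is immediate: the Basic header yields the password outright, while the Type 3 message yields only who is claiming to authenticate and fixed-length responses to the proxy's challenge. A Negotiate header on a domain-joined Windows client will usually carry a Kerberos token rather than NTLMSSP, which is why the parser checks the signature before trusting the offsets.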

  • Get it :)

    Thank you so much :)