Squid with encrypted authentication vs. Novell BorderManager

From: David C Niemi <niemi@dont-contact.us>
Date: Wed, 26 Nov 1997 23:50:54 -0500 (EST)

This is really two separate questions for one project.

My company wants to implement a scalable caching web proxy with
micromanaged user authentication and site blocking lists. We have had
major scalability problems in the past (and present) with IP-address-based
authentication schemes, and would really prefer to change to a User ID +
Password scheme. We have about 1100 active web users out of ca. 5000
employees, and both the number of web users and the traffic per capita keep
growing steadily.

I am quite familiar (and pleased) with Squid in a smaller, less
access-controlled environment. One of the two ways I can see of
implementing our next generation of web proxy is to use Squid on top of
Caldera OpenLinux Standard, requiring a user ID + password when they start
browsing which is checked against our NDS data base via Caldera's NetWare
tools. Sessions would be tracked by IP address and timed out so that
re-authentication is only needed after a management-dictated idle timeout
period, say 10 minutes. I have already figured out what code is needed to
add this to Squid, and this is quite reasonable.

The main problem I see with this approach (aside of the politics against
using Linux) is that Squid authentication is normally unencrypted HTTP
Basic Authentication, i.e. user ID and Passwords "in the clear" (well,
Base64 encoded) *on every hit*. How plausible is it to force clients to
authenticate to a Squid proxy via SSL (using SSLeay, perhaps) to avoid this
problem? I don't mind doing some coding/hacking in my spare time, but a
major development effort is out of the question.

The second approach is Novell BorderManager. I am very concerned about its
scalability, and do not yet know if its authentication and session
management meet our needs either, but it certainly sounds promising on the
surface. It supports ICP and is supposed to be "Squid-derived" (though I
rather doubt that given Squid's GPL, perhaps it is really Harvest-derived).
Has anyone compared its performance/scalability vs., say, Squid on Linux on
the same hardware?


Niemi@tux.org 703-810-5538 Reston, Virginia, USA
    "Down that path lies madness. On the other hand, the road to
     hell is paved with melting snowballs." -- Larry Wall, 1992
Received on Wed Nov 26 1997 - 21:04:42 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:37:44 MST