Re: [squid-users] Requirement to restrict one user accessing squid only from one I.P Address.

From: Vivek Varghese Cherian <vivekcherian_at_gmail.com>
Date: Mon, 3 May 2010 00:20:47 +0530

On Wed, Apr 28, 2010 at 3:50 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> Vivek Varghese Cherian wrote:
>>
>> Hi,
>>
>> My client has a requirement where he would like to ensure that a user
>> authorized
>> to squid should be able to access the internet from only one I.P Address.
>>
>> Her requirement is that even if one of her users shares her password
>> with the second
>> user, the second should not be able to login except from the first
>> user's machine, not
>> even on the second user's machine or any other machine in the network
>> for that matter.
>>
>> The client has around 1000 users in her organization who frequently
>> share their user names and password with other users.
>>
>> Any pointers/urls in this direction would be most welcome. �If this
>> question has been answered previously in this mailing list, a pointer
>> in that direction would suffice.
>>
>> Thanks in advance.
>>
>> Regards,
>
> I see you are faced with the major job dealing with a seriously dangerous
> habit amongst your users.
>
> The only real solution is education. The users must be taught not to share
> access privileges. This is going to take some work and probably a fair
> amount of time as well.
>
> You will need a plan of attack on the problem and support from your
> organizations management to make this fully work. The management will need
> to make policies prohibiting credentials being shared and outline some
> consequences if they are.
>
> A) The easy initial catch is to use a max_user_ip type ACL which detects
> multiple-IPs using the same credentials.
> �A deny_info splash page for that ACL can be used to inform the users that
> their offence has been caught and re-inforce the organization policies.
> �This can be fooled in circumstances where DHCP dynamically assigns IPs, or
> NAT hides whole groups of users.
>
>
> B) As Jeff pointed out the arp type ACL can go beyond IP address and detect
> individual machines network cards.
> �This can fail if the network has any routers between the users and Squid.
> And may require organization-wide proxy-ARP protocol to be implemented.
>
> C) The other way is to create a database matching user logins to the IP
> address the user is assigned. Create a external_acl_type script to take
> %LOGIN %SRC parameters and lookup the database for a matching pair.
> Returning OK/ERR about whether the request is allowed or not.
> �This can be fooled by NAT, or users setting their IP manually or relaying
> requests through a box which does either for them.
>
> Amos
> --
> Please be using
> �Current Stable Squid 2.7.STABLE9 or 3.1.1
>

Thanks Jeff, Sagar and Amos for your invaluable feed backs.

-- 
Vivek Varghese Cherian
Senior Systems Administrator
RHCT ( # 605010995430406)
Website : http://vivekvc.freeshell.org
Blog: http://vivekvc.wordpress.com
Linkedin: http://www.linkedin.com/in/vivekvc
IRC: Vivek and ViveKVC on both Freenode and OFTC
GPG Key fingerprint = 1EB1 0647 9574 18A3 40B5  8D74 F842 576B 3C2B 8538
Received on Sun May 02 2010 - 18:51:04 MDT

This archive was generated by hypermail 2.2.0 : Mon May 03 2010 - 12:00:03 MDT