What you have is a severely dysfunctional corporation. Network security is the least of your problems.
That's what dot1x is for
Posted Jul 14, 2012 9:37 UTC (Sat) by nim-nim (subscriber, #34454)
Yes, you don't have this kind of problem with a few hundred people; you can always educate them directly.
Posted Jul 14, 2012 11:09 UTC (Sat) by hummassa (subscriber, #307)
The "access control" thing has a solution, and it's not deep packet inspection, it's 802.1x.
The "traffic shaping" thing has a solution, and once your user is authenticated with 802.1x, you can identify their traffic and mark their packets and shape it so it does not mess things up for themselves and others.
If you have a real-world big organization, you shouldn't snoop people's bank account passwords (THAT is what your deep packet inspection is doing, anyway) so you don't incur a HUGE liability (bank auditor inspecting user laptop: "no viruses or trojans, let's check the bank certificates... whoa, a fake one, not in my list... who emitted this? ah, a MITM box, whose box? aha! they snooped the password. hi, legal department, I found someone for you to sue." -- true story)
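The auditor's check in the story above, written out as an added example (not code from the thread or from any product mentioned in it): it builds constructed certificates in memory (a hypothetical "Bank Root CA", a hypothetical "Corp Interception CA", and a leaf for the placeholder host bank.example issued by each), then verifies a leaf against only the root the auditor expects and reports the unexpected issuer when the chain does not reach it. Go's standard crypto/x509 is the only dependency.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert signs tmpl with parent (self-signs when parent is nil) and returns the
// parsed certificate plus its private key. Constructed test material only.
func mkCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil { // nil parent: self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, perr := x509.ParseCertificate(der)
	if err != nil || perr != nil {
		panic("certificate fixture failed")
	}
	return cert, key
}

// certTemplate returns a one-hour-valid template; ca selects root vs. server leaf.
func certTemplate(name string, ca bool) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: ca, BasicConstraintsValid: ca,
	}
}

// CheckIssuer verifies leaf for host against only the roots the auditor expects
// (the bank's real CA). It returns "" when the chain is genuine, or the name of
// the unexpected issuer, which is what a forged interception certificate shows.
func CheckIssuer(leaf *x509.Certificate, host string, expected *x509.CertPool) string {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: expected})
	if err == nil {
		return ""
	}
	return leaf.Issuer.CommonName
}
```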
Posted Jul 14, 2012 11:54 UTC (Sat) by nim-nim (subscriber, #34454)
I've already explained why 802.1x was useless for gateway authorisation. Putting it in the thread title does not make it any less useless.
Quoting Willy Tarreau (Linux 2.4 maintainer, haproxy author, IETF HTTPbis WG member):
> Despite our disgust for this fact, HTTP has become a de-facto standard
> transport protocol for many purposes. WebSocket is a proof of this, it was
> born to address the dirty bidirectional mechanisms that were appearing
> everywhere. A wide number of tools are able to use the HTTP CONNECT
> method over a proxy to reach a point on the net (for VPNs, SSH, etc...).
> HTTP has brought what TCP lacks: user authentication and bouncing over
> proxies even in non-routable environments.
> The problem is that right now the migration to HTTPS for many sites has
> caused increased need for HTTPS content analysis, and a large number of
> products are now used to spoof certificates and control everything. This
> is not acceptable (technically speaking, and from the user's privacy
> respect). We absolutely need the new HTTP standard to make it possible
> for end users to choose if their contents may be analysed by the proxy
> or not
Is that enough to make you understand that perhaps you don't understand all the use cases?
Posted Jul 14, 2012 12:20 UTC (Sat) by hummassa (subscriber, #307)
It also states that "Despite our disgust for this fact, HTTP has become a de-facto standard transport protocol for many purposes". This means, in other words, that "a lot of people are using what they should not be using", i.e., there are other solutions to that.
Finally, you state that "perhaps you don't understand all the use cases?" Nope, I do, in fact, understand _all_ the use cases. And for all of them, a well-thought combination of network authentication (802.1x + RADIUS), traffic shaping, and maybe limited VPNs are the correct solution, in the correct network layers.
Maybe you can disprove me if you cite one use case (or more than one!) where my last statement is not true (*), or if you can explain to me why it is so.
(*) I will probably show you that you are wrong, and that dot1x is a better and simpler solution. But give your best shot, I don't mind being wrong.
Posted Jul 14, 2012 12:42 UTC (Sat) by nim-nim (subscriber, #34454)
Your "well-thought combination of network authentication (802.1x + RADIUS), traffic shaping, and maybe limited VPNs" is a deployment nightmare (and is getting worse the bigger your organisation is) which is why big orgs just use interception instead (which can be deployed easily and solves their problems even if it has ugly privacy side-effects).
But feel free to communicate your thoughts to the httpbis ietf workgroup.
(btw the current http/2 discussions would make an interesting lwn article topic)
Posted Jul 14, 2012 15:30 UTC (Sat) by hummassa (subscriber, #307)
This does not parse to me. We just deployed your "nightmare" to an organization with 3000 users and 5000 devices in less than a week. They select WPA2Enterprise, write their login, their password and voilà. Wired connections are managed by a combination of MAC addresses and kerberos workstation authentications (any OSes where this would be complicated are just added as exceptions and bypass the authentication but they are mapped to a physical network point, so anything funky is easy to block). Each user/device combo has access to a specific routing and traffic shaping ruleset.
Is it more difficult than "plug MITM machine after the router and use the default settings"? Yes, it is. Is it much more difficult? No. Is it safer? YES. Do orgs as big as mine and bigger just use interception instead because it is easier? Yes, but mainly it is because they are lazy and haven't seen all the consequences.
As I told you, your problem is not just "ugly privacy side-effects", but "ugly liability side-effects because once your machine decrypted my encrypted communications between me and my bank or my government you can take a peek at it". It's not that you _will_ take a peek at it. It's that if passwords/keys/confidential records get copied, you will have the onus of proving you didn't copy them -- because, you know, you could.
> But feel free to communicate your thoughts to the httpbis ietf workgroup.
> (btw the current http/2 discussions would make an interesting lwn article topic)
Please link them!
One more thing: I asked for (at least one) use-case where https interception would be better than dot1x+radius... :-D
Posted Jul 14, 2012 15:48 UTC (Sat) by nim-nim (subscriber, #34454)
Do you realize that with the current economic crisis, many companies announce layoffs which are bigger than your whole organization size? (sometimes, for a single physical site)
3000 users is not even remotely in the big category.
Posted Jul 14, 2012 17:53 UTC (Sat) by Cyberax (✭ supporter ✭, #52523)
It requires a lot of setup, it breaks in non-trivial ways, it's not really completely compatible between implementations and usually doesn't actually work.
Posted Jul 15, 2012 12:21 UTC (Sun) by jubal (subscriber, #67202)
Posted Jul 15, 2012 12:32 UTC (Sun) by Cyberax (✭ supporter ✭, #52523)
My opinion is that technologies should scale down as well as up. If a technology only works for companies with 30000000000 employees then it's a dead technology (sooner or later, usually sooner).
For example, Kerberos + LDAP promise seamless and transparent authentication throughout all the corporate services. Except that it doesn't work on iPads. Fail.
Posted Jul 15, 2012 13:06 UTC (Sun) by hummassa (subscriber, #307)
Posted Jul 15, 2012 13:15 UTC (Sun) by Cyberax (✭ supporter ✭, #52523)
I know such a company. They've deployed Ethernet/WiFi authentication using IPSec throughout the company, with smart cards for desktop logins, etc. And then they had to make it work with Windows CE-based devices (they've paid me to do this, actually). Turned out that it was easier to create a separate unsecured WiFi network and pipe everything important over HTTPS.
Posted Jul 15, 2012 15:00 UTC (Sun) by hummassa (subscriber, #307)
We already had plans in place for that (we have many such devices, especially those that do not belong to the organization). And the vendors who could not be bothered to implement support for WPA2/Enterprise, we just don't buy from them.
> Turned out that it was easier to create a separate unsecured WiFi network and pipe everything important over HTTPS.
Sometimes, yes it is (or create a less-secured, WPA2/Personal or WPA1 protected network and go from there)... but if you plan right, you can isolate those cases...
Posted Jul 15, 2012 15:08 UTC (Sun) by Cyberax (✭ supporter ✭, #52523)
Besides, once you implement the parallel infrastructure that actually works _better_ than your secured-down-to-the-wire IPSec network, people start asking: "Why have we even bothered with this ipsec crap?"
So that's why middlebox vendors make a killing selling various DPI tools to organizations. Sure, they violate all the possible RFCs and all the notions of protocol layering. But at the same time they actually work in RealLife(tm).
Posted Jul 15, 2012 15:31 UTC (Sun) by hummassa (subscriber, #307)
We deal with this by limiting EXTREMELY the bandwidth and reliability of the secondary infrastructure. If you want to use a non-standard thing, pay the price.
> So that's why middlebox vendors make a killing selling various DPI tools to organizations. Sure, they violate all the possible RFCs and all the notions of protocol layering. But at the same time they actually work in RealLife(tm).
For a really wide definition of working...
Posted Jul 15, 2012 17:16 UTC (Sun) by Cyberax (✭ supporter ✭, #52523)
Nice. Increasing success by lowering expectations.
That's exactly why more and more people ditch all the 'standards compliant' crap and instead install something that is simple and stupid, but actually usable.
> For a really wide definition of working...
It gets stuff done. It doesn't annoy people. It's fairly easy to troubleshoot.
What more do you need?
Posted Jul 15, 2012 18:18 UTC (Sun) by hummassa (subscriber, #307)
No exposure to huge liabilities?
Posted Jul 15, 2012 12:59 UTC (Sun) by nix (subscriber, #2304)
(That Windows sysadmins treat their work as if it were home, with lashup hacks that fall apart all the time, while Unix sysadmins treat their home as if it were work, with high-end stuff like Kerberos all over the place hugely overspecified for their tiny setups. It's not true of Windows anymore, which is a lot less lashupy now that the Windows 9x line has died, but I certainly thought it was still true of a lot of Unix sysadmins.)
Posted Jul 16, 2012 11:37 UTC (Mon) by robbe (guest, #16131)
Hereabouts organisations solve that problem by a combination of:
* forbidding private use of their Internet connection
* informing employees that their Internet traffic can be monitored, even HTTPS
The nicer companies allow exceptions (e.g. private surfing during breaks) but put the onus on their employees to inform them of websites that should never ever be snooped upon. A whitelist of sites that are not MITMed is a standard feature of these SSL scanner products.
I see a much bigger problem at the moment with mobile devices that can jump from unsecured (e.g. 3G) to a privileged (e.g. company WLAN) net in seconds ... sometimes without the user even noticing.
Copyright © 2013, Eklektix, Inc.