Introduction
Symantec Web Gateway (SWG) is a state-of-the-art proxy and web filtering solution for corporate local area networks. It can authenticate end users and provide them a secure web browsing experience according to the organization's policies and requirements.
SWG can use one of two authentication mechanisms:
- Domain Controller Interface (DCI)
- NTLM-based Authentication
SWG can only use one of these methods at a time.
Comparison of NTLM Authentication and DC Interface Mechanisms
NTLM and DC Interface provide different kinds of authentication mechanisms and also differ in functionality.
DC Interface
DCI works by integrating with the domain controllers in an organization. To do so, a small piece of agent software is installed on a domain controller; this software integrates SWG with the corporate domain.
How DCI Works
The SWG connects routinely to the DC to obtain LDAP group information for all known users.
1- User logs on to a computer.
2- The DC Interface agent on the Domain Controller detects the logon event and sends the user details and IP address to SWG.
3- User connects to the Internet.
4- SWG matches the connecting IP address to a user using the information received from the DC Interface.
5- SWG obtains LDAP group membership information from the DC.
6- SWG applies the appropriate policy based on the LDAP information.
7- In the event that no matching logged-on Domain User is identified, the SWG will apply the next IP-based policy or the default policy.
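The following simulation of the DCI flow is an added example, not Symantec code or part of the original post. It models the gateway side of steps 2 through 7: logon events from the DC agent populate an IP-to-user map, each connection is identified by its source IP, the user's cached LDAP groups select a policy, and an IP-based or default policy is applied when no logged-on user matches. The users, groups, networks and policy names are constructed; the "latest logon wins" rule for an IP is an assumption. The demo also shows why identification by IP alone goes stale when a second user starts using the same machine before the agent reports that logon, which is the policy-mismatch point made in the comparison table on this page.

```python
"""Simulation of the DC Interface (DCI) identification flow.

Constructed example, not Symantec code: a DCI agent on the domain controller
forwards logon events (user + IP) to the gateway; the gateway maps the source
IP of each outbound connection back to a user, looks up the user's LDAP
groups and picks a policy, falling back to an IP-based or default policy when
no logged-on user matches. All group data and policy names are invented.
"""
from dataclasses import dataclass, field
import ipaddress
from typing import Dict, List, Optional

# Constructed LDAP group membership, as the gateway would cache it from the DC.
LDAP_GROUPS: Dict[str, List[str]] = {
    "alice": ["Domain Users", "Finance"],
    "bob": ["Domain Users", "Engineering"],
}

# Constructed policies: group-based first, then IP-range based, then default.
GROUP_POLICIES = [("Finance", "finance-policy"), ("Engineering", "eng-policy")]
IP_POLICIES = [(ipaddress.ip_network("10.0.5.0/24"), "guest-vlan-policy")]
DEFAULT_POLICY = "default-policy"


@dataclass
class Gateway:
    # IP -> user learned from DCI logon events (step 2).
    ip_to_user: Dict[str, str] = field(default_factory=dict)

    def on_logon_event(self, user: str, ip: str) -> None:
        """Step 2: the DCI agent reports a logon. Assumption: latest logon wins."""
        self.ip_to_user[ip] = user

    def identify(self, ip: str) -> Optional[str]:
        """Step 4: match the connecting IP to a known logged-on user, if any."""
        return self.ip_to_user.get(ip)

    def select_policy(self, ip: str) -> str:
        """Steps 4-7: group policy if the IP maps to a user, else IP/default policy."""
        user = self.identify(ip)
        if user is not None:
            groups = LDAP_GROUPS.get(user, [])           # step 5: cached LDAP groups
            for group, policy in GROUP_POLICIES:          # step 6: first matching group
                if group in groups:
                    return policy
        addr = ipaddress.ip_address(ip)                   # step 7: no user matched
        for net, policy in IP_POLICIES:
            if addr in net:
                return policy
        return DEFAULT_POLICY


def demo() -> Dict[str, str]:
    """Drive the gateway through the scenarios described above."""
    gw = Gateway()
    gw.on_logon_event("alice", "10.0.1.10")
    result = {"alice_pc": gw.select_policy("10.0.1.10")}       # finance-policy
    result["unknown_guest"] = gw.select_policy("10.0.5.7")      # guest-vlan-policy
    result["unknown_other"] = gw.select_policy("10.0.9.9")      # default-policy
    # Identification is per IP, not per session: until the agent reports bob's
    # logon, bob browsing from alice's machine inherits alice's policy.
    result["bob_before_event"] = gw.select_policy("10.0.1.10")  # finance-policy
    gw.on_logon_event("bob", "10.0.1.10")
    result["bob_after_event"] = gw.select_policy("10.0.1.10")   # eng-policy
    return result


if __name__ == "__main__":
    for name, policy in demo().items():
        print(f"{name}: {policy}")
```

The fallback order (group policy, then IP-range policy, then default) is the one the page's step 7 describes; the window between a user switching machines and the agent's next logon report is the interval in which the wrong policy applies.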
NTLM Authentication
NTLM authentication is configured by providing the corporate domain controller's IP address and credentials in SWG's NTLM authentication configuration tab. It does not require installation of any additional software on the domain controller.
How NTLM Authentication Works
1- The SWG Administrator creates an Authentication policy set to Ignore, Authenticate no Enforce, or Enforce.
2- The SWG connects routinely to the DC to obtain LDAP group information for all known users.
3- User connects to the Internet site via the proxy.
4- The user's browser receives an NTLM challenge from the Web Gateway.
5- The user's browser responds transparently with a hash of the user's credentials.
6- The Web Gateway connects to the Domain Controller (noted in the LDAP settings) to verify the credentials.
7- If verification succeeds, policies are applied according to the LDAP information.
8- In the event that the NTLM process is not working correctly, or the user's LDAP information is not yet known, the SWG will apply the next IP-based policy or the default policy.
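The proxy-side challenge/response exchange from steps 3 through 8, as an added example that is not part of the original post and not Symantec code. It reproduces the message flow (an HTTP 407 with Proxy-Authenticate, a negotiate message, a fresh challenge, a keyed response, verification against the DC's stored hash, then an LDAP-based policy or the fallback policy). The cryptography is a stand-in: the response is HMAC-SHA256 keyed with a password hash rather than the real NTLM message formats and hashes (MD4 and HMAC-MD5), so it shows the shape of the protocol, not wire-compatible NTLM. The users, groups, policies, the textual message encoding and the meaning given to the Enforce setting are assumptions.

```python
"""Simulation of an NTLM-style proxy challenge/response flow.

Constructed example, not Symantec code. The exchange (HTTP 407 with
Proxy-Authenticate, negotiate, challenge, response, verification against the
DC, LDAP-based policy or fallback) follows the numbered steps on the page;
the cryptography is a stand-in (HMAC-SHA256 keyed with a password hash)
instead of real NTLM message formats. Directory data, policies and the
semantics of 'enforce' are assumptions made for the demo.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed directory data held by the DC: password hashes and LDAP groups.
DC_PASSWORD_HASHES: Dict[str, bytes] = {
    "alice": hashlib.sha256(b"correct horse battery").digest(),
}
LDAP_GROUPS: Dict[str, List[str]] = {"alice": ["Domain Users", "Finance"]}
GROUP_POLICIES = [("Finance", "finance-policy")]
DEFAULT_POLICY = "default-policy"


def compute_response(password_hash: bytes, challenge: bytes) -> bytes:
    """Step 5: keyed hash over the challenge; the password never crosses the wire."""
    return hmac.new(password_hash, challenge, hashlib.sha256).digest()


class DomainController:
    def verify(self, user: str, challenge: bytes, response: bytes) -> bool:
        """Step 6: recompute the expected response from the stored hash."""
        stored = DC_PASSWORD_HASHES.get(user)
        if stored is None:
            return False
        return hmac.compare_digest(compute_response(stored, challenge), response)


def policy_for(user: Optional[str]) -> str:
    """Steps 7-8: group-based policy for a verified user, otherwise the default."""
    for group, policy in GROUP_POLICIES:
        if user is not None and group in LDAP_GROUPS.get(user, []):
            return policy
    return DEFAULT_POLICY


class Proxy:
    def __init__(self, dc: DomainController, enforce: bool = True):
        self.dc = dc
        self.enforce = enforce                # step 1 (assumed: False = authenticate, no enforce)
        self.pending: Dict[str, bytes] = {}   # client -> outstanding challenge

    def handle(self, client: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str], str]:
        """One proxy round trip: returns (status, response headers, policy applied)."""
        auth = headers.get("Proxy-Authorization", "").split(" ")
        if auth[0] != "NTLM":
            return 407, {"Proxy-Authenticate": "NTLM"}, ""              # step 4: challenge
        if auth[1:] == ["NEGOTIATE"]:
            challenge = os.urandom(8)                                    # fresh nonce
            self.pending[client] = challenge
            return 407, {"Proxy-Authenticate": "NTLM " + challenge.hex()}, ""
        if len(auth) == 4 and auth[1] == "AUTH":
            user, resp = auth[2], bytes.fromhex(auth[3])
            challenge = self.pending.pop(client, None)                   # nonce is single-use
            if challenge is not None and self.dc.verify(user, challenge, resp):
                return 200, {}, policy_for(user)                         # step 7
            if not self.enforce:
                return 200, {}, policy_for(None)                         # step 8: fallback
        return 407, {"Proxy-Authenticate": "NTLM"}, ""


def browse(proxy: Proxy, client: str, user: str, password: str) -> Tuple[int, str]:
    """Browser side of the handshake (steps 3-5); returns (final status, policy)."""
    proxy.handle(client, {})                                             # plain request -> 407
    _, hdrs, _ = proxy.handle(client, {"Proxy-Authorization": "NTLM NEGOTIATE"})
    challenge = bytes.fromhex(hdrs["Proxy-Authenticate"].split(" ")[1])
    pw_hash = hashlib.sha256(password.encode()).digest()
    resp = compute_response(pw_hash, challenge).hex()
    status, _, policy = proxy.handle(client, {"Proxy-Authorization": f"NTLM AUTH {user} {resp}"})
    return status, policy


if __name__ == "__main__":
    dc = DomainController()
    print(browse(Proxy(dc), "pc-1", "alice", "correct horse battery"))   # (200, 'finance-policy')
    print(browse(Proxy(dc), "pc-2", "alice", "wrong"))                    # (407, '')
    print(browse(Proxy(dc, enforce=False), "pc-3", "mallory", "x"))       # (200, 'default-policy')
```

Two details carry the security value of the exchange: the browser only ever sends a keyed response to a challenge the proxy chose, and the proxy discards each challenge after one use, so a captured response cannot be replayed against the same proxy.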
Comparison of NTLM and DC Interface Features
NTLM has some advantages over DC Interface:
DCI | NTLM
Provides only a user identification service. | Provides both identification and authentication services.
Integration with the domain controller requires installation of agent software on at least one of the domain controllers in the environment. | Integration with the domain controller does not require any additional software.
Policy is mapped on the basis of the IP initially assigned to a machine. This results in a policy mismatch if the user switches machines. | Policy is based on username and only applies to the designated user.