On 5/23/05, Mark Romer <mromer@good.com> wrote:
> I'm curious how often those who deploy squid configure it to require
> user authentication. And what are the main reasons for requiring
> authentication?
AAA: Authentication, Authorization and Accounting.
Are you who you claim to be? Do you have permission to use the proxy?
Can we track back specific requests to an individual user?
On a small "home" network without any official security policies, I can
get away with being hyper-paranoid about personal privacy, restricting
access to specific ether addresses (MAC) and turning off logging.
On a slightly larger network with static IP addresses and trustworthy
internal users, I keep logs for a few days (or weeks) and rely on the
source IP for access control and logging. This is enough to be able
to respond to RIAA/MPAA complaints and debug technical problems.
In very large networks with dynamic IP addresses and many diverse
LANS/WANS using DHCP servers not under centralized management,
the IP address is not a reliable identifier, and user authentication may
be necessary, or even a mandatory (regulatory, internal policy, etc)
requirement.
The only place I've ever actually used Squid with authentication was
where the business had a need to have different policies apply to
different users within the same DHCP scope; for example "students"
might have more restrictive ACLs than "teachers" while a reception desk
might only have access to Mapquest, OpenTable, and AnyWho.
Kevin
Received on Mon May 23 2005 - 12:13:29 MDT
This archive was generated by hypermail pre-2.1.9 : Wed Jun 01 2005 - 12:00:03 MDT