Re: [squid-users] Ident large scale usage

From: Sam Stern <samstern@dont-contact.us>
Date: Mon, 06 Jan 2003 23:51:07 -0500

Jay Turner wrote:
> Hi All,
>
> Does anyone have any opinions/advice on the use of ident?
>
> We are looking to put Squid into an environment with 1500 users and we want
> to have username information stored in the log files.
>
> Two ways to do this 1)Use an authentication scheme (NTLM, SMB etc) or have
> each client PC run an ident service and have Squid request this info as
> required.
>
> I have tested this out fine in a small installation but I was wondering if
> there would be an impact in a 1500 user environment?
>
> Any thoughts?
>
> Regards
> Jay
>
>

Hi Jay,

I'm new to the squid program so I'll confine my comments to some general
security and network operations observations:

I would think that some form of Authentication should be used over ident
because (in no particular order):

1) Ident is easy to fool and the identd client is probably easy to suborn
into making false or misleading identd responses. I've yet to find a
good ident server for win32 that is security hardened. This item may or
may not be a factor depending on your view of internal threats.
2) You would need to be assured that each user generated a unique identd
request -- even if using a computer they normally would not use. Such a
factor would require careful study to prevent accidental or intentional
misidentification. As an example, what happens when a user surfs for
Pr0n from the cubby used by the temp sitting next to said person? Or if
10 PCs are needed by The New Temps (tm) and you borrow them from the
training room?
3) You already probably have some form of authentication in place so
using the existing structure may entail fewer new processes to enact
than deploying the ident client to each PC. Perhaps a user logon script
could simply update client emplacements for IE or Netscape (and other
apps that would use http/https/ftp) as needed?
4) The extra traffic generated by deploying Identd may increase network
utilization above acceptable limits. Such a deployment would need to be
studied and thus incur extra time from network engineering.
5) Lastly, identd client cost and licensing issues. Choice of a PC based
identd client with the proper licenses would need some study.

To me the core question is which authentication method makes the most
sense in your situation when you factor deployment costs into the
equation? How much extra load will NTLM place over SMB vs. the hassle of
deploying password based authentication?

HTH and food for thought,

P.S. Whatever is decided, I would love to hear how and why you make
whatever choice you do make. It would be an interesting case study for
those of us new to the world of squid in the enterprise.

Sam Stern
Glen Burnie, MD, USA
Received on Mon Jan 06 2003 - 21:51:15 MST
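As an added example (not from Jay's or Sam's mail), here is how the two approaches in this thread translate into squid.conf; it assumes Squid 2.6 or later directive syntax, and the network range, LDAP helper path, base DN and log path are placeholders. The ident path records whatever the client host's identd chooses to answer, while the proxy_auth path records a credential the proxy itself verified, which is the distinction behind Sam's first point.

```conf
# Added example, not part of the mailing-list thread. Assumes Squid 2.6+ syntax.
# The network range, helper path, base DN and log file are placeholders.
acl localnet src 10.0.0.0/8

# --- Option A: ident lookups (RFC 1413) ---
# Squid opens a TCP connection back to port 113 on the client and records
# whatever user name that host reports. Nothing is verified: the reply is
# only as trustworthy as the identd running on the client PC, so use it as
# an accounting hint, never as the basis of an access-control decision.
ident_lookup_access allow localnet
ident_lookup_access deny all
ident_timeout 5 seconds

# --- Option B: proxy authentication against the existing directory ---
# The browser presents credentials; the helper checks them against LDAP and
# an unauthenticated request is challenged with a 407 before it is served.
# (An NTLM or Negotiate helper can be declared the same way with
#  "auth_param ntlm ..." / "auth_param negotiate ...".)
auth_param basic program /usr/lib/squid/basic_ldap_auth -b "dc=example,dc=com" -f "uid=%s" ldap.example.com
auth_param basic children 10
auth_param basic realm Corporate proxy
auth_param basic credentialsttl 2 hours
acl authed proxy_auth REQUIRED

# Require both: a request from the internal range AND a verified login.
http_access allow localnet authed
http_access deny all

# Log both user fields side by side so the two sources can be compared:
# %ul is the authenticated login, %ui is the ident reply (each "-" if absent).
logformat userlog %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %ul %ui %Sh/%<a %mt
access_log /var/log/squid/access.log userlog
```

With both fields logged you can measure, on real traffic, how often the ident answer disagrees with the verified login (the borrowed-cubicle and training-room cases above) before deciding whether ident is worth keeping at all.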