I am currently working on implementing NTLM authentication using a Cisco Cache Engine 560 within our organization. In addition to this stand-alone caching device, I am also utilizing SmartFilter for URL filtering policies. I have been successful in configuring NTLM authentication (using our Windows 2003 domain) and have enabled HTTP transparent proxy using WCCP2.
When I started to do my testing, I immediately noticed that the browser displayed a pop-up asking for the user ID and password for this site. Because I want this to be transparent, it seems that after opening a TAC case, the only way to do this is to enable the "User Authentication > Logon > Automatic logon with current username and password" within Internet Explorer 7 in the Internet Zone security settings.
My concern is that with this option enabled, it seems possible that a malicious site could also prompt for HTTP authentication, in which case my browser would automatically pass the cached Windows domain credentials, which are the domain username and password, onward. With this information, said site could use it to attempt to access external resources (webmail) or internal ones (VPN, remote access, etc.). Is my thinking correct?
I broke down 4 scenarios below that I have considered.
1) No NTLM Authentication - SmartFilter policies are applied based on source IP addresses. PROS: Secure / CONS: Difficult to manage, DHCP addressing allows for anonymity for most web browsing.
2) Proxy with NTLM - Users NTLM authenticate to a proxy server transparently because the proxy server is in the Intranet zone. IE7 is set up to only pass credentials to other hosts in Intranet zones. PROS: Secure, user based authorization, no additional IE7 settings required, no credentials passed to Internet / CONS: Hardcoded proxy settings cause problems with mobile / remote users.
3) Transparent WCCP2 with NTLM (Automatic Login turned on) - Users NTLM authenticate transparently to the Cache engine. PROS: No pop-up box, user based authorization / CONS: Domain credentials could be passed to external sites on the Internet.
4) Transparent WCCP2 with NTLM (Automatic Login turned off) - Users authenticate via the Basic HTTP authentication method. PROS: user based authorization, no additional IE7 settings required / CONS: Credentials are sent in clear text from browser to cache engine
I was also wondering if there may be some way to have the HTTP header re-written (from the cache engine) so that it shows the authentication request is coming from it and not the Internet, and I could add this host to the Intranet sites list in IE7.
I would like to know how other people, using Cisco equipment, are performing authentication securely. Please feel free to correct me and my thinking, quash my security fears, or share how your organization is doing it.
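The following is an added example, not code from the original post or from Cisco; it illustrates the difference between scenarios 2, 3 and 4 at the HTTP level. It parses what a server on the receiving end of an automatic NTLM logon actually gets (the domain, username and workstation in the clear, plus the challenge response computed from the password hash, which can be relayed or cracked offline), shows why Basic is "clear text" (Base64 is an encoding, not encryption), and tells an origin-server challenge (401 / WWW-Authenticate, which is what a transparently intercepting cache and a malicious site both look like to the browser) from an explicit proxy challenge (407 / Proxy-Authenticate). The NTLM Type 3 layout follows MS-NLMP; the sample credentials, responses and header values are constructed for the example and are not real, and the builder only exists so the parser has something to read.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_AUTHENTICATE = 3  # Type 3 message

# Sample credentials: constructed for this example, not real.
SAMPLE_DOMAIN, SAMPLE_USER, SAMPLE_WORKSTATION = "CORP", "jdoe", "WS01"
SAMPLE_PASSWORD = "Winter2024!"


def _read_buffer(msg: bytes, field_offset: int) -> bytes:
    """Read an NTLM security buffer (u16 len, u16 maxlen, u32 offset)."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, field_offset)
    return msg[offset:offset + length]


def parse_ntlm_authenticate(header_value: str) -> dict:
    """Parse an 'Authorization: NTLM <base64>' Type 3 (AUTHENTICATE) message.

    Layout (MS-NLMP): signature(0), type(8), LM response(12), NT response(20),
    domain(28), user(36), workstation(44), session key(52), flags(60).
    Names are UTF-16LE when the Unicode flag is set; this example assumes it.
    """
    scheme, _, token = header_value.partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM Authorization header")
    msg = base64.b64decode(token)
    if msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("missing NTLMSSP signature")
    msg_type = struct.unpack_from("<I", msg, 8)[0]
    if msg_type != NTLM_AUTHENTICATE:
        raise ValueError(f"expected Type 3, got Type {msg_type}")
    return {
        "lm_response": _read_buffer(msg, 12),
        "nt_response": _read_buffer(msg, 20),
        "domain": _read_buffer(msg, 28).decode("utf-16-le"),
        "user": _read_buffer(msg, 36).decode("utf-16-le"),
        "workstation": _read_buffer(msg, 44).decode("utf-16-le"),
    }


def build_ntlm_authenticate(domain: str, user: str, workstation: str,
                            lm_response: bytes, nt_response: bytes,
                            flags: int = 0x00008201) -> str:
    """Build a minimal Type 3 message (constructed test data, dummy responses).

    A real client derives lm/nt_response from the server challenge and the
    password hash; the password itself is never placed in the message.
    """
    fields = [lm_response, nt_response,
              domain.encode("utf-16-le"), user.encode("utf-16-le"),
              workstation.encode("utf-16-le"), b""]  # empty session key
    header_len = 8 + 4 + 6 * 8 + 4  # signature, type, six buffers, flags
    buffers, payload, offset = b"", b"", header_len
    for field in fields:
        buffers += struct.pack("<HHI", len(field), len(field), offset)
        payload += field
        offset += len(field)
    msg = (NTLMSSP_SIGNATURE + struct.pack("<I", NTLM_AUTHENTICATE)
           + buffers + struct.pack("<I", flags) + payload)
    return "NTLM " + base64.b64encode(msg).decode("ascii")


def decode_basic(header_value: str) -> tuple:
    """Recover user and password from 'Authorization: Basic <base64>'.

    Anyone on the path between browser and cache engine can do this.
    """
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode("latin-1").partition(":")
    return user, password


def classify_challenge(raw_response: str) -> dict:
    """Origin challenge (401 / WWW-Authenticate) vs proxy challenge
    (407 / Proxy-Authenticate), plus the schemes offered.

    A WCCP-intercepted cache has to answer as the origin server, so the
    browser sees a 401 from whatever Internet host it asked for; an
    explicitly configured proxy answers 407, which the browser treats as
    authentication to the proxy host rather than to the site.
    """
    status_line, _, rest = raw_response.partition("\r\n")
    status = int(status_line.split()[1])
    head, _, _body = rest.partition("\r\n\r\n")
    schemes = []
    for line in head.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() in ("www-authenticate", "proxy-authenticate"):
            schemes.append(value.strip().split()[0])
    kind = {401: "origin", 407: "proxy"}.get(status, "none")
    return {"kind": kind, "schemes": schemes}


# Constructed sample headers, shaped as a browser would send them.
SAMPLE_NTLM_HEADER = build_ntlm_authenticate(
    SAMPLE_DOMAIN, SAMPLE_USER, SAMPLE_WORKSTATION, b"\x11" * 24, b"\x22" * 24)
SAMPLE_BASIC_HEADER = "Basic " + base64.b64encode(
    f"{SAMPLE_DOMAIN}\\{SAMPLE_USER}:{SAMPLE_PASSWORD}".encode()).decode("ascii")
```

Feeding `SAMPLE_NTLM_HEADER` to `parse_ntlm_authenticate` returns the domain, user, workstation and the two response blobs, which is the full take of an external site that sends `WWW-Authenticate: NTLM` to a browser with automatic logon enabled; `decode_basic(SAMPLE_BASIC_HEADER)` returns the password outright, which is the scenario 4 exposure on the wire between browser and cache engine.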