
My Institute uses Proxy Authentication for monitoring individual browsing activities. This usually means I need to enter my username and password for using any internet related things.

But recently I was using a virtual machine (Ubuntu on VMware) on my Windows 7 and noted that I can browse inside the virtual machine without entering any password. I tested it again and again using a clean system to avoid the chance of password caching or saving.

How can this be possible? I remember that the virtual network device is configured to use NAT. Even then this shouldn't be possible, right?

What is happening behind? How can the authentication be strengthened to take care of such loopholes?

Jeffy

1 Answer


Two possibilities come to my mind (the second one being more likely):

1) It is possible that your proxy policy is configured solely for the browsers, but Internet access is not limited (i.e. via Group Policy Objects if in a Windows domain). In this case, the browser would use the proxy but many other applications (including those running inside the virtual machine) would not. This is surprising, because you'd normally filter HTTP traffic when providing a proxy within a network.

2) If your proxy authentication is done via some web interface, even via Windows Domain Logon, or via some other Single Sign On strategy (i.e. such as those implemented by appliances like Fortigate), then you may be on a system where your access rights are granted based on your dynamic IP. In such a case, since your Virtual Machine network uses S-NAT, the source address will be the same and access will be granted once you've authenticated once. In this case, a proxy may or may not be necessarily configured in the browser options.

jjmontes
  • As for how to prevent it, the proxy would need to be transparent (i.e. passively intercepting all port 80/443 network traffic). Even then, all *non*-browser traffic would have to be firewalled off from the internet, which is usually unfeasible. Any whitelisted ports can be leveraged to operate a VPN or some other form of packet forwarder. Preventing port re-purposing requires deep packet inspection... the rabbit hole keeps on going for a while. – Andrew B Mar 14 '13 at 04:14
  • I think both should be ruled out because 1) All applications outside of the virtual machine need a proxy to connect to the internet. If the system proxy is configured, each application asks for user name and password in a standard dialog box [similar to this](http://nss.wustl.edu/sites/default/files/images/8_0.png), otherwise they simply refuse to connect 2) The authentication seems to last only until the browser / particular application is closed. On opening again the user needs to type in user name and password to authenticate again. – Jeffy Mar 14 '13 at 04:45
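
A small model of the second possibility in the answer above, added here as an illustration and not part of the original thread: a gateway that keys authorization on source IP cannot distinguish a NATed guest from its authenticated host, while one that checks credentials on every request can. The IP addresses, credential store and class names are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

USERS = {"jeffy": "s3cret"}  # constructed credential store

@dataclass
class Request:
    src_ip: str                                   # address the gateway sees on the wire
    origin: str                                   # real sender, invisible to the gateway
    credentials: Optional[Tuple[str, str]] = None # (user, password) sent with this request

def valid(creds):
    return creds is not None and USERS.get(creds[0]) == creds[1]

def snat(req, host_ip):
    """NAT-mode virtual network: guest traffic leaves with the host's source address."""
    return Request(src_ip=host_ip, origin=req.origin, credentials=req.credentials)

class IpSessionGateway:
    """Grants access to a source IP once any login from that IP has succeeded."""
    def __init__(self):
        self.sessions = {}  # src_ip -> authenticated user

    def handle(self, req):
        if valid(req.credentials):
            self.sessions[req.src_ip] = req.credentials[0]
        user = self.sessions.get(req.src_ip)
        # Traffic is also logged under `user`, whoever actually sent it.
        return ("ALLOW", user) if user else ("DENY", None)

class PerRequestGateway:
    """Requires valid credentials on every request (HTTP 407 style proxy auth)."""
    def handle(self, req):
        if valid(req.credentials):
            return ("ALLOW", req.credentials[0])
        return ("DENY", None)

def run(gateway):
    host_ip = "10.0.5.23"  # constructed host address
    login = Request(host_ip, "host-browser", ("jeffy", "s3cret"))
    guest = snat(Request("192.168.80.128", "ubuntu-vm"), host_ip)  # no credentials sent
    return [gateway.handle(login), gateway.handle(guest)]

if __name__ == "__main__":
    print("IP-keyed session:", run(IpSessionGateway()))
    print("Per-request auth:", run(PerRequestGateway()))
```

In the IP-keyed model the guest's request is allowed and attributed to the host user, which also means per-user browsing logs no longer separate the two machines.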