LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Old 06-29-2007, 11:43 PM   #1
SBN
Internet Access Restrictions


Hey guys, currently we are using SQUID as our web cache server and also use its ACLs to allow and disallow websites in our production network. But now the Boss decides to give them full access to the internet but Emails, IM and downloading are prohibited. Somehow it falls to my responsibility to keep those 3 unavailable to our production network. Any ideas on how to make this happen... tnx for any help..
 
Old 06-30-2007, 12:09 AM   #2
win32sux
Quote:
Originally Posted by SBN
Hey guys, currently we are using SQUID as our web cache server and also use its ACLs to allow and disallow websites in our production network. But now the Boss decides to give them full access to the internet but Emails, IM and downloading are prohibited. Somehow it falls to my responsibility to keep those 3 unavailable to our production network. Any ideas on how to make this happen... tnx for any help..
Disable routing (so that all clients must use Squid). Using Squid ACLs, disable everything outgoing except connections to TCP ports 443 (HTTPS) and 80 (HTTP). Install DansGuardian. Now you just focus your energy on fine-tuning your DansGuardian configuration so that it filters downloads and the email/IM sites in a satisfactory way.

One aspect my above suggestion doesn't cover: How to prevent the clients from using rogue HTTPS connections to bypass the filters. You can't analyze the web content of encrypted connections. Off the top of my head, one way to address that might be to whitelist HTTPS sites, and use an application-level proxy to make sure that HTTPS (and only HTTPS) goes out to port 443 and HTTP (and only HTTP) goes out to 80. The HTTP would be content-filtered by DG, while the HTTPS would be access-controlled by Squid.

Last edited by win32sux; 06-30-2007 at 12:19 AM.
 
Old 06-30-2007, 12:50 AM   #3
jschiwal
Here is a mailing list entry discussing proxying HTTPS connections. The proxy uses its certificate to decrypt the traffic and then re-encrypts it before sending it to the browser.
http://www.squid-cache.org/mail-arch...0505/0775.html
 
Old 06-30-2007, 01:11 AM   #4
win32sux
Quote:
Originally Posted by jschiwal
Here is a mailing list entry discussing proxying HTTPS connections. The proxy uses its certificate to decrypt the traffic and then re-encrypts it before sending it to the browser.
http://www.squid-cache.org/mail-arch...0505/0775.html
Interesting stuff. So basically the client would use a certificate from the proxy instead of from the actual HTTPS server? Any idea about what would be the side-effects of this (one I can think of is that client browsers would all get man-in-the-middle attack warnings whenever they try to access an HTTPS site) and how would you actually implement this in the content-filtering system?

Last edited by win32sux; 06-30-2007 at 01:14 AM.
 
Old 06-30-2007, 01:48 AM   #5
jschiwal
I think you add your own certificate to the browsers' lists of CA certificates. If the end user chooses to examine the certificate, they can see that this is happening. This technique was mentioned by Steve Gibson in a Security Now podcast.
 
Old 06-30-2007, 02:30 AM   #6
SBN
Quote:
Disable routing (so that all clients must use Squid). Using Squid ACLs, disable everything outgoing except connections to TCP ports 443 (HTTPS) and 80 (HTTP). Install DansGuardian. Now you just focus your energy on fine-tuning your DansGuardian configuration so that it filters downloads and the email/IM sites in a satisfactory way.

One aspect my above suggestion doesn't cover: How to prevent the clients from using rogue HTTPS connections to bypass the filters. You can't analyze the web content of encrypted connections. Off the top of my head, one way to address that might be to whitelist HTTPS sites, and use an application-level proxy to make sure that HTTPS (and only HTTPS) goes out to port 443 and HTTP (and only HTTP) goes out to 80. The HTTP would be content-filtered by DG, while the HTTPS would be access-controlled by Squid.
Thank you win32sux for this. But how do you block/allow ports using ACLs in Squid? I have been asking this question before but somehow they all told me to use third-party programs like SquidGuard or iptables. I have been reading the default Squid configuration but all I can see is the "acl Safe_port port #"...
 
Old 06-30-2007, 02:35 AM   #7
win32sux
Quote:
Originally Posted by jschiwal
I think you add your own certificate to the browsers' lists of CA certificates. If the end user chooses to examine the certificate, they can see that this is happening. This technique was mentioned by Steve Gibson in a Security Now podcast.
It does, IMHO, bring up a lot of ethics issues. Not just because you can look at employees' private information, but also because a security weakness has been introduced into their HTTPS sessions AFAICT. If the proxy server is cracked, the attacker will have access to the employees' private information (please correct me if I'm wrong). Imagine Jenny (the cute girl from Marketing) logging into her bank account via HTTPS on her laptop during lunch time, unaware of the financial madness that will ensue in the following hours due to the sniffer a script kiddie managed to plant on the proxy that morning.

EDIT: Of course, if she clicked the "OK" button when her browser warned her about the certificate, then she sort of asked for it. But still, as you know, most users are indeed unaware of the risks of such clicks. There's also the possibility of the admin accepting the certificate on Jenny's workstation without her knowing, etc.

Personally, I'm not sure I would do something like this, mainly for ethics reasons related to employee privacy, but also for security reasons from the employee's perspective. I'd probably whitelist the HTTPS sites (such as in the example below) and make sure everything else is content-filtered. Maybe I just haven't properly wrapped my brain around it yet.
=/

Last edited by win32sux; 06-30-2007 at 04:56 AM.
 
Old 06-30-2007, 03:00 AM   #8
win32sux
Quote:
Originally Posted by SBN
Thank you win32sux for this. But how do you block/allow ports using ACLs in Squid? I have been asking this question before but somehow they all told me to use third-party programs like SquidGuard or iptables. I have been reading the default Squid configuration but all I can see is the "acl Safe_port port #"...
This example only allows usage of two HTTPS sites, while allowing all HTTP sites:

Code:
# ACL definitions (names only; they do nothing until an http_access line uses them)
acl all src 0.0.0.0/0.0.0.0
acl HTTP_port port 80
acl HTTPS_port port 443
acl CONNECT method CONNECT
acl allowed_https_sites dstdomain .nsa.gov
acl allowed_https_sites dstdomain .cia.gov
acl my_network src 192.168.1.0/255.255.255.0

# Access rules are checked top-down; the first line whose ACLs all match decides
http_access deny CONNECT !HTTPS_port
http_access allow my_network HTTPS_port allowed_https_sites
http_access allow my_network HTTP_port
http_access deny all

http_reply_access allow all

Last edited by win32sux; 06-30-2007 at 05:10 AM. Reason: Gave the "allowed_https_sites" ACL a more James Bond feel. =)
 
Old 06-30-2007, 03:40 AM   #9
SBN
Quote:
CONNECT method CONNECT
What does this do?
 
Old 06-30-2007, 04:55 AM   #10
win32sux
Quote:
Originally Posted by SBN
What does this do?
That line creates an ACL named "CONNECT" which matches against the HTTP CONNECT request method. The CONNECT method asks a proxy to switch over to tunnel mode. The http_access rule which calls that ACL later just makes sure that only connections going out to port 443 use the CONNECT method (needed to do the SSL for HTTPS).

Last edited by win32sux; 06-30-2007 at 05:12 AM.
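As an added illustration (not code from the thread or from Squid), here is a small Python evaluator of the http_access rules win32sux posted above, using the semantics he describes: the ACLs on one line are ANDed, lines are checked top-down, and the first line that fully matches decides. Client addresses, hosts and ports are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

# ACL definitions copied from the posted squid.conf (192.168.1.0/24 == /255.255.255.0).
ACLS = {
    "all": ("src", ["0.0.0.0/0"]),
    "HTTP_port": ("port", [80]),
    "HTTPS_port": ("port", [443]),
    "CONNECT": ("method", ["CONNECT"]),
    "allowed_https_sites": ("dstdomain", [".nsa.gov", ".cia.gov"]),
    "my_network": ("src", ["192.168.1.0/24"]),
}

# http_access lines in file order; "!" negates an ACL, as in squid.conf.
HTTP_ACCESS = [
    ("deny", ["CONNECT", "!HTTPS_port"]),
    ("allow", ["my_network", "HTTPS_port", "allowed_https_sites"]),
    ("allow", ["my_network", "HTTP_port"]),
    ("deny", ["all"]),
]

@dataclass
class Request:
    src: str      # client IP
    method: str   # GET, CONNECT, ...
    host: str     # destination host name
    port: int     # destination port

def acl_matches(name, req):
    kind, values = ACLS[name]
    if kind == "src":
        return any(ipaddress.ip_address(req.src) in ipaddress.ip_network(v) for v in values)
    if kind == "port":
        return req.port in values
    if kind == "method":
        return req.method == values[0]
    if kind == "dstdomain":
        # A leading dot matches the domain itself and every subdomain of it.
        return any(req.host == v.lstrip(".") or req.host.endswith(v) for v in values)
    raise ValueError(kind)

def decide(req):
    """Return 'allow' or 'deny' for req: first-match, AND-within-line semantics."""
    for action, terms in HTTP_ACCESS:
        if all(acl_matches(t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action
    # No line matched: Squid defaults to the opposite of the last line's action.
    return "allow" if HTTP_ACCESS[-1][0] == "deny" else "deny"
```

Note that a CONNECT to port 25 is refused by the first line before the allow lines are even reached, which is why the "deny CONNECT !HTTPS_port" rule must come first.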
 
Old 06-30-2007, 05:51 AM   #11
rsean
IMHO all direct access to the net should be blocked. Ports 80, 443, 21 should be opened only for the proxy. All other ports, except for some specific applications like VPN, should be blocked. Blocking only 80 and 443 will not work since messengers like gtalk and msn use ports 5222 and 1863.

I have not used DansGuardian, but we use SafeSquid free edition as content filtering proxy and application layer firewall. You can use it independently, or use it for content filtering, and forward requests to squid. I can tell you how to solve your problem using SafeSquid.

SafeSquid uses a unique 'profiles' method to identify users and applications. You can create unlimited user and application profiles. These profiles are then used to grant access rights, depending on the user profile and the application he is trying to access.

Emails:
There are multiple methods of blocking access to a category or nature of website. You can block access to email sites using -

# URL Filter - Allows you to define specific URLs or domains [(gmail.com|mail.yahoo.com|login.live.com)] or a regex that looks for 'mail' in the URL (.*mail.*). This simple regex will match almost all email websites like mail.google.com, mail.yahoo.com, hotmail.com, rediffmail.com, etc. You can either globally deny access to these sites, or create an application profile to allow / deny access depending on a group or user profile.

# URL Blacklist: We use the categorized database of websites from urlblacklist.com to allow / deny access to a category of websites like mail, webmail, porn, adult, etc.

# Keyword filter: This is a unique method of predicting the category a website belongs to, and blocking access to unwanted categories. This method is also effective in blocking access when users try to access a denied website using an external anonymous proxy.


IMs and Chats:
Different IMs and Chats use different methods of communication. Therefore, we have to use different methods for blocking access. This will be effective only if users do not have any direct access to the net.

Following are a few examples -

# Yahoo Messenger: Can be blocked by simply blocking the URL shttp.msg.yahoo.com

# MSN Messenger:
Block url: gateway.messenger.hotmail.com
Block File: gateway.dll (mime filter)
Normally uses port 80 or 1863

# Google Talk:
Uses the XMPP protocol on ports 5222, 80 and 443
Block Host: (talkx.l.google.com|talk.google.com)
Block Request header pattern: User-Agent: Google Talk
Blocking the User-Agent works best with GTalk.

Downloading:
Depends on what you would like to deny access to.
# The SafeSquid 'MIME Filter' allows you to block access to files depending on the file extension (exe, zip, com) or MIME type (application, audio, video).
# The SafeSquid 'Limits' section allows downloads depending on the size of file being downloaded.

There are many other similar options available. The correct solution can only be framed after analyzing the exact requirements.

We find SafeSquid to be the perfect solution for such requirements because, unlike other solutions, SafeSquid has a simple and easy to manage GUI interface. Admins with very little or no knowledge of Linux can also very easily manage it.
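As an added sketch (not SafeSquid code and not from rsean's post), this Python snippet applies the rule types listed above in first-match order, plus a helper that shows how far the ".*mail.*" regex reaches beyond webmail hosts, which is the caveat a defender would want before deploying it. Hostnames, paths and headers are constructed sample values.

```python
import re
from dataclasses import dataclass, field

@dataclass
class WebRequest:
    host: str
    path: str = "/"
    headers: dict = field(default_factory=dict)

# Rules modelled on the post: explicit webmail domains, the broad ".*mail.*" regex,
# IM hosts, the Google Talk User-Agent, the MSN gateway file and download extensions.
EMAIL_DOMAINS = re.compile(r"^(gmail\.com|mail\.yahoo\.com|login\.live\.com)$")
MAIL_ANYWHERE = re.compile(r".*mail.*")
IM_HOSTS = re.compile(r"^(shttp\.msg\.yahoo\.com|gateway\.messenger\.hotmail\.com|"
                      r"talkx\.l\.google\.com|talk\.google\.com)$")
IM_USER_AGENT = re.compile(r"^Google Talk")
DOWNLOAD_EXT = (".exe", ".zip", ".com")

def classify(req):
    """First matching rule wins; returns (verdict, rule) so the rule can be logged."""
    host = req.host.lower()
    path = req.path.lower()
    ua = req.headers.get("User-Agent", "")
    if IM_HOSTS.match(host) or IM_USER_AGENT.match(ua) or path.endswith("/gateway.dll"):
        return ("deny", "im")
    if EMAIL_DOMAINS.match(host):
        return ("deny", "email-domain")
    if MAIL_ANYWHERE.match(host):
        return ("deny", "email-regex")
    if path.endswith(DOWNLOAD_EXT):
        return ("deny", "download")
    return ("allow", "")

def regex_only_hits(hosts):
    """Hosts the ".*mail.*" regex blocks that the explicit domain list does not."""
    return [h for h in hosts if MAIL_ANYWHERE.match(h) and not EMAIL_DOMAINS.match(h)]
```

Review the output of regex_only_hits against real proxy logs before enabling the regex rule; anything with "mail" in its name, webmail or not, will be denied by it.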
 
Old 06-30-2007, 07:12 AM   #12
win32sux
@rsean: I have no problem with proprietary software being suggested as a possible solution to someone's needs, but I do find it quite curious that every single post you've made on LQ so far has been to recommend SafeSquid. At this point, I'm only mentioning this because I think it's something people should know when they read your post.
 
Old 07-01-2007, 12:45 AM   #13
rsean
You are right win32sux. That is because I have been using SafeSquid for quite some time now, and it seems to have an easy solution for all proxy related issues that people face. I hope I am not doing anything wrong by sharing my knowledge about SafeSquid with others, who are looking for a solution that can be resolved with SafeSquid.
 
Old 07-01-2007, 01:59 AM   #14
win32sux
Quote:
Originally Posted by rsean
You are right win32sux. That is because I have been using SafeSquid for quite some time now, and it seems to have an easy solution for all proxy related issues that people face. I hope I am not doing anything wrong by sharing my knowledge about SafeSquid with others, who are looking for a solution that can be resolved with SafeSquid.
Like I said, I was only pointing something out for the readers. I'm sure you'll help lots of people with their SafeSquid questions here on LQ - welcome aboard!

@SBN: How's your project coming along? What did you end up doing?
 
Old 07-01-2007, 02:35 AM   #15
javaroast
For what it's worth, you can find rsean talking about SafeSquid all over the internet on various forums, basically with the same "We use SafeSquid" format. Seems to me to be kind of spammy, but I hope you can contribute in other ways to the forum as well.
 