Internet Access Restrictions
Hey guys, currently we are using Squid as our web cache server and also use its ACLs to allow and disallow websites in our production network. But now the boss decides to give them full access to the internet, but email, IM and downloading are prohibited. Somehow it falls to my responsibility to keep those 3 unavailable to our production network. Any ideas on how to make this happen... Thanks for any help. :)
Quote:
One aspect my above suggestion doesn't cover: How to prevent the clients from using rogue HTTPS connections to bypass the filters. You can't analyze the web content of encrypted connections. Off the top of my head, one way to address that might be to whitelist HTTPS sites, and use an application-level proxy to make sure that HTTPS (and only HTTPS) goes out to port 443 and HTTP (and only HTTP) goes out to 80. The HTTP would be content-filtered by DG, while the HTTPS would be access-controlled by Squid.
Here is a mailing list entry discussing proxying HTTPS connections. The proxy uses its certificate to decrypt the traffic and then re-encrypts it before sending it to the browser.
http://www.squid-cache.org/mail-arch...0505/0775.html
I think you add your own certificate to the browsers' lists of CA certificates. If the end user chooses to examine the certificate, they can see that this is happening. This technique was mentioned by Steve Gibson in a Security Now podcast.
Quote:
EDIT: Of course, if she clicked the "OK" button when her browser warned her about the certificate, then she sort of asked for it. But still, as you know, most users are indeed unaware of the risks of such clicks. There's also the possibility of the admin accepting the certificate on Jenny's workstation without her knowing, etc. Personally, I'm not sure I would do something like this, mainly for ethics reasons related to employee privacy, but also for security reasons from the employee's perspective. I'd probably whitelist the HTTPS sites (such as in the example below) and make sure everything else is content-filtered. Maybe I just haven't properly wrapped my brain around it yet. =/
Quote:
Code:
acl all src 0.0.0.0/0.0.0.0
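An added example (not from the thread or from win32sux) of what the "whitelist HTTPS, content-filter HTTP" approach above looks like as Squid ACLs. The LAN range and the whitelisted domains are constructed placeholders; the `acl all` line is the Squid 2.x form quoted in the thread (Squid 3.2 and later predefine `all`, so drop that line there).

```squid
# Added example, not from the thread: Squid ACLs for the "whitelist HTTPS,
# filter HTTP" approach. LAN range and whitelisted domains are placeholders.
acl all src 0.0.0.0/0.0.0.0                 # Squid 2.x; predefined in 3.2+
acl localnet src 192.168.1.0/24             # assumed production network
acl SSL_ports port 443
acl Safe_ports port 80
acl CONNECT method CONNECT
# A leading dot matches the domain and all of its subdomains
acl https_whitelist dstdomain .example-bank.com .example-partner.com

# CONNECT tunnels: only to port 443, and only to the whitelisted domains.
# Squid cannot see inside the tunnel, so the whitelist is what keeps
# arbitrary encrypted traffic (IM, mail clients) from riding through 443.
http_access deny CONNECT !SSL_ports
http_access deny CONNECT !https_whitelist

# Everything else is plain HTTP and may only go to port 80, where the
# content filter (DansGuardian chained with Squid) can inspect it.
http_access deny !CONNECT !Safe_ports

http_access allow localnet
http_access deny all
```

Squid only sees the request method and destination port, not the payload, so this enforces "CONNECT to 443 on whitelisted hosts, anything else to 80"; confirming that what flows through the tunnel really is TLS needs the application-level check the post mentions. Rules are evaluated top to bottom and the first match wins, so the deny lines must come before the `allow localnet`.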
IMHO all direct access to the net should be blocked. Ports 80, 443, 21 should be opened only for the proxy. All remaining ports, except for some specific applications like VPN, should be blocked. Blocking only 80 and 443 will not work since messengers like GTalk and MSN use ports 5222 and 1863.

I have not used DansGuardian, but we use SafeSquid free edition as a content filtering proxy and application layer firewall. You can use it independently, or use it for content filtering and forward requests to Squid. I can tell you how to solve your problem using SafeSquid. SafeSquid uses a unique 'profiles' method to identify users and applications. You can create unlimited user and application profiles. These profiles are then used to grant access rights, depending on the user profile and the application he is trying to access.

Emails: There are multiple methods of blocking access to a category or nature of website. You can block access to email sites using:
# URL Filter: Allows you to define specific URLs or domains [(gmail.com|mail.yahoo.com|login.live.com)] or a regex that looks for 'mail' in the URL (.*mail.*). This simple regex will match almost all email websites like mail.google.com, mail.yahoo.com, hotmail.com, rediffmail.com, etc. You can either globally deny access to these sites, or create an application profile to allow / deny access depending on a group or user profile.
# URL Blacklist: We use the categorized database of websites from urlblacklist.com to allow / deny access to a category of websites like mail, webmail, porn, adult, etc.
# Keyword filter: This is a unique method of predicting the category a website belongs to, and blocking access to unwanted categories. This method is also effective in blocking access when users try to access a denied website using an external anonymous proxy.

IMs and Chats: Different IMs and chats use different methods of communication. Therefore, we have to use different methods for blocking access. This will be effective only if users do not have any direct access to the net. Following are a few examples:
# Yahoo Messenger: Can be blocked by simply blocking the URL shttp.msg.yahoo.com
# MSN Messenger: Block URL: gateway.messenger.hotmail.com. Block file: gateway.dll (MIME filter). Normally uses port 80 or 1863.
# Google Talk: Uses the XMPP protocol on ports 5222, 80 and 443. Block host: (talkx.l.google.com|talk.google.com). Block request header pattern: User-Agent: Google Talk. Blocking the User-Agent works best with GTalk.

Downloading: Depends on what you would like to deny access to.
# The SafeSquid 'MiMe Filter' allows you to block access to files depending on the file extension (exe, zip, com) or MIME type (application, audio, video).
# The SafeSquid 'Limits' section allows downloads depending on the size of the file being downloaded.

There are many other similar options available. The correct solution can only be framed after analyzing the exact requirements. We find SafeSquid to be the perfect solution for such requirements because, unlike other solutions, SafeSquid has a simple and easy to manage GUI interface. Admins with very little or no knowledge of Linux can also very easily manage it.
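Since the original poster already runs Squid, here are the same email, IM and download blocks expressed as plain Squid ACLs instead of SafeSquid profiles. This is an added example, not from the thread or from the SafeSquid project: the hostnames, the `.*mail.*` regex, the gateway.dll path and the Google Talk User-Agent are the ones listed in the post above; the LAN range and the size limit are constructed, and the `reply_body_max_size` line uses Squid 3.x syntax.

```squid
# Added example, not from the thread: the SafeSquid blocks above rewritten
# as Squid ACLs. LAN range and size limit are constructed placeholders.
acl localnet src 192.168.1.0/24            # assumed production network

# Email: the post's ".*mail.*" URL regex, case-insensitive. This matches any
# URL containing "mail" (a mailing-list archive too), so review access.log
# for false positives before relying on it.
acl mail_sites url_regex -i mail

# IM: hosts and User-Agent named in the post. Only effective when clients
# have no direct route out, so GTalk cannot fall back to port 5222.
acl im_hosts dstdomain shttp.msg.yahoo.com gateway.messenger.hotmail.com
acl im_hosts dstdomain talk.google.com talkx.l.google.com
acl msn_gateway urlpath_regex -i gateway\.dll
acl gtalk_agent browser -i ^Google\ Talk      # 'browser' matches User-Agent

# Downloads: by extension on the request, by MIME type and size on the reply.
# "^application/" also catches JavaScript and JSON served with that type,
# so expect some pages to break until the list is tuned.
acl download_ext  urlpath_regex -i \.(exe|zip|com)$
acl download_mime rep_mime_type -i ^application/ ^audio/ ^video/

# Request-side rules, first match wins
http_access deny localnet mail_sites
http_access deny localnet im_hosts
http_access deny localnet msn_gateway
http_access deny localnet gtalk_agent
http_access deny localnet download_ext
http_access allow localnet
http_access deny all

# Reply-side rules run once the server has answered
http_reply_access deny download_mime
reply_body_max_size 5 MB localnet
```

Each `deny` line requires both ACLs to match, so the blocks apply only to the production LAN and a management host outside `localnet` is unaffected. The User-Agent and MIME checks are the easiest for a determined client to evade (the header is client-supplied), which is why the post's point about cutting off all direct internet access matters more than any single ACL.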
@rsean: I have no problem with proprietary software being suggested as a possible solution to someone's needs, but I do find it quite curious that every single post you've made on LQ so far has been to recommend SafeSquid. At this point, I'm only mentioning this because I think it's something people should know when they read your post.
You are right, win32sux. That is because I have been using SafeSquid for quite some time now, and it seems to have an easy solution for all proxy related issues that people face. I hope I am not doing anything wrong by sharing my knowledge about SafeSquid with others, who are looking for a solution that can be resolved with SafeSquid.
Quote:
@SBN: How's your project coming along? What did you end up doing?
For what it's worth, you can find rsean's posts talking about SafeSquid all over the internet on various forums, basically with the same "We use SafeSquid" format. Seems to me to be kind of spammy, but I hope you can contribute in other ways to the forum as well.