LinuxQuestions.org

Linux - Security: Internet Access Restrictions (https://www.linuxquestions.org/questions/linux-security-4/internet-access-restrictions-565522/)

SBN 06-29-2007 10:43 PM

Internet Access Restrictions
 
Hey guys, currently we are using Squid as our web cache server and also use its ACLs to allow and disallow websites in our production network. But now the boss has decided to give them full access to the internet, but email, IM and downloading are prohibited. Somehow it falls to my responsibility to keep those 3 unavailable to our production network. Any ideas on how to make this happen? Thanks for any help. :)

win32sux 06-29-2007 11:09 PM

Quote:

Originally Posted by SBN
Hey guys, currently we are using Squid as our web cache server and also use its ACLs to allow and disallow websites in our production network. But now the boss has decided to give them full access to the internet, but email, IM and downloading are prohibited. Somehow it falls to my responsibility to keep those 3 unavailable to our production network. Any ideas on how to make this happen? Thanks for any help.

Disable routing (so that all clients must use Squid). Using Squid ACLs, disable everything outgoing except connections to TCP ports 443 (HTTPS) and 80 (HTTP). Install DansGuardian. Now you just focus your energy on fine-tuning your DansGuardian configuration so that it filters downloads and the email/IM sites in a satisfactory way.

One aspect my above suggestion doesn't cover: How to prevent the clients from using rogue HTTPS connections to bypass the filters. You can't analyze the web content of encrypted connections. Off the top of my head, one way to address that might be to whitelist HTTPS sites, and use an application-level proxy to make sure that HTTPS (and only HTTPS) goes out to port 443 and HTTP (and only HTTP) goes out to 80. The HTTP would be content-filtered by DG, while the HTTPS would be access-controlled by Squid.

jschiwal 06-29-2007 11:50 PM

Here is a mailing list entry discussing proxying HTTPS connections. The proxy uses its certificate to decrypt the traffic and then re-encrypts it before sending it to the browser.
http://www.squid-cache.org/mail-arch...0505/0775.html

win32sux 06-30-2007 12:11 AM

Quote:

Originally Posted by jschiwal
Here is a mailing list entry discussing proxying HTTPS connections. The proxy uses its certificate to decrypt the traffic and then re-encrypts it before sending it to the browser.
http://www.squid-cache.org/mail-arch...0505/0775.html

Interesting stuff. So basically the client would use a certificate from the proxy instead of from the actual HTTPS server? Any idea about what would be the side-effects of this (one I can think of is that client browsers would all get man-in-the-middle attack warnings whenever they try to access an HTTPS site) and how would you actually implement this in the content-filtering system?

jschiwal 06-30-2007 12:48 AM

I think you add your own certificate to the browsers' lists of CA certificates. If the end user chooses to examine the certificate, they can see that this is happening. This technique was mentioned by Steve Gibson in a Security Now podcast.

SBN 06-30-2007 01:30 AM

Quote:

Disable routing (so that all clients must use Squid). Using Squid ACLs, disable everything outgoing except connections to TCP ports 443 (HTTPS) and 80 (HTTP). Install DansGuardian. Now you just focus your energy on fine-tuning your DansGuardian configuration so that it filters downloads and the email/IM sites in a satisfactory way.

One aspect my above suggestion doesn't cover: How to prevent the clients from using rogue HTTPS connections to bypass the filters. You can't analyze the web content of encrypted connections. Off the top of my head, one way to address that might be to whitelist HTTPS sites, and use an application-level proxy to make sure that HTTPS (and only HTTPS) goes out to port 443 and HTTP (and only HTTP) goes out to 80. The HTTP would be content-filtered by DG, while the HTTPS would be access-controlled by Squid.

Thank you win32sux for this. But how do you block/allow ports using ACLs in Squid? I have been asking this question before, but somehow they all told me to use third-party programs like SquidGuard or iptables. I have been reading the default Squid configuration, but all I can see is the "acl Safe_port port #"...

win32sux 06-30-2007 01:35 AM

Quote:

Originally Posted by jschiwal
I think you add your own certificate to the browsers' lists of CA certificates. If the end user chooses to examine the certificate, they can see that this is happening. This technique was mentioned by Steve Gibson in a Security Now podcast.

It does, IMHO, bring up a lot of ethics issues. Not just because you can look at employees' private information, but also because a security weakness has been introduced into their HTTPS sessions AFAICT. If the proxy server is cracked, the attacker will have access to the employees' private information (please correct me if I'm wrong). Imagine Jenny (the cute girl from Marketing) logging into her bank account via HTTPS on her laptop during lunch time, unaware of the financial madness that will ensue in the following hours due to the sniffer a script kiddie managed to plant on the proxy that morning.

EDIT: Of course, if she clicked the "OK" button when her browser warned her about the certificate, then she sort of asked for it. But still, as you know, most users are indeed unaware of the risks of such clicks. There's also the possibility of the admin accepting the certificate on Jenny's workstation without her knowing, etc.

Personally, I'm not sure I would do something like this, mainly for ethics reasons related to employee privacy, but also for security reasons from the employee's perspective. I'd probably whitelist the HTTPS sites (such as in the example below) and make sure everything else is content-filtered. Maybe I just haven't properly wrapped my brain around it yet.
=/

win32sux 06-30-2007 02:00 AM

Quote:

Originally Posted by SBN
Thank you win32sux for this. But how do you block/allow ports using ACLs in Squid? I have been asking this question before, but somehow they all told me to use third-party programs like SquidGuard or iptables. I have been reading the default Squid configuration, but all I can see is the "acl Safe_port port #"...

This example only allows usage of two HTTPS sites, while allowing all HTTP sites:

Code:

# catch-all source ACL (Squid 2.x syntax; Squid 3.2 and later predefine "all")
acl all src 0.0.0.0/0.0.0.0
# destination port ACLs
acl HTTP_port port 80
acl HTTPS_port port 443

# CONNECT is the tunnel method browsers use for HTTPS through a proxy
acl CONNECT method CONNECT
# dstdomain with a leading dot matches the domain and all of its subdomains
acl allowed_https_sites dstdomain .nsa.gov
acl allowed_https_sites dstdomain .cia.gov

# the production LAN
acl my_network src 192.168.1.0/255.255.255.0

# http_access rules are evaluated top to bottom; the first match wins
http_access deny CONNECT !HTTPS_port
http_access allow my_network HTTPS_port allowed_https_sites
http_access allow my_network HTTP_port
http_access deny all

http_reply_access allow all


SBN 06-30-2007 02:40 AM

Quote:

CONNECT method CONNECT
What does this do?

win32sux 06-30-2007 03:55 AM

Quote:

Originally Posted by SBN
What does this do?

That line creates an ACL named "CONNECT" which matches against the HTTP CONNECT request method. The CONNECT method asks a proxy to switch over to tunnel mode. The http_access rule which calls that ACL later just makes sure that only connections going out to port 443 use the CONNECT method (needed to do the SSL for HTTPS).
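
The two things discussed above, as an added example that is not part of the thread and not Squid's own code: a small Python model of the http_access list win32sux posted (including Squid's dstdomain leading-dot rule and the CONNECT-only-to-443 gate), plus the check he mentioned earlier for making sure that only HTTPS goes out through the port-443 tunnel. The assumptions are mine: clients sit in 192.168.1.0/24, the HTTPS whitelist is .nsa.gov and .cia.gov, requests arrive as raw HTTP/1.1 request heads, and after an accepted CONNECT the first bytes the client sends are inspected and must be a TLS ClientHello whose SNI names the CONNECT host. The ClientHello used as input is constructed inline.

```python
"""Added example, not from the thread and not Squid's code: the posted
http_access rules as a function, plus a 'TLS only through the tunnel' check.
Assumptions (mine): 192.168.1.0/24 clients, whitelist .nsa.gov/.cia.gov,
raw HTTP/1.1 request heads, and the first tunnel bytes must be a ClientHello
whose SNI matches the CONNECT host."""
import ipaddress
import struct
from urllib.parse import urlsplit

MY_NETWORK = ipaddress.ip_network("192.168.1.0/24")
ALLOWED_HTTPS = (".nsa.gov", ".cia.gov")   # acl allowed_https_sites dstdomain ...
HTTP_PORT, HTTPS_PORT = 80, 443


def dstdomain_match(host, pattern):
    """Squid 'dstdomain' semantics: a leading dot matches the domain itself
    and every subdomain; without the dot the match is exact."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def parse_request_line(head):
    """Return (method, host, port) from a proxy request head (bytes)."""
    line = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
    method, target, _version = line.split(" ", 2)
    if method == "CONNECT":                      # CONNECT host:port HTTP/1.1
        host, _, port = target.rpartition(":")
        return method, host, int(port)
    u = urlsplit(target)                         # absolute-URI form
    if not u.hostname:
        raise ValueError("proxy requests carry an absolute URI")
    return method, u.hostname, u.port or (443 if u.scheme == "https" else 80)


def http_access(client_ip, head):
    """The posted http_access list; the first matching rule decides."""
    method, host, port = parse_request_line(head)
    in_net = ipaddress.ip_address(client_ip) in MY_NETWORK
    listed = any(dstdomain_match(host, p) for p in ALLOWED_HTTPS)
    if method == "CONNECT" and port != HTTPS_PORT:  # deny CONNECT !HTTPS_port
        return "deny"
    if in_net and port == HTTPS_PORT and listed:    # allow my_network HTTPS_port allowed_https_sites
        return "allow"
    if in_net and port == HTTP_PORT:                # allow my_network HTTP_port
        return "allow"
    return "deny"                                   # deny all


def client_hello_sni(data):
    """SNI host from a TLS ClientHello, '' if the hello carries no SNI, None
    if the bytes are not a ClientHello at all (SSH, an IM protocol, a VPN)."""
    try:
        if data[0] != 0x16 or data[1] != 0x03 or data[5] != 0x01:
            return None
        pos = 43                                   # record(5)+handshake(4)+version(2)+random(32)
        pos += 1 + data[pos]                       # session id
        pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0]   # cipher suites
        pos += 1 + data[pos]                       # compression methods
        if pos + 2 > len(data):
            return ""
        ext_end = pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", data[pos:pos + 4])
            pos += 4
            if ext_type == 0:                      # server_name: list len(2), type(1), len(2), name
                name_len = struct.unpack("!H", data[pos + 3:pos + 5])[0]
                return data[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += ext_len
        return ""
    except (IndexError, struct.error):
        return None


def tunnel_ok(connect_host, first_bytes):
    """Accept the tunnel only if the client speaks TLS to the host it named in
    CONNECT; this keeps the 443 whitelist from becoming a generic tunnel."""
    sni = client_hello_sni(first_bytes)
    return bool(sni) and sni.lower() == connect_host.lower()


def build_client_hello(sni):
    """Constructed sample: minimal TLS 1.2 ClientHello with one cipher suite
    and an SNI extension (what a browser sends right after CONNECT)."""
    name = sni.encode()
    sni_ext = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", 0, len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + b"\x00" * 32            # client_version + random
            + b"\x00"                              # session id length
            + b"\x00\x02\xc0\x2f"                  # one cipher suite
            + b"\x01\x00"                          # compression: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake
```

Two caveats worth knowing before wiring something like tunnel_ok into a proxy: a client that sends no SNI is refused (the function treats an empty SNI as a failure, since the host cannot be checked), and the check only proves the tunnel starts with TLS to the named host; it says nothing about what the server on the other end is, so the whitelist still has to be kept short.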

rsean 06-30-2007 04:51 AM

IMHO all direct access to the net should be blocked. Ports 80, 443 and 21 should be opened only for the proxy. All other ports, except for some specific applications like VPN, should be blocked. Blocking only 80 and 443 will not work, since messengers like GTalk and MSN use ports 5222 and 1863.

I have not used DansGuardian, but we use SafeSquid free edition as content filtering proxy and application layer firewall. You can use it independently, or use it for content filtering, and forward requests to squid. I can tell you how to solve your problem using SafeSquid.

SafeSquid uses a unique 'profiles' method to identify users and applications. You can create unlimited user and application profiles. These profiles are then used to grant access rights, depending on the user profile and the application he is trying to access.

Emails:
There are multiple methods of blocking access to a category or nature of website. You can block access to email sites using -

# URL Filter - Allows you to define specific URLs or domains [(gmail.com|mail.yahoo.com|login.live.com)] or a regex that looks for 'mail' in the URL (.*mail.*). This simple regex will match almost all email websites like mail.google.com, mail.yahoo.com, hotmail.com, rediffmail.com, etc. You can either globally deny access to these sites, or create an application profile to allow / deny access depending on a group or user profile.

# URL Blacklist: We use the categorized database of websites from urlblacklist.com to allow / deny access to a category of websites like mail, webmail, porn, adult, etc.

# Keyword filter: This is a unique method of predicting the category a website belongs to, and blocking access to unwanted categories. This method is also effective in blocking access when users try to access a denied website using an external anonymous proxy.


IMs and Chats:
Different IMs and Chats use different methods of communication. Therefore, we have to use different methods for blocking access. This will be effective only if users do not have any direct access to the net.

Following are a few examples -

# Yahoo Messenger: Can be blocked by simply blocking the URL shttp.msg.yahoo.com

# MSN Messenger:
Block url: gateway.messenger.hotmail.com
Block File: gateway.dll (mime filter)
Normally uses port 80 or 1863

# Google Talk:
Uses the XMPP protocol on ports 5222, 80 and 443
Block Host: (talkx.l.google.com|talk.google.com)
Block Request header pattern: User-Agent: Google Talk
Blocking the User-Agent works best with GTalk.

Downloading:
Depends on what you would like to deny access to.
# The SafeSquid 'MIME Filter' allows you to block access to files depending on the file extension (exe, zip, com) or MIME type (application, audio, video)
# The SafeSquid 'Limits' section allows downloads depending on the size of the file being downloaded.

There are many other similar options available. The correct solution can only be framed after analyzing the exact requirements.

We find SafeSquid to be the perfect solution for such requirements because, unlike other solutions, SafeSquid has a simple and easy-to-manage GUI interface. Admins with very little or no knowledge of Linux can also manage it very easily.
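
The email, IM and download rules listed in the post above, as an added example that is not part of the thread and not SafeSquid's code: a small Python filter a proxy could run on each request head and, for downloads, on the response head. The host names, the 'mail' regex, the gateway.dll file, the Google Talk User-Agent string and the blocked extensions and MIME families are the ones named in the post; the size ceiling, the list of 'application/' types exempted from the download rule and the Content-Disposition rule are my own assumptions, and the HTTP messages in the test are constructed samples.

```python
"""Added example, not from the thread and not SafeSquid's code: the posted
email/IM/download rules as request and response filters. Hosts, regex,
file name, User-Agent, extensions and MIME families come from the post;
MAX_BYTES, MIME_EXEMPT and the attachment rule are my assumptions."""
import re
from urllib.parse import urlsplit

# Email: the explicit domains and the broad ".*mail.*" URL regex from the post
MAIL_HOSTS = re.compile(r"(^|\.)(gmail\.com|mail\.yahoo\.com|login\.live\.com)$", re.I)
MAIL_URL_RE = re.compile(r"mail", re.I)

# IM: host, file and request-header rules from the post
IM_HOSTS = {"shttp.msg.yahoo.com", "gateway.messenger.hotmail.com",
            "talkx.l.google.com", "talk.google.com"}
IM_PATHS = re.compile(r"/gateway\.dll$", re.I)          # MSN gateway file
IM_USER_AGENTS = re.compile(r"^Google Talk", re.I)      # GTalk User-Agent

# Downloads: MIME families and extensions from the post, limits assumed
BLOCKED_MIME = ("application/", "audio/", "video/")
MIME_EXEMPT = {"application/xhtml+xml", "application/javascript",
               "application/x-javascript", "application/json"}  # assumed: pages need these
BLOCKED_EXT = (".exe", ".zip", ".com")
MAX_BYTES = 2 * 1024 * 1024                              # assumed ceiling


def parse_head(head):
    """Split an HTTP request or response head into (start line, header dict)."""
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def check_request(head):
    """'allow' or 'deny: <reason>' for a proxy request head (bytes)."""
    start, hdr = parse_head(head)
    method, target, _ = start.split(" ", 2)
    if method == "CONNECT":                              # CONNECT host:port
        host, path = target.rpartition(":")[0].lower(), ""
    else:                                                # absolute URI
        u = urlsplit(target)
        host, path = (u.hostname or hdr.get("host", "")).lower(), u.path
    if host in IM_HOSTS or IM_PATHS.search(path):
        return "deny: IM endpoint"
    if IM_USER_AGENTS.search(hdr.get("user-agent", "")):
        return "deny: IM user agent"
    if MAIL_HOSTS.search(host) or MAIL_URL_RE.search(host + path):
        return "deny: webmail"
    if path.lower().endswith(BLOCKED_EXT):
        return "deny: download by extension"
    return "allow"


def check_response(head):
    """MIME-type and size rules applied to a response head (bytes), the
    point where a 'MIME filter' and a 'limits' section would act."""
    _, hdr = parse_head(head)
    base = hdr.get("content-type", "").lower().split(";")[0].strip()
    if base.startswith(BLOCKED_MIME) and base not in MIME_EXEMPT:
        return "deny: mime type " + base
    if "attachment" in hdr.get("content-disposition", "").lower():
        return "deny: attachment"                       # assumed extra rule
    if int(hdr.get("content-length", "0") or 0) > MAX_BYTES:
        return "deny: too large"
    return "allow"
```

The broad 'mail' regex does what the post says, but it also denies any URL that merely contains the substring (a news page at /blackmail-case, for instance), and 'application/' covers far more than downloads, which is why the example carries an exemption list; both are the kind of false positive to expect and tune, and the IM rules only hold if the clients have no route to the internet except through the proxy, as the post itself notes.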

win32sux 06-30-2007 06:12 AM

@rsean: I have no problem with proprietary software being suggested as a possible solution to someone's needs, but I do find it quite curious that every single post you've made on LQ so far has been to recommend SafeSquid. At this point, I'm only mentioning this because I think it's something people should know when they read your post.

rsean 06-30-2007 11:45 PM

You are right, win32sux. That is because I have been using SafeSquid for quite some time now, and it seems to have an easy solution for all proxy-related issues that people face. I hope I am not doing anything wrong by sharing my knowledge about SafeSquid with others who are looking for a solution that can be resolved with SafeSquid.

win32sux 07-01-2007 12:59 AM

Quote:

Originally Posted by rsean
You are right, win32sux. That is because I have been using SafeSquid for quite some time now, and it seems to have an easy solution for all proxy-related issues that people face. I hope I am not doing anything wrong by sharing my knowledge about SafeSquid with others who are looking for a solution that can be resolved with SafeSquid.

Like I said, I was only pointing something out for the readers. I'm sure you'll help lots of people with their SafeSquid questions here on LQ - welcome aboard! :)

@SBN: How's your project coming along? What did you end up doing?

javaroast 07-01-2007 01:35 AM

For what it's worth, you can find rsean talking about SafeSquid all over the internet on various forums, basically with the same "We use SafeSquid" format. Seems to me to be kind of spammy, but I hope you can contribute in other ways to the forum as well.
