Zentyal Administrators Book Example: HTTP Proxy


Uploaded by pertla, 21-Apr-2015.


Zentyal 2.0 for Network Administrators, Chapter 3: Zentyal Gateway (page 142)

3.5.4 Practical examples

PRACTICAL EXAMPLE A

A high school wants to modernise their network, allowing the use of Wi-Fi to their students. One pre-requisite is that only the registered students should have access, using a user name and password provided by the centre.

1. ACTION. Access the Zentyal interface, go to Module status and activate the module RADIUS by checking the box in the column State. The changes that will be made to the system are displayed; confirm the operation by clicking the button Accept.

EFFECT. The button Save changes is active now.

2. ACTION. Access the menu RADIUS and add a NAS client using Add new. In the form that drops down, activate Enabled, choose a name for the NAS client in Client, for example HighSchoolNAS1, and set the IP address 192.168.1.12/32. To authenticate the messages between the NAS and the RADIUS server we use a shared secret, which also has to be added to the NAS client configuration.

3.6 HTTP Proxy Service

An HTTP Proxy server is used to reduce the bandwidth consumption of web traffic, increase browsing speed, define web access policies and improve security by blocking potentially dangerous content.

Traffic savings are made because some web page requests are answered by the proxy itself and do not need to reach the Internet. This also increases speed, since the proxy keeps a cache of the content that has been accessed. We can also define an access policy and content filtering, analysing each page dynamically and using white or black lists. Access can depend on the time of day, users, groups and IP addresses. The content can also be scanned to block dangerous material such as viruses.

One of the drawbacks is that some advanced browsing operations may not work correctly, because the clients cannot access the Internet directly. In other cases the proxy may represent a privacy problem regarding the content accessed by the users, since every request is visible to the proxy administrator.

To use a proxy, the clients have to configure their web browsers, but we can also set it up as a transparent proxy to enforce our security policies. With this option the clients do not need to configure their browsers and the proxy cannot be evaded by changing a browser setting, because the firewall redirects the web traffic to the proxy. Two limitations follow from this: encrypted HTTPS connections are not intercepted by this kind of transparent proxy, so they are not inspected, and a transparent proxy cannot perform user authentication.


The HTTP proxy server listens in port 3128/TCP by default.

Zentyal uses Squid [11] as HTTP proxy, along with Dansguardian [12] for content control.

3.6.1 Configuring the web browser to use the HTTP Proxy

To configure an HTTP proxy in Windows, go to Start > Settings > Control Panel, and in the Control Panel window select Network connections.

Image 3.40. Control Panel.

Now, go to Internet Options.

[11] www.squid-cache.org/
[12] www.dansguardian.org/


Image 3.41. Network connections.

You will see the window Internet Properties with several tabs; in our case we are interested in the tab Connections. Once there, click on LAN configuration...:

Image 3.42. Internet Properties.


You can now see the window Local Network Configuration (LAN).

Image 3.43. Local network configuration (LAN).

To indicate that an HTTP proxy is to be used, check the box Use a HTTP Proxy for your LAN. This configuration does not apply to dial-up or VPN connections. Below it there is another box, Don't use proxy server for local connections; it is recommended to check it so that requests to local machines are not sent to the HTTP proxy.

To configure the proxy connection go to Advanced options...

Image 3.44. Proxy servers configuration.


In this window we can set a different address for each protocol, but normally the same address is used for all of them, so we can just check the box Use the same proxy server for all the protocols. The address is the IP address of the HTTP proxy, or its associated domain name; the port is 3128 by default. If there are web sites that must not go through the proxy, add their addresses to the field Don't use proxy server for addresses beginning with:.

Once these parameters are configured, accept the changes and the HTTP proxy is configured.

If authentication is required, the first time we access a web page the HTTP proxy will ask for our user name and password. The figure below shows this dialog in Internet Explorer.

Image 3.45. Proxy requires authentication.

To configure an HTTP proxy in Ubuntu Lucid, go to the menu System > Preferences and choose the option Network Proxy.

The window Network proxy preferences appears, where the HTTP proxy connection can be configured from the tab Proxy manual configuration.


Image 3.46. Proxy configuration.

To indicate which proxy we want to use, check the option Manual proxy configuration. Below it are all the fields needed to configure the proxy for the different protocols. If you want to use the same proxy for all protocols, as in the Windows case, check the option Use the same proxy for all the protocols.

In the tab Ignored hosts you can manage a list of addresses that will not pass through the proxy. The local network is added automatically, but other addresses can be added if needed.


Image 3.47. Ignored hosts.

Once the proxy is configured, just click on Apply system wide... and then Reboot.

If the proxy requires authentication, the first time users access a web page, they will see a dialogue window asking for credentials. We can see this in the window for Firefox in the figure below.

Image 3.48. Proxy requires authentication.


3.6.2 HTTP Proxy configuration in Zentyal

To configure the HTTP Proxy go to HTTP Proxy > General. Here you choose the mode the proxy operates in: Transparent Proxy, if you want to force the configured policies on all web traffic, or manual configuration, where each client is configured to use the proxy. In the second case, Port sets the port for incoming connections. The default is 3128; other typical ports are 8000 or 8080. The Zentyal proxy only accepts connections that arrive through internal network interfaces, so the address configured in the web browsers must be one of the internal addresses of the server.

The Cache size defines the maximum disk space used to temporarily store web content. It is a system administrator decision to choose the optimal value, taking into account the server's characteristics and the expected traffic.

TIP. The bigger the Cache size, the more content can be stored and the less content has to be downloaded from the Internet, improving browsing speed and reducing the bandwidth required. Conversely, increasing the size too much has negative consequences: not only more hard disk is required, but also more RAM, because the cache has to keep an index in memory to locate the stored content.

Here the Default policy for access to web content through the proxy can also be configured. This policy determines whether the web can be accessed at all and whether the content filter is applied. You can choose one of the options below:

Allow all. Users can browse the web without any restriction, while still getting the advantages of the cache: traffic savings and better speed.

Deny all. Access to the web is denied completely. Although this may seem useless at first sight, given that the same effect could be achieved with a firewall rule, we can later set particular policies for network objects, users and groups; this policy then denies by default and lets us choose carefully what will be allowed.

Filter. Users can browse, but content filtering is activated and may deny access to some of the pages they request.

Authorize and allow all, Authorize and deny all, Authorize and filter. These are versions of the three previous policies in which the user must authenticate against the proxy first. Authentication is explained in 4.1 HTTP Proxy advanced configuration.


Image 3.49. HTTP Proxy.

It is possible to select which domains are not stored in the cache. For example, if we have local web servers, caching their content does not speed anything up and wastes memory and disk that could hold remote content. When a domain is excluded from the cache, requests for it bypass the cache: the data is forwarded from the server without being stored. These domains are defined in Cache exceptions.

After setting the global policy, more specific policies can be defined for Network objects (see section 3.1.1) in the menu HTTP Proxy > Object Policy. Any of the six policies can be chosen for each object; when a member of an object accesses the proxy, the object policy takes precedence over the global policy. A network address can be contained in several objects, so the objects can be ordered to indicate priority: only the object policy with the highest priority is applied. It is also possible to define an hour range outside which access for the network object is denied. This option is only compatible with the Allow or Deny policies, not with the filter policies.

Image 3.50. Object policies.
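The policy resolution described above (priority-ordered object policies, an optional hour range on Allow/Deny objects, the global Default policy as fallback), written out as an added example. This is not Zentyal code: the object names, addresses and school hours are constructed, and the Squid ACL text it renders is an illustrative sketch of the kind of rules such a configuration implies, not the templates Zentyal actually generates.

```python
"""Resolve the effective HTTP Proxy policy for a client as the text
describes: object policies are checked in priority order and the first
matching object wins, an hour range denies access outside its window for
Allow/Deny object policies, and the global Default policy is the fallback.
Added example to illustrate the section; not Zentyal code.  Object names,
addresses and hours are constructed."""
import ipaddress
from dataclasses import dataclass
from datetime import time
from typing import List, Optional, Tuple

POLICIES = {
    "Allow all", "Deny all", "Filter",
    "Authorize and allow all", "Authorize and deny all", "Authorize and filter",
}


def hhmm(text: str) -> time:
    """'09:30' -> time(9, 30); convenience for the hour range fields."""
    hours, minutes = text.split(":")
    return time(int(hours), int(minutes))


@dataclass
class ObjectPolicy:
    name: str                     # network object name (see section 3.1.1)
    members: Tuple[str, ...]      # object members as CIDR prefixes
    policy: str                   # one of POLICIES
    hours: Optional[Tuple[time, time]] = None   # [start, end); denied outside it

    def __post_init__(self) -> None:
        if self.policy not in POLICIES:
            raise ValueError(f"unknown policy {self.policy!r}")
        if self.hours and "filter" in self.policy.lower():
            # The text: hour ranges only combine with Allow or Deny policies.
            raise ValueError("hour ranges are not compatible with filter policies")

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(m) for m in self.members)


def effective_policy(ip: str, now: time, ordered: List[ObjectPolicy], default: str) -> str:
    """`ordered` is the object policy list in priority order; only the
    highest-priority object containing `ip` is applied."""
    for obj in ordered:
        if not obj.contains(ip):
            continue
        if obj.hours:
            start, end = obj.hours
            if not (start <= now < end):
                return "Deny all"          # outside the hour range access is denied
        return obj.policy
    return default


def squid_acls(ordered: List[ObjectPolicy], default: str) -> str:
    """Illustrative Squid rendering of the same rules: http_access is
    evaluated top to bottom, so priority order becomes rule order.  A
    'Filter' policy allows the request here because the content decision
    is made later by Dansguardian.  Sketch only, not Zentyal's templates."""
    lines = []
    for obj in ordered:
        lines.append(f"acl {obj.name} src {' '.join(obj.members)}")
        if obj.hours:
            start, end = obj.hours
            lines.append(f"acl {obj.name}_time time {start:%H:%M}-{end:%H:%M}")
            lines.append(f"http_access deny {obj.name} !{obj.name}_time")
        verb = "deny" if obj.policy.lower().endswith("deny all") else "allow"
        lines.append(f"http_access {verb} {obj.name}")
    default_verb = "deny" if default.lower().endswith("deny all") else "allow"
    lines.append(f"http_access {default_verb} all")
    return "\n".join(lines)


# Constructed scenario: teachers may browse at any time after authenticating,
# the lab subnet only during school hours, everything else is denied.
TEACHERS = ObjectPolicy("teachers", ("192.168.1.10/32",), "Authorize and allow all")
LAB = ObjectPolicy("lab", ("192.168.1.0/24",), "Allow all", (hhmm("08:00"), hhmm("18:00")))
ORDERED = [TEACHERS, LAB]      # teachers sorted above lab, so they take priority
DEFAULT = "Deny all"

if __name__ == "__main__":
    print(effective_policy("192.168.1.50", hhmm("09:00"), ORDERED, DEFAULT))
    print(squid_acls(ORDERED, DEFAULT))
```

Because the teacher's address 192.168.1.10 is also a member of the lab subnet, the order of the two objects decides which policy applies to it; swapping ORDERED would subject the teacher to the lab's hour range.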


3.6.3 Limiting downloads with Zentyal

Another configurable feature of Zentyal is limiting the download bandwidth of network objects through Delay Pools. This is configured in HTTP Proxy > Limit bandwidth. We can picture a Delay Pool as a box holding a limited amount of bandwidth: it fills up over time, and using the network empties it. When a box is completely empty, bandwidth and download speed are limited. Bearing this picture in mind, the configurable values are:

Ratio. The rate at which the box refills, and therefore the maximum bandwidth that can be used once the box is empty.

Volume. The maximum capacity of the box in bytes; the box empties once this many bytes have been transmitted faster than it refills.

Zentyal can limit bandwidth with two different methods, Delay Pools of class 1 and class 2. Class 1 restrictions have priority over class 2 restrictions; if a network object does not match any of the rules, no limitation is applied to it.

Class 1 Delay Pools. These limit the bandwidth of a subnet globally. They allow you to configure a transferred-data limit (Maximum network size) and a maximum bandwidth (Network ratio); the limitation is activated once the data limit has been reached. A class 1 Delay Pool is a single box shared by all the members of the network object.

Class 2 Delay Pools. These have two kinds of box: a shared one where, as in class 1, all the transmitted traffic is accumulated, and a dedicated one for each client. If a member of the subnet empties his own box, his bandwidth is limited to Client ratio without affecting the other clients. If the clients together empty the shared box, all of them are limited to the Ratio.

Image 3.51. Bandwidth limit.
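The box picture above is a token bucket, and the following added example models it so the difference between the two classes can be seen with numbers. It is not Zentyal or Squid code: the pool sizes, refill rates and client addresses are constructed, and the delay it returns is the model's own measure of how long a transfer is held back, not a value Squid reports.

```python
"""Token-bucket model of the Delay Pools described above.  Each box holds
`volume` bytes, refills at `ratio` bytes per second and is drained by
downloads; once a box is empty a transfer can only proceed at the refill
rate.  A class 1 pool is one shared box; a class 2 pool adds a private box
per client, and the slower of the two governs the transfer.  Added example
to illustrate the text, not Zentyal or Squid code; the pool sizes and
client addresses below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Bucket:
    volume: int            # capacity in bytes (the "Volume" field)
    ratio: float           # refill rate in bytes per second (the "Ratio" field)
    level: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.level = float(self.volume)      # a new box starts full

    def take(self, nbytes: int, now: float) -> float:
        """Charge nbytes at time `now` (seconds).  Returns the delay in
        seconds imposed on the transfer: 0.0 while the box has enough bytes,
        otherwise the time needed to refill the shortfall at `ratio`."""
        self.level = min(self.volume, self.level + (now - self.last) * self.ratio)
        self.last = now
        if self.level >= nbytes:
            self.level -= nbytes
            return 0.0
        shortfall = nbytes - self.level
        self.level = 0.0
        return shortfall / self.ratio


class Class1Pool:
    """A single box shared by every member of the network object."""
    def __init__(self, network_size: int, network_ratio: float) -> None:
        self.network = Bucket(network_size, network_ratio)

    def download(self, client: str, nbytes: int, now: float) -> float:
        return self.network.take(nbytes, now)


class Class2Pool:
    """The shared box of class 1 plus one private box per client."""
    def __init__(self, network_size: int, network_ratio: float,
                 client_size: int, client_ratio: float) -> None:
        self.network = Bucket(network_size, network_ratio)
        self.client_size, self.client_ratio = client_size, client_ratio
        self.clients: Dict[str, Bucket] = {}

    def download(self, client: str, nbytes: int, now: float) -> float:
        box = self.clients.setdefault(client, Bucket(self.client_size, self.client_ratio))
        # Both boxes are charged; the transfer is as slow as the emptier one.
        return max(self.network.take(nbytes, now), box.take(nbytes, now))


def lab_scenario() -> List[float]:
    """Constructed lab: 2 MB shared box refilling at 100 kB/s, 1 MB per
    client refilling at 10 kB/s.  Returns the delay of each download."""
    pool = Class2Pool(2_000_000, 100_000, 1_000_000, 10_000)
    return [
        pool.download("192.168.1.50", 1_000_000, 0.0),  # 0.0: own box had room
        pool.download("192.168.1.50", 100_000, 0.0),    # 10.0: own box empty, held to Client ratio
        pool.download("192.168.1.51", 100_000, 0.0),    # 0.0: the neighbour is unaffected
        pool.download("192.168.1.52", 1_000_000, 0.0),  # 2.0: shared box now empty, held to Ratio
        pool.download("192.168.1.51", 100_000, 0.0),    # 1.0: everyone is limited now
        pool.download("192.168.1.51", 100_000, 2.0),    # 0.0: two seconds of refill sufficed
    ]


if __name__ == "__main__":
    print(lab_scenario())
```

The scenario shows the behaviour the text describes: the second download from .50 is throttled because only its own box is empty, .51 is untouched until .52 drains the shared box, after which every client waits.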


3.6.4 Content filtering with Zentyal

Zentyal supports filtering web pages depending on their content. For this, the global policy, or the specific policy of the object that is accessing the proxy, must be Filter or Authorize and filter.

Multiple filtering profiles can be defined in HTTP Proxy > Filtering profiles; if there is no specific profile for the user or object, the default profile is applied.

Image 3.52. Filtering profiles.

Web page content can be filtered using different methods, including heuristic filtering, MIME types, file extensions, white lists and black lists, amongst others. The final decision is whether a specific web site can be accessed or not.

The first filter to configure is the antivirus. To use it, the Antivirus module must be installed and active. When it is activated, HTTP traffic in which a virus is detected is blocked.

Heuristic filtering consists mainly of analysing the text of the web pages. If the content is inappropriate (pornography, racism, violence, etc.) the filter blocks access to the page. This process is controlled by a threshold that can be more or less restrictive: it is the value compared against the score assigned to the page. The threshold is set in the section Content filtering threshold, and the filter can be disabled by choosing the value Off. Keep in mind that this analysis can block legitimate pages, which is known as a false positive. The problem can be remedied by adding the domains of those sites to a white list, but there is always the risk of a false positive on new pages.

Also available are File extension filtering, MIME type filtering and Domain filtering.


Image 3.53. Filtering profile.

In the tab File extension filtering, select which extensions will be blocked. In a similar fashion, in MIME type filtering you can select which MIME types are blocked and add new ones if necessary, as with extensions.

In the tab Domain filtering you find the filtering configuration based on domains. The available options are:

Block domains specified only as IP: this option blocks requests whose URL contains an IP address instead of a domain name, a common way of getting around domain-based rules.

Block not listed domains: this option blocks all the domains that are not present in the section Domain rules nor in a category, present in Domain list files, whose policy is not set to Ignore.

Next come the domain lists, where domain names can be inserted and one of these policies chosen:


Always allow. Access to the domain contents will be always allowed, all the filters are ignored.

Always deny. We will never allow access to the contents of this domain.

Filter. We will apply the usual rules to this domain. It is useful if we have activated the option Block not listed domains.

Image 3.54. Domain filtering.

The work of the systems administrator can be simplified by using classified domain lists. These lists are normally maintained by third parties and have the advantage of classifying domains by categories, allowing us to choose a policy for an entire category of domains. They are distributed as a compressed file; once the file has been downloaded it can be incorporated into our configuration and policies set for the different categories.

The policies available for each category are the same as those used for domains and are applied to all the domains in the category. There is one additional policy, Ignore, which, as the name implies, leaves the category out of the filtering decision altogether. This is the default policy for all the categories.
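The decision a filtering profile makes for one request, combining everything 3.6.4 has described so far (domain rules, category lists with Ignore as default, the two Domain filtering options, extension and MIME lists, and the content score against the threshold), as an added example. It is a model of the text, not Dansguardian or Zentyal code: the domains, categories, scores and the threshold value 100 are constructed, and the order in which the checks are applied is the one the text implies (Always allow and Always deny short-circuit everything else).

```python
"""Decision logic of a filtering profile as described in this section:
domain rules and category lists (Always allow / Always deny / Filter, with
Ignore as the default category policy), the options 'Block not listed
domains' and 'Block domains specified only as IP', the file extension and
MIME type lists, and the heuristic content score compared against the
threshold.  Added example modelled on the text, not Dansguardian or
Zentyal code; the domains, categories, scores and threshold are constructed."""
import ipaddress
import posixpath
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple
from urllib.parse import urlsplit

ALLOW, DENY, FILTER, IGNORE = "Always allow", "Always deny", "Filter", "Ignore"


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _matches(host: str, domain: str) -> bool:
    # A rule on example.org also covers www.example.org.
    return host == domain or host.endswith("." + domain)


@dataclass
class FilterProfile:
    threshold: Optional[int] = None          # None = heuristic filter Off
    block_ip_only: bool = False
    block_not_listed: bool = False
    domain_rules: Dict[str, str] = field(default_factory=dict)     # domain -> policy
    categories: Dict[str, Set[str]] = field(default_factory=dict)  # category -> domains
    category_policy: Dict[str, str] = field(default_factory=dict)  # category -> policy
    blocked_extensions: Set[str] = field(default_factory=set)
    blocked_mime: Set[str] = field(default_factory=set)

    def domain_policy(self, host: str) -> Optional[str]:
        """Explicit domain rules first, then categories whose policy is not
        Ignore; None means the domain is not listed anywhere."""
        for domain, policy in self.domain_rules.items():
            if _matches(host, domain):
                return policy
        for category, domains in self.categories.items():
            policy = self.category_policy.get(category, IGNORE)
            if policy != IGNORE and any(_matches(host, d) for d in domains):
                return policy
        return None

    def decide(self, url: str, mime_type: str = "text/html", score: int = 0) -> Tuple[str, str]:
        """Return ('allow' | 'deny', reason) for one request."""
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if self.block_ip_only and _is_ip(host):
            return "deny", "domain specified only as IP"
        policy = self.domain_policy(host)
        if policy == ALLOW:
            return "allow", "always allow (all other filters skipped)"
        if policy == DENY:
            return "deny", "always deny"
        if policy is None and self.block_not_listed:
            return "deny", "domain not listed"
        # Filter policy, or an unlisted domain when unlisted domains are permitted:
        # apply the usual extension, MIME type and content filters.
        ext = posixpath.splitext(parts.path)[1].lstrip(".").lower()
        if ext and ext in self.blocked_extensions:
            return "deny", f"blocked file extension .{ext}"
        if mime_type in self.blocked_mime:
            return "deny", f"blocked MIME type {mime_type}"
        if self.threshold is not None and score >= self.threshold:
            return "deny", f"content score {score} reached threshold {self.threshold}"
        return "allow", "passed all filters"


# Constructed profile: the sports site from exercise G is denied outright, a
# school portal is white-listed so the heuristic filter cannot false-positive
# it, the gambling category is denied and the news category is left at Ignore.
PROFILE = FilterProfile(
    threshold=100,
    block_ip_only=True,
    domain_rules={"www.marca.com": DENY, "portal.school.example": ALLOW},
    categories={"gambling": {"bets.example"}, "news": {"news.example"}},
    category_policy={"gambling": DENY},
    blocked_extensions={"exe"},
    blocked_mime={"application/x-msdownload"},
)
# Same idea with Block not listed domains: only explicitly listed domains get through.
STRICT = FilterProfile(block_not_listed=True, domain_rules={"portal.school.example": FILTER})
```

Note how the news category, left at Ignore, counts as "not listed" for the STRICT profile exactly as the text says, while in PROFILE the same domain simply falls through to the ordinary filters.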


Image 3.55. Category list.

Using the Advanced Security Updates in Zentyal [13], an updated database of domain categories can be installed automatically, in order to have a professional-level content filtering policy.

3.6.5 Practical examples

PRACTICAL EXAMPLE A

Activate transparent mode in the proxy, blocking all the traffic. Check the correct functioning of the proxy by configuring a client and trying to access the web from it.

To do this:

1. ACTION. Access the Zentyal interface, go to Module status and activate HTTP Proxy by checking the box in the column State.

EFFECT. Zentyal will request permission to overwrite configuration files.

2. ACTION. Read the associated changes and allow Zentyal to overwrite them.

EFFECT. The button Save changes is active.

3. ACTION. Go to HTTP Proxy > General and enable the box Transparent mode. Make sure that Zentyal can act as a gateway, that is, that it has at least one internal and one external network interface. Check that the proxy has Deny all as Default policy. Click on Change.

EFFECT. The proxy is configured in transparent mode and will deny all web traffic.

[13] http://store.zentyal.com/other/advanced-security.html


4. ACTION. Save changes to save the configuration.

EFFECT. The firewall and the HTTP proxy will be restarted.

5. ACTION. Configure the client to use Zentyal as gateway. Open a web browser in the client and try to access www.zentyal.com.

EFFECT. Check in the client that, instead of the official Zentyal page, a warning page indicating forbidden content is displayed.
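A server-side counterpart to step 5, as an added example that is not part of the book: rather than relying only on what the client's browser shows, read Squid's access log on the Zentyal host and confirm that every request from the test client was answered by the proxy with a denial and none was fetched from the Internet. The log path is Squid's usual default and may differ on your installation; the log lines below are constructed in Squid's native access.log format, with made-up client addresses, to show the three outcomes a practitioner will see in this chapter (denied by policy, served through the cache, challenged for credentials).

```python
"""Check Squid's access log for the outcome of the practical example:
the client's requests must be answered by the proxy with a denial and
never fetched from the Internet.  Added example, not from the book.  The
log path is Squid's usual default, the log lines are constructed in
Squid's native access.log format and the client addresses are made up."""
import re
import sys
from collections import Counter, defaultdict
from typing import Dict, Iterable, Iterator

ACCESS_LOG = "/var/log/squid/access.log"   # usual Squid default; adjust to your install

# Native format: timestamp elapsed_ms client result_code/status bytes method URL user hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<type>\S+)"
)

# Constructed sample: .50 hits the transparent deny-all proxy, .51 browses under
# a permissive policy (a miss, then a cache hit), .52 is challenged for
# credentials by an authorising policy.
SAMPLE_LOG = """\
1303387200.101     12 192.168.1.50 TCP_DENIED/403 3892 GET http://www.zentyal.com/ - NONE/- text/html
1303387201.222      9 192.168.1.50 TCP_DENIED/403 3880 GET http://www.zentyal.com/favicon.ico - NONE/- text/html
1303387260.333    421 192.168.1.51 TCP_MISS/200 15234 GET http://www.zentyal.com/ - DIRECT/203.0.113.10 text/html
1303387261.444      3 192.168.1.51 TCP_HIT/200 15234 GET http://www.zentyal.com/ - NONE/- text/html
1303387300.555      5 192.168.1.52 TCP_DENIED/407 3600 GET http://www.zentyal.com/ - NONE/- text/html
"""


def parse(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    for line in lines:
        match = LINE_RE.match(line)
        if match:
            yield match.groupdict()


def classify(rec: Dict[str, str]) -> str:
    if rec["status"] == "407":
        return "auth_required"        # proxy asked for a user name and password
    if rec["code"] == "TCP_DENIED" or rec["status"] == "403":
        return "denied"               # answered with the proxy's forbidden page
    if "HIT" in rec["code"]:
        return "cache_hit"            # served from the cache, no Internet traffic
    return "fetched"                  # went out to the origin server


def summarize(lines: Iterable[str]) -> Dict[str, Dict[str, int]]:
    """Per client address, how many requests fell into each outcome."""
    per_client: Dict[str, Counter] = defaultdict(Counter)
    for rec in parse(lines):
        per_client[rec["client"]][classify(rec)] += 1
    return {client: dict(counts) for client, counts in per_client.items()}


def denied_everything(lines: Iterable[str], client: str) -> bool:
    """True when the client appears in the log and every request was denied."""
    seen = summarize(lines).get(client, {})
    return bool(seen) and set(seen) == {"denied"}


if __name__ == "__main__":
    # Run with the real log as argument on the Zentyal host, or without one to see the sample.
    source = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for client, counts in sorted(summarize(source).items()):
        print(client, counts)
```

In transparent mode the browser is unaware of the proxy, so the 403 answer is what produces the warning page the step describes; a 407 in the log would instead mean an authorising policy is in force, which, as noted earlier, transparent mode cannot serve.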

3.6.6 Proposed exercises

EXERCISE A

Disable transparent mode. Set a global policy that allows browsing and check from another client that we can browse using the Zentyal proxy server.

EXERCISE B

Disable transparent mode. Set a global policy that does not allow browsing. Check from another client that access is forbidden.

EXERCISE C

Activate transparent mode. Set a global policy that allows browsing. Check from a client that we can browse without configuring an explicit proxy connection.

EXERCISE D

Set a global policy that includes content filtering. Activate the antivirus module and, in the default profile, activate the antivirus. Check that the proxy rejects downloads of infected files; the EICAR test file, available from the web page www.eicar.org, can be used for this.

EXERCISE E

Set a global policy that includes content filtering. Set the threshold to strict. Check that some pages are blocked for their inappropriate content.

EXERCISE F

Set a global policy that includes content filtering. Explicitly allow access to a domain that was forbidden by the previous policy.

EXERCISE G

Set a global policy that includes content filtering. Block access to the web page www.marca.com. Check that this domain cannot be accessed.

EXERCISE H

Create an object for an internal machine. Allow this object to browse. Set a global policy that blocks browsing. Check that browsing is only possible from the machine in the configured object.