Chapter 3. Zentyal 2.0 for Network Administrators
3.5.4 PRACTICAL EXAMPLE A
A high school wants to modernise its network, allowing its students to use Wi-Fi. One prerequisite is that only registered students should have access, using a user name and password provided by the centre.

1. ACTION. Access the Zentyal interface, go to Module status and activate the module RADIUS by checking the box in the column State. The changes will be displayed and made active on the system. Confirm the operation by clicking the button Accept. EFFECT. The button Save changes is now active.

2. ACTION. Access the menu RADIUS and add a NAS client using Add new. In the drop-down form, activate Enabled, choose a name for the NAS client in Client, for example HighSchoolNAS1, and set the IP address to 192.168.1.12/32. To authenticate the messages between the NAS and the RADIUS server a shared secret is used; the same secret must also be entered in the NAS client's (the access point's) configuration. Choose a long, random secret: it is the only thing that authenticates the server's replies to that NAS, and anyone who learns it can forge them.
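The role of the shared secret is easier to see on the wire. The following is an added example, not Zentyal's or FreeRADIUS's code: it builds an Access-Request the way a NAS would (hiding the PAP password with the secret, RFC 2865 section 5.2) and checks an Access-Accept the way the NAS must (Response Authenticator, RFC 2865 section 3). The NAS address, user name, password and secret are constructed for illustration.

```python
# Added example, not Zentyal's or FreeRADIUS's code: what the "shared secret"
# between a NAS and the RADIUS server actually does on the wire (RFC 2865).
# It hides the PAP password in the Access-Request and authenticates the
# server's reply.  The NAS address, user and secret used are constructed.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def _attr(atype, value):
    """Type-Length-Value encoding of one RADIUS attribute."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, authenticator):
    """Server side of hide_password(); only works with the same secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, nas_ip, authenticator=None):
    """Access-Request as the NAS (the school's access point) would send it."""
    authenticator = authenticator or os.urandom(16)   # must be unpredictable
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, ident, request_auth, secret, attrs=b""):
    """Access-Accept/Reject as the RADIUS server would send it."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def verify_response(response, request, secret):
    """NAS-side check: a reply forged without the secret, or one that does not
    match the request's ID and authenticator, fails here and is discarded."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return False
    expected = response_authenticator(code, ident, response[20:], request[4:20], secret)
    return hmac.compare_digest(response[4:20], expected)
```

Two things follow from the code: the password is only as hidden as the secret is unguessable (MD5 of secret plus a value visible on the wire), and an attacker on the path who knows the secret can mint an Access-Accept that `verify_response` accepts, which is why the NAS-to-server link should be on a trusted network and the secret must not be reused across NAS clients.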
3.6 HTTP PROXY SERVICE

An HTTP proxy server is used to reduce the bandwidth consumption of web traffic, increase browsing speed, define web access policies and improve security by blocking potentially dangerous contents. Traffic savings are made because some web page requests are answered by the proxy itself and do not need to reach the Internet; this also increases speed, since the proxy keeps a cache of the accessed contents. We can also define an access policy and filter content, dynamically analysing each page or using white and black lists. Access can depend on the time of day, users, groups and IP addresses. The contents can also be analysed to block dangerous material such as viruses.
One of the drawbacks is that some advanced browsing operations may not work correctly because the clients cannot access the Internet directly. In other cases the proxy may represent a violation of the users' privacy regarding the content they access. To use a proxy, the clients have to configure their web browsers, but we can also set it up as a transparent proxy, enforcing our security policies: with this option the clients do not need to configure their web browsers, and it is not possible to evade the proxy by changing a client setting. However, a transparent proxy cannot perform user authentication, and it only intercepts unencrypted HTTP: HTTPS sessions are not redirected through it unless that is configured separately, and even then their content cannot be inspected without intercepting TLS.
The HTTP proxy server listens on port 3128/TCP by default. Zentyal uses Squid [11] as HTTP proxy, along with DansGuardian [12] for the content control.
3.6.1 CONFIGURING THE WEB BROWSER FOR THE HTTP PROXY

In order to configure an HTTP proxy in Windows, go to Start, Settings, Control Panel, and in the Control Panel window select Network Connections.
Image 3.40. Control Panel.
Now, go to Internet Options.

[11] www.squid-cache.org/
[12] www.dansguardian.org/
Image 3.41. Network connections.
You will see the window Internet Properties with different tabs; in our case we are interested in the tab Connections. Once there, click on LAN configuration...:
Image 3.42. Internet Properties.
You can now see the window Local Network Configuration (LAN).
Image 3.43. Local network configuration (LAN).
To indicate that an HTTP proxy is to be used, check the box Use an HTTP proxy for your LAN. This setting does not apply to dial-up or VPN connections. Below it there is another box, Don't use proxy server for local connections; it is recommended to check it so that requests to local machines are not sent to the HTTP proxy. To configure the proxy connection, go to Advanced options...
Image 3.44. Proxy servers configuration.
In this window we can set a different address for each protocol, but normally the same address is used for all of them, so we can just check the box Use the same proxy server for all the protocols. The address is the IP address of the HTTP proxy, or its associated domain name, and the port is 3128 by default. If we want to specify web sites that must not go through the proxy, we can add their addresses to the field Don't use proxy server for addresses that start with:. Once these parameters are set, accept the changes and the HTTP proxy is configured. If authentication is required, the first time we access a web page the HTTP proxy will ask for our user name and password. In the figure below we can see this window in Internet Explorer.
Image 3.45. Proxy requires authentication.
To configure an HTTP proxy in Ubuntu 10.04 (Lucid), go to the menu System, Preferences, and choose the option Network Proxy.

We will see the window Network proxy preferences, where the HTTP proxy connection can be configured from the tab Manual proxy configuration.
Image 3.46. Proxy configuration.
To indicate which proxy we want to use, check the option Manual proxy configuration. Below it are the fields needed to configure the proxy for the different protocols. If you want to use the same proxy for all the protocols, as in the previous case, check the option Use the same proxy for all the protocols. In the tab Ignored hosts you can manage a list of addresses that will not go through the proxy. The local network is added automatically, but other addresses can be added if needed.
Image 3.47. Ignored hosts.
Once the proxy is configured, click on Apply system-wide... and then Reboot. If the proxy requires authentication, the first time users access a web page they will see a dialogue asking for credentials. We can see this window for Firefox in the figure below.
Image 3.48. Proxy requires authentication.
3.6.2 HTTP PROXY CONFIGURATION IN ZENTYAL

To configure the HTTP Proxy go to HTTP Proxy > General. You can choose the mode in which the proxy operates: Transparent Proxy, if you want to force the configured policies, or the manual configuration of the clients. In Port we set the port for incoming connections; the default is 3128, other typical ports are 8000 or 8080. The Zentyal proxy only accepts connections that come from internal network interfaces, so an internal network address must be used in the web browser configuration. The cache size defines the maximum disk space used to temporarily store web contents. It is set in Cache size, and it is the system administrator's decision to choose the optimal value, taking into account the server's characteristics and the expected traffic.
TIP. The bigger the Cache size, the more content can be stored and the less content has to be downloaded from the Internet, improving browsing speed and reducing the bandwidth required. Conversely, increasing the size too much has negative consequences: not only larger hard drive requirements, but also an increase in the RAM used, because the cache has to keep an index in memory to reference the stored contents.
Here the Default policy for access to web contents through the proxy can be configured. This policy determines whether the web can be accessed and whether the content filter is applied. You can choose one of the options below:

Allow all. With this policy the users can browse the web without any restriction, while still having the advantages of the cache: traffic savings and better speed.

Deny all. This policy denies all access to the web. Although it may seem pointless at first, given that the same effect can be achieved with a firewall rule, particular policies can later be set for different objects, users and groups; this policy is therefore used to deny by default and then choose carefully what is accepted.

Filter. This policy lets the users browse, but activates the content filtering, which may deny access to some of the pages requested by the users.

Authorize and allow all, Authorize and deny all, Authorize and filter. These are versions of the previous policies in which authentication is required. Authentication is explained in section 4.1, HTTP Proxy advanced configuration.
Image 3.49. HTTP Proxy.
It is possible to select which domains will not be stored in the cache. For example, if we have local web servers, the cache does not speed up access to them, and the memory used to store their contents is wasted instead of being used for remote servers. If a domain is excluded from the cache, when a request for it is received the cache is ignored and the data is forwarded from the server without being stored. These domains are defined in Cache exceptions.

After setting the global policy, more specific policies can be defined for Network objects (see section 3.1.1) in the menu HTTP Proxy > Object Policy. Choose any of the six policies for each object; when a member of the object associated with a policy accesses the proxy, that policy takes precedence over the global one. A network address can be contained in different objects, so the objects can be sorted to indicate priority: only the matching object policy with the highest priority is applied. It is also possible to define a time range outside of which access is denied to the network object. This option is only compatible with the Allow and Deny policies, not with the Filter policies.
Image 3.50. Object policies.
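How the default policy, the ordered object policies and the time ranges combine is worth making precise, because the ordering decides who gets through. The following is an added example, not Zentyal's code: a small model of the semantics described above, with constructed object names, addresses and hours. The policies are evaluated in table order (highest priority first), the first object containing the client decides, and a time range turns into a denial outside its hours, exactly as the text states.

```python
# Added example, not Zentyal's code: a model of how the default policy, the
# object policies (ordered by priority) and the time ranges described above
# combine for one client request.  Object names, addresses and hours are
# constructed for illustration.
import ipaddress

ALLOW, DENY, FILTER = "allow", "deny", "filter"
AUTH_ALLOW, AUTH_DENY, AUTH_FILTER = "authorize+allow", "authorize+deny", "authorize+filter"
_TIMED_OK = {ALLOW, DENY, AUTH_ALLOW, AUTH_DENY}


def _minutes(hhmm):
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)


class ObjectPolicy:
    """One row of HTTP Proxy > Object Policy: a network object plus its policy."""

    def __init__(self, name, members, policy, hours=None):
        if hours is not None and policy not in _TIMED_OK:
            # As the text says, a time range only makes sense with allow/deny.
            raise ValueError("time range is only supported with allow/deny policies")
        self.name = name
        self.members = [ipaddress.ip_network(m) for m in members]
        self.policy = policy
        self.hours = None if hours is None else tuple(_minutes(t) for t in hours)

    def contains(self, ip):
        return any(ip in net for net in self.members)

    def active_at(self, hhmm):
        if self.hours is None:
            return True
        start, end = self.hours
        return start <= _minutes(hhmm) < end


def effective_policy(client_ip, default_policy, object_policies, now="12:00"):
    """object_policies is ordered highest priority first, as in the Zentyal table.
    Returns (policy, source) where source names the object that decided."""
    ip = ipaddress.ip_address(client_ip)
    for obj in object_policies:
        if not obj.contains(ip):
            continue                      # not a member: try the next object
        if not obj.active_at(now):
            return DENY, obj.name         # outside the time range: access denied
        return obj.policy, obj.name       # first (highest priority) match wins
    return default_policy, "default"
```

With a "Staff" object for one host placed above a "Lab" object for the whole subnet, the host keeps its unrestricted policy at night; swap the two rows and the same host is denied after hours, because the Lab rule now matches first. That is the reason to keep the narrow, permissive objects above the broad ones when the global policy is Deny all.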
3.6.3 LIMITING DOWNLOADS WITH ZENTYAL

Another configurable feature of Zentyal is limiting the download bandwidth of network objects using Delay Pools (a Squid feature). To configure this, go to HTTP Proxy > Limit bandwidth. Delay Pools can be pictured as buckets that contain a limited amount of bandwidth: they fill up over time, and using the network empties them. While a bucket is empty, the bandwidth, and therefore the download speed, is limited. With this picture in mind, the configurable values are:

Ratio. Maximum bandwidth that can be used once the bucket is empty (the rate at which it refills).

Volume. Maximum capacity of the bucket in bytes; that is, the bucket is empty once this number of bytes has been transmitted at full speed.

Zentyal can limit bandwidth using two different methods, Delay Pools of class 1 and class 2. Class 1 restrictions have priority over class 2 restrictions; if a network object does not match any of the limitation rules, none is applied.

Class 1 Delay Pools. These limit the bandwidth globally for a subnet: they allow a transferred-data limit, Maximum network size, and a maximum bandwidth restriction, Network ratio. The limitation is activated once the data limit has been reached. These Delay Pools are a single bucket shared by all the members of the network object.

Class 2 Delay Pools. These have two kinds of bucket: a general one where, as in class 1, all the transmitted traffic is accumulated, and one dedicated to each client. If a member of the subnet empties his own bucket, his bandwidth is limited to Client ratio, without affecting the other clients. If the shared bucket is emptied, all the clients are limited to the Ratio.
Image 3.51. Bandwidth limit.
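The bucket picture can be run as numbers. The following is an added example, not Zentyal's or Squid's code: a token-bucket simulation of a class 1 pool (one shared bucket) and a class 2 pool (shared bucket plus one bucket per client), ticking once per second. All rates (bytes per second), volumes (bytes) and client demands below are constructed.

```python
# Added example, not Zentyal's or Squid's code: a token-bucket simulation of
# the "bucket" picture used above, run for class 1 (one shared bucket) and
# class 2 (shared bucket plus one bucket per client).  Rates are in bytes per
# second, volumes in bytes, and all figures used are constructed.


class Bucket:
    """Ratio = refill rate once empty, Volume = capacity; starts full."""

    def __init__(self, ratio, volume):
        self.ratio, self.volume = ratio, volume
        self.level = volume

    def refill(self):
        self.level = min(self.volume, self.level + self.ratio)


def simulate(clients, seconds, network, client=None):
    """clients: {name: bytes/s the client could pull from the link}.
    network: (ratio, volume) of the shared bucket; client: (ratio, volume) of
    each client's own bucket for class 2, or None for class 1.
    Returns bytes delivered per client over the run, ticking once per second."""
    shared = Bucket(*network)
    own = {name: Bucket(*client) for name in clients} if client else {}
    delivered = {name: 0 for name in clients}
    for _ in range(seconds):
        # Each client wants its link speed, capped by its own bucket (class 2).
        wanted = {name: (min(demand, own[name].level) if own else demand)
                  for name, demand in clients.items()}
        total = sum(wanted.values())
        level = shared.level
        for name, want in wanted.items():
            # Share what is left proportionally when demand exceeds it.
            got = want if total <= level else want * level // total
            shared.level -= got
            if own:
                own[name].level -= got
            delivered[name] += got
        shared.refill()
        for bucket in own.values():
            bucket.refill()
    return delivered
```

With a shared bucket of 1 MB refilling at 125 kB/s, one client pulling at 1.25 MB/s gets the whole burst and then the ratio, 2,125,000 bytes in 10 s; a second equally greedy client halves that for both, because class 1 is one bucket for everyone. Adding a 250 kB per-client bucket at 31,250 B/s (class 2) caps each client at 531,250 bytes whether or not the other is downloading, which is the isolation the text describes.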
3.6.4 CONTENT FILTERING WITH ZENTYAL

Zentyal supports filtering of web pages based on their content. For this, the global policy, or the specific policy of the object that is accessing, must be Filter or Authorize and filter. Multiple filtering profiles can be defined in HTTP Proxy > Filtering profiles; if there is no specific profile for a user or object, the default profile is applied.
Image 3.52. Filtering profiles.
Content filtering for web pages can be achieved using different methods, including heuristic filtering, MIME type, extensions, white lists and black lists, amongst others. The final decision is whether a specific web site can be accessed or not.

The first filter to configure is the antivirus. To use it, the Antivirus module must be installed and active; when enabled, HTTP traffic in which a virus is detected is blocked. Heuristic filtering consists mainly of analysing the text of web pages: if the content is inappropriate (pornography, racism, violence, etc.) the filter blocks access to the page. This process is controlled by a more or less restrictive threshold, which is the value compared against the score assigned to the site. The threshold is set in Content filtering threshold, and the filter can be disabled by choosing Off. Keep in mind that this analysis can block legitimate pages, which is known as a false positive. This can be remedied by adding the domains of such sites to a white list, but there is always a risk of false positives with new pages.

Also available are File extension filtering, MIME type filtering and Domain filtering.
Image 3.53. Filtering profile.
In the tab File extension filtering select which extensions are blocked. Similarly, in MIME type filtering you can select which MIME types are blocked and add new ones if necessary, as with extensions. Both checks rely on what the request and the response declare (the extension in the URL and the Content-Type header), so they stop casual access rather than a determined user.

In the tab Domain filtering the filtering configuration based on domains can be found. The options available are:

Block domains specified only as IP. Blocks requests that name the server only by its IP address rather than by a domain name, a common way of bypassing domain rules.

Block not listed domains. Blocks all domains that are not present in the section Domain rules or in the categories of Domain list files whose policy is not Ignore.

Next are the domain rules, where domain names can be added and one of these policies chosen for each:
Always allow. Access to the domain's contents is always allowed; all the other filters are ignored.

Always deny. Access to the contents of this domain is never allowed.

Filter. The usual rules are applied to this domain. It is useful when the option Block not listed domains is active.

Image 3.54. Domain filtering.

The work of the systems administrator can be simplified by using classified domain lists. These lists are normally maintained by third parties and have the advantage of classifying domains by categories, allowing us to choose a policy for an entire category of domains. They are distributed as a compressed file; once downloaded, it can be incorporated into our configuration and policies set for the different categories.

The policies available for each category are the same as those used for domains, and they apply to all the domains in the category. There is an additional policy, Ignore, which, as the name implies, ignores the category entirely when filtering. This is the default policy for all the categories.
Image 3.55. Category list.
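The interaction between the domain rules, the category lists, the two Domain filtering options and the extension, MIME and threshold checks is where most surprises come from. The following is an added example, not Zentyal's or DansGuardian's code: a model of those rules applied in one plausible order (an assumption, not the real filter's exact evaluation order). The threshold labels are mapped to numeric page-score limits purely for illustration, and every list, domain and score below is constructed.

```python
# Added example, not Zentyal's or DansGuardian's code: a model of the domain
# rules, category lists, "block IP-only", "block not listed", extension and
# MIME checks described above, applied in one plausible order (an assumption,
# not the exact evaluation order of the real filter).  Every list and the
# page scores used here are constructed.
import ipaddress
import os
from urllib.parse import urlsplit

ALWAYS_ALLOW, ALWAYS_DENY, FILTER, IGNORE = "always_allow", "always_deny", "filter", "ignore"

# Illustrative mapping of the threshold labels to a page-score limit; the
# real product only exposes the labels.  None means Off.
THRESHOLDS = {"very permissive": 200, "permissive": 160, "medium": 100,
              "strict": 50, "very strict": 25}


def _matches(host, domain):
    """A rule for example.com also covers www.example.com."""
    return host == domain or host.endswith("." + domain)


def _is_ip(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


class FilterProfile:
    def __init__(self, threshold=None, block_ip_only=False, block_not_listed=False,
                 banned_extensions=(), banned_mime=(), domain_rules=None, categories=None):
        self.limit = None if threshold is None else THRESHOLDS[threshold]
        self.block_ip_only = block_ip_only
        self.block_not_listed = block_not_listed
        self.banned_extensions = {e.lower() for e in banned_extensions}
        self.banned_mime = {m.lower() for m in banned_mime}
        self.domain_rules = domain_rules or {}          # {"domain": policy}
        self.categories = categories or []              # [(policy, {domains})]

    def _domain_policy(self, host):
        """Explicit domain rules first, then categories (Ignore = not listed)."""
        for domain, policy in self.domain_rules.items():
            if _matches(host, domain):
                return policy, "domain rule"
        for policy, domains in self.categories:
            if policy != IGNORE and any(_matches(host, d) for d in domains):
                return policy, "category"
        return None, None

    def decide(self, url, mime_type=None, page_score=0):
        """Returns ("allow" | "deny", reason) for one request."""
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        policy, source = self._domain_policy(host)
        if policy == ALWAYS_ALLOW:
            return "allow", source          # all other filters are skipped
        if policy == ALWAYS_DENY:
            return "deny", source
        if self.block_ip_only and _is_ip(host):
            return "deny", "ip-only"
        if self.block_not_listed and source is None:
            return "deny", "not listed"
        if os.path.splitext(parts.path)[1].lower() in self.banned_extensions:
            return "deny", "extension"
        if mime_type and mime_type.lower() in self.banned_mime:
            return "deny", "mime"
        if self.limit is not None and page_score >= self.limit:
            return "deny", "content score"  # heuristic filter, subject to false positives
        return "allow", "filtered"
```

Two consequences stand out. An Always allow rule really does bypass everything, including the antivirus-style and extension checks, so white-listing a domain to cure a false positive also removes its protection. And with Block not listed domains, a category left at its default Ignore counts as not listed, so every category you actually want reachable must be set to Filter or Always allow.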
Using the Advanced Security Updates of Zentyal [13], an updated database of domain categories can be installed automatically, in order to have a professional-grade content filtering policy.
3.6.5 PRACTICAL EXAMPLE A

Activate transparent mode in the proxy, blocking all the traffic. Check that the proxy works correctly by configuring a client and trying to access the web from it.

To do this:

1. ACTION. Access the Zentyal interface, go to Module status and activate HTTP Proxy by checking the box in the column State. EFFECT. Zentyal asks for permission to overwrite configuration files.

2. ACTION. Read the associated changes and allow Zentyal to overwrite them. EFFECT. The button Save changes is active.

3. ACTION. Go to HTTP Proxy > General and enable the box Transparent mode. Make sure that Zentyal can act as a gateway, that is, that there is at least one internal and one external network interface. Check that the proxy has Deny all as Default policy. Click on Change. EFFECT. The proxy is configured in transparent mode and will deny all traffic.

[13] http://store.zentyal.com/other/advanced-security.html
4. ACTION. Click Save changes to save the configuration. EFFECT. The firewall and the HTTP proxy are restarted.

5. ACTION. Configure the client to use Zentyal as its gateway. Open a web browser on the client and try to access www.zentyal.com. EFFECT. Instead of the official Zentyal page, the client displays a warning page indicating that the content is forbidden.
3.6.6 EXERCISES

EXERCISE A. Disable transparent mode. Set a global policy that allows browsing and check, using another client, that it can browse through the Zentyal proxy server.

EXERCISE B. Disable transparent mode. Set a global policy that does not allow browsing. Check from another client that access is forbidden.

EXERCISE C. Activate transparent mode. Set a global policy that allows browsing. Check from a client that it can browse without an explicit proxy configuration.

EXERCISE D. Set a global policy that includes content filtering. Activate the Antivirus module and enable the antivirus in the default profile. Check that downloads of infected files are rejected; for this you can use the EICAR test file from www.eicar.org.

EXERCISE E. Set a global policy that includes content filtering. Set the threshold to strict. Check that some pages are blocked because of their inappropriate content.

EXERCISE F. Set a global policy that includes content filtering. Explicitly allow access to a domain that was forbidden by the previous policy.

EXERCISE G. Set a global policy that includes content filtering. Block access to the web site www.marca.com. Check that this domain cannot be accessed.

EXERCISE H. Create an object for an internal machine. Allow this object to browse. Set a global policy that blocks browsing. Check that browsing is only possible from the machine in that object.