Chapter

Zentyal 2.0 for Network Administratorss Administrators

3.5.4

Practical examples
PRACTICAL EXAMPLE A

A high school wants to modernise their network, allowing the use of Wi-Fi to their students. One pre-requisite is that only the registered students should have access, using a user name and password provided by the centre. 1. ACTION. Access to Zentyal interface, go to Module status and activate the module RADIUS, for this you should check the box in the column State. The changes will be displayed and made active on the system. Confirm the operation by clicking the button Accept. EFFECT. The button Save changes is active now. 2. ACTION. Access to the menu RADIUS and add a NAS client using Add new. In the drop down form, we will activate Enabled, we will choose a name for the client NAS in Client, for example HighSchoolNAS1, the IP address will be 192.168.1.12/32. In order to authenticate the messages between the NAS and the RADIUS server we will use a shared password that also needs to added to the NAS client configuration.

3.6

HTTP Proxy Service

An HTTP Proxy server is used to reduce the bandwidth consumption of web traffic, increase the navigation speed, define the web access policies and improve security - blocking potentially dangerous contents. Traffic savings are made as some web page requests are answered by the proxy itself and dont need to reach Internet. This increases speed, since the proxy will create a cache containing the accessed contents. We can also define an access policy and filtering of the content, dynamically analysing each page, using white or black lists. Access can depend on the time of the day, users, groups and IP addresses. This contents can be analysed, blocking dangerous material such as viruses. One of the drawbacks is that some advanced browsing operations may not work correctly because they cant directly access the Internet. In other cases the proxy may represent a violation of the privacy regarding content accessed by the users. To use a proxy, the clients have to configure their web clients, but we can also set it as a transparent proxy, forcing our security politics. With this option, the clients do not need to configure their web browsers and its not possible to evade the proxy by changing any configuration. But, a transparent proxy can not perform user authentication.

Notes Notas

142

Chapter

Zentyal Gateway

The HTTP proxy server listens in port 3128/TCP by default. Zentyal uses Squid11 as HTTP proxy, along with Dansguardian12 for the content control.

3.6.1

Configuring the web browser to use the HTTP Proxy

In order to configure a HTTP proxy in Windows, we have to go to Start Configuration Control panel, and in the Control panel window select Network connections.

Image 3.40. Control Panel.

Now, go to Internet Options.

11 www.squid-cache.org/. 12 www.dansguardian.org/.

Notes Notas

143

Chapter

Zentyal 2.0 for Network Administrators

Image 3.41. Network connections.

You will see the window Internet Properties with different tabs, in our case we are interested in the tab Connections. Once there click on LAN configuration...:

Image 3.42. Internet Properties.

144

Captulo Chapter

Zentyal Gateway

You can now see the window Local Network Configuration (LAN).

Image 3.43. Local network configuration (LAN).

To indicate that a HTTP proxy operation is required, we have to check the box Use a HTTP Proxy for your LAN. This configuration will not apply to phone access connections or VPN. Below that we have another box Dont use proxy server for local connections, it is recommended to check this to avoid requests to the local machine to be sent to the HTTP Proxy. To configure the proxy connection go to Advanced options...

Image 3.44. Proxy servers configuration.

145

Chapter

Zentyal 2.0 for Network Administratorss Administrators

In this window, we can set a different address for different protocols, but normally we will use the same address for all of them. We can just check the box Use the same proxy server for all the protocols. The address will be the IP address of the HTTP proxy, or its associated domain name. The port used is 3128 by default. In case we want to specify web pages that dont have to use the proxy, we can add its address to the field Dont use proxy server to the addresses that start with:. Once we have configured these parameters, we just have to accept the changes then HTTP proxy will be configured. In case we need authentication, the first time we access a web page the HTTP proxy will require our user and password. In the figure below, we can see this window in Internet Explorer.

Image 3.45. Proxy requires authentication.

To configure a HTTP proxy in Ubuntu Lucid, go to the menu System Preferences, and there we can choose the option Network Proxy. We will see the windows Network proxy preferences, where we can configure the HTTP Proxy connection, from the tab Proxy manual configuration.

Notes Notas

146

Chapter

Zentyal Gateway

Image 3.46. Proxy configuration.

In order to indicate which proxy we want to use, check the option Manual proxy configuration. Below we have all the data we need to configure the proxy for the different protocols. If you want to use the same proxy for all the protocols, as in the former case, then check the option Use the same proxy for all the protocols. In the tab Ignored hosts, you can manage a list of addresses that wont pass through the proxy. The local network will be automatically added, but another addresses can be added if needed

Notes Notas

147

Chapter

Zentyal 2.0 for Network Administratorss Administrators

Image 3.47. Ignored hosts.

Once the proxy is configured, just click on Apply system wide... and then Reboot. If the proxy requires authentication, the first time users access a web page, they will see a dialogue window asking for credentials. We can see this in the window for Firefox in the figure below.

Image 3.48. Proxy requires authentication.

Notes Notas

148

Chapter

Zentyal Gateway

3.6.2

HTTP Proxy configuration in Zentyal

To configure the HTTP Proxy go to Proxy HTTP General. You can define which mode you need the proxy to operate in Transparent Proxy if you want to force the configured policies or use a manual configuration. In this case in Port we will establish the port for incoming connections. The default port will be 3128, other typical ports may be 8000 or 8080. Zentyal proxy will only accept connections that come from internal network interfaces, so an internal network address must be used for the web browser configuration. The size of the cache will define the maximum disk space used to temporally store web contents. It is set in Cache size and it is a system administrator decision to decide the optimal value, taking into account the servers characteristics and expected traffic.

TIP. The bigger the Cache size the more content can be stored and less content will have to be downloaded from the Internet, therefore improving then the browsing speed and reducing the bandwidth required. Conversely, increasing the size too much can have negative consequences, not only increased hard drive requirements, but also an increase in the RAM memory used, because the Cache has to maintain a list of indexs to reference stored contents.

Here the Default policy for the access to HTTP web contents through the proxy can be configured. This policy determines whether the web can be accessed and if the content filter is to be applied. You can choose one of the options below: Allow all. With this policy, you can allow the users to browse the web without any type of restrictions, but still have the advantages of the cache; traffic saving and better speed. Deny all. This politic totally denies all the access to the web. Even though it may seem not useful at a first view, given that we can achieve the same effect with a firewall rule, we can later establish particular policies to different objects, users and groups, therefore using this policy to deny by default and then choosing carefully what will be accepted. Filter. This policy allows the users to navigate, but activates the content filtering which can deny the access to some of the web pages requested by the users. Authorize and Filter, Allow all, Deny All. These policies are versions of the previous policies, where authentication is required. The authentication will be explained in 4.1 HTTP Proxy advanced configuration.

Notes Notas

149

Chapter

Zentyal 2.0 for Network Administratorss Administrators

Image 3.49. HTTP Proxy.

It is possible to select which domains will not be stored in the cache. For example, if we have local web servers, we wont speed up the access using the cache and memory that can be used to store remote server contents is wasted. If a domain is excluded from the cache, when a request is received for this domain, the cache is ignored and only the data is forwarded from the server without storing it. These domains are defined in Cache exceptions. After setting the global policy, more specific policies can be defined for Network objects (see section 3.1.1) in the menu HTTP Proxy Object Policy. Choose any of the six politics for each object; If access to the proxy from any member of the object associated with this policy occurs, it will have preference over the global policy. A network address can be contained in different objects, so its possible to sort the object to indicate priority. Only apply the object policy with a higher priority. There is also the possibility of defining a hour range outside which access to the network object is denied. This option is only compatible with Allow or Deny policies, not with filter policies.

Image 3.50. Object policies.

Notes Notas

150

Chapter

Zentyal Gateway

3.6.3

Limiting downloads with Zentyal

Another configurable characteristic with Zentyal is to limit the download bandwidth using network objects through the Delay Pools. For configuring this we will go to HTTP Proxy Limit bandwidth. We can represent the Delay Pools as boxes that contain a limited amount of bandwidth; they are being filled with the time, and using the network empties them. When they are completely empty, bandwidth and download speed is limited. Bearing in mind this representation, the configurable values can be tested: Ratio. Maximum bandwidth that can be used once the box is empty. Volume. Maximum capacity of the box in bytes, lets say that the box will empty if we have transmitted this number of bytes. With Zentyal bandwidth can be limited using two different methods; Delay Pools class 1 and class 2. The restrictions of the class 1 have priority over class 2 restrictions; if a network object does not match with any of the limitations in the rules, non will be applied. Class 1 Delay Pools. These limit the bandwidth globally for a subnet, and allow configuration of a transferred data limit. The Maximum network size and a maximum bandwidth restriction, in Network ratio. The limitation will be activated when the data limit has been reached. These Delay Pools are a single box shared by all the network objects. Class 2 Delay Pools. These Delay Pools have two types of boxes, a general one where, as in the Class 1 all the transmitted traffic is accumulated and one dedicated to each client. If a member of the subnet empties his box, his bandwidth will be limited to Client Ratio, but it will not affect other clients. If they empty the shared box, all the clients will be limited to the Ratio.

Image 3.51. Bandwidth limit. 151

Chapter

Zentyal 2.0 for Network Administratorss Administrators

3.6.4

Content filtering with Zentyal

Zentyal supports web page filtering depending on the content. To do so, it is required that a global policy is set or the specific policy of each object that is accessing to be Filter or Authorize and filter. We can define multiple filtering profiles in HTTP Proxy Filtering profiles, but if there is no specific profile for this user or object the default will be applied.

Image 3.52. Filtering profiles.

Content filtering for web pages can be achieved using different methods, including heuristic filtering, MIME type, extensions, white lists and black lists, amongst others. The final decision is - whether a specific web site can be accessed or not. The first filter to be configure is antivirus. In order to use it the Antivirus module must be installed and active. If its activated then HTTP traffic containing detected viruses will be blocked. Heuristic filtering consists mainly of the analysis of the text in web pages. If the content is inappropriate (pornography, racism, violence, etc.) the filter will block access to the page. To control this process establish a threshold of more or less restrictive. This is the value to be compared with the score assigned to the site. The threshold can be set in the section Content filtering threshold. You can disable this filter by choosing the value Off. Keep in mind that this analysis can block allowed pages, which is known as a false positive. This problem can be remedied by adding the domains of this site to a whitelist, but there is always the risk of a false positive with new pages. Also available are the File extension filtering, the MIME type filtering and the Domain filtering.

Notes Notas

152

Chapter

Zentyal Gateway

Image 3.53. Filtering profile.

In the tab File extension filtering select which extension will be blocked. In a similar fashion in MIME type filtering you can select which MIME types are blocked and add new one if necessary, as with extensions. In the tab Domain filtering the filtering configuration based on domains can be found. Selections available are: Block domains specified only as IP, this options blocks the domains based only on the IP address and not in the domain. Block not listed domain, this option blocks all the domains that are not present in the section Domain rules or in the categories present in Domain list files and which policy is not set to Ignore. Next are the domain lists, where domain names can be inserted and one of these policies can be chosen:

Notes Notas

153

Chapter

Zentyal 2.0 for Network Administratorss

Always allow. Access to the domain contents will be always allowed, all the filters are ignored. Always deny. We will never allow access to the contents of this domain. Filter. We will apply the usual rules to this domain. It is useful if we have activated the option Block non listed domains.

Image 3.54. Domain filtering.

The work of the systems administrator can be simplified if we use classified domain lists. These lists are normally maintained by third parties and have the advantage of classifying domains by categories, allowing us to choose a policy for a entire domain category. These lists are distributed as a compressed file. Once a file has been downloaded it can be incorporated into our configurations and policies set for the different categories. The policies that are available for each category are the same as those used for domains and will applied to all the domains in the category. There is an additional policy Ignore, as the name implies, this will ignore all of this category when filtering. This is the default policy for all the categories.

Notes Notas

154

Chapter

Zentyal 2.0 for Network Administratorss

Image 3.55. Category list.

Using the Advanced Security Updates in Zentyal13, an updated database of domain categories can be automatically installed - in order to have a professional content filtering policy level.

3.6.5

Practical examples
PRACTICAL EXAMPLE A

Activate transparent mode in the proxy, blocking all the traffic. Check the correct functioning of the proxy by configuring a client and trying to access the web from it. To do this: 1. ACTION. Access the Zentyal interface, go to Module status and activate HTTP Proxy, to do this you must check the box in the column State. EFFECT. Zentyal will request permission to overwrite configuration files. 2. ACTION. Read the associated changes and allow Zentyal to overwrite them. EFFECT. The button Save changes is active. 3. ACTION. Go to HTTP Proxy General, enable the box Transparent mode. Make sure that Zentyal can act as as a gateway, that is, that there is at least one internal and one external network. Check that the proxy has Always deny as Default policy. Click on Change. EFFECT. The proxy is configured in transparent mode and will deny all traffic.
13 http://store.zentyal.com/other/advanced-security.html.

Notes Notas

155

Chapter

Zentyal 2.0 for Network Administratorss

4. ACTION. Save changes to save the configuration. EFFECT. Firewall and HTTP proxy will reboot. 5. ACTION. Configure the client to use Zentyal as gateway. Open a web browser in the client and try to access www.zentyal.com. EFFECT. Check in the client that instead the official Zentyal page, a warning page indicating forbidden content is displayed.

3.6.6

Proposed exercises
EXERCISE A

Disable transparent mode. Set a global policy that allows to browse, check using another client that we can navigate using the Zentyal proxy server.
EXERCISE B

Disable transparent mode. Set a global policy that does not allow to navigate. Check from another client that the access is forbidden.
EXERCISE C

Activate transparent mode. Set a global policy that allows to browse. Check from a client that we can navigate without setting an explicit connection to the proxy.
EXERCISE D

Set a global policy that includes content filtering. Activate the antivirus module. In the default profile activate antivirus. Check that it reject to download infected files. For this we can use the virus library in EICAR, using the webpage www.eicar.org.
EXERCISE E

Set a global policy that includes content filtering. Set the threshold to strict. Check that some pages are blocked for their inappropriate content.
EXERCISE F

Set a global policy that includes content filtering. Allow explicitly the access to a domain that was forbidden by the former policy.
EXERCISE G

Set a global policy that includes content filtering. Block the access to the web page www.marca.com. Check that we cannot access this domain.
EXERCISE H

Create an object for an internal machine. Allow this object to navigate. Set a global policy that block navigation. Check that we can only navigate from this configured object.

156