The Proxy Menu

HTTP Proxy

The GD eSeries appliance provides a full web proxy and content filtering system to monitor and block inappropriate and/or malicious web traffic. The system also includes the ability to filter web traffic for malware that may be found in web content. A large number of profile-based rules can be defined, based on user authentication (NTLM, LDAP, Services Directory), time of day/day of week, browser type, MIME type, and more.

HTTP Proxy Architecture

GD eSeries uses different applications to provide comprehensive web security:
• SQUID: Web Proxy
  – Caching
  – Authentication (Windows AD (NTLM), LDAP, RADIUS, Local)
• Commtouch: Web filtering
  – URL Categories Filter
  – Custom whitelists/blacklists
• AV: Panda Antimalware Protection

HTTP Proxy - Transparent Mode

This mode automatically intercepts any web traffic using the firewall and sends that traffic through the web proxy and filtering system. From the perspective of the internal users, using the HTTP proxy in transparent mode means the user never knows the proxy is there, so traffic is handled seamlessly from their viewpoint.

HTTP Proxy - Non-Transparent Mode

This mode requires the client browser to be made aware of the proxy, either through (a) manual proxy configuration or (b) the proxy PAC file issued through GD eSeries DHCP, which requires the client browser to have "auto-detect" proxy settings enabled. From the perspective of the internal users, using the HTTP proxy in non-transparent mode means the client (i.e. the browser) must know about the proxy and be configured to use it, so the traffic is broken down between (a) the clients and the proxy itself and (b) the proxy and the destination server.
Non-Transparent Proxy: Important notice

There is a mechanism in place to allow a "typical" client to use the proxy in non-transparent mode without (necessarily) making any changes on the client browser. This involves the use of the proxy PAC file, which is distributed to the client using GD eSeries DHCP. This PAC file is nothing more than a set of directions that tell the client browser how to find and use the proxy.
• Requirements:
  1) Clients must receive their DHCP from the GD eSeries server (1).
  2) Clients must have their browser configured to automatically detect proxy settings, which is the default for most browsers.
(1) You could also configure a separate internal DHCP server to provide the proxy PAC file information, located at HTTP://<GatedefenderIP>/proxy.pac.

HTTP Proxy - Ports & SSL ports

Configuration options for the ports the clients are allowed to use when browsing:
Allowed Ports (from client): The TCP destination ports to which the proxy server will accept connections when using HTTP. One port or one port range per line is accepted; comments are allowed and start with a "#".
Allowed SSL Ports (from client): The TCP destination ports to which the proxy server will accept connections when using HTTPS. One port or port range per line is accepted; comments are allowed, start with a "#" and run to the end of the line.

HTTP Proxy - Logging

Open Log Settings and choose what to log:
HTTP proxy logging: Log all the URLs being accessed through the proxy. This is a master switch, hence the other options are enabled and can be configured only if logging is enabled, which it is not by default (note: the more content is logged, the more disk space on the GD eSeries is needed).
Query term logging: Log the parameters in the URL (such as ?id=123).
Useragent logging: Log the useragent identification sent by each browser.
Content filtering logging: Log when the content of web pages is filtered.
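The PAC file mechanism described under "Non-Transparent Proxy: Important notice" is plain JavaScript evaluated by the browser. The file below is an added example of what such a file contains; it is not the proxy.pac the GD eSeries itself generates. It assumes (not stated on the page) that the appliance accepts proxy clients on 192.0.2.1:8080, that 192.0.2.0/24 is the internal GREEN network and that corp.example is the internal DNS domain. The helper functions are simplified stand-ins for the ones a browser provides (isInNet here does not resolve hostnames), included so the file can be run under node; remove them when deploying, or they shadow the browser's built-ins.

```javascript
// Added example PAC file (not the appliance's own proxy.pac).
var PROXY = "PROXY 192.0.2.1:8080";   // assumed appliance address and proxy port
var DIRECT = "DIRECT";

// --- simplified stand-ins for browser-provided PAC helpers (testing only) ---
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// Shell-style wildcard match (* and ?), like the browser helper of the same name.
function shExpMatch(str, pattern) {
  var re = "^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                        .replace(/\*/g, ".*")
                        .replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

// Dotted-quad IPv4 address against network/mask; non-numeric hosts never match.
function isInNet(ip, net, mask) {
  function toInt(a) {
    var p = a.split(".");
    if (p.length !== 4 || p.some(function (x) { return !/^\d+$/.test(x); })) return null;
    return ((+p[0] << 24) | (+p[1] << 16) | (+p[2] << 8) | (+p[3])) >>> 0;
  }
  var i = toInt(ip), n = toInt(net), m = toInt(mask);
  if (i === null || n === null || m === null) return false;
  return (i & m) === (n & m);
}
// ---------------------------------------------------------------------------

function FindProxyForURL(url, host) {
  // Intranet names without a dot never go through the proxy.
  if (isPlainHostName(host)) return DIRECT;
  // Loopback and the internal subnet are reached directly; this also keeps the
  // appliance's own web interface and the PAC URL itself from looping through
  // the proxy (constructed addresses, see lead-in).
  if (host === "127.0.0.1" || isInNet(host, "192.0.2.0", "255.255.255.0")) return DIRECT;
  // Assumed internal DNS domain.
  if (shExpMatch(host, "*.corp.example")) return DIRECT;
  // Everything else, HTTP and HTTPS alike, goes to the proxy. No "; DIRECT"
  // fallback is appended: if the proxy is down the browser should fail rather
  // than silently bypass filtering and logging.
  return PROXY;
}
```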
Firewall logging (transparent proxies only): Outgoing web access instances are logged, i.e., those directed through the RED interface to the Internet. This option only works for transparent proxies.

HTTP Transparent Proxy - Bypass

In this panel transparent proxy exceptions can be defined, i.e., which sources (clients) and destinations (remote servers) should be ignored by the proxy, even if it is enabled in that zone.
Bypass transparent proxy from SUBNET/IP/MAC: The sources that should not be subject to the transparent proxy.
Bypass transparent proxy to SUBNET/IP: The destinations that are not subject to the transparent proxy.

HTTP Proxy - Cache management

Configuration options for the space taken on disk by the cache and the size of the objects stored.
Cache size on harddisk (MB): The amount in megabytes that the proxy should allocate for caching web sites on the hard disk.
Cache size within memory (MB): The amount in megabytes of memory that the proxy should allocate for caching web sites in the system memory.
Maximum object size (KB): The upper size limit, in kilobytes, of a single object that should be cached.
Minimum object size (KB): The lower size limit, in kilobytes, of a single object that should be cached.
Enable offline mode: When this option is enabled (i.e., the checkbox is ticked), the proxy will never try to update cached objects from the upstream web server; clients can then browse cached, static websites even after the uplink has gone down.
Clear cache: When this button is clicked, the cache of the proxy is erased.
Do not cache these destinations: Domains for which resources should never be cached.

HTTP Proxy - Upstream proxy

If there is another proxy server in the LAN, it can be contacted before actually requesting the original resource. This panel contains configuration options for the connection between the GateDefender and the upstream proxy.
Upstream proxy: Tick this checkbox to enable an upstream proxy and show more options. When enabled, before retrieving a remote web page that is not already in its cache, the GateDefender proxy contacts the upstream proxy to ask for that page.
Upstream server: The hostname or IP address of the upstream server.
Upstream port: The port on which the proxy is listening on the upstream server.
Upstream username/password: If authentication for the upstream proxy is required, specify the credentials here.
Client username forwarding/Client IP forwarding: Forward the username/client IP address to the upstream proxy.

Web Proxy System

Using the web proxy system is similar to building firewall rules, except that you are actually creating "web access" rules. The functioning is similar: each rule is processed in turn until a successful match is found; if no rule matches, the request is denied. For this reason it is a best practice to build rules from the most specific to the least specific (i.e. generic) scope.

Access policy

Access policies are applied to every client that is connecting through the proxy, regardless of its authentication. An access policy rule allows or denies access depending on several parameters, e.g. traffic source or destination, client used (useragent), content downloaded (mimetype, antimalware scanning, URL filtering). A list of pre-defined rules is displayed on the page. Any rule can specify whether the web access is blocked or allowed, and a filter type can be associated to an allow rule. To add a new rule, simply click on "Create a rule". A form will open, in which to configure all the parameters of the rule:
Source Type: The sources of the traffic to which this rule applies. It can be <ANY>, a zone, a list of networks, IP addresses or MAC addresses.
Destination Type: The traffic destinations to which this rule will be applied. This can be either <ANY>, a zone, or a list of networks, IP addresses, or domains.
Authentication: The type of authentication to apply to the clients. It can be disabled, in which case no authentication is required, group based or user based. One or more users or groups to which to apply the policy can then be selected from the list that will show up.
Time restriction: Decide whether the rule is effective on specific days and/or during a time period. By default a rule is always active, but its validity can be limited to either an interval or to some days of the week.
Useragents: The allowed clients and browsers, as identified by their useragent identification string.
Access policy: Select from the drop-down menu whether the rule should allow or deny web access. If set to Deny, the mimetypes list option is activated.
Mimetypes: A list of the MIME types of incoming files that should be blocked, one per line. MIME types can only be blocked (i.e., blacklisted) but not allowed (i.e., whitelisted), therefore this option is only available for Deny access policies. It can be used to block any files not corresponding to the company policy (e.g., multimedia files).
Filter profile: This drop-down menu, available when the Access policy has been set to Allow access, allows selecting which type of check the rule should perform. Available options are: none for no check and virus detection only to scan only for viruses. Moreover, if any content filter profile has been created, it can be applied to the rule.
Policy status: Whether a rule is enabled or disabled. Disabled rules will not be applied; the default is to enable the rule.
Position: The place where the new rule should be inserted.

Authentication

The GD eSeries proxy supports four different authentication types: Local Authentication (NCSA), LDAP (v2, v3, Novell eDirectory, AD), Windows Active Directory (NTLM) and RADIUS.
The NCSA type stores the user details locally on the GD eSeries, whereas the other methods rely on an external server; in those cases it is mandatory to provide all the information necessary to access that server. The common items that can be configured in this panel are:
Authentication realm: The text shown in the authentication dialog and used when joining an Active Directory Domain. When Windows Active Directory is used for authentication, the FQDN of the Domain Controller should be used.
Number of Authentication Children: The maximum number of authentication processes that can run simultaneously.
Authentication cache TTL (in minutes): The time in minutes during which the authentication data should be cached before being deleted.
Number of different IPs per user: The maximum number of IP addresses from which a user can connect to the proxy simultaneously.
User/IP cache TTL (in minutes): The time in minutes an IP address is associated with the logged-in user.
Once the common configuration settings are done, and depending on the authentication type chosen, it is possible to configure the specific settings for the selected auth method.

Transparency & Authentication

If you wish to use authentication (AD, LDAP, eDirectory, etc.) within the web proxy, then you CANNOT use the proxy in transparent mode. The reason for this is that when using the proxy in transparent mode the client browser is unaware that the proxy actually exists, so it will not send any authentication parameters. The solution is then to use a proxy that is actually advertised to the client browser, which means you must use it in non-transparent mode.

AD join

This section is used to enter the credentials required to join Active Directory, an operation that is only possible if in the Authentication tab the option Windows Active Directory (NTLM) has been selected. The password is not shown by default, but it is displayed when the Show checkbox is ticked.
HTTPS Proxy

GD eSeries can block HTTPS traffic for those sites contained in any selected content filtering profile (e.g., both HTTP://www.facebook.com and HTTPs://www.facebook.com). When the HTTPS proxy is enabled, an "intermediate" certificate is needed for the client browsers to connect via HTTPS to GateDefender, which then can deliver the request, retrieve the remote resource, control it, and then send it to the client. You can generate and download the certificate from this section.

How to configure a transparent HTTP Proxy

HTTP Proxy – Transparent Example

A transparent web proxy is one that requires no client-side changes to operate effectively (all traffic is transparently redirected). The primary purpose of the web proxy is to provide a simple method to filter web traffic to comply with security and business policies. The first step is to enable the web proxy by clicking the gray button (which will turn blue when enabled).

Since we want to have all web access (allowed and blocked) logged for review purposes, we will enable the appropriate logging options. Click Save and then Apply the changes to proceed.

Configure the Web Filter by adding a new Profile: in this example, a Profile named "Default" is going to be created. Antivirus scan is turned on (this is a default setting) and the only URL Filtering to be blocked will be the SubCategories in the Security Category. You can also add custom white or blacklists (Blacklist: www.facebook.com) to this profile as well.

Configure the Access Policy by adding a new Access Policy: in the example above, an Access Policy was created for the Green zone (entire network) that is using the web filtering profile (Default).
You can test your configuration by browsing the Internet from the Green network and testing different websites.

How to Configure a non-transparent HTTP Proxy using NTLM authentication

HTTP Proxy – Non-Transparent with NTLM Authentication Example

The use of Active Directory (NTLM) based authentication is the only way to achieve a "single sign-on" solution where users do not have to authenticate in the browser. In other words, when a user logs into their machine they are also authenticated for the web proxy automatically.

Kerberos is the network authentication protocol used in Active Directory. It has strict time requirements, which means the clocks of the involved hosts must be synchronized. The best practice is to have the Domain Controller(s) (PDC/BDC) as the NTP server(s) for the GD. This can be set under Services. Enter the NTLM information as outlined above. If you have a Backup Domain Controller it can also be added, but it is not required.

Click on Join domain and you will see the screen below. Enter an admin user name and password (permission to perform domain joins is required). Once that is done, click Join ADS and you should see a success message.

Add a new Web Filter Profile.

Add a new Access Policy with group-based authentication (Microsoft AD group gd_filter_high) and using the web filter profile previously created.
The easiest way to use the web proxy with authentication in a semi-transparent fashion is to have the appliance also handle DHCP for those networks to which you wish to provide the web proxy. Using this method, all of the necessary DHCP parameters are automatically configured and deployed to client workstations so that they detect and use the proxy automatically, assuming the above configuration for Internet Explorer is set. "Automatically detect settings" must be enabled (it is by default) in order for the IE browser to find the proxy automatically without any further manual configuration.

You can test your configuration by browsing the Internet from the Green network and testing different websites.

Email Proxies

The GD eSeries appliance provides a complete email proxy and filtering system for both SMTP and POP3 traffic. The system can filter and quarantine email traffic for malware/phishing/spam, and additionally supports other email features including the ability to perform greylisting, realtime blacklist (RBL) support, blocking by file type and more.

SMTP Proxy Architecture

GD eSeries uses different applications to provide comprehensive email security for both inbound and outbound email traffic:
– Postfix: Mail Transfer Agent (MTA)
  • Receive/send SMTP (smtpd)
  • Basic email security checks
– Amavis: Broker agent for the MTA and the filtering engines
  • Translates email into streams for spam and AV filtering
– SPAM Filtering:
  • Commtouch (enabled by default)
  • SpamAssassin
– Panda Anti-malware engine
SMTP Proxy - Bi-Directional SMTP

The GD eSeries SMTP proxy works in both inbound and outbound directions, which means you can: (1) scan inbound SMTP, from the Internet to your internal (protected) mail server(s), and (2) scan outbound SMTP, from your mail servers or from clients configured to use their own email server.
Warning: When configuring inbound SMTP filtering, you cannot have any port forwarding (DNAT) rules for TCP port 25, as these will cause the SMTP proxy to be bypassed completely.

SMTP Proxy - SMTP Inbound

SMTP Proxy - SMTP Outbound

SMTP Proxy – Antivirus settings

Scan mail for virus: Enable filtering of emails for viruses and reveal the additional virus filter options.
Choose virus handling: There are three available actions that can be carried out on e-mails in which a virus has been detected:
• Move to default quarantine location: any e-mail containing a virus will be moved to the default location, manageable from Services - Mail Quarantine.
• Send to quarantine email address: e-mails containing a virus are forwarded to a custom e-mail address that can be specified in the "virus quarantine email address" textbox that will appear upon selecting this option.
• Pass to recipient (regardless of bad contents): e-mails containing a virus will be delivered normally.
Email used for virus notifications (virus admin): the e-mail address that will receive a notification for each processed e-mail containing a virus.

SMTP Proxy - File settings

Block files by extension: Activate the extension-based filtering of files and reveal the additional options.
Choose handling of blocked files: There are three available actions that can be carried out on e-mails that have been blocked (they are the same as in the previous Spam Settings and Virus Settings boxes):
• move to default quarantine location: mails containing blocked files will be moved to the default location, manageable from Services - Mail quarantine.
• send to quarantine email address: mails containing blocked files are forwarded to a custom email address that can be specified in the "email used for blocked file notifications" textbox that will appear upon selecting this option.
• pass to recipient (regardless of bad contents): mails containing blocked files will be delivered normally.
Choose filetypes to block (by extension): The file extensions to be blocked.
Email used for blocked file notifications (file admin): The e-mail address that will receive a notification for each processed e-mail containing blocked attachments.
Block files with double extension: Enable the blocking of any file with a double extension.

SMTP Proxy - Spam Filtering

Spam subject: A prefix applied to the subject of all emails marked as spam.
Email used for spam notifications (spam admin): The e-mail address that will receive a notification for each processed spam email.
Spam tag level: If the spam score is greater than this number, the X-Spam-Status and X-Spam-Level headers are added to the e-mail.
Spam mark level: If the spam score is greater than this number, the Spam subject prefix and the X-Spam-Flag header are added to the e-mail.
Spam quarantine level: Any e-mail that exceeds this spam score will be moved to the quarantine location.
Send notification only below level: Send notification e-mails only if the spam score is below this number.
Spam filtering: Enable spam greylisting and show the next option.
Delay for greylisting (sec): The greylisting delay in seconds; it can be a value between 30 and 3600.
Activate support for Japanese emails: Tick this checkbox to activate support for Japanese character sets in e-mails, for more accurate detection of Japanese spam.

SMTP Proxy - Black & Whitelists

Whitelist sender: All the e-mails sent from these addresses or domains will be accepted.
Blacklist sender: All the e-mails sent from these addresses or domains will be rejected.
Whitelist recipient: All the e-mails sent to these addresses or domains will be accepted.
Blacklist recipient: All the e-mails sent to these addresses or domains will be rejected.
Whitelist client: All the e-mails sent from these IP addresses or hosts will be accepted.
Blacklist client: All the e-mails sent from these IP addresses or hosts will be rejected.

SMTP Proxy - Realtime Blacklist (RBL)

A method often used to block spam is the use of RBLs. These lists are created, managed, and updated by different organizations with the purpose of identifying new SMTP servers used to send spam as quickly as possible and blocking them. If a domain or sender IP address appears in one of the blacklists, e-mails coming from it will be immediately rejected without further notice. The use of RBLs saves bandwidth, since the messages will not be accepted and then handled like any other email traffic, but rather dismissed as soon as the sender's IP address or domain is found in any blacklist.

SMTP Proxy - Greylisting

Greylisting is a spam reduction technique that leverages the fact that most spam senders do not use servers that conform to normal email standards, inasmuch as they do not re-send bounced emails. All that greylisting does is to immediately reject all unknown emails for a set time period, relying on the idea that only legitimate senders will resend. There are multiple benefits to this technique, but it can immediately reduce the processing load on the GD eSeries by not having the device process known spam emails.
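A small model of the greylisting behaviour just described, added here as an illustration; it is not the appliance's implementation (which runs inside Postfix). It uses the "Delay for greylisting (sec)" range of 30 to 3600 seconds from the Spam Filtering panel and honours a client whitelist in the spirit of "Whitelist client"; the triplet key, SMTP reply codes and sample addresses are this example's own constructed choices.

```javascript
// Added greylisting model (example code, not GD eSeries code).
const MIN_DELAY = 30, MAX_DELAY = 3600;   // range of "Delay for greylisting (sec)"

class Greylist {
  constructor(delaySeconds, whitelistedClients) {
    if (delaySeconds < MIN_DELAY || delaySeconds > MAX_DELAY) {
      throw new RangeError("delay must be between 30 and 3600 seconds");
    }
    this.delay = delaySeconds;
    this.whitelist = new Set(whitelistedClients || []);   // like "Whitelist client"
    this.seen = new Map();   // triplet key -> time (s) of the first attempt
  }

  // Greylisting keys on the (client IP, envelope sender, envelope recipient)
  // triplet, so a retry of the same message from the same host is recognised
  // while a fresh spam run from another host is not.
  static key(clientIp, sender, recipient) {
    return [clientIp, sender.toLowerCase(), recipient.toLowerCase()].join("|");
  }

  // Returns the SMTP reply the MTA would give for one delivery attempt.
  // 450 is a temporary failure: a standards-conforming MTA queues the message
  // and retries later; most spam senders simply move on.
  check(clientIp, sender, recipient, now) {
    if (this.whitelist.has(clientIp)) return { code: 250, action: "whitelisted" };
    const k = Greylist.key(clientIp, sender, recipient);
    const first = this.seen.get(k);
    if (first === undefined) {
      this.seen.set(k, now);
      return { code: 450, action: "greylisted" };
    }
    if (now - first < this.delay) return { code: 450, action: "retry-too-early" };
    return { code: 250, action: "accepted" };
  }
}

// Constructed walk-through with a 300 s delay: a legitimate MTA that retries
// after 2 and then 5.5 minutes is accepted on its third attempt, so the
// message arrives 330 s late (the delay the Warning below this example refers
// to is at least the configured value, plus the sender's retry interval).
// A one-shot spam run never comes back, and a whitelisted relay is never held.
function demo() {
  const gl = new Greylist(300, ["192.0.2.25"]);
  const legit = [0, 120, 330].map(t =>
    gl.check("198.51.100.10", "alice@example.org", "bob@example.com", t).action);
  const spam = gl.check("203.0.113.9", "x@spam.example", "bob@example.com", 0).action;
  const relay = gl.check("192.0.2.25", "crm@example.com", "bob@example.com", 0).action;
  return { legit, spam, relay };
}
```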
Of course this does not eradicate all spam, but it is useful when combined with all the other spam detection tools available in GD eSeries.
Warning: Using greylisting will cause all legitimate email to be delayed by (at least) the time period defined on the GD eSeries, and possibly even more depending on the retry policy of the sending MTA, so do not use it in situations where there is high sensitivity to the timely receipt of email.

SMTP Proxy - Mail routing

This option allows sending a BCC of an e-mail to a given email address, and is applied to all the e-mails sent either to a specific recipient or from a specific sender address. The list shows the direction, the address and the BCC address, if any. To add a new mail route, click on the "Add a Mail Route" button. In the form that opens the following options can be configured:
Direction: Select from the drop-down menu whether the mail route should be defined for a sender or a recipient of the e-mail.
Mail address: Depending on the direction chosen, this will be the e-mail address of the recipient or sender to which the route should be applied.
BCC address: The e-mail address that will receive the copy of the e-mails.

SMTP Proxy - Advanced

In the first panel a smarthost can be activated and configured. One common use case: if the SMTP server has a dynamic IP address, for example when using an ISDN or ADSL dialup Internet connection, there can be trouble sending e-mails to other mail servers, since that IP address might have been blacklisted in some RBL and therefore the remote mail server might refuse the emails. Use a Smarthost to solve it!
IMAP Server for SMTP authentication: contains configuration options for the IMAP server that should be used for authentication when sending e-mails. These settings are especially important for incoming SMTP connections that are opened from the RED (WAN) zone.
Mail server settings: In this panel, additional parameters of the SMTP server can be defined.
Spam prevention: Finally, in this last panel additional parameters for the spam filter can be defined by ticking one or more of the four checkboxes.

SMTP Proxy - Anti-Spam

Enable spamassassin shortcircuit: skips the SpamAssassin scan whenever Commtouch marks a message as spam.
Ignore IPs/Networks: Here IPs and networks which should not be checked by Commtouch can be defined.
In the SPAM tag level section the following options can be configured:
CONFIRMED: Every email recognized as spam will have this tag level value (between -10 and 10, default 10).
BULK: Every message identified as bulk mail will have this tag level value (between -10 and 10, default 7).
SUSPECTED: Every email suspected to contain spam will have this tag level value (between -10 and 10, default 2).
UNKNOWN: Emails classified as unknown will have this tag level value (between -10 and 10, default 0).
NONSPAM: Non-spam mails will have this tag level value (between -10 and 10, default -10).

SMTP Proxy: Different Scenarios

SMTP Proxy - Scenario I: GD eSeries in Gateway Mode with Internal Mail Server

• We will configure the GREEN zone to Transparent mode and the RED zone to Inactive.
• In order to teach the GD eSeries where to deliver SMTP traffic, add the existing email domain(s) and mail server IP address(es).
• Configure the rest of the protection options available.
• No SmartHost configuration is needed for this scenario.
• It is advisable to configure the advanced SMTP HELO name mail server setting with the same server name as the one in the public DNS MX or A record.
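The four score thresholds of the Spam Filtering panel (tag, mark, quarantine, notification) and the Commtouch tag level values of the Anti-Spam panel interact, and misordered thresholds quietly change what happens to a message. The following added example models that interaction; it is not the appliance's code. It assumes that the Commtouch tag level is the score the thresholds are compared against, uses the panel's default tag levels (10, 7, 2, 0, -10) as sample scores, and its threshold values and subject prefix are constructed, since the page gives no defaults for them.

```javascript
// Added model of the SMTP Proxy spam thresholds (example code, not GD eSeries code).
const DEFAULT_SETTINGS = {
  spamSubject: "[SPAM]",   // "Spam subject" prefix (constructed value)
  tagLevel: 1,             // constructed thresholds; the page states no defaults
  markLevel: 5,
  quarantineLevel: 9,
  notifyBelowLevel: 9,     // "Send notification only below level"
};

// Each action is meant to include the previous ones: tagging, then marking,
// then quarantining. Thresholds out of order would quarantine mail that never
// got the subject prefix, so reject such settings up front.
function validateSettings(s) {
  return s.tagLevel <= s.markLevel && s.markLevel <= s.quarantineLevel;
}

// Apply the panel's rules to one message with a given spam score.
// msg = { subject, headers }; returns the modified copy plus the decisions.
function applySpamPolicy(msg, score, settings) {
  const s = settings || DEFAULT_SETTINGS;
  const out = { subject: msg.subject, headers: Object.assign({}, msg.headers),
                quarantined: false, notifyAdmin: false };
  if (score > s.tagLevel) {           // "Spam tag level"
    out.headers["X-Spam-Status"] = (score > s.markLevel ? "Yes" : "No") + ", score=" + score;
    out.headers["X-Spam-Level"] = "*".repeat(Math.max(0, Math.round(score)));
  }
  if (score > s.markLevel) {          // "Spam mark level"
    out.headers["X-Spam-Flag"] = "YES";
    out.subject = s.spamSubject + " " + msg.subject;
  }
  if (score > s.quarantineLevel) {    // "Spam quarantine level"
    out.quarantined = true;
  }
  // "Send notification only below level": the spam admin is notified for
  // processed spam (taken here to mean marked messages) whose score is below
  // the limit, so the noisiest, obvious spam does not generate mail.
  out.notifyAdmin = score > s.markLevel && score < s.notifyBelowLevel;
  return out;
}

// Walk the Anti-Spam panel's default tag levels through the thresholds and
// summarise the outcome for each classification.
function demo(settings) {
  const levels = { CONFIRMED: 10, BULK: 7, SUSPECTED: 2, UNKNOWN: 0, NONSPAM: -10 };
  const result = {};
  for (const name of Object.keys(levels)) {
    const r = applySpamPolicy({ subject: "hello", headers: {} }, levels[name], settings);
    result[name] = { tagged: "X-Spam-Status" in r.headers, marked: "X-Spam-Flag" in r.headers,
                     quarantined: r.quarantined, notifyAdmin: r.notifyAdmin };
  }
  return result;
}
```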
SMTP Proxy - Scenario II: GD eSeries in Gateway Mode with External Mail Server

• We'll configure the RED zone to Inactive, as you will probably be receiving POP3 mail (enable the POP3 Proxy), and set the GREEN interface to Active mode.
• Configure a Smarthost in the GD eSeries with a generic account to authenticate all outgoing mail to your external mail server.
• Possible issue: some ISPs only allow sending mail using the same account as the sender.
• Lastly you will have to configure the mail clients to use the GD eSeries as their outgoing mail server (SMTP). This will only be necessary if it is mandatory to scan outbound mail.

SMTP Proxy - Scenario III: GD eSeries in Router Mode with Internal Mail Server

• Your Internet router device must deliver all SMTP traffic to the RED interface (in cases in which the GD eSeries does not have your public IP(s) directly, create a port forwarding rule in your ISP router to forward SMTP to port 25 of your RED zone interface).
• We will configure the RED zone to Active and the other existing zones to Transparent mode.
• In order to teach the GD eSeries where to deliver SMTP traffic, add the existing email domain(s) and mail server IP address(es).
• Configure the rest of the protection options available.
• No SmartHost configuration is needed for this scenario.
• It is advisable to configure the advanced SMTP HELO name mail server setting with the same server name as the one in the public DNS MX or A record.
SMTP Proxy - Scenario IV: GD eSeries in Router Mode with External Mail Server

• We'll configure the RED zone to Inactive, as you will probably be receiving POP3 mail (enable the POP3 Proxy), and set the GREEN interface to Active mode.
• Configure a Smarthost on the GD eSeries with a generic account to authenticate all outgoing mail to your external mail server.
• Possible issue: some ISPs only allow sending mail using the same account as the sender.
• Lastly you will have to configure the mail clients to use the GD eSeries as their outgoing mail server (SMTP). This will only be necessary if it is mandatory to scan outbound mail.

POP3 Proxy (Inbound Only)

POP3 Proxy

Enabled: Enable the POP3 e-mail scanner per zone.
Virus scanner: Activate the virus scanner.
Spam filter: Enable email spam filtering.
Firewall logs outgoing connections: Let all the POP3 fetch outgoing connections be logged by the firewall.
Spam subject tag: The prefix that will be added to the subject of emails recognised as spam.
Required hits: The number of hits required for a message to be considered spam.
Activate support for Japanese emails: Tick this checkbox to activate support for Japanese character sets in e-mails, for more accurate detection of Japanese spam.
Enable message digest spam detection (pyzor): Detect spam using pyzor (in short: spam e-mails are converted to a unique digest that can be used to identify further analogous spam emails).
White list: A list of e-mail addresses or whole domains, specified using wildcards, e.g., *@example.com, one address per line. Emails from these addresses and domains will never be checked for spam.
Black list: A list of e-mail addresses or whole domains, specified using wildcards, e.g., *@example.com, one address per line. Emails from these addresses and domains will always be marked as spam.