DIH Summer Internship Program Delivers Transparent Proxy Access
1. Design & Innovation Hub (DIH)
sponsored
SUMMER INTERNSHIP PROGRAM - 2014
(SIP - 2014)
running at
R&D and Technology Extension Laboratory for
Networked Communication & Computation (NCC LAB),
Department of Electronics Engineering,
Indian Institute of Technology (BHU)
2. Minor Module
• Design and configuration of proxy-less internet access on
LAN/WAN
Interns:
T.Benith 12105EN074 B.Tech Part II Electronics Engg.
3. Objective of Module
• Users should be able to access the internet without any
proxy settings in the web browser.
• Authentication of users and logging of their activity are
mandatory.
• All applications (Windows, iOS, Android) must run through
the server without any hassle.
• Finally, Load Balancing, High Availability and DPI (Deep
Packet Inspection) have to be implemented on the server for
server redundancy.
4. What is a firewall?
A firewall is a software- or hardware-based network security system that
controls incoming and outgoing network traffic by analysing the data packets
and determining whether they should be allowed through or not, based on an
applied rule set.
pfSense is an open source firewall/router software distribution
based on FreeBSD. It is installed on a computer to make a dedicated
firewall/router for a network.
What is a Proxy Server?
A proxy server acts as an intermediary between users and the Internet.
A proxy server receives a request for an Internet service from a user and, acting as a
client on behalf of the user, uses one of its own IP addresses to request the page
from the server out on the Internet.
5. Why do we need proxy-less Internet access?
Explicit proxy servers (presently deployed in IIT BHU)
do not support many software applications (like
Windows Metro apps and Android apps), which causes
major problems for the users accessing them.
It is also hard to configure proxy settings on each client.
Reason:
These apps have been designed under the
assumption that there is an uninterrupted path out to the
Internet. If the device is configured to use an
explicit proxy, either the app does not honour this global
setting, or the app itself has no provision to be
configured to use an explicit proxy.
6. How we did it
• We have set up a transparent proxy server on pfSense (open
source firewall) using the Squid package.
• User authentication is done with the captive portal.
• Lightsquid is used for a better (graphical) representation of user
logs.
• SquidGuard is used to filter/block unwanted domains.
7. Why a transparent proxy?
In an explicit proxy configuration, the client (browser) is explicitly
configured to use a proxy server, meaning the browser knows that all
requests will go through a proxy.
When a transparent proxy is enabled, the client (browser) does not know
that its traffic is being processed by a proxy.
Transparent proxy deployments resolve the issues of software
applications running through a proxy: each application sees an uninterrupted
connection out to the Internet, and therefore works as intended.
But the usual authentication procedure is not possible, as users do
not know that a proxy is handling their requests (traffic).
8. User authentication is done with captive portal
[Screenshot: captive portal login page, and the page shown when the username/password is invalid]
9. [Screenshot: logout popup window to disconnect]
Authentication of users is mandatory for accessing the internet over the
LAN, as we need logs of each client accessing the internet through the
proxy server.
The captive portal runs over HTTPS, so the usernames and
passwords of all our clients are protected in transit and cannot be read by
any network analyser (sniffer) such as Wireshark.
10. Domain filtering/blocking
Domain blocking is necessary as we do not want our users to
access certain unwanted domains (torrent sites, Facebook).
Proxy bypassing software will not be useful, as we are using a
transparent proxy.
We have configured SquidGuard as the proxy filter:
[Screenshot: sample SquidGuard proxy filter configuration]
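The domain lists SquidGuard consumes are plain files with one domain per line, and a listed domain is meant to cover its subdomains too. The block below is an added illustration of that matching rule, not SquidGuard's own code; the blocklist contents and the URLs it is run against are constructed sample data. It shows the edge case a naive string-suffix test gets wrong: `facebook.com` must block `www.facebook.com` but not an unrelated host such as `notfacebook.com`.

```python
from urllib.parse import urlsplit

# Constructed sample blocklist in the one-domain-per-line format that
# SquidGuard's "domains" files use ('#' starts a comment).
BLOCKLIST_TEXT = """\
# sample policy list (constructed data): torrent and social sites
thepiratebay.org
facebook.com
"""


def load_domains(text):
    """Parse a domains file: one domain per line, comments allowed,
    case-insensitive, trailing dots ignored."""
    domains = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip().lower().rstrip(".")
        if entry:
            domains.add(entry)
    return frozenset(domains)


def host_is_blocked(host, blocked):
    """True if host equals a blocked domain or is a subdomain of one.

    Matching walks the DNS labels from the full name upward
    (www.facebook.com -> facebook.com -> com), so 'facebook.com' covers
    'www.facebook.com' but not the unrelated 'notfacebook.com' that a
    naive string-suffix test would also catch.
    """
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def url_is_blocked(url, blocked):
    """Decide on a full URL. For an intercepted HTTP request the proxy sees
    the whole URL; only the host part is consulted for a domain list."""
    host = urlsplit(url).hostname
    return bool(host) and host_is_blocked(host, blocked)


BLOCKED = load_domains(BLOCKLIST_TEXT)

if __name__ == "__main__":
    for url in ("http://www.facebook.com/", "http://notfacebook.com/",
                "http://thepiratebay.org/search?q=x", "http://example.com/"):
        print(url, "-> BLOCKED" if url_is_blocked(url, BLOCKED) else "-> allowed")
```

The per-label walk is what keeps the list safe to extend: adding a short domain like `example.com` never accidentally catches `myexample.com`.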
11. Problem: HTTPS traffic cannot be filtered by SquidGuard
Solution 1:
We use the OpenDNS method for filtering all HTTPS
traffic.
Solution 2:
We use the squid3-dev package with the SSL bump feature (i.e.
installing self-generated certificates into each client's
browser). This method also creates logs of HTTPS
traffic.
13. User Logs
Logs of users accessing the proxy can be seen in the /squid/logs folder,
but this format is not reader friendly, so we installed the Lightsquid
package on the firewall for a better user-log interface.
[Screenshot: Lightsquid report for all the users accessing the proxy server]
14. User logs for a specific user (IP address : 192.168.1.103) along with
browsed data size
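What Lightsquid renders is a summary of Squid's native `access.log`: one line per request, with the client IP and the number of bytes delivered. The block below is an added example of that aggregation, not Lightsquid's or Squid's code; the log lines are constructed sample data in the native format, and it produces the two views the slides show: bytes per client, and the detail for one client (192.168.1.103), including requests that the domain filter denied.

```python
from collections import defaultdict
from datetime import datetime, timezone
from typing import NamedTuple, Optional

# Constructed sample lines in Squid's native access.log format:
#   timestamp elapsed_ms client result/status bytes method url ident hierarchy/peer type
SAMPLE_LOG = """\
1404123456.789    120 192.168.1.103 TCP_MISS/200 4532 GET http://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1404123457.101     15 192.168.1.103 TCP_HIT/200 20480 GET http://example.com/logo.png - HIER_NONE/- image/png
1404123460.500    300 192.168.1.107 TCP_MISS/200 1024 GET http://example.org/ - HIER_DIRECT/93.184.216.34 text/html
1404123461.250     40 192.168.1.103 TCP_DENIED/403 3600 GET http://www.facebook.com/ - HIER_NONE/- text/html
this line is deliberate noise and must be skipped
"""


class Entry(NamedTuple):
    when: datetime
    client: str
    status: int
    size: int      # bytes sent to the client, including headers
    url: str
    denied: bool   # request refused by an ACL / SquidGuard


def parse_line(line: str) -> Optional[Entry]:
    """Parse one native-format line; return None for anything malformed so a
    corrupt line never aborts a report."""
    f = line.split()
    if len(f) < 7:
        return None
    try:
        when = datetime.fromtimestamp(float(f[0]), tz=timezone.utc)
        result, status = f[3].split("/", 1)
        return Entry(when, f[2], int(status), int(f[4]), f[6],
                     result.startswith("TCP_DENIED"))
    except ValueError:
        return None


def parse_log(text: str) -> list:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def bytes_per_client(entries) -> dict:
    """Total bytes delivered per client IP (the 'all users' view)."""
    totals = defaultdict(int)
    for e in entries:
        totals[e.client] += e.size
    return dict(totals)


def report_for_client(entries, client: str) -> dict:
    """Detail for one IP: request count, bytes, denied count and hosts visited."""
    mine = [e for e in entries if e.client == client]
    hosts = sorted({e.url.split("/")[2] for e in mine if "://" in e.url})
    return {"requests": len(mine),
            "bytes": sum(e.size for e in mine),
            "denied": sum(e.denied for e in mine),
            "hosts": hosts}


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for ip, total in sorted(bytes_per_client(entries).items()):
        print(f"{ip:16} {total:>8} bytes")
    print(report_for_client(entries, "192.168.1.103"))
```

Counting `TCP_DENIED` lines separately is worth keeping in a real report: a client with many denials is the first place to look when checking whether the domain filter is being probed.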
15. Testing Windows apps through the proxy
As Windows apps are the most affected by explicit proxy servers,
we tested our solution (transparent proxy) with a Windows Metro
application on the Windows 8 platform.
[Screenshot: Windows 8 Sports Metro app]
16. As our main objective has been successfully accomplished, we now try
to stabilise the server by:
1. WAN Load Balancing (Gateway and Load Balancing) and
WAN Failover
2. High Availability
We have also implemented Deep Packet Inspection (Layer 7
filtering) for better performance and QoS (Quality of Service).
17. WAN Load Balancing: the ability to distribute load between
multiple WAN interfaces.
We have used two WAN interfaces to balance the load on the server,
so that no interface gets overloaded and ultimately highly
congested.
[Screenshot: Multi-WAN load balancing configuration]
18. WAN Failover: the ability to use only one WAN interface, but
fail over to another WAN if the preferred WAN fails.
We have used two WAN interfaces (i.e. two global IP addresses,
so when one IP is down all traffic on the proxy server is shifted to the other
IP).
[Screenshot: WAN failover configuration]
[Screenshots: state when WAN2 is down, and when WAN1 is down]
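Slides 17 and 18 are two configurations of the same mechanism: a gateway group in which each WAN gets a tier. The block below is an added model of that selection rule, not pfSense code; it uses a plain round-robin over the eligible members and skips the sticky-connection and weighting options pfSense offers. Gateway names, the documentation-range addresses and the up/down statuses are constructed. Members on the same tier share new connections (load balancing); a higher tier is used only when every gateway on the lower tier is marked down (failover).

```python
from dataclasses import dataclass


@dataclass
class Gateway:
    name: str
    address: str      # constructed placeholder public address
    tier: int         # 1 = most preferred
    up: bool = True   # result of the gateway monitor check


class GatewayGroup:
    """Simplified model of a pfSense gateway group.

    Rules modelled: only gateways whose monitor reports 'up' are eligible;
    among those, the lowest tier wins (failover); gateways sharing that tier
    take new connections in round-robin turn (load balancing).
    """

    def __init__(self, gateways):
        self.gateways = list(gateways)
        self._rr = 0

    def eligible(self):
        up = [g for g in self.gateways if g.up]
        if not up:
            return []
        best = min(g.tier for g in up)
        return [g for g in up if g.tier == best]

    def next_gateway(self):
        members = self.eligible()
        if not members:
            return None          # every WAN is down: nothing to route to
        gw = members[self._rr % len(members)]
        self._rr += 1
        return gw

    def distribute(self, n):
        """Hand out n new connections, return the count per gateway name."""
        counts = {g.name: 0 for g in self.gateways}
        for _ in range(n):
            gw = self.next_gateway()
            if gw is not None:
                counts[gw.name] += 1
        return counts


def load_balanced_group():
    """Slide 17: both WANs on tier 1 share the load."""
    return GatewayGroup([Gateway("WAN1", "198.51.100.10", tier=1),
                         Gateway("WAN2", "203.0.113.20", tier=1)])


def failover_group():
    """Slide 18: WAN1 preferred, WAN2 used only when WAN1 is down."""
    return GatewayGroup([Gateway("WAN1", "198.51.100.10", tier=1),
                         Gateway("WAN2", "203.0.113.20", tier=2)])


def distribute_with_down(group, down_names, n):
    """Mark the named gateways down (as the monitor would) and distribute n connections."""
    for g in group.gateways:
        g.up = g.name not in down_names
    return group.distribute(n)


if __name__ == "__main__":
    print("load balancing:", load_balanced_group().distribute(10))
    print("failover, all up:", failover_group().distribute(10))
    print("failover, WAN1 down:", distribute_with_down(failover_group(), {"WAN1"}, 10))
```

The `None` return when nothing is eligible is the case worth testing on a real deployment: with both WANs down, the firewall's behaviour depends on its default-gateway setting, not on the group.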
19. High Availability: refers to a system that is continuously
operational or never failing.
We have installed pfSense on two independent servers and
internet access is available through a default (Master) server, but
when this server is down the other (Backup) server acts as Master
server and provides internet access to the LAN.
[Screenshot: MASTER server configuration on 192.168.1.3]
20. [Screenshot: BACKUP server configuration on 192.168.1.2]
[Screenshot: configuration of the BACKUP server (192.168.1.2) when 192.168.1.3 (MASTER) is down]
21. Deep Packet Inspection, or application-based filtering, is also
implemented to give higher priority to some applications like
VoIP (Skype) or to block any type of P2P sharing application.
This feature is also used to limit the bandwidth for a specific user,
based on IP address, to stop DDoS attacks.
DPI technology is the latest version of traffic packet inspection
and is the most secure and useful for blocking specific software
applications (programs).
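The per-IP bandwidth limit mentioned above is a traffic-shaping feature of pfSense; the block below is an added stand-alone model of the idea behind such a limit (a token bucket per source address), not pfSense's own limiter code. The rate, burst size, client addresses and packet trace are constructed. It shows why the bucket must be keyed by client: the flooding host exhausts only its own allowance, and the other client's traffic is still forwarded.

```python
from collections import defaultdict


class TokenBucket:
    """Allow up to `rate` bytes per second, with bursts of up to `burst` bytes."""

    def __init__(self, rate, burst):
        self.rate = float(rate)
        self.burst = float(burst)
        self.tokens = float(burst)   # start full
        self.last = None

    def admit(self, nbytes, now):
        if self.last is None:
            self.last = now
        # Refill in proportion to elapsed time, never beyond the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if nbytes <= self.tokens:
            self.tokens -= nbytes
            return True
        return False


class PerClientLimiter:
    """One bucket per source IP, so a flooding host only exhausts its own quota."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.buckets = {}
        self.stats = defaultdict(lambda: {"forwarded": 0, "dropped": 0})

    def handle(self, src_ip, nbytes, now):
        bucket = self.buckets.setdefault(src_ip, TokenBucket(self.rate, self.burst))
        ok = bucket.admit(nbytes, now)
        self.stats[src_ip]["forwarded" if ok else "dropped"] += 1
        return ok


def run_sample():
    """Constructed trace: 192.168.1.103 floods, 192.168.1.107 sends one packet.
    Limit is 1000 B/s with a 2000 B burst; timestamps are seconds."""
    lim = PerClientLimiter(rate=1000, burst=2000)
    packets = [("192.168.1.103", 500, 0.0)] * 10 + [("192.168.1.107", 500, 0.0)]
    packets += [("192.168.1.103", 500, 1.0)] * 2   # one second later, bucket refilled
    for ip, size, t in packets:
        lim.handle(ip, size, t)
    return {ip: dict(s) for ip, s in lim.stats.items()}


if __name__ == "__main__":
    for ip, s in run_sample().items():
        print(f"{ip:16} forwarded={s['forwarded']} dropped={s['dropped']}")
```

In the trace the flooding client gets its first four 500-byte packets through (the 2000-byte burst), loses the next six, and is admitted again after one second of refill; the quiet client is never affected.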
22. Advantages
• The proxy server speeds up browsing and access of data
in the network by caching.
• Users cannot bypass the transparent proxy server (e.g. with
Tor, Spotflux, Proxifier).
• Logs of all the users accessing the proxy server are kept.
• Domain filtering is done easily.
• Load Balancing, WAN Failover and HA (High Availability) are
implemented to develop a stable server.
• DPI is implemented for application-based filtering.
• Can be deployed for an organisation with ease.
• Windows, Android and iOS apps run through the proxy server without
any hassle.
23. Conclusion
We have deployed Squid as a transparent proxy to resolve the
issue of apps being unable to use the proxy setting. Since the
usual authentication procedure (challenging the user for valid
credentials before they can use the proxy) does not work for
transparent proxy deployments, a captive portal has been used to
validate each user. Thus, the proposed solution uses a
transparent proxy in conjunction with a captive portal to get the
apps to work seamlessly.
All screenshots provided were taken from a deployment on a local machine.