SlideShare a Scribd company logo

DIH Summer Internship Program Delivers Transparent Proxy Access

Download as PPTX, PDF
B
Benith T
1 of 24
Design & Innovation Hub (DIH) sponsored SUMMER INTERNSHIP PROGRAM - 2014 (SIP - 2014) running at R&D and Technology Extension Laboratory for Networked Communication & Computation (NCC LAB), Department of Electronics Engineering, Indian Institute of Technology (BHU)
Minor Module • Design and configuration of Proxy less internet access on LAN/WAN Interns: T.Benith 12105EN074 B.Tech Part II Electronics Engg.
Objective of Module • User should be able to access the internet without any proxy settings in the web browser. • Authentication of users and the logs of users are must. • All applications(Win,IOS,Android) must run through the server without any hassle. • Finally , Load Balancing, High availability , DPI(Deep Packet Inspection) has to be implemented on server for server redundancy.
What is a firewall? A Firewall is software or hardware-based network security system that controls the incoming and outgoing network traffic by analyzing the data packets and determining whether they should be allowed through or not, based on applied rule set. pfSense is an open source firewall/router computer software distribution based on FreeBSD. It is installed on a computer to make a dedicated firewall/router for a network What is a Proxy Server ? Proxy server acts as an intermediary between users and Internet. A proxy server receives a request for an Internet service from a user , acting as a client on behalf of the user, uses one of its own IP addresses to request the page from the server out on the Internet.
Why do we need Proxy less Internet access ?? Explicit Proxy Servers (Presently deployed in IIT BHU) does not support many software applications (like Windows metro apps , android apps ) which causes major problems for the users accessing it . Hard to configure proxy settings for each client. Reason: This is because the apps have been designed under the assumption that there is an uninterrupted path out to the Internet, thus if the device is configured to use an explicit proxy, either the app does not use this global setting, or the app itself has no provision to be configured to use an explicit proxy.
How we did it ?? • We have setup Transparent proxy server on pfSense(Open source Firewall) using squid package. • User authentication is done with captive portal. • Light squid is used for better(graphical) representation of user logs. • Squidguard is used to filter/block unwanted domains .
Why Transparent Proxy ?? In an explicit proxy configuration, the client (browser) is explicitly configured to use a proxy server, meaning the browser knows that all requests will go through a proxy. When transparent proxy is enabled, the client (browser) does not know the traffic is being processed by a proxy. Transparent proxy deployments resolve the issues of the software applications running through proxy ,as it has an uninterrupted connection out to the internet, and therefore work as intended. But, the usual authentication procedure is not possible as users do not know that proxy is accessing their requests(traffic).
User authentication is done with captive portal Screenshot of Captive portal page When username/password is Invalid
Logout popup window to diconnect Authentication of users is mandatory for accessing internet over LAN as we need logs of each client accessing internet through proxy server. Captive portal is running through HTTPS protocol so username & password of all our clients are secured and cannot be accessed by any network analyser(sniffer) like Wireshark.
Domain filtering/blocking Domain blocking is necessary as we do not want our users to access certain unwanted domains (torrent,facebook) . Proxy bypassing software will not be useful , as we are using transparent proxy. We have configured squidguard as proxy filter : Sample screenshot of Proxy filter
Problem : HTTPS traffic can not be filtered by Squidguard Solution 1 : We use OpenDNS method for filtering all HTTPS traffic . Solution 2: We use squid3-dev package with SSL bump feature (i.e, installing self-generated certificates into client’s browser) . This method also creates logs of HTTPS traffic .
HTTPS traffic logs by squid-3dev method
User Logs Logs of users accessing the proxy can be seen in /squid/logs folder but as this format is not reader friendly . We installed Lightsquid package in the firewall for better User logs interface. Light squid report for all the users accessing the proxy server
User logs for a specific user (IP address : 192.168.1.103) along with browsed data size
Testing windows apps through proxy As windows apps are most affected with explicit proxy servers we tested our solution (transparent proxy) with windows metro application on Windows 8 platform. Screenshot of Windows 8 sports metro app
As our main objective is successfully accomplished , we now try to stabilise server by : 1.WAN Load Balancing (Gateway and Load Balancing) and WAN Failover 2.High Availability We have also implemented Deep Packet Inspection (Layer7 filtering) for better performance and QoS(Quality of Service).
WAN Load Balancing : The ability to distribute load between multiple WAN interfaces. We have used two wan interface to balance the load on the server thereby no Interface gets overloaded and ultimately gets highly congested. Screenshot of Multi WAN Load Balancing
WAN Failover : The ability to use only one WAN interface, but fail over to another WAN if the preferred WAN fails. We have used two WAN interfaces(i.e two global IP addresses , so when IP is down all traffic on proxy server is shifted to other IP). WAN failover configuration S Screenshot when WAN2 is down Screenshot when WAN1 is down
High Availability : Refers to a system that is continuously operational or never failing. We have installed pfSense on two independent servers and the internet access is available through a default(Master) server , but when this server is down the other(Backup) server acts as Master Server and provides internet access to LAN. Screenshot of MASTER server configuration on 192.168.1.3
Screenshot of BACKUP Server Configuration on 192.168.1.2 When 192.168.1.3(MASTER) is down , Configuration of BACKUP (192.168.1.2) Server
Deep Packet Inspection or application based filtering is also implemented to give higher priority to some applications like VoIP(Skype) or to block any type of p2p sharing applications. This feature is also used to limit the bandwidth for a specific user based on IP Address to disable any DDoS Attacks . DPI technology is the latest version of traffic packet inspection and is most secure and useful for blocking specific software applications (programs).
Advantages • Proxy server is used to speedup the browsing and access of data in a network by caching. • Users cannot bypass transparent proxy server(eg. Tor,spotflux,proxifier) . • Logs of all the users accessing proxy server are made. • Domain filtering is done easily. • Load Balancing , WAN Failover and HA(High Availability) is implemented to develop a stable server. • DPI is implemented for application based filtering. • Can be deployed for an organisation with ease. Windows , Android , IOS apps run through proxy server without any hassle.
Conclusion We have deployed squid as a transparent proxy to resolve the issue of apps being unable to use the proxy setting. And since, the authentication procedure (challenging the user for valid credentials before they can use the proxy) does not work for transparent proxy deployments; a captive portal has been used to validate a user. Thus, the proposed solution involves using a transparent proxy in conjunction with a captive portal to get the apps to work seamlessly. All screenshots provided have been deployed on local machine.
THANK YOU

Recommended

802.1x Implementation Plan for Seacoast
802.1x Implementation Plan for Seacoast802.1x Implementation Plan for Seacoast
802.1x Implementation Plan for SeacoastSithideth Banavong
 
Implementing 802.1x Authentication
Implementing 802.1x AuthenticationImplementing 802.1x Authentication
Implementing 802.1x Authenticationdkaya
 
Virtual Private Networks
Virtual Private NetworksVirtual Private Networks
Virtual Private Networksprimeteacher32
 
802.1x authentication
802.1x authentication802.1x authentication
802.1x authenticationXiaoqi Zhao
 
radius dhcp dot1.x (802.1x)
radius dhcp dot1.x (802.1x)radius dhcp dot1.x (802.1x)
radius dhcp dot1.x (802.1x)rinnocente
 
Ali shahbazi khojasteh dot1X
Ali shahbazi khojasteh dot1XAli shahbazi khojasteh dot1X
Ali shahbazi khojasteh dot1XAli Shahbazi Khojasteh
 
Microservices Architecture
Microservices ArchitectureMicroservices Architecture
Microservices ArchitectureLucian Neghina
 
At8000 s configurando_8021x
At8000 s configurando_8021xAt8000 s configurando_8021x
At8000 s configurando_8021xNetPlus
 

Recommended

802.1x Implementation Plan for Seacoast
802.1x Implementation Plan for Seacoast802.1x Implementation Plan for Seacoast
802.1x Implementation Plan for SeacoastSithideth Banavong
 
Implementing 802.1x Authentication
Implementing 802.1x AuthenticationImplementing 802.1x Authentication
Implementing 802.1x Authenticationdkaya
 
Virtual Private Networks
Virtual Private NetworksVirtual Private Networks
Virtual Private Networksprimeteacher32
 
802.1x authentication
802.1x authentication802.1x authentication
802.1x authenticationXiaoqi Zhao
 
radius dhcp dot1.x (802.1x)
radius dhcp dot1.x (802.1x)radius dhcp dot1.x (802.1x)
radius dhcp dot1.x (802.1x)rinnocente
 
Ali shahbazi khojasteh dot1X
Ali shahbazi khojasteh dot1XAli shahbazi khojasteh dot1X
Ali shahbazi khojasteh dot1XAli Shahbazi Khojasteh
 
Microservices Architecture
Microservices ArchitectureMicroservices Architecture
Microservices ArchitectureLucian Neghina
 
At8000 s configurando_8021x
At8000 s configurando_8021xAt8000 s configurando_8021x
At8000 s configurando_8021xNetPlus
 
Two-factor Authentication
Two-factor AuthenticationTwo-factor Authentication
Two-factor AuthenticationPortalGuard dba PistolStar, Inc.
 
Airheads Tech Talks: Understanding ClearPass OnGuard Agents
Airheads Tech Talks: Understanding ClearPass OnGuard AgentsAirheads Tech Talks: Understanding ClearPass OnGuard Agents
Airheads Tech Talks: Understanding ClearPass OnGuard AgentsAruba, a Hewlett Packard Enterprise company
 
Managing HotSpot Clients With FreeRadius
Managing HotSpot Clients With FreeRadiusManaging HotSpot Clients With FreeRadius
Managing HotSpot Clients With FreeRadiusDashamir Hoxha
 
AAA & RADIUS Protocols
AAA & RADIUS ProtocolsAAA & RADIUS Protocols
AAA & RADIUS ProtocolsPeter R. Egli
 
Bluecoat Services
Bluecoat ServicesBluecoat Services
Bluecoat ServicesChessBall
 
Network Monitoring Basics
Network Monitoring BasicsNetwork Monitoring Basics
Network Monitoring BasicsRob Dunn
 
Radiojungle AAA RADIUS introduction
Radiojungle AAA RADIUS introductionRadiojungle AAA RADIUS introduction
Radiojungle AAA RADIUS introductionsmoscato
 
Server Push Technology ( Ratchet )
Server Push Technology ( Ratchet )Server Push Technology ( Ratchet )
Server Push Technology ( Ratchet )Milad Alshomary
 
Open Audit
Open AuditOpen Audit
Open Auditncspa
 
Ieee 802.1 x
Ieee 802.1 xIeee 802.1 x
Ieee 802.1 xMohamed Gamel
 
NetFlow Analyzer Training Part I: Getting the initial settings right
NetFlow Analyzer Training Part I: Getting the initial settings rightNetFlow Analyzer Training Part I: Getting the initial settings right
NetFlow Analyzer Training Part I: Getting the initial settings rightManageEngine, Zoho Corporation
 
Aruba cppm 6_1_user_guide
Aruba cppm 6_1_user_guideAruba cppm 6_1_user_guide
Aruba cppm 6_1_user_guideAruba, a Hewlett Packard Enterprise company
 
Proxy Servers
Proxy ServersProxy Servers
Proxy ServersSourav Roy
 
Remote Desktop Services - Who Needs It?
Remote Desktop Services - Who Needs It?Remote Desktop Services - Who Needs It?
Remote Desktop Services - Who Needs It?Aventis Systems, Inc.
 
802.1x Authentication Standard
802.1x Authentication Standard802.1x Authentication Standard
802.1x Authentication StandardDan Miller
 
ClearPass Insight 6.3 User Guide
ClearPass Insight 6.3 User GuideClearPass Insight 6.3 User Guide
ClearPass Insight 6.3 User GuideAruba, a Hewlett Packard Enterprise company
 
Vfm bluecoat proxy sg solution with web filter and reporter
Vfm bluecoat proxy sg solution with web filter and reporterVfm bluecoat proxy sg solution with web filter and reporter
Vfm bluecoat proxy sg solution with web filter and reportervfmindia
 
GSX Monitor and Analyzer for Microsoft Lync 2013 - Presented by Atidan
GSX Monitor and Analyzer for Microsoft Lync 2013 - Presented by AtidanGSX Monitor and Analyzer for Microsoft Lync 2013 - Presented by Atidan
GSX Monitor and Analyzer for Microsoft Lync 2013 - Presented by AtidanDavid J Rosenthal
 
6421 b Module-05
6421 b Module-056421 b Module-05
6421 b Module-05Bibekananada Jena
 
seminar on proxyserver
seminar on proxyserverseminar on proxyserver
seminar on proxyserverNiraj Barnwal
 
Advantages of proxy server
Advantages of proxy serverAdvantages of proxy server
Advantages of proxy servergreatbury
 
Proxy servers
Proxy serversProxy servers
Proxy serversKumar
 

More Related Content

What's hot

Managing HotSpot Clients With FreeRadius
Managing HotSpot Clients With FreeRadiusManaging HotSpot Clients With FreeRadius
Managing HotSpot Clients With FreeRadiusDashamir Hoxha
 
AAA & RADIUS Protocols
AAA & RADIUS ProtocolsAAA & RADIUS Protocols
AAA & RADIUS ProtocolsPeter R. Egli
 
Bluecoat Services
Bluecoat ServicesBluecoat Services
Bluecoat ServicesChessBall
 
Network Monitoring Basics
Network Monitoring BasicsNetwork Monitoring Basics
Network Monitoring BasicsRob Dunn
 
Radiojungle AAA RADIUS introduction
Radiojungle AAA RADIUS introductionRadiojungle AAA RADIUS introduction
Radiojungle AAA RADIUS introductionsmoscato
 
Server Push Technology ( Ratchet )
Server Push Technology ( Ratchet )Server Push Technology ( Ratchet )
Server Push Technology ( Ratchet )Milad Alshomary
 
Open Audit
Open AuditOpen Audit
Open Auditncspa
 
NetFlow Analyzer Training Part I: Getting the initial settings right
NetFlow Analyzer Training Part I: Getting the initial settings rightNetFlow Analyzer Training Part I: Getting the initial settings right
NetFlow Analyzer Training Part I: Getting the initial settings rightManageEngine, Zoho Corporation
 
Remote Desktop Services - Who Needs It?
Remote Desktop Services - Who Needs It?Remote Desktop Services - Who Needs It?
Remote Desktop Services - Who Needs It?Aventis Systems, Inc.
 
802.1x Authentication Standard
802.1x Authentication Standard802.1x Authentication Standard
802.1x Authentication StandardDan Miller
 
Vfm bluecoat proxy sg solution with web filter and reporter
Vfm bluecoat proxy sg solution with web filter and reporterVfm bluecoat proxy sg solution with web filter and reporter
Vfm bluecoat proxy sg solution with web filter and reportervfmindia
 
GSX Monitor and Analyzer for Microsoft Lync 2013 - Presented by Atidan
GSX Monitor and Analyzer for Microsoft Lync 2013 - Presented by AtidanGSX Monitor and Analyzer for Microsoft Lync 2013 - Presented by Atidan
GSX Monitor and Analyzer for Microsoft Lync 2013 - Presented by AtidanDavid J Rosenthal
 

What's hot (19)

Two-factor Authentication
Two-factor AuthenticationTwo-factor Authentication
Two-factor Authentication
 
Airheads Tech Talks: Understanding ClearPass OnGuard Agents
Airheads Tech Talks: Understanding ClearPass OnGuard AgentsAirheads Tech Talks: Understanding ClearPass OnGuard Agents
Airheads Tech Talks: Understanding ClearPass OnGuard Agents
 
Managing HotSpot Clients With FreeRadius
Managing HotSpot Clients With FreeRadiusManaging HotSpot Clients With FreeRadius
Managing HotSpot Clients With FreeRadius
 
AAA & RADIUS Protocols
AAA & RADIUS ProtocolsAAA & RADIUS Protocols
AAA & RADIUS Protocols
 
Bluecoat Services
Bluecoat ServicesBluecoat Services
Bluecoat Services
 
Network Monitoring Basics
Network Monitoring BasicsNetwork Monitoring Basics
Network Monitoring Basics
 
Radiojungle AAA RADIUS introduction
Radiojungle AAA RADIUS introductionRadiojungle AAA RADIUS introduction
Radiojungle AAA RADIUS introduction
 
Server Push Technology ( Ratchet )
Server Push Technology ( Ratchet )Server Push Technology ( Ratchet )
Server Push Technology ( Ratchet )
 
Open Audit
Open AuditOpen Audit
Open Audit
 
Ieee 802.1 x
Ieee 802.1 xIeee 802.1 x
Ieee 802.1 x
 
NetFlow Analyzer Training Part I: Getting the initial settings right
NetFlow Analyzer Training Part I: Getting the initial settings rightNetFlow Analyzer Training Part I: Getting the initial settings right
NetFlow Analyzer Training Part I: Getting the initial settings right
 
Aruba cppm 6_1_user_guide
Aruba cppm 6_1_user_guideAruba cppm 6_1_user_guide
Aruba cppm 6_1_user_guide
 
Proxy Servers
Proxy ServersProxy Servers
Proxy Servers
 
Remote Desktop Services - Who Needs It?
Remote Desktop Services - Who Needs It?Remote Desktop Services - Who Needs It?
Remote Desktop Services - Who Needs It?
 
802.1x Authentication Standard
802.1x Authentication Standard802.1x Authentication Standard
802.1x Authentication Standard
 
ClearPass Insight 6.3 User Guide
ClearPass Insight 6.3 User GuideClearPass Insight 6.3 User Guide
ClearPass Insight 6.3 User Guide
 
Vfm bluecoat proxy sg solution with web filter and reporter
Vfm bluecoat proxy sg solution with web filter and reporterVfm bluecoat proxy sg solution with web filter and reporter
Vfm bluecoat proxy sg solution with web filter and reporter
 
GSX Monitor and Analyzer for Microsoft Lync 2013 - Presented by Atidan
GSX Monitor and Analyzer for Microsoft Lync 2013 - Presented by AtidanGSX Monitor and Analyzer for Microsoft Lync 2013 - Presented by Atidan
GSX Monitor and Analyzer for Microsoft Lync 2013 - Presented by Atidan
 
6421 b Module-05
6421 b Module-056421 b Module-05
6421 b Module-05
 

Viewers also liked

seminar on proxyserver
seminar on proxyserverseminar on proxyserver
seminar on proxyserverNiraj Barnwal
 
Advantages of proxy server
Advantages of proxy serverAdvantages of proxy server
Advantages of proxy servergreatbury
 
Proxy servers
Proxy serversProxy servers
Proxy serversKumar
 

Viewers also liked (7)

seminar on proxyserver
seminar on proxyserverseminar on proxyserver
seminar on proxyserver
 
Advantages of proxy server
Advantages of proxy serverAdvantages of proxy server
Advantages of proxy server
 
Proxy servers
Proxy serversProxy servers
Proxy servers
 
Proxy server
Proxy serverProxy server
Proxy server
 
Proxy Servers
Proxy ServersProxy Servers
Proxy Servers
 
Proxy Servers & Firewalls
Proxy Servers & FirewallsProxy Servers & Firewalls
Proxy Servers & Firewalls
 
Proxy Server
Proxy ServerProxy Server
Proxy Server
 

Similar to DIH Summer Internship Program Delivers Transparent Proxy Access

Design and Configuration of App Supportive Indirect Internet Access using a ...
Design and Configuration of App Supportive Indirect Internet Access using a ...Design and Configuration of App Supportive Indirect Internet Access using a ...
Design and Configuration of App Supportive Indirect Internet Access using a ...IJMER
 
B04010 01 0917
B04010 01 0917B04010 01 0917
B04010 01 0917IJMER
 
Web application & proxy server
Web application & proxy serverWeb application & proxy server
Web application & proxy serverMeera Hapaliya
 
Open Programmable Architecture for Java-enabled Network Devices
Open Programmable Architecture for Java-enabled Network DevicesOpen Programmable Architecture for Java-enabled Network Devices
Open Programmable Architecture for Java-enabled Network DevicesTal Lavian Ph.D.
 
Popeye - Using Fine-grained Network Access Control to Support Mobile Users an...
Popeye - Using Fine-grained Network Access Control to Support Mobile Users an...Popeye - Using Fine-grained Network Access Control to Support Mobile Users an...
Popeye - Using Fine-grained Network Access Control to Support Mobile Users an...Tal Lavian Ph.D.
 
VPN (virtual private network)
VPN (virtual private network) VPN (virtual private network)
VPN (virtual private network) Netwax Lab
 
Application server
Application serverApplication server
Application servernava rathna
 
Forefront Unified Access Gateway 2010: An Introduction To Enterprise Features
Forefront Unified Access Gateway 2010: An Introduction To Enterprise FeaturesForefront Unified Access Gateway 2010: An Introduction To Enterprise Features
Forefront Unified Access Gateway 2010: An Introduction To Enterprise FeaturesFabrizio Volpe
 
SECURITY IMPLEMENTATION IN MEDIA STREAMING APPLICATIONS USING OPEN NETWORK AD...
SECURITY IMPLEMENTATION IN MEDIA STREAMING APPLICATIONS USING OPEN NETWORK AD...SECURITY IMPLEMENTATION IN MEDIA STREAMING APPLICATIONS USING OPEN NETWORK AD...
SECURITY IMPLEMENTATION IN MEDIA STREAMING APPLICATIONS USING OPEN NETWORK AD...Journal For Research
 
Adaptiva OneSite Cloud: Software Delivery Everywhere
Adaptiva OneSite Cloud: Software Delivery EverywhereAdaptiva OneSite Cloud: Software Delivery Everywhere
Adaptiva OneSite Cloud: Software Delivery EverywhereJeff Canfield
 
Citrix xenapp training
Citrix xenapp training Citrix xenapp training
Citrix xenapp training Yuvaraj1986
 
Azure Web App services
Azure Web App servicesAzure Web App services
Azure Web App servicesAlexey Bokov
 
Desafíos de la Ciberseguridad en un ecosistema digitalmente transformado
Desafíos de la Ciberseguridad en un ecosistema digitalmente transformadoDesafíos de la Ciberseguridad en un ecosistema digitalmente transformado
Desafíos de la Ciberseguridad en un ecosistema digitalmente transformadoCristian Garcia G.
 
All About Microservices and OpenSource Microservice Frameworks
All About Microservices and OpenSource Microservice FrameworksAll About Microservices and OpenSource Microservice Frameworks
All About Microservices and OpenSource Microservice FrameworksMohammad Asif Siddiqui
 

Similar to DIH Summer Internship Program Delivers Transparent Proxy Access (20)

Design and Configuration of App Supportive Indirect Internet Access using a ...
Design and Configuration of App Supportive Indirect Internet Access using a ...Design and Configuration of App Supportive Indirect Internet Access using a ...
Design and Configuration of App Supportive Indirect Internet Access using a ...
 
B04010 01 0917
B04010 01 0917B04010 01 0917
B04010 01 0917
 
Web application & proxy server
Web application & proxy serverWeb application & proxy server
Web application & proxy server
 
Open Programmable Architecture for Java-enabled Network Devices
Open Programmable Architecture for Java-enabled Network DevicesOpen Programmable Architecture for Java-enabled Network Devices
Open Programmable Architecture for Java-enabled Network Devices
 
Popeye - Using Fine-grained Network Access Control to Support Mobile Users an...
Popeye - Using Fine-grained Network Access Control to Support Mobile Users an...Popeye - Using Fine-grained Network Access Control to Support Mobile Users an...
Popeye - Using Fine-grained Network Access Control to Support Mobile Users an...
 
VPN (virtual private network)
VPN (virtual private network) VPN (virtual private network)
VPN (virtual private network)
 
Firewall vpn proxy
Firewall vpn proxyFirewall vpn proxy
Firewall vpn proxy
 
Application server
Application serverApplication server
Application server
 
Forefront Unified Access Gateway 2010: An Introduction To Enterprise Features
Forefront Unified Access Gateway 2010: An Introduction To Enterprise FeaturesForefront Unified Access Gateway 2010: An Introduction To Enterprise Features
Forefront Unified Access Gateway 2010: An Introduction To Enterprise Features
 
Remote Web Desk
Remote Web DeskRemote Web Desk
Remote Web Desk
 
SECURITY IMPLEMENTATION IN MEDIA STREAMING APPLICATIONS USING OPEN NETWORK AD...
SECURITY IMPLEMENTATION IN MEDIA STREAMING APPLICATIONS USING OPEN NETWORK AD...SECURITY IMPLEMENTATION IN MEDIA STREAMING APPLICATIONS USING OPEN NETWORK AD...
SECURITY IMPLEMENTATION IN MEDIA STREAMING APPLICATIONS USING OPEN NETWORK AD...
 
Adaptiva OneSite Cloud: Software Delivery Everywhere
Adaptiva OneSite Cloud: Software Delivery EverywhereAdaptiva OneSite Cloud: Software Delivery Everywhere
Adaptiva OneSite Cloud: Software Delivery Everywhere
 
zigbee
zigbeezigbee
zigbee
 
Sangfor SSL VPN Datasheet
Sangfor SSL VPN DatasheetSangfor SSL VPN Datasheet
Sangfor SSL VPN Datasheet
 
E farming
E farmingE farming
E farming
 
Citrix xenapp training
Citrix xenapp training Citrix xenapp training
Citrix xenapp training
 
Azure Web App services
Azure Web App servicesAzure Web App services
Azure Web App services
 
Cloud Platform as a Service: Heroku
Cloud Platform as a Service: HerokuCloud Platform as a Service: Heroku
Cloud Platform as a Service: Heroku
 
Desafíos de la Ciberseguridad en un ecosistema digitalmente transformado
Desafíos de la Ciberseguridad en un ecosistema digitalmente transformadoDesafíos de la Ciberseguridad en un ecosistema digitalmente transformado
Desafíos de la Ciberseguridad en un ecosistema digitalmente transformado
 
All About Microservices and OpenSource Microservice Frameworks
All About Microservices and OpenSource Microservice FrameworksAll About Microservices and OpenSource Microservice Frameworks
All About Microservices and OpenSource Microservice Frameworks
 

DIH Summer Internship Program Delivers Transparent Proxy Access

  • 1. Design & Innovation Hub (DIH) sponsored SUMMER INTERNSHIP PROGRAM - 2014 (SIP - 2014) running at R&D and Technology Extension Laboratory for Networked Communication & Computation (NCC LAB), Department of Electronics Engineering, Indian Institute of Technology (BHU)
  • 2. Minor Module • Design and configuration of Proxy less internet access on LAN/WAN Interns: T.Benith 12105EN074 B.Tech Part II Electronics Engg.
  • 3. Objective of Module • User should be able to access the internet without any proxy settings in the web browser. • Authentication of users and the logs of users are must. • All applications(Win,IOS,Android) must run through the server without any hassle. • Finally , Load Balancing, High availability , DPI(Deep Packet Inspection) has to be implemented on server for server redundancy.
  • 4. What is a firewall? A Firewall is software or hardware-based network security system that controls the incoming and outgoing network traffic by analyzing the data packets and determining whether they should be allowed through or not, based on applied rule set. pfSense is an open source firewall/router computer software distribution based on FreeBSD. It is installed on a computer to make a dedicated firewall/router for a network What is a Proxy Server ? Proxy server acts as an intermediary between users and Internet. A proxy server receives a request for an Internet service from a user , acting as a client on behalf of the user, uses one of its own IP addresses to request the page from the server out on the Internet.
  • 5. Why do we need Proxy less Internet access ?? Explicit Proxy Servers (Presently deployed in IIT BHU) does not support many software applications (like Windows metro apps , android apps ) which causes major problems for the users accessing it . Hard to configure proxy settings for each client. Reason: This is because the apps have been designed under the assumption that there is an uninterrupted path out to the Internet, thus if the device is configured to use an explicit proxy, either the app does not use this global setting, or the app itself has no provision to be configured to use an explicit proxy.
  • 6. How we did it ?? • We have setup Transparent proxy server on pfSense(Open source Firewall) using squid package. • User authentication is done with captive portal. • Light squid is used for better(graphical) representation of user logs. • Squidguard is used to filter/block unwanted domains .
  • 7. Why Transparent Proxy ?? In an explicit proxy configuration, the client (browser) is explicitly configured to use a proxy server, meaning the browser knows that all requests will go through a proxy. When transparent proxy is enabled, the client (browser) does not know the traffic is being processed by a proxy. Transparent proxy deployments resolve the issues of the software applications running through proxy ,as it has an uninterrupted connection out to the internet, and therefore work as intended. But, the usual authentication procedure is not possible as users do not know that proxy is accessing their requests(traffic).
  • 8. User authentication is done with captive portal Screenshot of Captive portal page When username/password is Invalid
  • 9. Logout popup window to diconnect Authentication of users is mandatory for accessing internet over LAN as we need logs of each client accessing internet through proxy server. Captive portal is running through HTTPS protocol so username & password of all our clients are secured and cannot be accessed by any network analyser(sniffer) like Wireshark.
  • 10. Domain filtering/blocking Domain blocking is necessary as we do not want our users to access certain unwanted domains (torrent,facebook) . Proxy bypassing software will not be useful , as we are using transparent proxy. We have configured squidguard as proxy filter : Sample screenshot of Proxy filter
  • 11. Problem : HTTPS traffic can not be filtered by Squidguard Solution 1 : We use OpenDNS method for filtering all HTTPS traffic . Solution 2: We use squid3-dev package with SSL bump feature (i.e, installing self-generated certificates into client’s browser) . This method also creates logs of HTTPS traffic .
  • 12. HTTPS traffic logs by squid-3dev method
  • 13. User Logs Logs of users accessing the proxy can be seen in /squid/logs folder but as this format is not reader friendly . We installed Lightsquid package in the firewall for better User logs interface. Light squid report for all the users accessing the proxy server
  • 14. User logs for a specific user (IP address : 192.168.1.103) along with browsed data size
  • 15. Testing windows apps through proxy As windows apps are most affected with explicit proxy servers we tested our solution (transparent proxy) with windows metro application on Windows 8 platform. Screenshot of Windows 8 sports metro app
  • 16. As our main objective is successfully accomplished , we now try to stabilise server by : 1.WAN Load Balancing (Gateway and Load Balancing) and WAN Failover 2.High Availability We have also implemented Deep Packet Inspection (Layer7 filtering) for better performance and QoS(Quality of Service).
  • 17. WAN Load Balancing : The ability to distribute load between multiple WAN interfaces. We have used two wan interface to balance the load on the server thereby no Interface gets overloaded and ultimately gets highly congested. Screenshot of Multi WAN Load Balancing
  • 18. WAN Failover : The ability to use only one WAN interface, but fail over to another WAN if the preferred WAN fails. We have used two WAN interfaces(i.e two global IP addresses , so when IP is down all traffic on proxy server is shifted to other IP). WAN failover configuration S Screenshot when WAN2 is down Screenshot when WAN1 is down
  • 19. High Availability : Refers to a system that is continuously operational or never failing. We have installed pfSense on two independent servers and the internet access is available through a default(Master) server , but when this server is down the other(Backup) server acts as Master Server and provides internet access to LAN. Screenshot of MASTER server configuration on 192.168.1.3
  • 20. Screenshot of BACKUP Server Configuration on 192.168.1.2 When 192.168.1.3(MASTER) is down , Configuration of BACKUP (192.168.1.2) Server
  • 21. Deep Packet Inspection or application based filtering is also implemented to give higher priority to some applications like VoIP(Skype) or to block any type of p2p sharing applications. This feature is also used to limit the bandwidth for a specific user based on IP Address to disable any DDoS Attacks . DPI technology is the latest version of traffic packet inspection and is most secure and useful for blocking specific software applications (programs).
  • 22. Advantages • Proxy server is used to speedup the browsing and access of data in a network by caching. • Users cannot bypass transparent proxy server(eg. Tor,spotflux,proxifier) . • Logs of all the users accessing proxy server are made. • Domain filtering is done easily. • Load Balancing , WAN Failover and HA(High Availability) is implemented to develop a stable server. • DPI is implemented for application based filtering. • Can be deployed for an organisation with ease. Windows , Android , IOS apps run through proxy server without any hassle.
  • 23. Conclusion We have deployed squid as a transparent proxy to resolve the issue of apps being unable to use the proxy setting. And since, the authentication procedure (challenging the user for valid credentials before they can use the proxy) does not work for transparent proxy deployments; a captive portal has been used to validate a user. Thus, the proposed solution involves using a transparent proxy in conjunction with a captive portal to get the apps to work seamlessly. All screenshots provided have been deployed on local machine.