4.1.2 Block Services
As with the previous option, Block Services only enables (unlocked) or disables (locked) the normal operation of the listed applications (Figure 4.2).
4.2 Proxy
The proxy service provides web access to network users and is commonly used to achieve better network management. It caches the files of accessed sites, which gives better bandwidth management and allows parameters to be customized, such as who is allowed to access the web, at what time, and which kinds of pages may be visited.
The software that implements the IPBrick proxy service is squid, which listens on port 3128.
The section is subdivided into three parts, namely:
• Configuration;
• Statistics;
• Kaspersky Proxy.
Figure 4.1: Firewall - Available Services
4.2.1 Configuration
Presentation
The main proxy configuration (Figure 4.3) determines how the users' Internet browsers operate. It is therefore advisable to be clear about each proxy type before choosing one:
1. Standard Proxy: Using the proxy to access the Internet is not mandatory. The proxy is only used by those who configure their browser to use the IPBrick proxy on port 3128. Users without any additional browser configuration continue to access the Internet without any problems. Web accesses are registered by IP address for statistical purposes.
2. Transparent Proxy: Every Internet access goes through the proxy. The firewall has to be activated. Users may configure their browsers to use the indicated proxy, but they may also continue to access the Internet without any proxy configuration in their browsers, because the firewall routes the traffic to the proxy. Web accesses are registered by IP address for statistical purposes.
3. Proxy with authentication: Internet access is only possible through this proxy. To have web access, users have to configure their browser with this proxy. Once the browsers are configured, a valid authentication is requested whenever users open the browser to access the Internet. User authentication is done with logins and passwords. The firewall has to be activated. All web accesses are registered per user for statistical purposes.
Figure 4.2: Firewall - Block Services
Configurations
Link to the proxy rules settings. This interface (Figure 4.4) has the following options:
• Source groups list: Defines an origin group with access to the proxy. After the group is created, its members can be set by: Machine group, Machine, IP Subnets, IP Machines and IP ranges. By default IPBrick has a LAN group with its own defined IP Subnet;
• Destination groups list: Defines destination groups (web servers). You can set Domains, Extensions or Words in the URL for each created destination group. By default the created group is named INVALID;
• Blacklists: Displays the set of blacklists that were configured at Other configurations;
• List of time spaces: Sets specific periods based on hours and week days;
• Access Lists: Sets access permissions from the created origin and destination groups, as well as the defined blacklists and periods. For instance, you can set that all destinations can be accessed by the LAN group, with the exception of the INVALID destination group and the porn blacklist, in an undefined period (always).
Figure 4.3: Proxy - Configuration
Source groups list
To modify the LAN group, just click on its name. You can insert a new origin group by clicking on the Insert link. Settings:
• Machine groups: You can associate to this group an existing machine group;
• Machines: Lists the machines that are registered in IPBrick and provides direct association to the origin group;
• IP subnets: Provides subnets association, defining the network IP and its mask;
• IP machines: Provides machine association to the group by IP;
• IP ranges: You can set IP ranges with proxy access.
By default the proxy has a source group called LAN in which only the IP Subnet is used (Figure 4.6).
Figure 4.4: Proxy - Rules 1/2
If you choose the proxy with authentication mode, it is possible to filter web accesses not only by machine IP but also by LDAP group. Figure 4.7 shows an example of a source group represented only by an LDAP group.
Destination groups
Destination groups (Figure 4.8) are named groups of web servers to which access is controlled. These destinations are configured by the following definitions:
• Domains: You may configure access by FQDN (Fully Qualified Domain Name), by domain or by TLD (Top Level Domain), adding one record per line. Some possible denial examples:
FQDN example:
www.sapo.pt
www.marca.es
Domain example:
sapo.pt
marca.es
TLD example:
pt
es
Figure 4.5: Proxy - Rules 2/2
• Extensions: In order to prevent certain files from being downloaded through web pages, you need to deny access to their file extensions. The following example shows that the download of three file extensions won't be possible.
Example of extensions denial:
mp3
mov
mpg
• Words in URL: In this field you can deny access to pages whose URL contains certain words after the domain (after the slash). An example for two words:
Denial example for words in the URL:
video
jokes
The following sites would be denied:
http://www.mtv.com/music/video/
http://en.wikipedia.org/wiki/Video
http://kids.yahoo.com/jokes
Figure 4.6: Proxy - Source groups
Figure 4.7: Proxy - Source groups - LDAP filter
Figure 4.8: Proxy - Destination groups
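The destination-group filters described above (FQDN, domain, TLD, extension and words in the URL), checked against the page's own example entries and URLs, as an added example that is not IPBrick's or squid's own code. It assumes case-insensitive comparison, that a domain entry also covers its subdomains, and that a word is searched anywhere in the path; the class and field names are mine.

```python
from dataclasses import dataclass, field
from typing import Optional, Set
from urllib.parse import urlsplit


@dataclass
class DestinationGroup:
    """A named destination group with the filter kinds described above."""
    name: str
    fqdns: Set[str] = field(default_factory=set)       # exact host names
    domains: Set[str] = field(default_factory=set)     # a host and all its subdomains
    tlds: Set[str] = field(default_factory=set)        # last DNS label of the host
    extensions: Set[str] = field(default_factory=set)  # extension of the requested file
    words: Set[str] = field(default_factory=set)       # words after the first slash

    def matches(self, url: str) -> Optional[str]:
        """Return the kind of entry the URL hit, or None (case-insensitive: assumption)."""
        parts = urlsplit(url.lower())
        host = parts.hostname or ""
        path = parts.path
        if host in self.fqdns:
            return "fqdn"
        if any(host == d or host.endswith("." + d) for d in self.domains):
            return "domain"
        if host.rsplit(".", 1)[-1] in self.tlds:
            return "tld"
        filename = path.rsplit("/", 1)[-1]
        if "." in filename and filename.rsplit(".", 1)[-1] in self.extensions:
            return "extension"
        # Words are searched in the path only, never in the host name.
        if any(word in path for word in self.words):
            return "word"
        return None


# Constructed group using the page's own example entries.
INVALID = DestinationGroup(
    name="INVALID",
    fqdns={"www.sapo.pt", "www.marca.es"},
    domains={"sapo.pt", "marca.es"},
    tlds={"pt", "es"},
    extensions={"mp3", "mov", "mpg"},
    words={"video", "jokes"},
)
```

The first matching kind is reported, so a URL on www.sapo.pt is reported as an FQDN hit even though it also matches the domain and TLD entries.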
List of time spaces
This option lets you specify periods to be used afterwards in Access Lists. These periods can be defined by weekday or by hour.
Access Lists
IPBrick already has a pre-configured access list specifying the following: attempts to access sites from the LAN origin which aim at sites included neither in the destination group INVALID nor in the porn blacklist, in an undefined period (24 hours), are accepted. Because there are no more lines created, all the remaining accesses will be blocked (Figure 4.9).
Access lists have the following structure:
• Source: Identifies the origin group targeted by the rule;
• Destination: Identifies the destination groups targeted by the rule;
– Available Groups: For the created destination groups you can make the following rules: Access to included sites ONLY IN destination group x; Access to sites NOT IN destination group x; Access to sites ALLOW IN destination group x;
– Blacklists: Lets you select which blacklists are activated. Example: if the porn list is selected, every site not on that list can be accessed.
• Period: The (previously inserted) time period during which the rule is active;
• Policy: This is not configurable; the value is always to deny everything that is not set in the access lists.
Access lists should be ordered from generic to specific rules. The generic rules should be placed at the top and the more specific rules at the bottom (as in the firewall case). If there are several access lists, you can order them by clicking on Order by.
Figure 4.9: Proxy - Access Lists
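An evaluator for the access-list structure just described (source, destination rule, blacklists, period, and the fixed deny policy), seeded with IPBrick's pre-configured LAN line, as an added example that is not IPBrick's or squid's own code. It assumes that a line accepts a request only when all of its parts match, that the first accepting line wins and that nothing else is allowed; destination groups and blacklists are reduced to sets of domain entries, the mode names, the subnets, the "office" period and the blacklist entry are constructed, and the ALLOW IN mode is not modelled.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Destination groups and blacklists reduced to sets of domain entries (constructed
# sample data); an entry covers the host and all its subdomains.
DEST_GROUPS = {"INVALID": {"sapo.pt", "marca.es"}}
BLACKLISTS = {"porn": {"adult.example"}}
PERIODS = {"always": (range(7), range(24)),         # (weekdays, hours); Monday is 0
           "office": (range(0, 5), range(8, 18))}   # Mon-Fri 08:00-17:59

def in_list(host: str, entries: set) -> bool:
    host = host.lower()
    return any(host == e or host.endswith("." + e) for e in entries)

@dataclass
class AccessRule:
    source: object        # origin group reduced to one IP subnet (ip_network)
    mode: str             # "NOT_IN" or "ONLY_IN" the destination group
    group: str            # destination group name
    blacklists: list      # blacklists that also exclude a site
    period: str           # name of the time space

    def grants(self, client: str, host: str, when: datetime) -> bool:
        # Assumed semantics: a line accepts a request only when every part matches.
        if ip_address(client) not in self.source:
            return False
        days, hours = PERIODS[self.period]
        if when.weekday() not in days or when.hour not in hours:
            return False
        if any(in_list(host, BLACKLISTS[b]) for b in self.blacklists):
            return False
        in_group = in_list(host, DEST_GROUPS[self.group])
        return in_group if self.mode == "ONLY_IN" else not in_group

def decide(rules: list, client: str, host: str, when_iso: str) -> str:
    """First line that grants access wins; the Policy denies everything else."""
    when = datetime.fromisoformat(when_iso)
    for rule in rules:
        if rule.grants(client, host, when):
            return "allow"
    return "deny"

# IPBrick's pre-configured line: LAN (subnet is a constructed value) may reach
# anything NOT IN INVALID nor in the porn blacklist, at any time.
DEFAULT_RULES = [AccessRule(ip_network("192.168.1.0/24"), "NOT_IN", "INVALID",
                            ["porn"], "always")]
EXAMPLE_RULES = DEFAULT_RULES + [  # guest subnet reaches INVALID sites only in office hours
    AccessRule(ip_network("192.168.2.0/24"), "ONLY_IN", "INVALID", [], "office")]
```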
Remote Proxy
In this option you can indicate a list of remote proxy servers. These servers should provide web access because they usually have a huge cache, increasing the speed of web access (Figure 4.10).
• List of remote proxy servers: You can use several web proxies and then order that list;
• Don't use remote proxy for the following sites: If you don't want to use the remote proxy for certain sites, you must indicate them here.
Figure 4.10: Proxy - Remote Proxy
Other configurations
Blacklists
In this context, blacklists are lists of sites, organized into several categories, that are considered inappropriate. The following options are available here (Figure 4.11):
• Url for update: Address from which the file with the list of sites to block is downloaded; by default this is the squidGuard URL. The file is automatically uncompressed on the system. To update the list immediately, click Update;
• Current file MD5SUM: MD5 hash of the file, if it has been calculated. It lets you check the file's integrity;
• Available categories: List of the categories present in the compilation (usually considered unsuited to LAN use):
– ads: List of advertisement sites;
– aggressive: List of violent content sites;
– audio-video: List of music and video content sites;
– drugs: List of drug related content sites;
– gambling: List of gambling sites;
– hacking: List of hacking sites;
– mail: List of sites that provide free webmail services;
– phishing: List of sites about phishing;
– porn: List of sites with pornographic content;
– proxy: List of sites that provide anonymous proxy service;
– warez: List of sites with pirate software content.
Content access management
Sets the number of simultaneous filtering processes; the appropriate value depends on the machine's performance and the current CPU load. The default is five processes.
Proxy cache options
• Cache enabled: Activates the proxy cache service. If the cache is activated, every page accessed by the origin groups is stored on the server. Example: if the page www.google.com is in the cache, the browser only accesses IPBrick instead of the Google web server, giving better bandwidth management.
• Cache size: Maximum cache size. If the limit is reached, the oldest cache files are removed.
• Cache location: The default is the /var partition. If you choose a big cache size, it is a good option to choose the /home1 or /home2 partition.
All these settings can be viewed in Figure 4.11.
4.2.2 Statistics
Advanced Web Statistics 6.4 is the software that generates several statistics important to the network administrator, such as detailed cache statistics and access statistics (Figure 4.12).
There are different statistics types:
• Global statistics: Global network statistics;
• Statistics by machine: You have to select the machine you want from a list of LAN machines. The purpose is to give individual statistics for each machine;
• User statistics: If the proxy is configured with authentication, a list of users is displayed here. Select a user from this list to see their individual statistics.
Figure 4.11: Proxy - Other configurations