Hi, all.

I've been looking in vain for sample policy.py code for proxy stacking. Can someone please show me what this should look like for a general-HTTPS-browsing scenario, e.g., intranet users need to reach various ecommerce sites on the Internet? I've seen code for doing this with PlugProxy, but I'd much rather do it with PsslProxy and HttpProxy (i.e., with some intelligence ;-).

(I hope I'm not assuming too much in thinking this isn't an X.509 nightmare...)

Thanks,

Mick

P.S. I've made an incredible amount of progress this morning thanks to this List. You guys rock!

/-------------------------------------------------\
| Michael D. (Mick) Bauer                         |
| Hired Goon Specializing in Information Security |
| Security Editor, Linux Journal                  |
| Dir. of Value-Subtracted Svcs., Wiremonkeys.org |
\-------------------------------------------------/
On Thu, 2004-01-08 at 17:12, Michael D. (Mick) Bauer wrote:
Hi, all.
I've been looking in vain for sample policy.py code for proxy stacking. Can someone please show me what this should look like for a general-HTTPS-browsing scenario, e.g., intranet users need to reach various ecommerce sites on the Internet? I've seen code for doing this with PlugProxy, but I'd much rather do it with PsslProxy and HttpProxy (i.e., with some intelligence ;-).
(I hope I'm not assuming too much in thinking this isn't an X.509 nightmare...)
At first I create an HttpProxy, with a file matcher to enable and disable URLs, like denying sex, but allowing dosexpert:

    class MyHttpProxy(HttpProxyURIFilter):
        matcher = RegexpFileMatcher("/etc/zorp/blacklist-http",
                                    "/etc/zorp/blacklist-http.ignore")

"sex" is in /etc/zorp/blacklist-http, "dosexpert" is in /etc/zorp/blacklist-http.ignore.

Then I create an HTTPS proxy, derived from the Pssl proxy:

    class MyHttpsProxy(PsslProxy):
        def config(self):
            PsslProxy.config(self)
            # both sides need SSL
            self.server_need_ssl = TRUE
            self.client_need_ssl = TRUE
            # client secret key and cert generated by openssl
            self.client_cert = '/etc/zorp/myhttps.crt'
            self.client_key = '/etc/zorp/myhttps.key'
            # do not check clients' certificates (no mutual auth)
            self.client_verify_type = SSL_VERIFY_NONE
            # strict check of HTTPS server certs
            self.server_verify_type = SSL_VERIFY_REQUIRED_TRUSTED
            # put the allowed CAs' certs into this directory, so
            # only the good servers will be allowed; for instance,
            # if you only put the VeriSign CA cert here, only those
            # servers will be allowed which own VeriSign certs
            # WARNING: never allow self-signed certs ;-))))
            # you can get CA certs from the apache-ssl deb package
            self.server_ca_directory = '/etc/zorp/ca.d/'
            # you want to shut down each direction (Read and Write)
            # separately
            self.shutdown_soft = TRUE
            # now I stack the Http proxy with the previous
            # URI filtering into the SSL proxy, so sex.com
            # cannot be visited via HTTP nor via HTTPS...
            self.stack_proxy = MyHttpProxy

That is all.
P.S. I've made an incredible amount of progress this morning thanks to this List. You guys rock!
Very welcome!

--
HÖLTZL Péter BalaBit IT Kft | Tel: +36 1 371-0540    | GnuPG Fingerprint:
holtzl.peter@balabit.hu     | Mobil: +36 20 366-9667 | 796B C9D3 E492 B006 C8B2
http://www.balabit.hu/      | Fax: +36 1 208-0875    | 4D1F 5320 28E3 9A1B 3FC6
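To make the blacklist/ignore behaviour of the file matcher in Peter's policy concrete, here is an added example (not Zorp's code, and not from the thread) that reimplements the semantics he describes in plain Python: a URI is rejected when a pattern from the blacklist file matches it and no pattern from the ignore file does. The two file contents are constructed inline to stand in for /etc/zorp/blacklist-http and /etc/zorp/blacklist-http.ignore; the behaviour of Zorp's real RegexpFileMatcher is assumed to follow the same rule.

```python
import re

# Constructed stand-ins for the two files Peter names in his policy; a
# real policy.py hands the file paths to Zorp's RegexpFileMatcher.
BLACKLIST_HTTP = """\
# /etc/zorp/blacklist-http (constructed sample): one regexp per line
sex
casino
"""
BLACKLIST_HTTP_IGNORE = """\
# /etc/zorp/blacklist-http.ignore (constructed sample)
dosexpert
"""

def load_patterns(text):
    """Compile one case-insensitive regexp per non-empty, non-comment line."""
    patterns = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            patterns.append(re.compile(line, re.IGNORECASE))
    return patterns

class UriBlacklist:
    """Simplified reimplementation (assumed semantics) of blacklist + ignore:
    a URI is denied when a blacklist regexp matches and no ignore regexp does."""

    def __init__(self, blacklist_text, ignore_text):
        self.deny = load_patterns(blacklist_text)
        self.ignore = load_patterns(ignore_text)

    def is_denied(self, uri):
        if not any(p.search(uri) for p in self.deny):
            return False
        # An ignore hit carves the exception out of the blacklist.
        return not any(p.search(uri) for p in self.ignore)

FILTER = UriBlacklist(BLACKLIST_HTTP, BLACKLIST_HTTP_IGNORE)

def filter_uri(uri):
    """Verdict the stacked HttpProxy would give. Because the HTTP proxy is
    stacked inside the SSL proxy it sees https:// requests decrypted, so the
    same list applies to both schemes."""
    return "reject" if FILTER.is_denied(uri) else "accept"
```

Note that an ignore pattern matching anywhere in the URI lifts the block (a blacklisted host with "dosexpert" in its path is accepted), so ignore entries should be as specific as possible.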
Peter Hoeltzl wrote:
At first I create an HttpProxy, with a file matcher to enable and disable URLs, like denying sex, but allowing dosexpert: [snip]
Thanks for the fast & detailed reply! If I skip the file matcher (at this point I'm not worried about content filtering), am I right in thinking that plain old HttpProxy still leverages significant intelligence against my connections? What sort of attacks does it defend against? (Cross-site scripting? Really-long URL (GET) requests?)

Regards,

Mick

/-------------------------------------------------\
| Michael D. (Mick) Bauer                         |
| Hired Goon Specializing in Information Security |
| Security Editor, Linux Journal                  |
| Dir. of Value-Subtracted Svcs., Wiremonkeys.org |
\-------------------------------------------------/
On Thu, 2004-01-08 at 18:08, Michael D. (Mick) Bauer wrote:
If I skip the file matcher (at this point I'm not worried about content filtering), am I right in thinking that plain old HttpProxy still leverages significant intelligence against my connections? What sort of attacks does it defend against? (Cross-site scripting? Really-long URL (GET) requests?)
Zorp strictly forces the correct usage of the given protocol, which means RFC-compliant usage of commands (requests and responses), correct order and attributes (lengths, character sets etc.). I think the developers can give us more details. So if an exploit, a worm or a valid utility ;-) keeps to the RFC, it will get through the proxy. Fortunately the majority of worms, attacks and other bad things do not comply with the protocol (like Code Red or Nimda). If something complies with the protocol, it is an nIDS, content vectoring or virus detection issue, not a protocol proxy's task!

Zorp's architecture has many layers, but the two main layers are the proxy itself, which is written in C (it is a "stupid" protocol parser), and the Python layer, which gives a very powerful tool to implement your policy, so an administrator can create the narrowest channel between the zones. If you look at the package, the Zorp modules (binaries) are in /usr/lib/zorp/ and the Python code is in /usr/share/zorp/pylib/Zorp/*.py. All .py files begin with a long documentation block, which describes how the given proxy works and what kind of attributes it has. These attributes' defaults have been set to the strictest possible state. It is strong enough to block many attacks.

In addition, all the proxies can parse the protocol, and it is transmitted to the Python layer. From the policy you can accept, reject or even change the given request or response. For example, in an Http proxy you can change the User-Agent to hide your internal architecture (MUAs, browsers, etc.):

    class MyHttpProxy(HttpProxy):
        def config(self):
            HttpProxy.config(self)
            self.request_header["User-Agent"] = (HTTP_HDR_CHANGE_VALUE, "Lynx 2.4.1")

There is always an AbstractProxy, which contains the basic settings of the proxy (many of the protocol commands are handled here - please see, but don't be afraid ;-), and there are many predefined proxy sets derived from the AbstractProxy, which are the most commonly used proxy sets. FTP is a good example:

    class FtpProxy(AbstractFtpProxy):
    class FtpProxyAnonRO(AbstractFtpProxy):
    class FtpProxyRO(AbstractFtpProxy):
    class FtpProxyAnonRW(AbstractFtpProxy):
    class FtpProxyRW(AbstractFtpProxy):
    class FtpProxyMinimal(FtpProxyRO):

If you want to change something, it is enough to derive your own proxy from the most suitable predefined one, and change what you need.

bye,
Péter

--
HÖLTZL Péter BalaBit IT Kft | Tel: +36 1 371-0540    | GnuPG Fingerprint:
holtzl.peter@balabit.hu     | Mobil: +36 20 366-9667 | 796B C9D3 E492 B006 C8B2
http://www.balabit.hu/      | Fax: +36 1 208-0875    | 4D1F 5320 28E3 9A1B 3FC6
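The header-rewriting idea above (a policy hash indexed by header name, where each entry says what the proxy does with that header) can be shown without Zorp installed. The following is an added example, not Zorp's implementation: the action constants borrow Zorp's HTTP_HDR_* names for readability but are defined here, the request header block is constructed, and the X-Internal-Host header is an invented example of something worth stripping.

```python
# Header actions named after Zorp's HTTP_HDR_* constants for readability;
# they are this example's own definitions, not imports from Zorp.
HTTP_HDR_ACCEPT, HTTP_HDR_DROP, HTTP_HDR_CHANGE_VALUE = range(3)

# Constructed request header block as an intranet browser might send it.
SAMPLE_REQUEST = (
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 5.1; corp-build-42)\r\n"
    "X-Internal-Host: ws017.corp.example\r\n"
    "Accept: text/html\r\n"
)

# Normative policy hash, indexed by header name: what to do with each header.
REQUEST_HEADER_POLICY = {
    "user-agent": (HTTP_HDR_CHANGE_VALUE, "Lynx 2.4.1"),  # hide the real browser
    "x-internal-host": (HTTP_HDR_DROP, None),            # constructed leak to strip
}

def parse_headers(raw):
    """Split a CRLF-separated header block into an ordered (name, value) list."""
    headers = []
    for line in raw.split("\r\n"):
        if line:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers

def apply_header_policy(headers, policy):
    """Apply the policy hash; headers without an entry are accepted unchanged."""
    result = []
    for name, value in headers:
        action, new_value = policy.get(name.lower(), (HTTP_HDR_ACCEPT, None))
        if action == HTTP_HDR_DROP:
            continue
        if action == HTTP_HDR_CHANGE_VALUE:
            value = new_value
        result.append((name, value))
    return result

def rewrite_request(raw=SAMPLE_REQUEST, policy=REQUEST_HEADER_POLICY):
    """Return the outgoing header list after the policy has been applied."""
    return apply_header_policy(parse_headers(raw), policy)

if __name__ == "__main__":
    for name, value in rewrite_request():
        print("%s: %s" % (name, value))
```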