IRONPORT PROXY SERVERS - cesnet
IRONPORT PROXY SERVERS
Ivan Ivanovic, RCUB/BUCC
Campus network monitoring workshop, Brno, April 2012
connect • communicate • collaborate
Geant3 – NA3T4
- BPD's: NA3T4 – Creation of BPD documents
- Members: UNINETT, CESNET, CSC/FUNET, AMRES
- Topics (number of documents): Physical infrastructure (9), Campus Networking (10), Wireless (7), Network Monitoring (7), Real Time Communication (5), Security (4)
Belgrade Campus – Why cache servers?
- Until recently we used five Squid proxy servers
- Cache servers (legacy – slow links – hit rate ~30%)
- Free software
- Kobson service (access allowed only through proxy servers)
- AMRES AUP policy demands usage of proxy servers
Problems
- Decentralized management
- One person manages all of them
- Slow response to user requests
- Not many security features
Acquisition of IronPort proxy servers
- "Connecting schools" project: connecting more than 2000 schools to the Internet
- Safe Internet for kids – government reaction!
- 6 IronPort S670 Web Security appliances
- 2 IronPort C370 Email Security appliances
- 1 IronPort M160 Management appliance
- Additional equipment (servers, UPS, racks, ...)
- First firewall devices in RCUB/AMRES
Benefits
- Increased security and control
- Web reputation filtering
- Malware filtering (Webroot)
- URL filtering
- Traffic control
- Protocol and user agent filtering
- Application filtering
- Object filtering (MIME types)
- Many more...
- Cloud service for our end users!
IronPort Cloud service – How does it work?!
- Centralized management through web access
- End users can log in to the management appliance and configure their access policies
- LDAP is used for authentication and authorization
Access policies (admin view)
- Policies are matched by IP address
[Screenshot of the access policy table]
Web Security - Policies
- Custom configuration: configured by end users
- Global configuration: configured by RCUB
Web Security - Global Policy: Protocol and user agents
- Allowed: FTP over HTTP, HTTP, HTTPS, Native FTP
- Allowed HTTP CONNECT method ports: 20, 21, 443, 2083, 4443, 563, 2096, 8443, 8080
- Custom user agents: everything allowed (web browsers)
Web Security - Global Policy: URL filtering
- URL categories denied: Child Porn, Filter Avoidance, Gambling, Hate Speech, Illegal Drugs, Porn
- The other 59 categories are allowed
- Custom URL category filtering: "Eksplicitno pusteni sajtovi" (explicitly allowed sites), CabFiles (Windows Update cabinet files)
- Every category can be managed differently: Block, Monitor, Redirect, Warn, Allow, Time-based
Web Security - Global Policy: Application Visibility and Control
- Default action for application types is Monitor
Web Security - Global Policy: Object settings
- Allow everything
- Web page content: Flash, JavaScript, all images
- Miscellaneous: calendar data
Web Security - Global Policy: Reputation and Anti-Malware settings
- Anti-Malware settings – Webroot (denied): Dialer, Hijacker, Phishing URL, Trojan Downloader, Trojan Horse, Trojan Phisher, Worm, Other Malware
- WBRS
User configuration
- Manually: proxy.rcub.bg.ac.rs:8080 (DNS round-robin resolving)
- Auto-detect proxy settings: using a wpad.dat file, http://wpad.ac.rs/wpad.dat
- Automatic proxy configuration URL: using a proxy.pac file (tested but not used)
- Force users: WCCP used for eduroam; PBR can also be used
Web Proxy Autodiscovery Protocol (WPAD)

```javascript
function FindProxyForURL(url, host) {
    // If URL has no dots in host name, send traffic direct.
    if (isPlainHostName(host))
        return "DIRECT";

    // If specific URL needs to bypass proxy, send traffic direct.
    // Note: shExpMatch() is applied to the whole URL string, so a pattern such
    // as "*10.*" also matches any URL that merely contains "10." in its path.
    if (shExpMatch(url, "*.rcub.bg.ac.rs*") ||
        shExpMatch(url, "*.amres.ac.rs*") ||
        shExpMatch(url, "*localhost*") ||
        shExpMatch(url, "*127.0.0.*") ||
        shExpMatch(url, "*10.*") ||
        shExpMatch(url, "*172.16.*") ||
        shExpMatch(url, "*192.168.*"))
        return "DIRECT";

    // If IP address is internal or hostname resolves to internal IP, send direct.
    var resolved_ip = dnsResolve(host);
    if (isInNet(resolved_ip, "147.91.0.0", "255.255.0.0") ||
        isInNet(resolved_ip, "160.99.0.0", "255.255.0.0") ||
        isInNet(resolved_ip, "91.187.128.0", "255.255.224.0") ||
        isInNet(resolved_ip, "10.0.0.0", "255.0.0.0") ||
        isInNet(resolved_ip, "172.16.0.0", "255.240.0.0") ||
        isInNet(resolved_ip, "192.168.0.0", "255.255.0.0") ||
        isInNet(resolved_ip, "127.0.0.0", "255.255.255.0"))
        return "DIRECT";

    // All other traffic uses the proxies below, in fail-over order.
    return "PROXY proxy.amres.ac.rs:8080; PROXY 147.91.1.41:8080; PROXY 147.91.1.42:8080; PROXY 147.91.1.43:8080; DIRECT";
}
```

[Diagram: WPAD autoconfiguration via wpad.ac.rs, wpad.rcub.bg.ac.rs and wpad.bg.ac.rs]
IronPort Monitoring
- System monitoring (NetIIS)
- Proxy functionality (Nagios http_check plugin)
  – Minimum two web sites
  – Watching the response time
- CPU and memory
- IronPort custom monitoring and alerting system
- Alert – email notification
IronPort Log Analysis
- Squid-based log format (by default); the log format can be customized
- The IronPort proxy keeps logs from the last 10 days locally by default; customization is required
- How to analyze log files:
  – The IronPort management device has centralized reporting (Splunk engine) – requires an additional license
  – All IronPort proxy devices have their own (not centralized) reporting system
  – Sawmill for IronPort

Sample log line:
1335097134.337 32 147.91.36.35 TCP_REFRESH_HIT/200 695 GET http://www.smedia.rs/img/btnminus.gif - DIRECT/www.smedia.rs image/gif DEFAULT_CASE_11-AMRES_all_to_Internet-AMRES_all-NONE-NONE-NONE-DefaultGroup -)
IronPort Log Analysis – Log Collection
- Five IronPort devices push log files to Sawmill
- A custom Linux script merges the five files into one
- Sorting by timestamp
- Sawmill processes the sorted file
- The file is compressed and sent to storage via iSCSI
- Users can log in and see the Sawmill reports
IronPort Log Analysis – Log file size
[Chart: gigabytes per hour, starting 4.10.12 19:00; Raw (391.3 GB), Zip (46.2 GB)]
IronPort system problems
IronPort flaws
- Lack of a scheduling mechanism (crontab-like backup)
  – Administrator must manually start the SCP backup mechanism
- Hardware problems
  – Disk replacement
  – Management device replacement
- Software (AsyncOS) problems
  – WBRS uses the proxy IP address (different score for the same site)
  – CAB files caused high CPU load
  – Wrong site classification
Sawmill flaws
- Slow performance
- Sawmill becomes unavailable during log file processing (xh:05 – xh:30)
Popularization of the service is needed
uTorrent problem
- Mozilla Firefox plugin
- Requests sent to 127.0.0.1 go to the proxy server
- Increases log file size (30%)
- Introduces load on proxy CPU and memory
- Users hidden behind NAT
[Chart: top client IP addresses (masked): 147.91.x6.35, 147.91.xx9.1, 147.91.x2.52, 147.91.xx5.223, 160.99.x5.171, 147.91.x6.2, 91.187.xx6.2, 91.187.xx4.125, 147.91.x11.182, OTHERS]
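The following is an added example, not code from the presentation or from RCUB/AMRES. It ties together three things the deck describes: parsing the Squid-style access-log lines the appliances write by default (field layout inferred from the single sample line on the log analysis slide), merging the per-device files into one stream sorted by timestamp (the step the custom Linux script performs before Sawmill), and measuring how much of the log is made up of requests to 127.0.0.1, which is how the uTorrent/Firefox-plugin traffic shows up at the proxy. All log lines are constructed samples except the first, which is the slide's own line normalised to one record per line; the BLOCK_WEBCAT decision tag in the denied sample is assumed, not taken from the deck.

```python
"""
Added example (not part of the original presentation): parse IronPort
Squid-format access-log lines, merge the per-device files in timestamp
order, and report the share of loopback-destined requests.
"""
import heapq
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Tuple
from urllib.parse import urlsplit


@dataclass
class AccessRecord:
    """One Squid-format access-log line (field positions follow the slide)."""
    timestamp: float      # epoch seconds with milliseconds
    elapsed_ms: int       # request duration
    client_ip: str
    result_code: str      # e.g. TCP_REFRESH_HIT, TCP_MISS, TCP_DENIED
    status: int           # HTTP status code
    size: int             # bytes sent to the client
    method: str
    url: str
    peer: str             # hierarchy/peer, e.g. DIRECT/www.smedia.rs
    content_type: str
    decision: str         # IronPort ACL decision tag (policy trace)

    @property
    def host(self) -> str:
        return urlsplit(self.url).hostname or ""


def parse_line(line: str) -> AccessRecord:
    """Split one access-log line on whitespace and type its fields."""
    f = line.split()
    if len(f) < 11:
        raise ValueError(f"short access-log line: {line!r}")
    result_code, status = f[3].split("/", 1)
    return AccessRecord(
        timestamp=float(f[0]), elapsed_ms=int(f[1]), client_ip=f[2],
        result_code=result_code, status=int(status), size=int(f[4]),
        method=f[5], url=f[6], peer=f[8], content_type=f[9], decision=f[10],
    )


def merge_by_timestamp(sources: Iterable[Iterable[str]]) -> List[AccessRecord]:
    """Sort each device's lines on their own, then k-way merge the sorted
    streams with heapq.merge so the result is globally time-ordered."""
    per_device = [
        sorted((parse_line(l) for l in src if l.strip()), key=lambda r: r.timestamp)
        for src in sources
    ]
    return list(heapq.merge(*per_device, key=lambda r: r.timestamp))


def is_loopback_request(rec: AccessRecord) -> bool:
    """True when the request URL targets 127.0.0.0/8 or ::1, i.e. traffic
    that should never have been sent through a proxy."""
    try:
        return ipaddress.ip_address(rec.host).is_loopback
    except ValueError:       # host is a name, not an IP literal
        return False


def loopback_share(records: List[AccessRecord]) -> Tuple[float, float]:
    """Fraction of log lines, and of bytes, caused by loopback requests."""
    if not records:
        return 0.0, 0.0
    loop = [r for r in records if is_loopback_request(r)]
    total_bytes = sum(r.size for r in records) or 1
    return len(loop) / len(records), sum(r.size for r in loop) / total_bytes


def loopback_clients(records: List[AccessRecord]) -> Counter:
    """Client IPs generating loopback requests, most frequent first."""
    return Counter(r.client_ip for r in records if is_loopback_request(r))


# Constructed per-device log files. The first line of DEVICE_A is the line
# quoted on the slide; every other line is made up for this example.
TAG = "DEFAULT_CASE_11-AMRES_all_to_Internet-AMRES_all-NONE-NONE-NONE-DefaultGroup"
DEVICE_A = [
    f"1335097134.337 32 147.91.36.35 TCP_REFRESH_HIT/200 695 GET http://www.smedia.rs/img/btnminus.gif - DIRECT/www.smedia.rs image/gif {TAG} -",
    f"1335097136.102 5 147.91.36.35 TCP_MISS/200 1420 GET http://127.0.0.1:8080/gui/ - DIRECT/127.0.0.1 text/html {TAG} -",
    # assumed decision tag for a category block (constructed)
    "1335097137.500 1 147.91.36.35 TCP_DENIED/403 0 GET http://casino.example/ - NONE/- text/html BLOCK_WEBCAT_11-AMRES_all_to_Internet-AMRES_all-NONE-NONE-NONE-DefaultGroup -",
]
DEVICE_B = [
    f"1335097135.010 210 147.91.40.12 TCP_MISS/200 53120 GET http://www.example.org/index.html - DIRECT/www.example.org text/html {TAG} -",
    f"1335097133.900 12 147.91.40.12 TCP_MISS/503 1055 GET http://127.0.0.1:8080/gui/ - DIRECT/127.0.0.1 text/html {TAG} -",
]


if __name__ == "__main__":
    merged = merge_by_timestamp([DEVICE_A, DEVICE_B])
    line_share, byte_share = loopback_share(merged)
    print(f"{len(merged)} records; loopback: {line_share:.0%} of lines, {byte_share:.1%} of bytes")
    for ip, n in loopback_clients(merged).most_common():
        print(f"  {ip}: {n} loopback request(s)")
```

Sorting each file before the merge is what lets heapq.merge stream the five inputs without holding them all in memory at once; the per-client counter is the list one would use to find the users whose browsers still carry the plugin, which is useful because the slide notes many of them sit behind NAT and one address may stand for several people.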
Thank you!