IRONPORT PROXY SERVERS - cesnet


12.07.2015

IRONPORT PROXY SERVERS
Ivan Ivanovic, RCUB/BUCC
Campus network monitoring workshop
Brno, April 2012
connect • communicate • collaborate



Geant3 – NA3T4 BPDs
NA3T4 – Creation of BPD documents
Members: UNINET, CESNET, CSC/FUNET, AMRES
Topics: Physical infrastructure (9), Campus Networking (10), Wireless (7), Network Monitoring (7), Real Time Communication (5), Security (4)


Belgrade Campus – Why cache servers?
Until recently we have used five Squid proxy servers.
- Cache servers (legacy – slow links – hit rate ~30%)
- Free software
- Kobson service (access allowed only through proxy servers)
- AMRES AUP policy demands usage of proxy servers
Problems:
- Decentralized management
- One person manages everything
- Slow response to user requests
- Few security features


Acquisition of IronPort proxy servers
“Connecting school” project: connect more than 2000 schools to the internet; safe Internet for kids; government reaction!
- 6 IronPort S670 Web security appliances
- 2 IronPort C370 Email security appliances
- 1 IronPort M160 Management appliance
- Additional equipment (servers, UPS, rack…)
- First firewall devices in RCUB/AMRES


Benefits
Increased security and control:
- Web reputation filtering
- Malware filtering (Webroot)
- URL filtering
- Traffic control
- Protocol and user agent filtering
- Application filtering
- Object filtering (MIME types)
- Many more…
Cloud service for our end users!


IronPort Cloud service – How does it work?
Centralized management through web access.


IronPort Cloud service – How does it work?
End users can log in to the management appliance and configure their own access policies.


IronPort Cloud service – How does it work?
LDAP is used for authentication and authorization.


Access policies – Admin view
(Screenshot of the access policy table; only the column labels “Matches” and “IP address” are recoverable.)


Web Security - Policies
- Custom configuration: configured by end users
- Global configuration: configured by RCUB


Web Security - Global Policy: Protocol and user agents
- Allowed: FTP over HTTP, HTTP, HTTPS, Native FTP
- Allowed HTTP CONNECT method ports: 20, 21, 443, 2083, 4443, 563, 2096, 8443, 8080
- Custom user agents: everything allowed (web browsers)


Web Security - Global Policy: URL filtering
- URL categories denied: Child Porn, Filter Avoidance, Gambling, Hate Speech, Illegal Drugs, Porn
- The other 59 categories are allowed
- Custom URL category filtering: “Eksplicitno pusteni sajtovi” (Explicitly allowed sites); CabFiles (Windows update cabinet files)
- Every category can be managed differently: Block, Monitor, Redirect, Warn, Allow, Time-based


Web Security - Global Policy: Application Visibility and Control
- Default action for application types is Monitor


Web Security - Global Policy: Object settings
- Allow everything: Web page content, Flash, JavaScript, All images, Miscellaneous, Calendar data


Web Security - Global Policy: Reputation and Anti-Malware settings
- Anti-Malware settings – Webroot (denied): Dialer, Hijacker, Phishing URL, Trojan Downloader, Trojan Horse, Trojan Phisher, Worm, Other Malware
- WBRS (Web-Based Reputation Score)


User configuration
- Manually: proxy.rcub.bg.ac.rs:8080 (DNS round-robin resolving)
- Auto-detect proxy settings: using a wpad.dat file, http://wpad.ac.rs/wpad.dat
- Automatic proxy configuration URL: using a proxy.pac file – tested but not used
- Force users: WCCP used for eduroam; PBR can also be used


Web Proxy Autodiscovery Protocol (WPAD)

```javascript
function FindProxyForURL(url, host) {
    // If URL has no dots in host name, send traffic direct.
    if (isPlainHostName(host))
        return "DIRECT";

    // If specific URL needs to bypass proxy, send traffic direct.
    if (shExpMatch(url, "*.rcub.bg.ac.rs*") ||
        shExpMatch(url, "*.amres.ac.rs*") ||
        shExpMatch(url, "*localhost*") ||
        shExpMatch(url, "*127.0.0.*") ||
        shExpMatch(url, "*10.*") ||
        shExpMatch(url, "*172.16.*") ||
        shExpMatch(url, "*192.168.*"))
        return "DIRECT";

    // If IP address is internal or hostname resolves to internal IP, send direct.
    var resolved_ip = dnsResolve(host);
    if (isInNet(resolved_ip, "147.91.0.0", "255.255.0.0") ||
        isInNet(resolved_ip, "160.99.0.0", "255.255.0.0") ||
        isInNet(resolved_ip, "91.187.128.0", "255.255.224.0") ||
        isInNet(resolved_ip, "10.0.0.0", "255.0.0.0") ||
        isInNet(resolved_ip, "172.16.0.0", "255.240.0.0") ||
        isInNet(resolved_ip, "192.168.0.0", "255.255.0.0") ||
        isInNet(resolved_ip, "127.0.0.0", "255.255.255.0"))
        return "DIRECT";

    // All other traffic uses below proxies, in fail-over order.
    return "PROXY proxy.amres.ac.rs:8080; PROXY 147.91.1.41:8080; PROXY 147.91.1.42:8080; PROXY 147.91.1.43:8080; DIRECT";
}
```

(Diagram: autoconfiguration via wpad.ac.rs, wpad.rcub.bg.ac.rs and wpad.bg.ac.rs.)


IronPort Monitoring
- System monitoring (NetIIS)
- Proxy functionality (Nagios check_http plugin): at least two web sites checked; watching the response time
- CPU and memory
- IronPort custom monitoring and alerting system: alert by email notification


IronPort Log Analysis
- Squid-based log format (by default); the log format can be customized
- IronPort proxy keeps logs from the last 10 days locally by default; customization is required
- How to analyze log files:
  - The IronPort management device has centralized reporting (Splunk engine) – requires an additional license
  - All IronPort proxy devices have their own reporting system (not centralized)
  - Sawmill for IronPort
Example access log line:

```
1335097134.337 32 147.91.36.35 TCP_REFRESH_HIT/200 695 GET http://www.smedia.rs/img/btnminus.gif - DIRECT/www.smedia.rs image/gif DEFAULT_CASE_11-AMRES_all_to_Internet-AMRES_all-NONE-NONE-NONE-DefaultGroup -)
```






IronPort Log Analysis – Log collection
- Five IronPort devices push files to Sawmill
- A custom Linux script merges the five files into one
- Sorting by timestamp
- Sawmill processes the sorted file
- The file is compressed and sent to storage via iSCSI
- Users can log in and see the Sawmill reports


IronPort Log Analysis – Log file size
(Chart of log volume in gigabytes per hour, starting 4.10.12 19:00: Raw 391.3 GB, Zip 46.2 GB.)


IronPort system problems
IronPort flaws:
- Lack of a scheduling mechanism (crontab-like backup): the administrator must manually start the SCP backup mechanism
- Hardware problems: disk replacement; management device replacement
- Software (AsyncOS) problems: WBRS uses the proxy IP address (different score for the same site); CAB files caused high CPU load; wrong site classification
Sawmill flaws:
- Slow performance
- Sawmill becomes unavailable during log file processing (xh.05min – xh.30min)
Popularization of the service is needed


uTorrent problem
- Mozilla Firefox plugin
- Requests sent to 127.0.0.1 go to the proxy server
- Increasing log file size (30%)
- Introducing load on proxy CPU and memory
- Users hidden behind NAT
(Chart of the top client addresses generating these requests; addresses are partially masked in the original.)
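As an added example (not code from the presentation or from RCUB), the script below parses the Squid-style IronPort access-log line shown earlier, merges per-device logs into one timestamp-ordered stream as the Sawmill collection pipeline describes, and then counts requests per client whose destination host is loopback, which is the symptom of the uTorrent plugin problem. The device names, 10.x client addresses and all log lines except the one quoted on the slide are constructed.

```python
import heapq
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample logs: one list per IronPort device, each already in time order.
# Field order follows the Squid-style format shown on the slides:
# timestamp elapsed client result/status bytes method url user hierarchy mime acl-tag
DEVICE_LOGS = {
    "wsa1": [
        "1335097134.337 32 147.91.36.35 TCP_REFRESH_HIT/200 695 GET http://www.smedia.rs/img/btnminus.gif - DIRECT/www.smedia.rs image/gif DEFAULT_CASE_11-AMRES_all_to_Internet-AMRES_all-NONE-NONE-NONE-DefaultGroup -",
        "1335097140.010 4 10.0.0.7 TCP_MISS/503 0 GET http://127.0.0.1:10000/gui/ - NONE/- text/html DEFAULT_CASE_11-AMRES_all_to_Internet-AMRES_all-NONE-NONE-NONE-DefaultGroup -",
    ],
    "wsa2": [
        "1335097136.500 120 10.0.0.9 TCP_MISS/200 2048 GET http://www.rcub.bg.ac.rs/ - DIRECT/www.rcub.bg.ac.rs text/html DEFAULT_CASE_11-AMRES_all_to_Internet-AMRES_all-NONE-NONE-NONE-DefaultGroup -",
        "1335097141.250 3 10.0.0.7 TCP_MISS/503 0 GET http://localhost:10000/gui/ - NONE/- text/html DEFAULT_CASE_11-AMRES_all_to_Internet-AMRES_all-NONE-NONE-NONE-DefaultGroup -",
    ],
}

def parse_line(line):
    """Split one access-log line into a dict; the ACL tag records which policy group matched."""
    f = line.split()
    result, status = f[3].split("/")
    return {
        "ts": float(f[0]), "elapsed_ms": int(f[1]), "client": f[2],
        "result": result, "status": int(status), "bytes": int(f[4]),
        "method": f[5], "url": f[6], "user": f[7], "hierarchy": f[8],
        "mime": f[9], "acl": f[10] if len(f) > 10 else "",
    }

def merge_logs(device_logs):
    """k-way merge of per-device logs into one timestamp-ordered stream (the merge/sort step)."""
    streams = [(parse_line(l) for l in lines) for lines in device_logs.values()]
    return list(heapq.merge(*streams, key=lambda r: r["ts"]))

def loopback_requests(records):
    """Count requests per client whose destination host is loopback: such traffic should
    never reach a proxy, and on the slides it came from the uTorrent Firefox plugin."""
    hits = Counter()
    for r in records:
        if urlsplit(r["url"]).hostname in ("127.0.0.1", "localhost"):
            hits[r["client"]] += 1
    return hits

if __name__ == "__main__":
    merged = merge_logs(DEVICE_LOGS)
    print([r["ts"] for r in merged])
    print(loopback_requests(merged))
```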


Thank you!
