
Junior Member
Join Date: Nov 2009
Posts: 15
#1 - 11-01-2009, 05:17 PM
Bypass network security packet filters using web proxy

I've noticed that the web proxy can be used to bypass network security packet filters. Consider a gateway with three interfaces, one for the WAN, one for the LAN, and one for GUESTS. If GUESTS are normally not permitted to access web servers on the LAN, but are permitted to access the web proxy (to limit web access), then the GUESTS can make requests through the web proxy to access the LAN.

As a simple measure to prevent this, I've tried using URL Filtering to block hosts on the LAN by URL. But this won't cut it as anyone can register a domain name that does not match my URL filters and resolves to a host on my LAN. I've also tried to add network security packet filter rules that block the Astaro LAN IP from accessing any hosts on the LAN - but it seems that the web proxy is exempt from these rules.

What I'd really like is a way to limit the web proxy by destination IP address or IP range. I know how to do this with Squid (acl to_localnet dst <ip range>; http_access deny to_localnet), but is there a way to do this with Astaro?
BrucekConvergent's Avatar
Master of Reality
Join Date: Oct 2005
Location: SC, USA
Posts: 4,862
#2 - 11-01-2009, 11:32 PM

AFAIK, there isn't a way to do this currently; but I do think this functionality should be added.
__________________
Convergent Information Security Solutions, LLC
Sophos Platinum Solution Partner
BAlfson's Avatar
Grandis Professorem Astaro
Join Date: Mar 2007
Location: Oklahoma City
Posts: 20,645
#3 - 11-02-2009, 11:09 AM

  1. If GUESTS are not allowed to access the internal network, then your Astaro DNS Proxy and packet filter rules should be configured in such a way that GUESTS cannot resolve names in LAN.
  2. For those inside LAN, if running in transparent mode, accesses inside LAN won't transit the Astaro. If running in a mode that requires pointing browsers at the proxy, be sure to select the browser option to bypass the proxy for local accesses.
  3. In 'Web Security >> HTTP/S', on the 'URL Filtering' tab, block internal addresses. For example, if LAN is 10.11.12.0/24, put //10.11.12.
Does that do what you want?

Cheers - Bob
__________________
ACE V7 - Astaro Preferred Partner since V3
SCA/UTM - Sophos Gold Solution Partner
www.MediaSoftUSA.com
Addicted to my iPhone!
RFCat_vk's Avatar
Wizard
Join Date: Aug 2005
Location: Victoria, Australia
Posts: 5,578
#4 - 11-02-2009, 12:10 PM

Hi Bob,
let me see if I have understood you correctly.
1/. The guests would only pick up an external DNS from the ASG DHCP server?
I am not sure how you would use a packet filter rule to enforce this.

2 and 3 I understand.

Regards

Ian M
__________________
ASG Home User licence - v9.3** - VM guest on esxi 5.5 host, Astaro AP50 and AP10 (courtesy of Astaro).
ASG Home user licence - v9.3** - Intel DBS1200KPR (e3 1265l v2) AP30 (courtesy of Astaro) 8gb, SSD (100/10 2 user 5-6 devices)
SUM4 Home User licence - v4.*** on esxi 5.5 host
Work essentials licence - v9.3xx - intel D with 2gb.
Junior Member
Join Date: Nov 2009
Posts: 15
#5 - 11-02-2009, 12:51 PM

I don't think I understand #1 either. What is stopping someone from registering myinternalnetwork.dyndns.org and having it point to 10.11.12.100? Won't this resolve with the DNS server and also bypass the filters set up in #3?
BAlfson's Avatar
Grandis Professorem Astaro
Join Date: Mar 2007
Location: Oklahoma City
Posts: 20,645
#6 - 11-02-2009, 04:31 PM

Good trick, esev, that might indeed work. I think you could obviate that by creating a separate HTTP Profile in Transparent mode for GUESTS and putting LAN into the transparent mode skiplist (don't check 'Allow HTTP traffic for listed hosts/nets'). GUESTS should not be in 'Allowed networks' of the default Profile.

Ian, 'GUESTS -> DNS > Internet : Allow' and otherwise don't put GUESTS into 'Allowed networks' in the DNS proxy. It isn't clear to me at the moment that we would have blocked the proxy from resolving internal addresses if there are static entries in the Astaro DNS instead of in the internal nameserver.

Cheers - Bob

Last edited by BAlfson; 11-02-2009 at 04:35 PM.
Junior Member
Join Date: Nov 2009
Posts: 15
#7 - 11-02-2009, 05:01 PM

Bob,

That's a good plan! I'll try that. It should take care of most issues. I think, however, that even if the hosts are in the transparent skip list, a user in the GUESTS network segment could configure their browser to use the proxy on port 8080 (i.e. use it non-transparently) and then still get past the packet filter rules.

I still find it a little strange that the proxy is exempt from the packet filter rules. I'm guessing it is that way for ease of use. It seems like a reasonable default. But it would be nice if, when an admin specifically configures the packet filter to deny the web proxy access to a subnet, such a rule actually worked.
Junior Member
Join Date: Nov 2009
Posts: 15
#8 - 11-02-2009, 08:46 PM

As I suspected, even in transparent mode, a user can configure their browser to use the proxy non-transparently and get around the packet filters. I think this is a bug; you shouldn't be able to subvert the packet filter rules by using the proxy. I've submitted a feature request to add a filter by IP address in the web proxy.

For now, I've just gone in via the console and added the rules to iptables manually. I'm wondering what would break if I switched the ordering of the rules on the iptables OUTPUT filter to place the auto-generated rules (that permit the proxy) after the user generated rules. That way any user-generated deny/drop rules would take precedence over the automatic rules. I'll wait a bit to see what happens with the feature request.
RFCat_vk's Avatar
Wizard
Join Date: Aug 2005
Location: Victoria, Australia
Posts: 5,578
#9 - 11-02-2009, 10:04 PM

Hi esev,
I am not sure that your example of the dyndns registration would work, because the 10.x.x.x network is internal and there is no way of relating the internal address to the external address. That would drive a DNS insane trying to work out which 10.x.x.x it was really meant to point at.

Bob, your packet filter rule, while limiting the GUESTS to external DNS, does not stop them resolving any externally advertised servers on the local LAN and being able to come into the ASG from the external interface. I can access my ASG on its external interface from inside by using its dyndns entry.

Ian M
Junior Member
Join Date: Nov 2009
Posts: 15
#10 - 11-02-2009, 10:34 PM

Quote (originally posted by RFCat_vk):
    Hi esev,
    I am not sure that your example of the dyndns registration would work, because the 10.x.x.x network is internal and there is no way of relating the internal address to the external address. That would drive a DNS insane trying to work out which 10.x.x.x it was really meant to point at.

It'll work. To test, I registered the example above. myinternalnetwork.dyndns.org now really does resolve to 10.11.12.100.
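The thread's two filtering approaches side by side, as an added example that is not from the original posts or from Astaro: Bob's URL-prefix block from #3 matches only the hostname text, while the destination-IP check esev describes in #1 (Squid's "acl to_localnet dst") resolves the name first and so catches the dyndns-to-10.11.12.100 trick from #5 and #10. The hostname table and the LAN range are constructed for the example; a real proxy would consult DNS.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed stand-in for DNS so the example runs offline (assumption, not real records).
# The last entry is the case esev registered: an external name pointing into the LAN.
FAKE_DNS: Dict[str, str] = {
    "www.example.com": "93.184.216.34",
    "intranet.lan": "10.11.12.50",
    "myinternalnetwork.dyndns.org": "10.11.12.100",
}

# LAN range from Bob's post #3 (constructed example network).
LAN_NETS: List[ipaddress.IPv4Network] = [ipaddress.ip_network("10.11.12.0/24")]


def url_filter_blocks(url_host: str, blocked_prefixes: Iterable[str]) -> bool:
    """URL filtering as in post #3: only the textual host part of the URL is examined."""
    return any(url_host.startswith(prefix) for prefix in blocked_prefixes)


def resolve(host: str) -> Optional[str]:
    """Return the address the proxy would connect to, or None if the name is unknown."""
    try:
        ipaddress.ip_address(host)
        return host  # already an IP literal, no lookup needed
    except ValueError:
        return FAKE_DNS.get(host)


def dst_filter_blocks(host: str, lan_nets: List[ipaddress.IPv4Network] = LAN_NETS) -> bool:
    """Destination-IP filtering: resolve first, then compare the address with the LAN ranges.

    This is what Squid's 'acl to_localnet dst <range>; http_access deny to_localnet'
    enforces, and what esev asked for in the Astaro proxy.
    """
    addr = resolve(host)
    if addr is None:
        return True  # fail closed: an unresolvable destination is denied, not passed through
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in lan_nets)


def decide(host: str, blocked_prefixes: Iterable[str] = ("10.11.12.",)) -> Tuple[bool, bool]:
    """Evaluate one proxied request under both policies: (blocked_by_url, blocked_by_dst)."""
    return url_filter_blocks(host, blocked_prefixes), dst_filter_blocks(host)


if __name__ == "__main__":
    for h in ("www.example.com", "10.11.12.100", "myinternalnetwork.dyndns.org"):
        by_url, by_dst = decide(h)
        print(f"{h:32} url_filter={'deny' if by_url else 'allow':5} dst_filter={'deny' if by_dst else 'allow'}")
```

Run stand-alone, the third line shows the gap: the dyndns name passes the URL filter but is denied by the destination-IP check.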