Build and Deploy Secure Squid Proxy Server with Dansguardian for Network Protection by krabah

									Global Open Versity, ICT Security Labs        Step-By-Step Install Guide Squid Proxy Server with DG on Linux v1.1




                         Global Open Versity
     IT Security & Network Defense Hands-on Labs Training Manual

    Build & Deploy Secure Squid Proxy Server with DansGuardian
                      for Network Protection
                                         Kefa Rabah
                            Global Open Versity, Vancouver Canada
                                    krabah@globalopenversity.org
                                     www.globalopenversity.org


Table of Contents

BUILD & DEPLOY SECURE SQUID PROXY SERVER WITH DANSGUARDIAN FOR NETWORK PROTECTION

Introduction

Part 1: Install CentOS 5 Server
  Step 1: Install Required Packages
  Step 2: Webmin installation and configuration

Part 3: Squid installation and configuration
  Step 1: Install Squid Proxy Server
  Step 2: Implement Access Control Lists (ACLs)
    Step 2.1: Restricting Web Access By Time
    Step 2.2: Restricting Web Access to Specific Websites
  Step 3: Squid Proxy Server Mac Address based filtering
  Step 4: How to test if your squid proxy is working correctly?
    Step 4.1: Running Squid in a Logging mode
    Step 4.2: Squid cache proxy by running Squid in debug-mode
  Step 5: Manually Configuring Web Browsers to Use Your Squid Server
    1. Setting Proxy Server on IE
    2. Setting Proxy Server on Mozilla Firefox
  Step 6: Integrating Squid Server with Firewall
  Step 7: Test Squid with Port Redirection to port 3128

Part 4: Installing and configuring DansGuardian with antivirus plug-in
  Step 1: Update Repositories - IMPORTANT!!!
    1. RPMForge for CentOS5
    2. EPEL repository configuration
  Step 2: Install DansGuardian Web Filter
  Step 3: Configure DansGuardian (DG) Web Content Filter
  Step 4: Configuring the DG Web Filter
  Step 5: Test Proxy Server
  Step 6: Redirect traffic
    Option 1: Using Shorewall Firewall
    Option 2: Using Iptables
  Step 7: Setup Client Machine
  Step 8: Web Traffic Monitoring

Part 5: Adding BlackList

Part 6: Lockdown Squid Proxy Server against Malware
  Step 1: Installing and configuring anti-virus software ClamAV

Part 7: Lock it Down with MailScanner Antivirus solution
  Step 1: Install & Setup MailScanner on CentOS5/RHE5

Part 8: Need More Training on Linux:
  Secure Firewall Administration Training
  Linux Administration Training

Part 9: Hands-on Lab Assignments

© April 2007, Kefa Rabah, Global Open Versity, Vancouver Canada

www.globalopenversity.org                          EBT107 – Secure Firewall System Administration Training



A GOV Open Access Technical Academic Publications
Enhancing education & empowering people worldwide through eLearning in the 21st Century


                         Global Open Versity
     IT Security & Network Defense Hands-on Labs Training Manual

       Build & Deploy Secure Squid Proxy Server with Dansguardian
                         for Network Protection
By Kefa Rabah, krabah@globalopenversity.org                         July 29, 2010             GTS Institute



Introduction
People quickly and easily access volumes of research on the Internet and correspond with a mouse click.
For more and more companies, content filtering is part of the larger battle against all kinds of online
threats, including hackers, worms, viruses and a plethora of malware, not to mention ever-increasing
phishing activities by cybercriminals. Today schools and colleges are reeling from bandwidth hogging by
students who spend most of their time streaming multimedia. In comes the Squid proxy server.

Squid is a proxy server and web cache daemon. It has a wide variety of uses, from speeding up a web
server by caching frequently requested web pages; to caching web, DNS and other computer network
lookups for a group of people sharing network resources; to aiding security by filtering traffic. Squid has
extensive access controls and makes a great server accelerator. It also reduces bandwidth usage. Although
primarily used for HTTP and FTP, Squid includes support for several other protocols including TLS, SSL,
Internet Gopher and HTTPS. In 2010, work got under way to include IPv6 and ICAP support. The Squid web
site claims that, when working in front of a server application, it can improve performance by up to four
times. Squid is especially efficient when there is (probably unexpected) high traffic to one or several
particular pages, since in this case nearly 100% caching can be achieved. It runs on most available
operating systems, including Windows, and is licensed under the GNU GPL.


Today, Linux content filtering allows administrators to configure and manage Internet access across the
entire network and to block unwanted Web content like pornography, shopping Web sites, games and
gambling, or searching for jobs on company time at a workplace. Combining it with anti-virus software
makes it even more powerful and helps to protect our own system against common threats. This hands-on
training manual contains all the necessary information for installing and understanding the architectural
layout of the implementation of Squid proxy server, DansGuardian Web filter and ClamAV on Linux
CentOS-5. It is assumed that students/trainees understand how to install an OS and other programs and
have a basic understanding of Linux CentOS5/RHEL5 and firewall know-how. This includes installing Linux
CentOS/RHEL5 and RPM packages, editing files, making directories, compiling software and understanding
general UNIX commands. In this training session, I’ll explain how to install and configure Squid,
DansGuardian and ClamAV.

CentOS is a community-supported, free and open source operating system based on Red Hat Enterprise
Linux. It exists to provide a free enterprise-class computing platform and strives to maintain 100% binary
compatibility with its upstream distribution. CentOS stands for "Community ENTerprise Operating
System". CentOS is the perfect server for people who need enterprise-class operating system stability
without the cost of certification and support and the pocket-burning baggage that comes with proprietary
software. And the beauty is that CentOS is free.
Solution:
In this lab session, you’ll learn how to set up a virtual network on VMware (you may also use any other
virtual machines like MS VirtualPC, Linux Xen, or VirtualBox from Sun). Next you will learn how to install
and configure Linux CentOS5 (VM1) with two NIC adapters. On the Linux VM1, I’ll show you how to install
& configure a DHCP server and Shorewall firewall. You’ll also learn how to install & configure a
second Linux CentOS5 (VM2) machine to use for testing your firewalled network connectivity to the public
network (Internet). Finally you’ll have an opportunity to do the hands-on labs home assignment to
test what you have learned in this lesson. Once you’re done with this lab session you should have gained
the experience and capability to plan, design, implement and deploy a simple but secure
Home/SMB office network infrastructure.

Assumptions:
It’s assumed that you have a good understanding of the Linux operating system and its working environment.
It’s also assumed that you know how to install and configure Linux CentOS5; if not, go ahead and pop over
to scribd.com and check out a good training manual entitled “Install Guide Linux CentOS5 Server v1.1” to
get you started.

It’s also assumed that you have a good understanding of working with a Linux-based firewall, e.g.,
Shorewall, and its configuration to lock down the network. It’s also assumed that you know how to install
and configure Shorewall on Linux CentOS5; if not, go ahead and pop over to scribd.com and check out a good
training manual entitled “Build & Deploy Secure Shorewall Firewall Protected Network v1.1” to get you
started.



Part 1: Install CentOS 5 Server

Step 1: Install Required Packages
It is now time to specify which programs you wish to install on your system. There are thousands of
packages available for Mandrake Linux, and to make them simpler to manage, the packages have been
placed into groups of similar applications. We just need a basic system. For that reason you should select
the following groups:

    •   Console Tools
    •   Development
    •   Gnome server (or KDE)

Additionally you need the following packages:

    •   Squid
    •   Webmin
    •   Shorewall (or use iptables) firewall
    •   Perl




To update your software, open a Terminal window and issue the command "yum update". The system will
connect to the nearest FTP server and fetch security updates, bug fixes and normal updates.




Step 2: Webmin installation and configuration
It is time to get Webmin running. Webmin is a web-based interface for system administration for UNIX.
Using any browser that supports tables and forms (and Java for the File Manager module), you can set up
user accounts, Apache, DNS, MySQL, file sharing and so on.

Webmin consists of a simple web server, and a number of CGI programs which directly update system
files like "/etc/inetd.conf" and "/etc/passwd". The web server and all CGI programs are written
in Perl version 5, and use no non-standard Perl modules. Please get more information about Webmin
here.

Honestly, we do not really need Webmin to get everything running, but it is an excellent tool for a LINUX
system administrator, and it will help us to configure Squid, DansGuardian and, of course, the Shorewall
firewall.

1. After the installation please check if Webmin is already running:

    /etc/init.d/webmin status

2. If not, please start it like this:

    /etc/init.d/webmin start

3. You can now use the Webmin interface with your favorite browser via the following URLs:
   https://localhost:10000 or http://yourdomain:10000 or https://IP-address:10000

4. We’re done with this section.
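
Steps 1 to 3 above can be scripted. The following is an added example, not part of the original manual: it
starts Webmin only if the status check fails, then reads the listening sockets to tell whether port 10000
is bound to loopback only (just the localhost URL works) or to a network address (the IP-address URL works
from other hosts). The function names, the constructed netstat samples and the non-zero exit status of
"status" when Webmin is stopped are assumptions.

```shell
#!/bin/bash
# Added example, not from the manual. Steps 1-3 above as one script.
WEBMIN_INIT=/etc/init.d/webmin   # init script used in steps 1 and 2
WEBMIN_PORT=10000                # port from the URLs in step 3

# Print every local address with a TCP listener on WEBMIN_PORT.
# Reads `netstat -tln` output on stdin (4th column is "address:port").
webmin_listeners() {
    awk -v port="$WEBMIN_PORT" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, part, ":")
            if (part[n] == port)
                print substr($4, 1, length($4) - length(part[n]) - 1)
        }'
}

# Report which step-3 URLs can work:
#   down    - nothing listens on the port
#   local   - loopback only, so only https://localhost:10000 works
#   network - also reachable as https://IP-address:10000 from other hosts
webmin_exposure() {
    wl_addrs=$(webmin_listeners)
    if [ -z "$wl_addrs" ]; then echo down; return 0; fi
    for wl_a in $wl_addrs; do
        case "$wl_a" in
            127.*|::1) ;;                    # loopback listener
            *) echo network; return 0 ;;     # wildcard or NIC address
        esac
    done
    echo local
}

# Steps 1 and 2: start Webmin only when the status check fails.
# Assumption: "status" exits non-zero when Webmin is stopped.
ensure_webmin() {
    "$WEBMIN_INIT" status >/dev/null 2>&1 || "$WEBMIN_INIT" start
    netstat -tln | webmin_exposure
}

# Constructed netstat samples so the parser can be tried offline.
SAMPLE_NETWORK='Proto Recv-Q Send-Q Local Address   Foreign Address   State
tcp        0      0 0.0.0.0:10000   0.0.0.0:*         LISTEN
tcp        0      0 :::22           :::*              LISTEN'
SAMPLE_LOCAL='tcp        0      0 127.0.0.1:10000 0.0.0.0:*         LISTEN'
SAMPLE_DOWN='tcp        0      0 0.0.0.0:1000    0.0.0.0:*         LISTEN'

# Run against the live host only when asked: ./webmin-check.sh --apply
if [ "${1:-}" = "--apply" ]; then ensure_webmin; fi
```

A result of "network" means the Webmin login page is reachable from other machines, so the firewall rules
set up later in this manual should limit who can connect to port 10000.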



Part 3: Squid installation and configuration


Step 1: Install Squid Proxy Server
Squid is a high-performance proxy caching server for web clients, supporting FTP, gopher, and HTTP
data objects. The software is designed to operate on any modern UNIX system. The current stable
version is 2.6.

5. To install Squid using the yum command, do the following:

    yum install squid -y