Secure Proxy on Cloud

Download PDF
5 downloads 94470 Views 77KB Size Report
Comment
balancing, caching, compression, application firewall, single sign on or server obfuscation. Secure Proxy on Cloud can be described as Security as a Service ...
JUNE 2016

1

Secure Proxy on Cloud ¨ ur Ural, Efe Erdur Ozg¨ Cyber Security Department Middle East Technical University Ankara, Turkey Email: ozgur.ural, [email protected]

Abstract—Since the internet has emerged, lots of malicious content have taken its place on the internet. For many years, different types of technologies have been developed and used to protect endpoints from these malicious contents such as firewalls, IPS devices etc. These on-premise solutions work well in terms of security. However, the cost of these products is expensive, installing/configuring is troublesome and even maintaining of these systems are hard and expensive. To overcome this problem, we came up with the idea of creating the secure boxes on the cloud. In this document, implementation details of secure proxy on cloud project are explained. Everything that can be developed about the project is explained and implemented issues are stated. Short term development plans and long term development plans are shared. This paper also surveys related literature researches. Keywords—Proxy, cloud computing, content filter, web traffic, proxy cache, web security.

I. I NTRODUCTION A proxy server is a software system that acts as an intermediary between an endpoint device and another server from which a user or client is requesting a service. It has two types; forward (simply known just as a ”proxy”) and reverse proxy. Forward proxy is used to retrieve data from another web site on behalf of the original requester. It is mostly used for content filtering, email security, NATing, caching etc. Reverse proxy, on the other hand, typically sits behind the firewall in a private network and directs client requests to the appropriate backend server. It is mostly used for load balancing, caching, compression, application firewall, single sign on or server obfuscation. Secure Proxy on Cloud can be described as Security as a Service product. It is an example of forward proxy that works on cloud and offers IP privacy over internet, accessing content of blocked sites by the government, block specific sites and increased traffic rate with the help of its caching mechanism. It interrupts the web traffic, analyses it and forwards the related traffic to destination according to user customized configuration. This document is created to describe these features in detail. Also short term and long term development plans are shared in the document. II. L ITERATURE R ESEARCH URL filtering systems are used to prevent internet users from browsing malicious or undesirable websites. A good URL lookup method is is essential for these systems. A URL lookup engine is proposed in a paper published on 2010 IEEE

International Conference for URL filtering systems. It is a combination of a URL compression algorithm and a multiple string matching based matching algorithm. The proposed URL lookup engine can achieve excellent memory utilization and good URL lookup performance to store the URL blacklist with the ability of prefix matching [1]. Caching schemes are used to access and circulate Web objects. Web caching helps to increase system’s fault tolerance and reduce the overall bandwidth. In a paper, published on World Wide Web in 2001, an overview of preserving a history record for cached Web objects is presented. In their cache content replacement method, the web objects reference number in a certain time period is the most important parameter. The method is experimented and simulated in a real workload of Web cache. [2]. Cloud computing brings lots of new challenges for access control and data security when users share data cloud servers. In order to confidentiality, current methods usually use cryptographic methods.In a paper published in International Journal of Computer Trends and Technology in 2011, mentions enforcing and defining access policies based on data attributes and allowing the data owner to delegate most of the computation and they proposed a scheme which is highly efficient and provably secure under existing security models [3]. III. D EVELOPMENT I SSUES A. Security of the Product First thing to consider about security of the product is the security of virtual machine itself. We have used digitalocean as the cloud infrastructure provider for our product. Since digitalocean manages the network properties of the VM, nothing implemented manually for network issue. However, since we have created a virtual machine and implemented some services on it, it is a must to provide both the security of the VM and application, as well. 1) Operating System Security: As the operating system, we have used Ubuntu 14.04.4 LTS. We have used stateful firewall -iptables on Linux- to drop unexpected packets and only allow to our external IP addresses. For this purpose, we have used default drop methodology. To drop all packets; root# iptables -A INPUT -j DROP root# iptables -A OUTPUT -j DROP

JUNE 2016

2

After that, we needed to allow the incoming packets coming from our IPs. For this purpose we inserted the following rules.

described in ”Section 5”. And ”Section 6” describes the long term plans which are less important or hardest to implement.

root# iptables -A INPUT -p tcp -s 213.14.87.114 –sport 1024:65535 -d 146.185.176.173 –dport 8888 -m state –state NEW,ESTABLISHED -j ACCEPT

IV. I MPLEMENTED F EATURES A. HTTP/HTTPS Proxy All http and https data are forwarded to the cloud proxy by setting the proxy settings of the browser with our products IP and port. These data is logged and forwarded to real destination if it does not match with any blocking rule.

root# iptables -A OUTPUT -p tcp -s 146.185.176.173 –sport 8888 -d 0/0 –dport 1024:65535 -m state state ESTABLISHED -j ACCEPT •

First rule is inserted for allowing incoming tcp requests to operating system. It only allows the packets with source IP of 213.14.87.114, source port of anything between 1024:65535(since HTTP request are sent by nonspecial ports) and destination port with 8888(listening port of our service). • Second rule works also with same logic for the first rule, but allows the outgoing packets from the virtual machine. Actually, these rules are enough for proxy to run without error; however, we have also inserted the following rules to allow ssh connections to the VM to manage it remotely. root# iptables -A INPUT -p tcp –dport 22 -j ACCEPT root# iptables -A OUTPUT -p tcp –sport 22 -j ACCEPT 2) Application Security: To ensure the security of the application, we have used squids security interface. All of the required parameters are written in the squid.conf file. We have used default drop policy in squid, as well, specified a domain for our IP addresses and allowed only that IPs. To achieve that, we have added following parameters to squid configuration file.

B. Content Filtering We have integrated diladele web security tool with squid proxy for content filtering. Diladele is a commercial tool and we have used trial version for this project. It is described as ICAP web filtering server in its official web site[4] and most important reason that we have chosen this tool is its support to integrate with squid server. However, the name of the tool in not important in this case, since we have tried to implement a proof of concept for filtering same content in the proxy server considering its URL or website category. We have added the following settings to configuration file of squid to enable ICAP(Internet Content Adaptation Protocol) and content filtering, and to integrate diladele with squid server. icap enable on icap preview enable on icap preview size 4096 icap persistent connections on

acl comodo src 213.14.87.114/32

icap send client ip on

http access allow localhost manager

icap send client username on

http access allow localhost

icap client username header X-Client-Username

http access allow comodo

icap service failure limit -1

http access deny all http port 0.0.0.0:8888 B. Features The main purpose of the project was to interrupt the web traffic and implement some operations on that traffic in terms of security. As a result, many operations or functionalities can be implemented. We determined the most basic functionalities and implemented them for this project. These functionalities are described in detail in ”Section 4”. We also specified the other important, but less important subjects comparing to the basic ones and listed them in the short term plans which are

icap service qlproxy1 reqmod precache icap://127.0.0.1:1344/reqmod

bypass=0

icap service qlproxy2 respmod precache icap://127.0.0.1:1344/respmod

bypass=0

acl qlproxy icap edomains dstdomain ”/opt/qlproxy/etc/squid/icap exclusions domains.conf” acl qlproxy icap etypes rep mime type ”/opt/qlproxy/etc/squid/icap exclusions contenttypes.conf” adaptation access qlproxy1 deny qlproxy icap edomains

JUNE 2016

3

adaptation access qlproxy2 deny qlproxy icap edomains adaptation access qlproxy2 deny qlproxy icap etypes adaptation access qlproxy1 allow all adaptation access qlproxy2 allow all

C. Cache Caching mechanism is implemented in the secure proxy solution on cloud. When there exist a memory hit on our cloud server, it gives it from its own memory[5] With this feature, the cloud proxy server; Blocks unnecessary requests Decreases data usage Increases net speed The following parameters in the squid configuration file are related the caching mechanism of the proxy server. maximum object size 1 GB cache dir ufs /var/spool/squid3 30720 16 256 cache mem 256 MB maximum object size in memory 2048 KB

D. Access Logs The access logs of the product are kept in a single text file named access.log which is presented by squid. The full path of this log file is /var/log/squid3/access.log V.

S HORT T IME D EVELOPMENT P LANS

A. Multi-customer environment The product behaves all different IPs as a single customer for now. In the short term plans, it is planned to create a customer infrastructure. This infrastructure is used to match each IP with related customer. The current features of the product will be improved to work with this multi-customer infrastructure.

C. DNS proxy integration In the current state of the product, although we are forwarding all of the HTTP/HTTPs traffic over the proxy, other protocols are not forwarded and local networks are used for these protocols. Passing all protocols over proxy is needless for now, however, if we manage DNS protocol to pass through the proxy, it would be good feature in terms of IP privacy. For DNS proxy, we are planning the offer the following features; • We are planning to create a DNS server on our client • If the customer wants to use DNS proxy as well, he needs to change DNS forward setting as enabled in the browser • This feature could be used to allow the customers to access the sites which is blocked by DNS records in their countries VI.

L ONG T ERM D EVELOPMENT P LANS

A. Secure (encrypted) connection between endpoint and proxy server We are planning to implement IPSec integration to our product. Client and proxy server will create an VPN connection and all the data between client and server will go through in this tunnel, in a secure(encrypted) manner. Although this is very important feature for the security of the product; since it is a challenging problem and it will take some important time to implement, this feature is in our long term plans. B. Load balancing & High availability When we have multiple customers, we will have to create multiple servers and create a load balancer to distribute the request between this servers. Also, high availability is important to make the product available all the time. For this purpose, we are planning use; • rsync to synchronize the sessions • Linux-HA for high availability C. User management interface User management interface will be added to the solution. Since GUI is not related about the security, it is put in long term plans. In order to make the product user-friendly, it is needed to create a graphical user interface which provides user; • Initiate a customer • Set/change password • Enable/disable caching • Insert URL list to block • Create blacklists/whitelists etc.

B. Authentication Authenticity is very important for each customer to feel secure. Therefore the product will have authentication mechanism including the following specifications; • •

Each customer will create a password on sign up Each customer will have to use username & password to use our proxy

D. Backlog In order to improve the cloud solution afterwards, it could be worked on some other web security issues on the cloud, as IP blacklist check, mail security, malware checking for executable files and so on.

JUNE 2016

4

VII. C ONCLUSION To conclude, the purpose of Secure Proxy on Cloud project can be described as migrating traditional security implementations to cloud servers. As it is described, its easy and cheap installation and configuration processes, easy management process and its structure that allows all of the security features to be gathered under a single roof can be listed as its most important advantages that separate it from the traditional solutions. Considering these advantages, when the future plans implemented, it can be a very useful product for both the corporations and personal usage in terms of web security. R EFERENCES [1]

[2] [3]

[4] [5]

Zhou, Z., Song, T. and Jia, Y., 2010, May. A high-performance url lookup engine for url filtering systems. In Communications (ICC), 2010 IEEE International Conference on (pp. 1-5). IEEE. Vakali, Athena. ”Proxy cache replacement algorithms: A history-based approach.” World Wide Web 4.4 (2001): 277-297. Preiya, V. Sathya, R. Pavithra, and Dr Joshi. ”Secure role based data access control in cloud computing.” International Journal of Computer Trends and Technology (2011): 146-151. http://quintolabs.com/solution.php Caceres, Ramon, et al. ”Web proxy caching: The devil is in the details.” ACM SIGMETRICS Performance Evaluation Review 26.3 (1998): 1115.