What are the advantages and drawbacks of using DNS wildcard redirection?




How does DNS wildcard redirection work?

DNS wildcard redirection leverages the DHCP scope options available from the DHCP server to force noncompliant systems to use a specific DNS server. DNS wildcard redirection allows all local name resolution requests to succeed for computers on the same DNS domain. All foreign server addresses are translated into the IP address of the remediation portal. The effect is that all requests (including non-HTTP requests) to resources outside of the domain are redirected to the remediation portal web server. However, you should note that this may result in unanticipated side effects.

When an HTTP request is made from a client in the quarantine VLAN, the following occurs:

The end user opens a web browser and the browser attempts to access the configured home page. If the user's home page is set to the URL http://technet.microsoft.com/security/default.aspx, a DNS lookup is initiated from the client to the DNS server listed in the client's TCP/IP settings (this list of DNS servers is normally configured using DHCP for clients using dynamic addressing) for the host technet in the microsoft.com domain.

The DNS server notes that it is an authoritative root server, meaning that it will not ask another DNS server for an answer to a DNS query, and searches its forward lookup zones for a match to this query. The DNS server looks inside the .com zone and will not see a Microsoft domain, but it will see a DNS wildcard entry that matches the query (a CNAME alias for the portal's fully qualified name, which the stub zone for the local domain resolves to the portal's IP address):

    * CNAME <FQDN of the remediation portal>

The DNS wildcard entry returns the IP address of the portal server to the client, and the client sends an HTTP GET request to the portal:

    Connect to <IP address of portal server> on port 80... ok
    GET /security/default.aspx HTTP/1.1
    Host: technet.microsoft.com

Due to the redirection, the connection is made to the portal server on port 80, asking for the page at {{CONTEXT_ROOT}}/security/default.aspx with a hostname of technet.microsoft.com. The Tomcat web server on the portal server checks the path to determine whether the page exists (on a default standalone installation {{CONTEXT_ROOT}} is C:\Program Files\Common Files\McAfee\Tomcat\webapps, so the path checked would be C:\Program Files\Common Files\McAfee\Tomcat\webapps\security\default.aspx). Normally, if the page exists it would be returned to the client. However, for this page to be provided, the web server would have to be configured to handle all possible URLs, which is not possible. Since this page will not be found, the web server instead returns a 404 Not Found error page. To implement this remediation strategy, you would redirect all 404 errors to the remediation portal page at /Portal/default.htm.

At this point, the client's web request has been redirected to the remediation portal. Once at the portal, the user should be presented with hyperlinks pointing to repositories where remediation software (current DATs, MS hotfixes, etc.) exists. If the hyperlinks point to servers inside the current domain, then name resolution should work. If the hyperlinks reference hosts that the local domain's DNS zone cannot resolve, then the host portion of the URL must be replaced with an IP address.

What are the advantages and drawbacks of using DNS wildcard redirection?

Advantages

- DNS wildcard redirection is easier than transparent proxy interception to implement.

Drawbacks

- Quarantined systems do not have access to the Internet, which would include Windows Update and McAfee.com.

- A Windows server is required in the quarantine VLAN to act as a web server and DNS server.
- Update content is required and must be available inside the local domain, preferably on the remediation portal server.
- All non-local network traffic accessed via a domain name is re-routed, not just HTTP traffic.
- Changes and customizations are required to the remediation portal included with the McAfee Policy Enforcer software, including:
  - Changing all relative src and href references to absolute paths.
  - Replacing the 404 error page on the remediation portal web server with a descriptive web page that explains what end users must do to remediate, or replacing the 404 error page with a redirection to the remediation portal.
  - Entering all Uniform Resource Identifiers (URIs), including Universal Naming Convention (UNC) paths and Uniform Resource Locators (URLs), that point into the custom portal with static IP addresses in place of the server name. This makes sure that noncompliant systems can access the pages without getting improperly redirected to the remediation page.
  - Ensuring that any non-local resources can be reached.
  - Ensuring that any and all non-local domain name resolution returns the IP address of the remediation portal web server.
- This remediation strategy only works for systems that use DHCP to obtain their network configuration information. Systems that configure their DNS information manually cannot be remediated.

How does transparent proxy interception work?

Transparent proxy interception requires some significant configuration of a Linux operating system, including adding some basic routing functionality, a mechanism to rewrite URLs, and a proxy server (Squid). It also requires either a layer-four switch to intercept the HTTP requests, or Policy Based Routing (PBR) on a layer-three Cisco router.
The basic concept is to intercept HTTP requests coming from clients in the quarantine VLAN, forward these requests to the router portion of a Linux server, and use this router to rewrite the port number of the request in order to forward it to the Squid daemon running on the server. Squid then passes the URL to a Redirector process, which runs a filter employing Access Control Lists (ACLs) to determine whether the request should be allowed. If allowed, the URL is passed in the normal manner to Squid, which proxies the request to the web server. If the URL is not allowed, the URL itself is rewritten and passed back to Squid, which proxies the connection to the rewritten destination. Before implementing such a strategy, be aware of the advantages and disadvantages listed at the end of this section.

When an HTTP request is made from a client in the quarantine VLAN, the following occurs:

A user opens a web browser and the browser attempts to access the configured home page. If the user's home page is set to the URL http://technet.microsoft.com/security/default.aspx, a DNS lookup is initiated from the client to the DNS server listed in the client's TCP/IP settings for the host technet in the domain microsoft.com. The IP address is correctly resolved and a TCP/IP connection to the website is attempted.

The client sends a TCP SYN to port 80 that is intercepted by the network routing device. If the routing device is a layer-four switch, the request is forwarded to the Squid server (the switch rewrites the frame headers with the MAC address of the Squid server and forwards the frames out the port that the server is connected to). If the routing device is a layer-three Cisco router, the request is run through a route map configuration: if the request matches the ACL used to define the redirected traffic, it is forwarded to a next-hop IP address, namely the Squid server.

Once the packet has reached the Squid server, a packet filter is run on the request, and because the request is to an IP address that does not match the Squid server's IP address, the packet is forwarded to the Squid daemon for processing. This same packet filter may be used to rewrite the request from a request for port 80 to a request for port 3128 (the default Squid port) or any other port you have configured Squid to listen on. The Squid daemon accepts the incoming packet and sends an acknowledgement back to the client, spoofing the web server's IP address. Once the client and Squid server have completed the TCP handshake, the client sends an HTTP GET request for the user's home page:

    GET /security/default.aspx HTTP/1.1
    Host: technet.microsoft.com

The Squid process rebuilds the original URL from the Host header, http://technet.microsoft.com/security/default.aspx. This URL is passed to a Redirector package (such as Jsered or squidguard), which uses an ACL filter (basically a list of domains, URLs and/or regular expressions stored in a configuration file) to see whether this domain is allowed. If it is, the request is forwarded and the Squid server proxies the connection to the web server. If the filter does not match, the URL is rewritten to the URL of the portal server, and the Squid server then proxies the connection to the portal server.

What are the advantages and drawbacks of using transparent proxy interception?

Advantages

- Allows clients to access specific sites on the Internet (such as NAI.com and WindowsUpdate.Microsoft.Com) under the control of a proxy server while still redirecting hosts to the remediation portal.
- Allows remediation content to be fetched from the source; there is no need to pre-stage updates and content on the local LAN.
- URIs in the portal itself use normal name resolution and, when allowed on the proxy, are accessible in the normal manner.
- Administrators have the ability to allow or disallow other non-HTTP traffic access to the Internet.

Drawbacks

- Difficult configuration.
- Requires two server machines, one running Linux to act as the proxy and one running Windows to act as the portal.
- May require Linux expertise.
- Requires moderate networking abilities.
- If a Cisco router is used in place of a layer 4 switch, it will increase the CPU usage on the router, sometimes significantly.
- All websites not specifically allowed through the proxy server will be redirected to the portal. This is not a one-time captive portal in which only the initial web request is redirected to the portal.
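The Redirector step described above, as an added example that is not part of the original McAfee document and is not the squidguard or Jsered code it refers to: a small Python redirector that speaks the Squid 2.x redirector line protocol (one request per line on stdin, formatted "URL client_ip/fqdn ident method"; one reply line per request on stdout, empty to fetch the URL unchanged or a rewritten URL otherwise). It keeps a domain whitelist and a URL-prefix whitelist in the spirit of squidGuard's domainlist and urllist, and rewrites everything else to the portal URL. The whitelist contents, the portal URL and the client addresses used in testing are constructed for the example.

```python
"""Minimal Squid redirector implementing the whitelist-or-portal rule described above.

Added example, not code from the McAfee document, Squid, squidGuard or Jsered.
It stands in for the Redirector process: Squid sends one request per line on
stdin ("URL client_ip/fqdn ident method") and expects one reply line per
request on stdout, either empty (fetch the URL unchanged) or a rewritten URL.
Whitelist contents and the portal URL are constructed for the example.
"""
import sys
from urllib.parse import urlsplit

# Constructed whitelist, in the spirit of squidGuard's domainlist and urllist.
# A domain entry matches the domain itself and every host beneath it.
WHITELIST_DOMAINS = {"windowsupdate.microsoft.com", "nai.com"}
# A URL entry (scheme-less host+path) matches any URL it is a prefix of.
WHITELIST_URLS = {"download.microsoft.com/download/"}
# Where non-whitelisted requests are sent, as in the squidGuard acl on this page.
PORTAL_URL = "http://remediation01/portal/default.htm"
PORTAL_HOST = urlsplit(PORTAL_URL).hostname


def host_allowed(host, domains=WHITELIST_DOMAINS):
    """True if host equals a whitelisted domain or is a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def url_allowed(url, urls=WHITELIST_URLS):
    """True if the URL's host+path starts with a whitelisted URL prefix."""
    parts = urlsplit(url)
    hostpath = (parts.hostname or "").lower() + parts.path
    return any(hostpath.startswith(u) for u in urls)


def rewrite(url):
    """Return the URL Squid should actually fetch for a client's request."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "http":
        return url  # only intercepted HTTP reaches this setup; leave anything else alone
    host = parts.hostname or ""
    # The portal's own pages, stylesheets and images must never be rewritten, or
    # the browser would receive default.htm in place of every portal asset.
    if host.lower() == PORTAL_HOST:
        return url
    if url_allowed(url) or host_allowed(host):
        return url
    # Not matched by the ACL: send the client to the remediation portal instead.
    return PORTAL_URL


def handle_line(line):
    """Turn one redirector request line into the reply line (without newline)."""
    fields = line.split()
    if not fields:
        return ""
    url = fields[0]
    new_url = rewrite(url)
    return "" if new_url == url else new_url


def main():
    # Squid keeps the helper running for its lifetime and feeds it requests.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()  # reply immediately, or Squid waits on the helper


if __name__ == "__main__":
    main()
```

Squid 2.4 would start it through the redirect_program line of squid.conf (for example redirect_program /usr/local/bin/redirector.py, a constructed path); it replaces squidguard rather than running beside it. Exempting the portal's own hostname matters when portal requests also pass through the proxy: without it, the portal's stylesheet and images would be rewritten to default.htm, the same class of problem the absolute-path step in the setup procedure works around.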

Setting up a browser redirection

You can set up a browser redirection that sends end users of noncompliant, unmanaged systems to the remediation portal the next time they open a browser after being quarantined. We recommend using one of the following methods of browser redirection:

- Setting up DNS wildcard redirection.
- Setting up transparent proxy interception.

Setting up DNS wildcard redirection

This installation requires knowledge of how to properly set up a DNS domain, and the ability to properly configure a DNS server.

1 Install, patch, and configure a Windows 2003 Server.

2 Install and configure DNS on this server. DNS must be configured as follows:

  a Create a forward lookup zone with a single period (.) as the name of the zone (this implements a root server).

  b Create a second forward lookup zone as a stub zone, which points to the current DNS servers in the company.

  In the root zone (.), add the Top Level Domains (TLDs): right-click on the root zone, click Add Domain, and add the list shown in the diagram as separate domains. In each of these domains, a single DNS wildcard entry is required that points to the Portal/DNS server:

      Host name = *
      Type = Alias (CNAME)
      Data = <FQDN of the remediation portal>

  The fully-qualified domain name (FQDN) of the remediation portal is obtained by browsing into the local domain's (mpe.local) stub zone and selecting the Name Server (NS) record of the portal server. A single DNS wildcard entry in the root domain is not possible on a Windows 2003 DNS Server, so separate entries must be created for each TLD. The current list of TLDs can be acquired from IANA at http://www.iana.org/gtld/gtld.htm. In addition to the generic TLDs, the two-character country codes may be added, especially if the domain in question spans countries. The current list of country codes can be found at http://www.iana.org/cctld/cctld-whois.htm.

  Test the DNS configuration by adding this Portal/DNS server's IP address to the DNS server settings (TCP/IP properties of the network connection) of one of your computers, and run nslookup queries for hosts in your local domain (the IP addresses should correspond to the actual IP addresses of those hosts) and for hosts outside of your network, such as www.microsoft.com (this query should return the IP address of your Portal/DNS server):

      C:\>nslookup jan-dc01
      Server:  remediation01.xyz1.local
      Address:  194.12.96.243

      Non-authoritative answer:
      Name:    jan-dc01.xyz1.local
      Address:  194.12.96.2

      C:\>nslookup www.microsoft.com
      Server:  remediation01.xyz1.local
      Address:  194.12.96.243

      Name:    remediation01.xyz1.local
      Address:  194.12.96.243
      Aliases:  www.microsoft.com
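An offline model of the zone layout just described, added here as an example that is not part of the original document and does not talk to a real DNS server: a Python resolver that answers the way the Portal/DNS server is configured to, with a root zone for which it is authoritative and never recurses, one wildcard CNAME per TLD pointing at the portal FQDN, and a stub zone for the local domain answered from the company's DNS data. It reuses the names and addresses from the nslookup output above and adds a check_redirection() function that performs the same test as the nslookup step. The TLD list, the corporate zone contents and the single-label suffix completion are constructed assumptions. It also shows the failure the TLD note warns about: a name under a TLD that received no wildcard entry does not resolve at all.

```python
"""Offline model of the Portal/DNS server's zone layout for DNS wildcard redirection.

Added example, not code from the McAfee document and not a real DNS server. It
reproduces steps 2a and 2b above: a root zone "." for which the server is
authoritative (so it never asks another server), one "* CNAME <portal FQDN>"
entry per top-level domain beneath it, and a stub zone for the local domain
answered from the company's DNS data. Names and addresses come from the
nslookup output above; the TLD list and the corporate zone contents are
constructed, and single-label queries are completed with the local domain the
way a Windows client's DNS suffix search would.
"""

LOCAL_ZONE = "xyz1.local"
PORTAL_FQDN = "remediation01." + LOCAL_ZONE

# What the company's DNS servers (reached through the stub zone) answer. Constructed.
CORPORATE_ZONE = {
    "remediation01.xyz1.local": "194.12.96.243",
    "jan-dc01.xyz1.local": "194.12.96.2",
}

# TLDs under the root zone that received a wildcard CNAME entry (step 2b). Constructed;
# a real deployment adds every generic TLD and, if needed, the country codes.
WILDCARD_TLDS = {"com", "net", "org", "edu", "gov", "uk", "de"}


def normalize(name):
    return name.strip().lower().rstrip(".")


def resolve(qname):
    """Answer a query as the Portal/DNS server would.

    Returns a dict with the canonical name, its address and any alias that was
    followed, or None when the name does not resolve (NXDOMAIN).
    """
    name = normalize(qname)
    if "." not in name:
        name = name + "." + LOCAL_ZONE       # suffix completion, e.g. "nslookup jan-dc01"

    # 1. Stub zone: anything in the local domain is answered from corporate DNS.
    if name == LOCAL_ZONE or name.endswith("." + LOCAL_ZONE):
        address = CORPORATE_ZONE.get(name)
        if address is None:
            return None
        return {"name": name, "address": address, "aliases": []}

    # 2. Root zone: the server is authoritative for "." and does not recurse, so a
    #    TLD without a wildcard entry yields no answer at all.
    tld = name.rsplit(".", 1)[-1]
    if tld not in WILDCARD_TLDS:
        return None

    # 3. Wildcard: every remaining name is an alias for the portal FQDN, which is
    #    then resolved through the stub zone above.
    target = resolve(PORTAL_FQDN)
    return {"name": target["name"], "address": target["address"], "aliases": [name]}


def check_redirection(local_expected, foreign_names, portal_ip=CORPORATE_ZONE[PORTAL_FQDN]):
    """The nslookup test from the page as a function: local hosts must keep their real
    addresses and every foreign name must land on the portal. Returns the problems found."""
    problems = []
    for host, expected in local_expected.items():
        answer = resolve(host)
        got = answer["address"] if answer else None
        if got != expected:
            problems.append(f"{host}: expected {expected}, got {got}")
    for host in foreign_names:
        answer = resolve(host)
        if answer is None:
            problems.append(f"{host}: not resolved (missing TLD wildcard?)")
        elif answer["address"] != portal_ip:
            problems.append(f"{host}: resolved to {answer['address']} instead of the portal")
    return problems
```

The answer for www.microsoft.com carries the queried name as an alias and the portal FQDN as the canonical name, which is exactly the shape of the second nslookup above. A query under a TLD with no wildcard (example.jp with the constructed list) returns None: the browser simply fails to connect and the user never sees the portal, which is why the setup text says to add the country codes when the domain spans countries.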

3 Install the MPE remediation portal as a standalone portal server on this DNS server.

4 Edit the WEB.xml file in the C:\Program Files\Common Files\McAfee\TomCat\Conf folder. Browse to the middle of the document, before the <servlet-mapping> tag. Before the <session-config> tag, add the following:

      <error-page>
          <error-code>404</error-code>
          <location>/portal/default.htm</location>
      </error-page>

5 Edit the default.htm and rescan.htm files located at C:\Program Files\Common Files\McAfee\Tomcat\webapps\Portal to change all relative <href> and <src> tags to absolute by adding /Portal/ to the front of the tag. For example, change the tag:

      <link href="styles.css" type="text/css" rel="stylesheet">

  to

      <link href="/Portal/styles.css" type="text/css" rel="stylesheet">

6 Edit the DHCP Scope Options for the quarantine VLAN. On your DHCP server, find the scope serving the quarantine VLAN clients, and change the DNS server IP addresses to the IP address of the Portal/DNS server. Remove any WINS server IP addresses.

Setting up transparent proxy interception

Use the following procedure to set up the transparent proxy interception strategy.

1 Download the Linux distribution of your choice and the following packages:

  a squidguard (http://www.squidguard.org/)
  b IPTables (http://www.netfilter.org/)
  c Squid (http://www.squid-cache.org/)

2 Recompile Linux according to the directions found on Squid's home page:

  a General
      CONFIG_NET=y
      CONFIG_NET_FASTROUTE=n
      CONFIG_SYSCTL=y
  b Networking
      CONFIG_NETFILTER=y
      CONFIG_INET=y
      CONFIG_IP_NF_CONNTRACK=y
      CONFIG_IP_NF_IPTABLES=y
      CONFIG_IP_NF_NAT=y
      CONFIG_IP_NF_TARGET_REDIRECT=y
  c File System
      CONFIG_PROC_FS=y

3 Configure the operating system to forward packets, in /etc/sysctl.conf:

      net.ipv4.ip_forward = 1

4 Create the IPTables rules that will forward packets to Squid, and save the rules to /etc/sysconfig/iptables (/sbin/service iptables save). The second rule is inserted (-I) ahead of the first so that requests addressed to the Squid/portal server itself are accepted rather than redirected:

      iptables -t nat -A PREROUTING -i <interface> -p tcp --dport 80 -j REDIRECT --to-port 3128
      iptables -t nat -I PREROUTING -i <interface> -p tcp -d <ip address of squid/portal> --dport 80 -j ACCEPT

5 Configure Squid:

  a See http://squid.visolve.com/squid/squid24s1/contents.htm for more information.
  b Add the following to squid.conf:

      httpd_accel_port 80
      httpd_accel_host virtual
      httpd_accel_uses_host_header on
      httpd_accel_with_proxy on
      redirect_program /usr/local/squid/bin/

  (httpd_accel_port is the port of the origin web servers whose requests are being intercepted, so it is 80 even though the IPTables rule delivers the traffic to Squid on port 3128.)

6 Configure squidguard:

  a See http://www.squidguard.org/config/ for information.
  b Define your domain and/or URL whitelists and store them in the filesystem.
  c Define the ACL inside the configuration file. The pass line ends in none so that everything not in the whitelist is blocked and therefore redirected; ending it in all would pass every request and the redirect would never apply:

      logdir /usr/local/squidguard/log
      dbhome /usr/local/squidguard/db

      dest whitelist {
          domainlist whitelist/domains
          urllist    whitelist/urls
      }

      acl {
          default {
              pass whitelist none
              redirect http://remediation01/portal/default.htm
          }
      }

7 Configure the Cisco switch:

      router(config)# ip access-list extended httptraffic
      router(config-ext-nacl)# permit tcp <quar ip subnet> any eq www
      router(config-ext-nacl)# deny ip any any
      router(config-ext-nacl)# exit
      router(config)# route-map wwwcapture permit 10
      router(config-route-map)# match ip address httptraffic
      router(config-route-map)# set ip default next-hop <ip address of the Squid server>
      router(config-route-map)# exit
      router(config)# interface Vlan999    ! interface of the quarantine VLAN
      router(config-if)# ip policy route-map wwwcapture
      router(config-if)# end
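Step 5 of the DNS wildcard setup (absolute /Portal/ paths) and the drawback listed earlier (links into hosts the local zone cannot resolve must use IP addresses) can both be checked mechanically before the portal goes live. The following script is an added example, not McAfee's code: absolutize() rewrites relative href and src attributes under /Portal/, and unresolvable_links() lists link targets whose host is a name outside the local domain, which under wildcard redirection would resolve to the portal itself. The sample HTML, the local domain mpe.local and the hostnames in it are constructed.

```python
"""Prepare remediation-portal HTML for DNS wildcard redirection.

Added example, not code from the McAfee document. absolutize() performs step 5
of the DNS wildcard setup (relative href/src attributes become absolute paths
under /Portal/), and unresolvable_links() applies the rule from the drawbacks
list: a link whose host is a name outside the local domain will be answered by
the wildcard and must use an IP address instead. The sample HTML, the local
domain (mpe.local, as on this page) and the hostnames in it are constructed.
"""
import re
from urllib.parse import urlsplit

LOCAL_DOMAIN = "mpe.local"
PORTAL_PREFIX = "/Portal/"
# Matches href=... or src=..., quoted or unquoted.
ATTR_RE = re.compile(r'(?i)\b(href|src)\s*=\s*(["\']?)([^"\'\s>]+)\2')
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Constructed sample of the kind of content default.htm might carry.
SAMPLE_HTML = (
    '<link href="styles.css" type="text/css" rel="stylesheet">\n'
    '<img src="./images/logo.gif">\n'
    '<a href="/Portal/rescan.htm">Rescan this system</a>\n'
    '<a href="http://updates.mpe.local/dat/">Current DATs (local repository)</a>\n'
    '<a href="http://download.nai.com/products/datfiles/">Current DATs (Internet)</a>\n'
    '<a href="http://194.12.96.10/hotfixes/">MS hotfixes</a>\n'
)


def is_relative(url):
    """True for URLs the browser would resolve against the requested page."""
    u = url.strip()
    if not u or u[0] in "/#":
        return False                       # already absolute, or a same-page fragment
    return urlsplit(u).scheme == ""        # excludes http:, https:, mailto:, javascript:


def absolutize(html, prefix=PORTAL_PREFIX):
    """Rewrite relative href/src attributes as absolute paths under the portal."""
    def fix(match):
        attr, quote, url = match.groups()
        if is_relative(url):
            while url.startswith("./"):
                url = url[2:]
            url = prefix + url
        return f"{attr}={quote}{url}{quote}"
    return ATTR_RE.sub(fix, html)


def unresolvable_links(html, local_domain=LOCAL_DOMAIN):
    """Return link targets whose host is a name the local zone cannot resolve."""
    problems = []
    for _attr, _quote, url in ATTR_RE.findall(html):
        host = urlsplit(url.strip()).hostname
        if not host:
            continue                       # path-only: served by the portal itself
        if IPV4_RE.fullmatch(host):
            continue                       # IP literal: no name resolution involved
        if "." not in host:
            continue                       # unqualified name: completed with the local suffix
        if host == local_domain or host.endswith("." + local_domain):
            continue                       # answered through the stub zone
        problems.append(url)               # anything else is caught by the TLD wildcard
    return problems
```

Running absolutize() twice yields the same result, so it is safe to rerun after later edits to the portal pages. In the sample, only the download.nai.com link is reported: under DNS wildcard redirection that name would resolve to the portal and the link would loop back to default.htm, so either the host is replaced with its IP address or the content is staged on a server inside mpe.local.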