Articles in the Security category

  1. Personal Security: Erase Your Computer or Phone Before Repair

    Sun 04 November 2012

    Computer nerds are self-sufficient when it comes to fixing their own computer. Non-experts have to find someone with greater computer knowledge to repair their computer or phone, and that person will then be able to access all data stored on it.

    By handing over their computer to a third party, such as a computer repair shop, they are giving their personal data to a stranger. And it is so easy for that stranger to access this data. So they will.

    This is not only true for computers, but especially for phones. If you are a woman, you should be extra concerned. It is so easy to obtain access to your photos. And people do.

    The only safe thing to do is either:

    1. encrypt your computer with full disk encryption (Truecrypt?);
    2. wipe all internal hard drives.

    Both actions will make it impossible for the computer technician to resolve any operating system or software related issues. Also, it will be harder to diagnose hardware failure. And if you erase the computer, who is going to reinstall it?

    A third option would be to implement a secure file container where a user would put personal information. But this concept is way too hard to understand and implement for most users.

    So in the end most people must find a person they can trust and who is willing to fix their computer. But that is never a safe bet.

    So assuming that you must trust your computer to a person you don't know too well, it is smart to never store any content on your computer, especially personal pictures or videos, that you would not want them to see.

    I had to turn in my iMac for repair because the internal hard drive was dying. So I erased the entire disk by overwriting it with zeros. This takes a few hours, but it guarantees that my data will not fall in the wrong hands. Honestly, I don't have any data I'd really want to hide, but still, it's my data and I don't want it in the hands of unknown people.

  2. Setting Up a Squid Proxy With Clamav Anti-Virus Using C-Icap

    Sun 26 August 2012

    Security is all about a defence-in-depth strategy: create multiple layers of defence. Each layer presents a different set of challenges, requiring different skill sets and technology, so every layer increases the time and effort needed to compromise your environment.

    A content-scanning proxy server may provide you with one of these defensive layers. A content-scanning proxy checks all data for malware and blocks all content presumed to be infected. This may prevent numerous infections of company computers. Basically, the proxy server is virus-scanning all network traffic.

    Warning: there is a severe limitation. Any data requested over an SSL connection (https://) cannot be scanned, precisely because it is encrypted. So if a blackhat is smart and serves all malware through HTTPS, a content-scanning proxy will not stop that malware. There are man-in-the-middle solutions that do allow you to inspect SSL traffic, but they have limitations of their own and are outside the scope of this post.

    As I believe that most malware is still being served through unencrypted HTTP sites, a content-scanning proxy does create an extra layer of defence. I think it is worth the effort.

    So I decided to create a content-scanning proxy based on available open-source software. In this case, open-source as in free to use in commercial settings.

    So in this post I will document how to set up a content-scanning proxy based on Squid 3.1, c-icap version 1, the Squidclamav module and the Clamav anti-virus scanner.

    The basis of this proxy server is Ubuntu 12.10 LTS.

    How does it work?

    The Squid proxy server must pass all content to the Clamav daemon. Squid can't do that by itself; it needs some glue service. For this purpose, a standard protocol has been designed called 'ICAP'. The c-icap daemon, combined with the squidclamav module, is the glue between the proxy server and the anti-virus software. The fun thing about c-icap is that you can add extra content-scanning features if you want, just by adding modules. For example, you can decide to implement additional commercial anti-virus products alongside Clamav.

    Installing Clamav and c-icap + development files

    1. apt-get install clamav-daemon c-icap libicapapi-dev apache2
    2. freshclam (update the Clamav signatures on the spot)

    Apache or any other HTTP server with CGI support is required to display virus-warnings to end-users.

    Installing squidclamav module for c-icap

    Do not install squidclamav with apt-get, this version seems to contain bugs that prevent pages from loading properly. The latest version straight from the vendor does work properly.

    1. cd /usr/src/
    2. download the source from http://sourceforge.net/projects/squidclamav/
    3. tar xzf squidclamav-6.8.tar.gz
    4. cd squidclamav-6.8
    5. ./configure
    6. make -j 2
    7. make install

    Squid configuration

    Please download my sample Squid.conf configuration. The icap lines are of interest.

    icap_enable on
    icap_send_client_ip on
    icap_send_client_username on
    icap_client_username_encode off
    icap_client_username_header X-Authenticated-User
    icap_preview_enable on
    icap_preview_size 1024
    
    icap_service service_req reqmod_precache bypass=0 \
        icap://127.0.0.1:1344/squidclamav
    icap_service service_resp respmod_precache bypass=0 \
        icap://127.0.0.1:1344/squidclamav
    
    adaptation_access service_req allow all
    adaptation_access service_resp allow all
    

    It is the icap:// URL that calls a particular icap service (squidclamav) that processes all data.
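    As an added check that is not part of the original post: the script below speaks ICAP to the c-icap service directly, bypassing Squid, so you can confirm that the squidclamav service actually blocks a known-bad file before you point users at the proxy. It assumes the 127.0.0.1:1344/squidclamav address from the Squid configuration above, frames the request as RFC 3507 describes, and uses the EICAR test string as its constructed sample payload.

```python
import socket

# Assumed values, matching the icap_service URL in the Squid config above.
ICAP_HOST, ICAP_PORT, ICAP_SERVICE = "127.0.0.1", 1344, "squidclamav"

# Constructed sample: EICAR is the standard harmless test string that every
# scanner, Clamav included, reports as a virus.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

def build_respmod(body: bytes, url: str = "http://example.test/file") -> bytes:
    """Frame one ICAP RESPMOD request: ICAP headers, then the encapsulated HTTP
    request headers, HTTP response headers and chunked body. The Encapsulated
    header carries the byte offset of each part (hypothetical URL/host)."""
    req_hdr = ("GET %s HTTP/1.1\r\nHost: example.test\r\n\r\n" % url).encode()
    res_hdr = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
               b"Content-Length: %d\r\n\r\n" % len(body))
    enc = "req-hdr=0, res-hdr=%d, res-body=%d" % (
        len(req_hdr), len(req_hdr) + len(res_hdr))
    icap_hdr = ("RESPMOD icap://%s:%d/%s ICAP/1.0\r\nHost: %s\r\n"
                "Allow: 204\r\nConnection: close\r\nEncapsulated: %s\r\n\r\n"
                % (ICAP_HOST, ICAP_PORT, ICAP_SERVICE, ICAP_HOST, enc)).encode()
    chunked = b"%x\r\n" % len(body) + body + b"\r\n0\r\n\r\n"
    return icap_hdr + req_hdr + res_hdr + chunked

def verdict(reply: bytes) -> str:
    """204 (permitted by our Allow header): content passed through unmodified.
    200: the service substituted its own HTTP response, which for squidclamav
    is a redirect to the clwarn.cgi warning page configured in squidclamav.conf."""
    status = reply.split(b"\r\n", 1)[0].split(b" ")
    if len(status) < 2 or not status[0].startswith(b"ICAP/") or not status[1].isdigit():
        return "malformed"
    code = int(status[1])
    if code == 204:
        return "clean"
    if code == 200:
        http = reply.partition(b"\r\n\r\n")[2]  # encapsulated HTTP response
        return "blocked" if b"\nlocation:" in http.lower() else "modified"
    return "error %d" % code

def scan_through_icap(body: bytes, timeout: float = 10.0) -> str:
    """Send the constructed transaction to c-icap and classify its reply."""
    with socket.create_connection((ICAP_HOST, ICAP_PORT), timeout=timeout) as s:
        s.sendall(build_respmod(body))
        reply = b""
        try:
            while chunk := s.recv(4096):
                reply += chunk
        except socket.timeout:
            pass  # c-icap kept the connection open; classify what arrived
    return verdict(reply)
```

Against a live c-icap, scan_through_icap(EICAR) should return "blocked" and a harmless body such as b"hello" should return "clean"; anything else means the glue between Squid and Clamav is not working yet.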

    Squidclamav icap module configuration

    The configuration is stored in /etc/squidclamav.conf, and this is what I used:

    maxsize 5000000
    redirect http://proxy.company.local/cgi-bin/clwarn.cgi
    clamd_ip 127.0.0.1
    clamd_port 3310
    timeout 1
    logredir 0
    dnslookup 1
    

    Of interest is the redirect URL, which is where the user is sent when a virus is found. That line redirects the user to a warning page like the one shown at the beginning of this post. You can customise this page with CSS; for example, you can add the company logo to make it look more official.

    c-icap configuration

    This is the configuration I use:

    PidFile /var/run/c-icap/c-icap.pid
    CommandsSocket /var/run/c-icap/c-icap.ctl
    Timeout 300
    MaxKeepAliveRequests 100
    KeepAliveTimeout 600  
    StartServers 3
    MaxServers 10
    MinSpareThreads     10
    MaxSpareThreads     20
    ThreadsPerChild     10
    MaxRequestsPerChild  0
    Port 1344 
    User c-icap
    Group nogroup
    ServerAdmin you@your.address
    ServerName Anti-Virus-Proxy
    TmpDir /tmp
    MaxMemObject 1048576
    DebugLevel 0
    ModulesDir /usr/lib/c_icap
    ServicesDir /usr/lib/c_icap
    TemplateDir /usr/share/c_icap/templates/
    TemplateDefaultLanguage en
    LoadMagicFile /etc/c-icap/c-icap.magic
    RemoteProxyUsers off
    RemoteProxyUserHeader X-Authenticated-User
    RemoteProxyUserHeaderEncoded on
    ServerLog /var/log/c-icap/server.log
    AccessLog /var/log/c-icap/access.log
    Service echo srv_echo.so
    Service squidclamav squidclamav.so
    

    Configuring Apache web server

    The warning page should be put in /usr/lib/cgi-bin. You may have to copy clwarn.cgi into this directory. Also make sure that your Apache configuration contains a directive like:

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
            AllowOverride None
            Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
            Order allow,deny
            Allow from all
    </Directory>
    

    Automatic proxy configuration through DHCP and WPAD

    To make the entire setup extra nice, use your DHCP configuration to inform clients about the proxy configuration. Clients must be configured to autodetect proxy settings for this to work.

    Put a wpad.dat in the root directory of your http server:

    function FindProxyForURL(url, host)
    {
        if (dnsDomainIs(host, "localhost")) return "DIRECT"; 
        if (isInNet(host, "127.0.0.0", "255.0.0.0")) return "DIRECT";
        if (isPlainHostName(host)) return "DIRECT";
        if (isInNet(host, "192.168.0.0", "255.255.255.0")) return "DIRECT";
        return "PROXY proxy.company.local:3128";
    }
    

    Also add the appropriate MIME type for .dat files to /etc/mime.types:

    application/x-ns-proxy-autoconfig           dat
    

    Restart the apache webserver after these modifications.

    Now add a DNS record for the proxy, proxy.company.local in this example, to your DNS server.

    Most importantly, add this directive to the global section of your DHCP server's configuration file:

    option local-proxy-config code 252 = text;
    

    Add this directive to the particular scope for your network:

    option local-proxy-config "http://proxy.company.local/wpad.dat";
    

    Restart your DNS and DHCP server.

    Monitoring proxy performance

    The cachemgr.cgi script provides very detailed information about the performance of your Squid proxy. This is more relevant to actual caching performance than to anti-virus scanning, but it may be of interest. Especially the 'general runtime information' is of interest, as it shows the hit-rate, memory usage, etc.

    First, make sure you take the appropriate precautions so as not to expose this page to the entire company network without some protection, as it can contain sensitive information.

    If you have installed squid-cgi, just browse to http://your.proxy.server/cgi-bin/cachemgr.cgi

    Some example data:

    Cache information for squid:
        Hits as % of all requests:  5min: 10.3%, 60min: 4.1%
        Hits as % of bytes sent:    5min: 81.4%, 60min: 5.2%
        Memory hits as % of hit requests:   5min: 0.0%, 60min: 14.8%
        Disk hits as % of hit requests: 5min: 0.0%, 60min: 74.1%
    

    Final words

    This whole configuration should be sufficient to set up a content-scanning proxy server. I have no experience of how well this solution performs, and you may have to do some benchmarks of your own to determine if it is capable of handling the traffic your users generate. The fun thing about this setup is that it is modular. For example, you can have one Squid + HTTP box, and a separate host just for the c-icap and Clamav services.

    Besides the whole content scanning part, a proxy server, based on some non-scientific tests, does seem to improve performance for end-users. It may save you an expensive upgrade to a faster corporate internet connection.

  3. Improving Web Application Security by Implementing Database Security

    Fri 18 May 2012

    Security is about defense-in-depth. It boggles my mind why it is so difficult to implement defense-in-depth security in web applications. 99.9% of applications use a single database account with root-like privileges. Easiest for the developer of course, and the database is treated as just a data store. It is not understood for what it really is: your database is the only and last defensive layer you have before the attacker compromises your data. Use it well.

    For example, you can use your database to protect you against high-impact attacks such as SQL-injection.

    I created a presentation about this topic a while ago. You can download this presentation here:

    http://mini.louwrentius.com/static/files/designingsecureapplications.pdf

    A short summary of the points made.

    • Truly understand your application and its requirements.
    • Do not create a monolithic application, create separate applications. For example, at least separate front office and back office.
    • Run those applications under different operating system users or ideally on different servers, residing in different network segments.
    • It suddenly makes sense to put your database server in a separate secure network segment as opposed to running it on the same box as the application server.
    • Do not use a single database account with root-like privileges.
    • Create separate database accounts for separate application components. Only assign those privileges required for that application. White-list privileges within the database. This is key.
    • Understand that end-user authentication does not require privileges of the 'select username,password from user' kind!
    • Use stored procedures and functions wisely. By only providing access to functions, views and stored procedures, while preventing access to tables, you can significantly reduce the impact of SQL-injection or other application level security breaches.
    • In any case, understand that an attacker can never obtain more database privileges than the database account used. Even if the entire application server is compromised. This is especially important for your internet-facing applications.
    • Use your database as an extra layer of defense.
