Posted on 03-Dec-2014


<p>FreeProxy Internet Suite: Working with Permissions</p>
<p>Document Version 1.0, 24 May 2007. Applies to FreeProxy Internet Suite V3.9 build 1632 or later.</p>
<p>Contents</p>
<p>1 Purpose
2 Permissions, Resources and Authentication Overview
3 Users and Groups
3.1 Built-in Groups
3.2 User-defined groups
4 Authentication
4.1 Is Authentication Necessary?
4.2 Which Authentication Method?
5 Resources
5.1 Resource attributes
5.2 HTTP Proxy Resource Types
5.3 Using wildcards
6 Permission process
6.1 How the process works
6.2 The order of processing
6.3 Processing logic
6.4 Check Resources function
6.5 Check Permissions function
7 Examples and applications
7.1 Limiting access to all users to certain sites
7.2 Limiting access to all sites with exceptions
7.3 Forcing users to authenticate: FreeProxy users
7.4 Forcing users to authenticate: Windows users
7.5 Working with Windows groups
7.6 Providing different levels of access
7.7 Restricting access based on IP address
7.8 Restricting users from sharing credentials
7.9 Other resource types for HTTP Proxy
8 Appendix: SOCKS
8.1 Authentication methods
8.2 SOCKS protocol
8.3 SOCKS resource permissions</p>
<p>Change History</p>
<p>Version | Date | Who | Comment
1 | 24 May 2007 | Greg Robson-Garth | Initial version</p>
<p>1 Purpose</p>
<p>The ability to control access to the internet is crucial for a number of reasons. The first is a reduction in internet costs by preventing unnecessary downloads; the second is to enable you, the Systems Administrator, to implement your company's security policy; and the third is to help prevent unwanted access to an important resource, both from within your intranet and from the outside.</p>
<p>The purpose of this guide is to explain how to control access to the services provided by the FreeProxy Internet Suite (FIS). An understanding of the terminology and concepts will allow you to implement rigorous and precise access permissions. This document focuses on HTTP authentication.</p>
<p>2 Permissions, Resources and Authentication Overview</p>
<p>Before starting, you should be familiar with the terminology used in the FreeProxy Internet Suite.</p>
<p>Authentication: Authentication is the process of checking that the user id and password you present are valid. For HTTP, the context for authentication is usually a domain. If you authenticate using NTLM, the context is a Windows domain. If you authenticate using Basic or Digest, you name the domain (the realm) yourself. For other protocols, authentication normally consists simply of validating that your user id and password are valid. Until a user does authenticate, they are given the substitute user id DefaultUser.</p>
<p>Resources: A resource is something over which you can exert control. For example, access to the HTTP proxy is a resource, and access to a particular URL is a resource. All these resources provide some service to the end user. For each of them, you can control who uses the resource and the times during which it can be used.
</p>
<p>Resource Permission: A permission is the granting of a right of access to a particular user, for access to a particular resource at a particular time. The user may or may not be authenticated. In this document and other FreeProxy documentation this is known either as a Resource Permission (permission for a user to access a particular resource) or simply as a Permission.</p>
<p>3 Users and Groups</p>
<p>Users can be defined in FIS or they can be referenced from a Windows domain controller. For all HTTP-related operations, the user must be a member of a group.</p>
<p>3.1 Built-in Groups</p>
<p>Built-in groups are defined in FIS and cannot be changed. There are 2 built-in groups:</p>
<p>AllUsers: All users, including the "John Doe" of users, DefaultUser, are members of this group.</p>
<p>WindowsUsers: Members of this group are users who have already successfully authenticated with a Windows domain controller or Active Directory.</p>
<p>3.2 User-defined groups</p>
<p>All permission setting is done with groups and not users. There are 2 types of user-defined groups.</p>
<p>FreeProxy Groups: You can define a group in FreeProxy and give it a name. This group is known only within the confines of FreeProxy. Users can be assigned to the group, and the group can then be used to specify who has permission to access a resource.
</p>
<p>Windows Groups: If you already have an established Windows domain with a domain controller or Active Directory, you can import the group into FIS. This does not actually import the users into FreeProxy; it registers the group name as one of the available groups you can assign to a resource permission. When the FreeProxy server program runs, it imports the members of the group before starting and again at regular intervals. You specify the interval when importing the group.</p>
<p>4 Authentication</p>
<p>4.1 Is Authentication Necessary?</p>
<p>Until the web service or proxy (e.g. FreeProxy) requests user credentials, the only identifying information associated with your HTTP message is your IP address. This may be sufficient for an internal network where access is the same for everyone. You can still lock out undesirable web sites, but doing so locks out everyone without discrimination. You also cannot report on individual access and usage unless you can map an IP address to a user.</p>
<p>So, in answer to the question "is authentication necessary?": it depends on whether you need user information, or whether you need to grant specific access rights to specific individuals. If you don't, authentication is not necessary and all users are named DefaultUser. If you do, then it is.</p>
<p>4.2 Which Authentication Method?</p>
<p>There are currently 3 authentication methods available in FreeProxy: Basic, Digest and NTLM.</p>
<p>In FreeProxy you can select any one, or a combination, of the authentication methods. The client is offered your selection and it is up to the client to choose the one it wants to use. If you want to provide one choice only, check only one of the options. Be aware that a client offered Basic alongside a stronger method is free to pick Basic, so offering Basic means the password can still be sent in clear; only check it if you accept that.</p>
<p>Note: selecting an authentication method does not force authentication to occur. That is done when specifying Resource Permissions. It is quite possible to allow some resources to be accessed without authentication and to force authentication to access other resources.
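</p>
<p>As an added illustration of how the methods differ on the wire (this is example code written for this page, not FreeProxy's own implementation), the following Python recreates a Basic and a Digest proxy exchange with a constructed user, realm, nonce and wordlist. It shows why Basic is reversible, how the Digest response is computed by the client and verified by the proxy (MD5, as FreeProxy uses, in the RFC 2617 qop="auth" form), and why a captured Digest exchange is still exposed to offline password guessing. NTLM is left out because the exchange can only be validated by a domain controller.</p>

```python
import base64
import hashlib
import hmac

# Constructed sample exchange (not captured from FreeProxy): a proxy realm, a
# user, and the nonces that would travel in the 407 challenge and the reply.
REALM = "FreeProxy"
USER = "alice"
PASSWORD = "Summer2007"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"   # constructed server nonce
CNONCE = "0a4f113b"                            # constructed client nonce
NC = "00000001"
METHOD = "GET"
URI = "http://www.airliners.net/open.file?id=0876776&"


# Basic: the credentials are base64-encoded, not encrypted, so anyone who can
# read the header (a sniffer, a proxy log, a saved request) gets them back.
def basic_header(user, password):
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def basic_decode(header):
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


# Digest (RFC 2617, MD5, qop="auth"): the password never crosses the wire. Both
# sides derive the same response from password, realm, nonce, method and URI,
# and the proxy simply compares its value with the one the client sent.
def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def server_verify(stored_passwords, user, realm, method, uri, nonce, nc, cnonce, response):
    """The proxy recomputes the response from its own copy of the password.
    (A real server must also check that the nonce is one it issued recently.)"""
    if user not in stored_passwords:
        return False
    expected = digest_response(user, realm, stored_passwords[user], method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)


def offline_guess(wordlist, user, realm, method, uri, nonce, nc, cnonce, captured):
    """Caveat: nothing in Digest is encrypted. Whoever captures one exchange can
    test candidate passwords offline at one MD5 per guess, so a weak password
    falls quickly; Digest is stronger than Basic, not unbreakable."""
    for guess in wordlist:
        if digest_response(user, realm, guess, method, uri, nonce, nc, cnonce) == captured:
            return guess
    return None


def demo():
    results = {}
    results["basic_recovered"] = basic_decode(basic_header(USER, PASSWORD))

    response = digest_response(USER, REALM, PASSWORD, METHOD, URI, NONCE, NC, CNONCE)
    proxy_db = {USER: PASSWORD}
    results["digest_ok"] = server_verify(proxy_db, USER, REALM, METHOD, URI, NONCE, NC, CNONCE, response)
    # The same response replayed against a different URI must be rejected.
    results["digest_wrong_uri"] = server_verify(proxy_db, USER, REALM, METHOD, "/other", NONCE, NC, CNONCE, response)

    # Constructed three-word wordlist standing in for an attacker's dictionary.
    results["guessed"] = offline_guess(["password", "letmein", "Summer2007"],
                                       USER, REALM, METHOD, URI, NONCE, NC, CNONCE, response)
    return results


if __name__ == "__main__":
    print(demo())
```

<p>Run it and the Basic header decodes straight back to the password, the proxy accepts the correct Digest response and rejects the same response presented for a different URI, and the wordlist recovers the password from the captured response without the password ever having been sent. The practical rule is that Digest only helps when the passwords behind it resist guessing.</p>
<p>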
</p>
<p>Basic: Basic is a simple authentication method. It is considered insecure because the user id and password are not encrypted; they are only encoded (base64) for transmission and anyone who can see the traffic can trivially decode them back to their original form. Nevertheless, if you do not have a requirement for a secure web service and you just need the user's name, it is quite adequate. A typical application would be a small office working in a workgroup, without a domain controller or Active Directory.</p>
<p>Digest: With Digest authentication the user id and password are not sent to the server. Instead the client sends a hash computed from the user id, password, the server's challenge (nonce) and the request, and the server computes the same hash from its own copy of the credentials. If the two hashes are the same, authentication is validated. The hash cannot be converted back into a readable user id and password, so a passive observer does not obtain them directly, which makes Digest considerably stronger than Basic. Note, however, that nothing is encrypted: anyone who captures one exchange can test candidate passwords offline by recomputing the hash, and MD5 is fast, so Digest gives little protection to a weak password and none against an attacker who can alter the traffic. For Digest, the MD5 algorithm is used.</p>
<p>NTLM: NTLM, or NT LAN Manager, authentication is based on a series of challenges and responses between the server and the client using Microsoft's authentication method. The user id and password are again hashed in a complex exchange, and the result is finally passed to the Active Directory or domain controller, which validates the hash data. NTLM is ONLY available in a network which has these facilities (AD and/or a domain controller) and cannot be used without them.</p>
<p>5 Resources</p>
<p>5.1 Resource attributes</p>
<p>Resources, as previously mentioned, are the facilities you offer your users. Both the Port functionality (HTTP proxy, SOCKS proxy, FTP proxy, etc.) and the Service functionality (web server, POP and SMTP server) provide the ability to control access to their various features.
</p>
<p>For the HTTP proxy there are a number of possible points of control, or Resource Types. Depending on the resource, you can also specify the following:</p>
<p>Resource key: This is the actual resource instance you are trying to control. In the case of a URL or path filter it is the URL. Some resources, such as the HTTP Proxy Service, do not have a resource key.</p>
<p>Permission, Forbidden or Granted: If the conditions are right, then this connection is either granted or forbidden access to the resource.</p>
<p>Calendar: This specifies the times during which the resource permission is active. This option refers to a calendar.</p>
<p>User group: The group to which this resource permission applies.</p>
<p>Must Authenticate: If this is not set, the user is not challenged to authenticate. A detailed explanation of this is provided further on.</p>
<p>Note: For a particular resource permission to apply, the resource key, resource type, time of access and the user group must ALL match. If any of these factors does not apply, the whole resource permission does not apply. FreeProxy will not infer anything from this fact: if the resource permission applies, it acts on the Forbidden or Granted indication; if it does not apply, it makes no further assumptions and ignores the permission completely.</p>
<p>5.2 HTTP Proxy Resource Types</p>
<p>These are the resources you can control.</p>
<p>HTTP Proxy Service: This resource controls access, or entry, to the HTTP Proxy service.</p>
<p>Full URI or Path Filter: This resource controls access to a URL. The URL starts at the first position after the "http://" and ends at the end of the complete URL. For example, in</p>
<p>http://www.airliners.net/open.file?id=0876776&amp;</p>
<p>the start of the URL is the "w" of "www" and the end of the URL is the final "&amp;".</p>
<p>You can use wildcard characters to catch similar URLs. If you do not use wildcards, FreeProxy compares the actual URL requested by the client to the URL in this filter, and if they do not precisely match from the start of the URL to the end of the URL, no match is made. To have FreeProxy match every URL on www.airliners.net (every URL starting with that host name) you should specify www.airliners.net* as the search argument. See below for a discussion on search arguments and wildcards.
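</p>
<p>To make the matching rule concrete, here is an added example (written for this page, not FreeProxy's own code) that models the attributes above (resource type, resource key with * wildcards, calendar, user group, Granted/Forbidden, Must Authenticate) together with the built-in groups of section 3, and evaluates a constructed permission list against a few requests. Two points are assumptions, because the page's later sections are not reproduced here: permissions are walked in list order and the first one that applies decides, and a permission that requires authentication challenges a client that has not yet authenticated. The wildcard is taken to mean that * matches any run of characters and everything else must match exactly from start to end. The group name Engineers, the office_hours calendar and the sample times are invented for the example.</p>

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable, Optional

# Built-in groups and the substitute identity a client has before it authenticates.
ALL_USERS = "AllUsers"
WINDOWS_USERS = "WindowsUsers"
DEFAULT_USER = "DefaultUser"

@dataclass
class User:
    name: str
    authenticated: bool = False          # has the client authenticated at all?
    windows_authenticated: bool = False  # ... against a domain controller / AD?
    groups: set = field(default_factory=set)  # FreeProxy or imported Windows groups

def member_of(user, group):
    if group == ALL_USERS:
        return True                      # everyone, DefaultUser included
    if group == WINDOWS_USERS:
        return user.windows_authenticated
    return group in user.groups

def wildcard_match(pattern, key):
    """Assumed filter semantics: '*' matches any run of characters, everything
    else must match exactly, and the key is compared from its start to its end."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, key) is not None

def url_key(url):
    """The key of a Full URI filter starts at the first position after 'http://'."""
    return url[len("http://"):] if url.startswith("http://") else url

@dataclass
class Permission:
    resource_type: str                   # "HTTP Proxy Service", "Full URI or Path Filter", ...
    key: Optional[str]                   # wildcard pattern; None for resource types without a key
    granted: bool                        # Granted (True) or Forbidden (False)
    group: str                           # user group the permission applies to
    calendar: Callable[[datetime], bool] = lambda when: True
    must_authenticate: bool = False

def evaluate(perms, resource_type, key, user, when):
    """Walk the permissions in list order (assumed) and act on the first one that
    applies. Type, key, calendar and group must ALL match; otherwise the
    permission is ignored completely and nothing is inferred from it."""
    for perm in perms:
        if perm.resource_type != resource_type:
            continue
        if perm.key is not None and not wildcard_match(perm.key, key or ""):
            continue
        if not perm.calendar(when):
            continue
        # Assumed: a permission that requires authentication challenges a client
        # that has not authenticated yet, since DefaultUser's group membership
        # cannot be decided (the page defers the details of Must Authenticate).
        if perm.must_authenticate and not user.authenticated:
            return "authenticate"
        if not member_of(user, perm.group):
            continue
        return "granted" if perm.granted else "forbidden"
    return "no-match"

def office_hours(when):
    """A calendar for the example: Monday to Friday, 09:00 to 17:59."""
    return when.weekday() < 5 and 9 <= when.hour < 18

# Constructed permission list: everyone is forbidden www.airliners.net, and
# members of the FreeProxy group 'Engineers' may enter the proxy service during
# office hours provided they have authenticated.
PERMISSIONS = [
    Permission("Full URI or Path Filter", "www.airliners.net*", granted=False, group=ALL_USERS),
    Permission("HTTP Proxy Service", None, granted=True, group="Engineers",
               calendar=office_hours, must_authenticate=True),
]

def decide(url, user, when):
    """Assumed order for the example: the URL filter is consulted first, then
    entry to the proxy service."""
    verdict = evaluate(PERMISSIONS, "Full URI or Path Filter", url_key(url), user, when)
    if verdict != "no-match":
        return verdict
    return evaluate(PERMISSIONS, "HTTP Proxy Service", None, user, when)

# Constructed sample times: a Wednesday in office hours and the following Sunday.
OFFICE_TIME = datetime(2007, 5, 23, 10, 0)
WEEKEND_TIME = datetime(2007, 5, 27, 10, 0)
AIRLINERS = "http://www.airliners.net/open.file?id=0876776&"

def demo():
    anon = User(DEFAULT_USER)
    engineer = User("bob", authenticated=True, groups={"Engineers"})
    sales = User("carol", authenticated=True, groups={"Sales"})
    return {
        "anon_airliners": decide(AIRLINERS, anon, OFFICE_TIME),
        "anon_other": decide("http://example.com/", anon, OFFICE_TIME),
        "engineer_other": decide("http://example.com/", engineer, OFFICE_TIME),
        "engineer_sunday": decide("http://example.com/", engineer, WEEKEND_TIME),
        "sales_other": decide("http://example.com/", sales, OFFICE_TIME),
    }
```

<p>The case to notice is the last two: outside the calendar, or for an authenticated user who is not in Engineers, the proxy-service permission simply does not apply and the result is "no-match" rather than "forbidden", which is exactly the rule in the note above that FreeProxy infers nothing from a permission that does not match. What the proxy then does with "no-match" is decided by the rest of the permission list, not by this example.</p>
<p>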
</p>
<p>Client IP Address: This resource pertains to the client IP address, i.e. the address FreeProxy sees when the connection is made. The client IP address is specified as a range. For example, 192.168.100.1 to 192.168.102.2 would include 192.168.100.1 through 192.168.100.255, the whole of 192.168.101.x and the first 2 IP addresses of 192.168.102.x. This is a simple way of limiting clients to, for example, those on your local intranet, and it can be used in conjunction with other control types. Bear in mind that the address identifies a machine (or, behind NAT, a whole network), not a person, so it is not a substitute for authentication.</p>
<p>FTP over HTTP: Some browsers enable you to access FTP sites through the proxy. You can allow or forbid this feature.</p>
<p>Tunnel via HTTP: Tunnelling can occur using a browser or a non-browser client. A browser typically sets up a tunnel before switching to HTTPS. A non-browser client can use the same HTTP CONNECT command to connect to any server, using the proxy to relay messages between the client and that server. Once the connection to the remote server is made, the two parties do not necessarily need to communicate using the HTTP protocol, so an unrestricted tunnel lets arbitrary protocols out through the proxy. This feature can be allowed or forbidden.</p>
<p>Userid-IP Address Affinity: You may want to force a user to keep using the same IP address for a period of time once logged on. This prevents the user id from being shared. The duration is expressed in hours.</p>
<p>Path and Filename Filter: This is much like the URL filter, except that it excludes the domain and anything after the path. For example, in</p>
<p>http://www.airliners.net/open.file?id=0876776&amp;</p>
<p>the path is /open.file: it starts at the "/" after the domain and stops before the "?" that begins the query string.</p>
<p>You must use wildcard characters unless you know the exact path.</p>
<p>Ban List (URL or IP Address): In addition to the filtering of IP addresses, URLs and paths, you can also import a list of banned sites and IP addresses. This resource ties the ban list to this port definition and is required if you want the ban list to be used. You spe...</p>
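<p>The two client-address controls above, the Client IP Address range and the Userid-IP Address Affinity, are easy to get subtly wrong at the edges (inclusive range ends, expiry of the affinity), so here is an added Python example written for this page, not FreeProxy's own code. It checks the 192.168.100.1 to 192.168.102.2 range from the text and keeps the user id to address binding for a configurable number of hours; the user name, addresses and times are constructed for the example.</p>

```python
import ipaddress
from datetime import datetime, timedelta


def in_client_range(addr, start, end):
    """Client IP Address resource: inclusive range check on the address the
    proxy sees on the connection. Mixed address families never match."""
    a, lo, hi = (ipaddress.ip_address(x) for x in (addr, start, end))
    if not (a.version == lo.version == hi.version):
        return False
    return lo <= a <= hi


class UseridIpAffinity:
    """Userid-IP Address Affinity: once a user id has been used from an address,
    the same user id from any other address is refused until the affinity
    expires (duration in hours, counted from the first use, not refreshed)."""

    def __init__(self, hours):
        self.ttl = timedelta(hours=hours)
        self._bound = {}   # userid -> (ip, expiry)

    def check(self, userid, ip, now):
        bound = self._bound.get(userid)
        if bound is None or bound[1] <= now:
            # No binding, or the old one has expired: bind the id to this address.
            self._bound[userid] = (ip, now + self.ttl)
            return True
        # Same user id from a second address inside the window: treated as
        # shared credentials and refused; the original binding stays in force.
        return bound[0] == ip


def demo():
    out = {}
    probes = ("192.168.100.1", "192.168.101.200", "192.168.102.2", "192.168.102.3", "10.0.0.5")
    out["in_range"] = [in_client_range(p, "192.168.100.1", "192.168.102.2") for p in probes]

    aff = UseridIpAffinity(hours=8)
    t0 = datetime(2007, 5, 24, 9, 0)                  # constructed logon time
    out["first"] = aff.check("alice", "192.168.100.10", t0)
    out["same_ip"] = aff.check("alice", "192.168.100.10", t0 + timedelta(hours=1))
    out["other_ip"] = aff.check("alice", "192.168.100.11", t0 + timedelta(hours=2))
    out["after_expiry"] = aff.check("alice", "192.168.100.11", t0 + timedelta(hours=9))
    out["moved_back"] = aff.check("alice", "192.168.100.10", t0 + timedelta(hours=9, minutes=5))
    return out


if __name__ == "__main__":
    print(demo())
```

<p>Both checks trust the address the proxy sees on the socket, so clients behind one NAT gateway share a single address and a single affinity slot. That is why the affinity is a deterrent to credential sharing rather than proof of identity, and why the text recommends using the address range in conjunction with other control types.</p>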