\gdef\currentsectionname{Proxies}
%%\subsection{Intercepting proxy solutions and reverse proxies}
Within enterprise networks, and in organisations with an increased level of paranoia or at least some defined security requirements, it is common \textbf{not} to allow direct connections to the public internet.

For this reason proxy solutions are deployed on corporate networks to intercept the traffic and scan the sessions for potential threats.
For encrypted traffic there are four options:

\begin{itemize}
\item Block the connection because it cannot be scanned for threats.
\item Bypass the threat mitigation and pass the encrypted session through to the client unchanged. Malicious content is then delivered directly to the client without any visibility for the security system.
\item Intercept (i.e. terminate) the session at the proxy, scan it there and re-encrypt the session towards the client (effectively a MITM).
\item Deploy a dedicated Certificate Authority whose certificates the clients trust, so that the proxy can perform Deep Packet Inspection on the wire.
\end{itemize}
While the last option may be the most ``up to date'', it opens a new front in the context of this paper: if the proxy server handles its own connection to the destination server insecurely, the only well-secured part of the client's connection may be the leg inside the corporate network.

Conclusion: do not forget to check the SSL/TLS capabilities of your proxy solution, and do the same for your reverse proxies!
%% ----------------------------------------------------------------------
As of squid 3.2.7 (released 1 February 2013) the OpenSSL \texttt{NO\_Compression} option is supported in the squid configuration; it disables TLS compression and thereby mitigates the CRIME attack. Combine it in the configuration file with enforcement of the server's cipher preferences, so that the server's ordering rather than the client's decides which suite is negotiated (the server-side mitigation for the BEAST attack), and both attacks are addressed.
\configfile{squid.conf}{1363-1363,1379-1379}{Cipher selection and SSL options in Squid}
%% http://forum.pfsense.org/index.php?topic=63262.0
% see squid.conf, repeating the options here does not help.
\todo{Patch here? Definitely working for 3.2.6!}
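As an added example (not the squid.conf shipped with this paper), the fragment below shows the two places where these options matter in a squid 3.2.7 or later setup: the \texttt{https\_port} listener of a reverse proxy, where \texttt{CIPHER\_SERVER\_PREFERENCE} is the option that enforces the server's cipher preferences, and the \texttt{sslproxy\_*} directives that govern squid's own outgoing TLS connections when it acts as a forward proxy. Each setting is shown in its weak form (commented out) next to the hardened one. The hostname, certificate paths and the cipher string are placeholders chosen for this example.

```conf
# Added example for squid 3.2.7 or later; not the squid.conf referenced in this paper.
# Hostname, certificate paths and the cipher string are placeholders.

# --- Weak reverse proxy listener: without "options=" squid still accepts SSLv3,
# --- may negotiate TLS compression (CRIME), and lets the client choose the cipher.
# https_port 443 accel defaultsite=www.example.com cert=/etc/squid/ssl/server.pem key=/etc/squid/ssl/server.key

# --- Hardened listener: no SSLv2/SSLv3, no compression, server cipher order enforced,
# --- and an explicit cipher list with AEAD/forward-secret suites first.
https_port 443 accel defaultsite=www.example.com cert=/etc/squid/ssl/server.pem key=/etc/squid/ssl/server.key options=NO_SSLv2,NO_SSLv3,NO_Compression,CIPHER_SERVER_PREFERENCE cipher=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5

# --- Weak outgoing side of a forward proxy: peer verification switched off, so the
# --- leg inside the corporate network is encrypted but the leg to the origin is not checked.
# sslproxy_flags DONT_VERIFY_PEER

# --- Hardened outgoing side: the same protocol and compression restrictions, the same
# --- cipher list, verification against the system CA bundle, and no tolerated cert errors.
sslproxy_options NO_SSLv2,NO_SSLv3,NO_Compression
sslproxy_cipher ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5
sslproxy_cafile /etc/ssl/certs/ca-certificates.crt
sslproxy_cert_error deny all
```

The \texttt{sslproxy\_*} directives apply whenever squid itself opens a TLS connection to an origin server (SSL bumping or fetching https:// URLs); a TLS backend behind a reverse proxy is configured with the \texttt{ssl}, \texttt{ssloptions=} and \texttt{sslcipher=} parameters of the corresponding \texttt{cache\_peer} line instead. To verify the result from the outside, run \texttt{openssl s\_client -connect host:443} (with OpenSSL 1.1.0 or later, add \texttt{-proxy proxyhost:port} to test the forward path) and check that the output reports \texttt{Compression: NONE} and that a handshake forced with \texttt{-ssl3} is refused.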
For squid versions before 3.2.7, apply the following patch against a vanilla source tree:
--- support.cc.ini 2013-01-09 02:41:51.000000000 +0100
+++ support.cc 2013-01-21 16:13:32.549383848 +0100
"NO_TLSv1_2", SSL_OP_NO_TLSv1_2
+#ifdef SSL_OP_NO_COMPRESSION
+ "NO_Compression", SSL_OP_NO_COMPRESSION
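Review bot: as reproduced here the hunk cannot be applied: between the `+++ support.cc` header and the `"NO_TLSv1_2", SSL_OP_NO_TLSv1_2` context line there is no `@@` hunk header, and the `+#ifdef SSL_OP_NO_COMPRESSION` guard opened before the new `"NO_Compression", SSL_OP_NO_COMPRESSION` entry has no matching `+#endif`. Re-export the change with `diff -u` from a tree that already contains it (the text above says squid 3.2.7 ships this option) so that the guard is closed and the entry is complete. The `#ifdef` itself is the right call: `SSL_OP_NO_COMPRESSION` only exists from OpenSSL 1.0.0 on, and a vanilla 3.2.6 tree built against an older OpenSSL must still compile.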
%% ----------------------------------------------------------------------
%% https://kb.bluecoat.com/index?page=content&id=KB5549
\subsubsection{Tested with Versions}
BlueCoat Proxy SG appliances can be used as forward and reverse proxies. The reverse proxy feature is rather under-developed, and while it is possible and supported, there seems to be only limited use of it ``in the wild''. Nonetheless there are a few cipher suites to choose from when enabling SSL features.

\paragraph*{Only allow the TLS 1.0, 1.1 and 1.2 protocols:}

\begin{lstlisting}
$(config ssl)edit ssl-device-profile default
$(config device-profile default)protocol tlsv1 tlsv1.1 tlsv1.2
\end{lstlisting}
\paragraph*{Select the cipher suites you accept:}

\begin{lstlisting}
Enter configuration commands, one per line. End with CTRL-Z.
$(config)proxy-services
$(config proxy-services)edit ReverseProxyHighCipher
$(config ReverseProxyHighCipher)attribute cipher-suite
Cipher# Use Description             Strength
------- --- ----------------------- --------
1       yes AES128-SHA256           High
2       yes AES256-SHA256           High
3       yes AES128-SHA              Medium
5       yes DHE-RSA-AES128-SHA      High
6       yes DHE-RSA-AES256-SHA      High
13      yes EXP-RC2-CBC-MD5         Export
Select cipher numbers to use, separated by commas: 2,5,6
\end{lstlisting}

Export-strength entries such as number 13 (EXP-RC2-CBC-MD5) must stay unselected.
The same protocol restrictions are available for the forward proxy settings and should be applied accordingly. In your local policy file add the following section:

\begin{lstlisting}
DENY server.connection.negotiated_ssl_version=(SSLV2, SSLV3)
\end{lstlisting}

Disabling protocols and ciphers in a forward proxy environment can lead to unexpected results with certain (misconfigured) web servers, i.e. ones that only accept SSLv2/SSLv3 connections: clients will no longer be able to reach them through the proxy.
%% ----------------------------------------------------------------------
% See http://www.apsis.ch/pound
% See https://help.ubuntu.com/community/Pound
\subsubsection{Tested with Versions}
\subsubsection{Settings}
\configfile{pound.cfg}{31}{HTTPS Listener in Pound}