Standard solutions for organizing Internet access for small organizations. Review of options for organizing access to corporate network services from the Internet


Remote Internet access control (parental control)

This guide describes how to set up computers running Windows XP, Windows 7 or Linux (Ubuntu) for remote control of access to Internet sites.

The guide does not describe working with the Rejector service itself in detail (the service is discussed below); it only shows how to configure a computer so that the service's capabilities can be used in full.

All tools used are free or open source software.

Introduction

The Internet is an excellent tool for studying, relaxing and communicating with friends. But besides useful information, the network also contains material that is undesirable for a child. In addition, many hours of surfing can distract from other important things such as homework, sport, sleep or socializing with peers. So a child's online activity needs to be supervised.

There are many ways to do this, but they are not always effective. Persuasion and educational conversations work only briefly, because the Internet can absorb a child so completely that all the persuasion is forgotten. Outright bans, on the other hand, can hinder the development of useful skills for searching and learning online.

In such cases special programs for restricting and controlling network access help: with them you can shield your child from the negative side of the Internet while still leaving freedom of action. One such tool is the Rejector Internet access control system.

Rejector is a centralized service for controlling access to the Internet, intended to protect children and teenagers from dangerous information. Essentially, Rejector is a DNS server whose filtering policy is controlled remotely.

How does it work?

    You register, add your IP address and configure the access parameters. The service can be used without registration, but then not all of its features are available.

    Your computers are configured so that all DNS queries are sent to the Rejector DNS servers 95.154.128.32 and 176.9.118.232.

    Each query is checked against your settings (blocked categories or sites, allowed or blocked sites, bookmark lists, lists of fraudulent sites), and if it is blocked, the query is answered with the address of the blocking page.

    You can customize this page as you wish.

    Allowed queries that pass the check go into the shared query cache for fast delivery to all clients.

A more detailed description of Rejector can be found on the official website rejector.ru.

Instructions for setting up the system

1. Create a user with normal rights

Typically, when an operating system is installed, a user with administrator rights is created. Such a user can perform every action the operating system allows, up to deleting the system itself.

So that the user whose access we are going to control cannot undo our further steps, we create an account with limited rights for that user and protect the administrator account with a password.

In Windows this is done through the Control Panel; in Linux, a user is created through System Settings. This step matters more than it looks: DNS-based filtering is only as strong as the restriction on changing it, so the controlled account must not be able to edit the network (DNS) settings, the hosts file or the startup items described below, otherwise Rejector can be bypassed entirely.

2. Set up a network connection

Rejector is essentially a DNS server. To use it, the network connection must first be configured so that DNS queries are sent to the Rejector DNS servers 95.154.128.32 and 176.9.118.232.

This is done differently on Windows and Linux.

Windows XP

Windows Vista

Detailed instructions are located at

Windows 7

Detailed instructions are located at

On most Linux distributions the network is configured with the NetworkManager program. To change the DNS server, do the following:

    Right-click the connection indicator and choose Edit Connections from the context menu.

    If you obtain your address from a DHCP server when connecting to the Internet, set the Method in the IPv4 Settings tab to Automatic (DHCP) addresses only. This keeps the address from DHCP but ignores the DNS servers the provider's DHCP offers, so that only the Rejector servers are used.

    In the DNS Servers field enter the two addresses separated by a comma: 95.154.128.32, 176.9.118.232

    Mark the connection Available to all users and Connect automatically.

3. Register on the Rejector website

Strictly speaking, we could have started here. But now that one of the harder parts is behind us, this step is easy: follow the link and fill out the short registration form.

4. Add a managed network

After registering, we can create as many networks (or, what amounts to the same thing, clients) as we need to manage. Networks (clients) are identified on the service by their IP address, so to control a computer's Internet access you need to know its IP address. For now, simply create a network in the Control Panel on the Rejector website.

Fill out the Add Network form. Network name: here you can enter your child's name if the child has a computer of their own that you want to control. Status: you most likely have a dynamic IP address (few providers give their customers a static address for free), so select that option. Network ID: the name from the first field, written in Latin letters.

5. Sending IP address

For the service to work it must constantly "know" the client's IP address, which with a dynamic IP address can change from one connection to the next. This is the main problem this guide solves.

The service developers offer the Rejector Agent program, which sends the client's IP address to the server, but this program cannot run unattended. So we use the other mechanism the service provides: updating the address with an HTTP request (described at the link).

To update the client information with an HTTP request in the background we need the curl program, which can send HTTP requests from the command line. We will pass the parameters to it from a script: a batch (.bat) file on Windows and an sh script on Linux.

curl is freely available and has a Windows version, so we use it in both environments. The latest Windows build can be downloaded from the link. To install, unpack the archive into the C:\WINDOWS\SYSTEM32 folder (this makes it easier to launch; any other folder on the PATH works just as well and keeps third-party binaries out of the system folder). On Linux it is most likely already installed.

6. Script for regularly updating the IP address

The site provides an HTTP request of the form http://username:password@updates.rejector.ru/nic/update?hostname=net-name
which updates the IP address value (the same request the scripts below use). We pass it to curl as a parameter.

The address update request must be sent from the computer we want to control. Because the command interpreter treats some characters specially, the request text had to be changed slightly. The script text for Windows and Linux is given below.

For Windows

:loop
curl "http://login%%40mail-server.com:password@updates.rejector.ru/nic/update?hostname=net-name"
REM Wait about 300 seconds (ping sends one request per second; on Windows 7 "timeout /t 300 /nobreak" also works)
ping -n 300 127.0.0.1 > NUL
goto loop

Here login%%40mail-server.com is the mailbox you registered with on Rejector: the @ sign is written as %%40, because a single % has a special meaning in batch files and %40 on its own would be read as the fourth script argument followed by 0; password is the password; net-name is the name of the network you created on the Rejector service. Put the script text in a plain text file, change its extension to .bat and you have an executable script.

For Linux

#!/bin/sh
# Send the update every 300 seconds; -u passes the login and password, so the @ sign needs no escaping
while true; do
    curl -u login@mail-server.com:password "http://updates.rejector.ru/nic/update?hostname=net-name"
    sleep 300
done

Everything here is the same as in the Windows version. Save this text to a file with the .sh extension and make it executable (chmod +x).

Both scripts contain the Rejector account password in clear text, so their contents must be hidden from the ordinary user. Note also that the request itself is sent over plain HTTP, so the login and password travel over the network unencrypted. Hiding the scripts is done differently on Linux and Windows.

To prohibit viewing and editing of the script we created, change the owner and group of the file to root and deny everyone except the owner access to it. On the command line, cd to the directory with the script file and run chown root:root script.sh and chmod 700 script.sh. To do the same in a graphical shell, start the file manager with administrator rights, find the script file and change its permissions from the context menu.

Without going into how to achieve file permissions similar to Linux on Windows, I applied the following solution: convert the batch file into an EXE file to hide its contents, using the free program Bat To Exe Converter (a Russified version is available at the link, or on the program's official website). The program needs no explanation: the input is our bat file, the output is an exe file. Keep in mind that this only obscures the password rather than protecting it: the batch text is embedded in the exe and can be recovered by anyone able to read the file, so the exe should additionally be made unreadable to the limited user with NTFS permissions.

7. Set it to start automatically

The last step remains: make the program start automatically with the system. This is done differently on Linux and Windows.

Log in as Administrator and move the executable file.exe into the Program Files folder. In the user's profile, find the Start Menu folder, in it Programs, then Startup, and place a shortcut to the program there (right-drag the program into the folder and choose Create shortcuts here). Done. Bear in mind that a user can delete a shortcut from their own Startup folder; a shortcut in the Startup folder of All Users, or a scheduled task that runs as Administrator, is harder to remove from a limited account.

Place the executable file in the /usr/bin folder. Edit the system's local startup file /etc/rc.local and add the following line before exit 0 (the trailing & is required: the script never terminates, and without it rc.local would wait on it forever instead of finishing the startup sequence):

/usr/bin/script.sh &

where script.sh is the name of our file.
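As an added example (not the guide's own script), the following is a hardened version of the Linux update loop from step 6 together with the checks that steps 2 and 7 rely on: the Rejector password is read by curl from a root-only netrc file instead of appearing on the command line (where ps shows it to every user), and the script refuses to run if that file is readable by others and warns if the resolver configuration still lists a non-Rejector DNS server. The netrc path /etc/rejector/netrc, the variable names and the sample resolv.conf text are assumptions made for this example; only the HTTP status code of the reply is checked, because the guide does not document the reply format.

```sh
#!/bin/sh
# Added example, not the guide's own script: a hardened Rejector IP-update loop.
# Assumptions (not from the guide): credentials live in a root-only netrc file
# at $NETRC_FILE, the network name is in $NET_NAME, and only the HTTP status of
# the reply is checked.

REJECTOR_DNS="95.154.128.32 176.9.118.232"
UPDATE_URL="http://updates.rejector.ru/nic/update"
NETRC_FILE=/etc/rejector/netrc   # assumed path; contents (one line):
                                 # machine updates.rejector.ru login login@mail-server.com password ...
NET_NAME=net-name                # the network name from the Rejector control panel
INTERVAL=300                     # seconds between updates, as in the guide

# Constructed sample resolver configuration (what /etc/resolv.conf should look like).
SAMPLE_RESOLV_CONF='nameserver 95.154.128.32
nameserver 176.9.118.232'

# The password file must exist and be readable by its owner only (mode 0600),
# otherwise the limited user can read the Rejector password.
# netrc_perms_ok FILE -> 0 if acceptable, 1 otherwise
netrc_perms_ok() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")   # GNU stat, BSD fallback
    [ "$mode" = "600" ]
}

# Filtering only works if every resolver is a Rejector server: a foreign
# nameserver (for example one pushed by the provider's DHCP) lets queries
# bypass the filter.
# dns_config_ok RESOLV_CONF_TEXT -> 0 if both Rejector servers and nothing else are listed
dns_config_ok() {
    servers=$(printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2 }')
    for want in $REJECTOR_DNS; do
        printf '%s\n' "$servers" | grep -qx "$want" || return 1
    done
    for got in $servers; do
        case " $REJECTOR_DNS " in
            *" $got "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# One update request. The login and password come from the netrc file, so they
# never appear on the command line.
send_update() {
    code=$(curl -sS -o /dev/null -w '%{http_code}' --netrc-file "$NETRC_FILE" \
               "$UPDATE_URL?hostname=$NET_NAME") || { echo "curl failed" >&2; return 1; }
    [ "$code" = "200" ] && return 0
    echo "update rejected: HTTP $code" >&2
    return 1
}

main() {
    netrc_perms_ok "$NETRC_FILE" || { echo "refusing to run: $NETRC_FILE must exist with mode 0600" >&2; exit 1; }
    dns_config_ok "$(cat /etc/resolv.conf)" || echo "warning: /etc/resolv.conf does not point only at Rejector" >&2
    while :; do
        send_update || true
        sleep "$INTERVAL"
    done
}

# Start the loop only when invoked as "script.sh run", so the functions can be
# sourced and tested without sending anything.
if [ "${1:-}" = run ]; then main; fi
```

Install it with the same ownership and mode as in step 6 (chown root:root, chmod 700), start it from rc.local as /usr/bin/script.sh run &, and create the netrc file with chmod 600 so that only root can read the password.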

This completes the system setup. You can now go to the Rejector service and configure the network's operating mode.

Besides traffic accounting, ICS makes it possible to limit Internet access and gives full control over data transfer speed. It is one of the most effective suites for managing corporate users' access to the Internet.

Full control for efficient use of the corporate network

Restricting Internet use is one of the pressing tasks in building and maintaining a corporate network. It is no secret that office employees often use Internet access for things other than their work. As a result productivity drops noticeably, and with it business efficiency.

ICS has broad capabilities: it can restrict access and set limits on Internet traffic by IP address or by selected URLs. All restrictions can be applied to different categories and groups of users. This ensures efficient use of the corporate network, which improves productivity and reduces the cost of the provider's services.

Internet speed on the company network is easily controlled through the proxy server and firewall. This gives confidence that employees use the Web only for work tasks; as a result office efficiency rises and profits grow.

Controlling Internet use with ICS

ICS provides convenient control of users' Internet access on a corporate network, which can be implemented in several ways. Internet traffic can be limited with flexible settings. The following functions are offered:

  • when a block is triggered, a specific message is shown or the user is redirected to a specific site;
  • Internet access can be restricted by time;
  • traffic and visited resources are controlled with content filtering: access to resources of a given category is blocked.

In addition, the program supports several authorization methods. Access to the Internet can thus be restricted and controlled using:

  • a login and individual password;
  • the personal account the user logged in with (Active Directory);
  • authorization by a specific IP address;
  • a special agent program.

User management capabilities

Users of the enterprise LAN can be combined into groups by any criterion, for example organizational structure or job responsibilities. This greatly increases the efficiency of access control on the local network. Each group can be assigned its own administrator. Internet usage control can include blocking or restricting access separately for any of the groups, with detailed rules.

Internet access can also be provided to other businesses with certain restrictions. A separate group is created for each such enterprise and its password handed to that enterprise's administrator; this can be called handing over a virtual ICS to a third party.


Working with remote offices

With ICS you get a ready-made VPN server, which connects the company's remote offices through an encrypted tunnel, with the ability to control the Internet speed for each of them. The connection works as if the remote offices were physically connected to the company's common corporate network.


Buying an ICS

You can buy ICS using the order form on our website.

Our company actively provides technical support to clients on all questions about using the program. By purchasing the additional Update License (Premium) you hand all worries about installing, configuring and maintaining ICS to our specialists, an ideal option for those who want to buy it and forget about it while getting the most out of ICS. For any advice, contact the sales department.



(Illustration: Kivshenko Alexey, 1880)

This article gives an overview of five options for solving the problem of providing access to corporate network services from the Internet. Each option is analysed for security and feasibility, which will help both novice and more experienced specialists understand the essence of the question and refresh and systematize their knowledge. The material can be used to justify design decisions.

For the options below, take as an example a network in which you want to publish:

  1. Corporate mail server (Web-mail).
  2. Enterprise terminal server (RDP).
  3. Extranet service for counterparties (Web-API).

Option 1: Flat network

In this option all nodes of the corporate network sit in one network shared by everyone ("Internal Network"), within which communication between them is not restricted. The network is connected to the Internet through an edge router/firewall (hereafter IFW).

Hosts reach the Internet through NAT, and services are reached from the Internet through port forwarding.

Advantages of the option:

  1. Minimal functionality requirements for the IFW (almost any router will do, even a home one).
  2. Minimal knowledge requirements for the specialist implementing it.
Disadvantages of the option:
  1. Minimal level of security. If the Intruder compromises one of the servers published on the Internet, every other node and communication channel of the corporate network becomes available for further attacks.
Analogy to real life
Such a network can be compared to a company where staff and clients sit in one shared room (open space).



Option 2. DMZ

To eliminate the disadvantage above, network nodes reachable from the Internet are placed in a dedicated segment, the demilitarized zone (DMZ). The DMZ is built with firewalls separating it from the Internet (IFW) and from the internal network (DFW).


In this case, the firewall filtering rules look like this:
  1. From the internal network you can initiate connections to the DMZ and to the WAN (Wide Area Network).
  2. From the DMZ you can initiate connections to the WAN.
  3. From the WAN you can initiate connections to the DMZ.
  4. Initiating connections from the WAN and DMZ to the internal network is prohibited.


Advantages of the option:
  1. Better protection of the network when individual services are hacked. Even if one of the servers is compromised, the Intruder cannot reach resources on the internal network (network printers, video surveillance systems and so on) through the firewall.
Disadvantages of the option:
  1. Moving servers to the DMZ in itself does not increase their security.
  2. An additional firewall is required to separate the DMZ from the internal network.
Analogy to real life
This network architecture resembles the division of a company's premises into a work area and a client area, where clients may only be in the client area while staff may be in both. The DMZ is the analogue of the client area.



Option 3. Dividing services into Front-End and Back-End

As noted above, placing a server in the DMZ does nothing to improve the security of the service itself. One way to improve the situation is to split the service's functionality into two parts, Front-End and Back-End, each on its own server, with network communication between them. Front-End servers, which implement interaction with clients on the Internet, are placed in the DMZ; Back-End servers, which implement the rest of the functionality, stay on the internal network. For their interaction, rules are created on the DFW allowing connections to be initiated from Front-End to Back-End.

As an example, consider a corporate mail service serving clients both inside the network and on the Internet. Internal clients use POP3/SMTP, while Internet clients work through the web interface. At implementation time companies usually choose the simplest deployment and put all components on one server. Later, as information security requirements appear, the service is split: the part serving Internet clients (Front-End) moves to a separate server that talks over the network to the server implementing the remaining functionality (Back-End). The Front-End goes into the DMZ, the Back-End stays in the internal segment, and a DFW rule allows connections to be initiated from Front-End to Back-End.

Advantages of the option:

  1. In general, attacks against the protected service may "stumble" on the Front-End, which neutralizes or substantially reduces the damage. For example, a TCP SYN flood or slow HTTP read attack against the service may make the Front-End server unavailable while the Back-End keeps working and serving users.
  2. In general the Back-End server need not have Internet access at all, which, if it is compromised (for example by malicious code running locally), makes remote control of it from the Internet difficult.
  3. The Front-End is a natural place for an application-level firewall (for example a web application firewall) or an intrusion prevention system (IPS, for example Snort).
Disadvantages of the option:
  1. The DFW rule allowing Front-End to initiate connections to Back-End allows connections to be initiated from the DMZ into the internal network, which creates the threat that this rule will be used from other nodes in the DMZ (for example through IP spoofing, ARP poisoning and similar attacks).
  2. Not every service can be split into Front-End and Back-End.
  3. The company must implement a business process for updating firewall rules.
  4. The company must implement protection against attacks by an Intruder who has gained access to a server in the DMZ.
Notes
  1. In real life, even without splitting into Front-End and Back-End, servers in the DMZ very often need to reach servers on the internal network, so the disadvantages listed also apply to the previous option.
  2. For applications accessed through a web interface, even when the server does not support splitting into Front-End and Back-End, putting an HTTP reverse proxy (for example nginx) in front of it as the Front-End minimizes the risks from denial-of-service attacks: a SYN flood may make the reverse proxy unavailable while the Back-End keeps working.
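As an added example (not from the article), the four DMZ filtering rules of Option 2 and the single Front-End to Back-End rule that Option 3 adds, written twice: as a zone policy that can be checked, and as iptables commands for a Linux host that plays both IFW and DFW (in a real deployment these are two devices). The interface names, the addresses from the documentation ranges and the Back-End port are assumptions made for the illustration; the anti-spoofing rule at the firewall is there to show why the article's first disadvantage remains: it stops a WAN host from pretending to be the Front-End, but not another DMZ host on the same segment.

```sh
#!/bin/sh
# Added example, not from the article: DMZ zone policy (Option 2) plus the
# pinned Front-End -> Back-End exception (Option 3). Interfaces, addresses and
# the port are assumptions.

IF_WAN=eth0             # Internet
IF_DMZ=eth1             # DMZ, 192.0.2.0/24
IF_INT=eth2             # internal network, 10.0.0.0/24
DMZ_NET=192.0.2.0/24
FRONTEND=192.0.2.10     # web-mail Front-End (in the DMZ)
BACKEND=10.0.0.20       # mail Back-End (internal network)
BACKEND_PORT=143        # port the Front-End uses to reach the Back-End (assumed)

# Option 2: which zone may *initiate* connections to which. Replies to
# established connections are handled by conntrack, not by this matrix.
# may_initiate SRC_ZONE DST_ZONE -> 0 allow, 1 deny
may_initiate() {
    case "$1:$2" in
        internal:dmz|internal:wan) return 0 ;;   # rule 1
        dmz:wan)                   return 0 ;;   # rule 2
        wan:dmz)                   return 0 ;;   # rule 3
        *)                         return 1 ;;   # rule 4: nothing into the internal network
    esac
}

# Option 3: the same matrix plus one pinned exception. It is deliberately
# narrow (exact source, destination and port) and, in the iptables form below,
# tied to the DMZ ingress interface; as the article notes, it is still usable
# by any other DMZ host that can spoof the Front-End's IP or MAC address.
# may_initiate_fe SRC_ZONE DST_ZONE SRC_IP DST_IP DST_PORT -> 0 allow, 1 deny
may_initiate_fe() {
    if [ "$1" = dmz ] && [ "$2" = internal ] && [ "$3" = "$FRONTEND" ] \
       && [ "$4" = "$BACKEND" ] && [ "$5" = "$BACKEND_PORT" ]; then
        return 0
    fi
    may_initiate "$1" "$2"
}

# The same policy as iptables FORWARD-chain commands (printed, not executed).
print_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# packets entering from the DMZ must carry a DMZ address (anti-spoofing at the firewall)
iptables -A FORWARD -i $IF_DMZ ! -s $DMZ_NET -j DROP
# rule 1: internal -> DMZ, internal -> WAN
iptables -A FORWARD -i $IF_INT -o $IF_DMZ -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i $IF_INT -o $IF_WAN -m conntrack --ctstate NEW -j ACCEPT
# rule 2: DMZ -> WAN
iptables -A FORWARD -i $IF_DMZ -o $IF_WAN -m conntrack --ctstate NEW -j ACCEPT
# rule 3: WAN -> DMZ, only the published service (after DNAT on the IFW)
iptables -A FORWARD -i $IF_WAN -o $IF_DMZ -d $FRONTEND -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# Option 3 exception: Front-End -> Back-End only
iptables -A FORWARD -i $IF_DMZ -o $IF_INT -s $FRONTEND -d $BACKEND -p tcp --dport $BACKEND_PORT -m conntrack --ctstate NEW -j ACCEPT
# rule 4: everything else, in particular WAN/DMZ -> internal, falls through to the DROP policy
EOF
}
```

Running print_rules | sh as root applies the policy; keeping the matrix function next to the rule text makes it easy to review a proposed rule change against the intended zone policy before it reaches the firewall, which is the "business process for updating firewall rules" the article asks for.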
Analogy to real life
This option resembles giving heavily loaded employees assistants (secretaries). The Back-End is the busy employee and the Front-End the secretary.



Option 4: Secure DMZ

The DMZ is the part of the network reachable from the Internet and is therefore at the highest risk of host compromise. The design of the DMZ and the approaches used in it should give maximum survivability when the Intruder has taken control of one of the DMZ nodes. As possible attacks, consider those to which almost any information system running with default settings is susceptible:

Protection against DHCP attacks

Although DHCP is meant to automate IP address configuration for workstations, some companies issue server addresses through DHCP as well, which is bad practice. To protect against a rogue DHCP server and DHCP starvation, it is recommended to disable DHCP in the DMZ entirely.

Protection against MAC flood attacks

To protect against MAC flooding, switch ports are configured to limit the rate of broadcast traffic (these attacks usually generate broadcast traffic). Attacks using specific (unicast) addresses are blocked by the MAC filtering listed among the measures below.

Protection against UDP flood attacks

Protection against this type of attack is done in the same way as against MAC flooding, except that filtering is done at the IP level (L3).

Protection against TCP SYN flood attacks

To protect against this attack, the following options are possible:
  1. Protection on the network node itself with TCP SYN cookies.
  2. Protection at the firewall (given that the DMZ is split into subnets) by rate-limiting traffic containing TCP SYN segments.

Protection against attacks on network services and web applications

There is no universal solution to this problem, but established practice is to implement a software vulnerability management process (identification, patching and so on) and to use intrusion detection and prevention systems (IDS/IPS).

Protection against authentication bypass attacks

As in the previous case, there is no universal solution.
Usually, after a large number of failed authentication attempts the account is locked to prevent guessing of credentials (for example a password). This approach is rather controversial, for two reasons.
First, the Intruder can guess at a rate that does not trigger the lock (there are cases where a password was guessed over several months with tens of minutes between attempts).
Second, the feature itself can be used for denial of service: the attacker deliberately makes many failed attempts in order to lock accounts.
The most effective defence against this class of attacks is an IDS/IPS that, on detecting password guessing, blocks not the account but the source of the guessing (for example the Intruder's IP address).
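As an added example (not from the article), the detection logic behind "block the source, not the account": it scans authentication log lines, counts failures per source address inside a sliding time window, and emits a firewall rule against the source, leaving the account usable. A second detector shows the low-and-slow case the paragraph describes, which neither account lockout nor per-window counting sees: many failures against one account from one source with no success, however far apart. The one-line log format (epoch time, source address, result, user) and the sample lines are constructed for the example; the thresholds are illustrative.

```sh
#!/bin/sh
# Added example, not from the article: per-source password-guessing detection.
# Log format and sample lines are constructed; thresholds are illustrative.

THRESHOLD=5      # failures from one source ...
WINDOW=600       # ... within this many seconds -> fast guessing
MIN_SLOW=3       # failures against one account from one source with no success -> slow guessing

# Constructed sample log: "<epoch> <source ip> <FAIL|OK> <user>".
# 198.51.100.7 guesses fast; 203.0.113.9 is a user who mistyped once;
# 192.0.2.50 guesses one account slowly, about an hour between attempts.
SAMPLE_LOG='1700000000 198.51.100.7 FAIL alice
1700000030 198.51.100.7 FAIL bob
1700000060 198.51.100.7 FAIL carol
1700000090 198.51.100.7 FAIL dave
1700000120 198.51.100.7 FAIL eve
1700000150 198.51.100.7 FAIL frank
1700000010 203.0.113.9 FAIL alice
1700000200 203.0.113.9 OK alice
1700000000 192.0.2.50 FAIL alice
1700003700 192.0.2.50 FAIL alice
1700007400 192.0.2.50 FAIL alice'

# Fast guessing: sources with >= THRESHOLD failures inside any WINDOW seconds.
# offending_sources LOG_TEXT -> one source address per line, each printed once
offending_sources() {
    printf '%s\n' "$1" | sort -n | awk -v thr="$THRESHOLD" -v win="$WINDOW" '
        $3 == "FAIL" {
            ip = $2; n[ip]++; t[ip, n[ip]] = $1
            # slide the window: forget failures older than WINDOW seconds
            while (head[ip] < n[ip] && t[ip, head[ip] + 1] < $1 - win) head[ip]++
            if (n[ip] - head[ip] >= thr && !(ip in flagged)) { flagged[ip] = 1; print ip }
        }'
}

# Slow guessing: >= MIN_SLOW failures against one account from one source and
# never a successful login from that source, regardless of spacing.
# slow_guessers LOG_TEXT -> "<source ip> <user>" per line (order unspecified)
slow_guessers() {
    printf '%s\n' "$1" | awk -v min="$MIN_SLOW" '
        $3 == "FAIL" { f[$2, $4]++ }
        $3 == "OK"   { ok[$2] = 1 }
        END {
            for (k in f) {
                split(k, p, SUBSEP)
                if (f[k] >= min && !(p[1] in ok)) print p[1], p[2]
            }
        }'
}

# The response: a rule against the source address; the account stays usable.
# block_rule SOURCE_IP -> the iptables command (printed, not executed)
block_rule() {
    printf 'iptables -I INPUT -s %s -j DROP\n' "$1"
}

# Stand-alone run over the sample: print the rules that would be applied.
offending_sources "$SAMPLE_LOG" | while read -r ip; do block_rule "$ip"; done
slow_guessers "$SAMPLE_LOG" | while read -r ip user; do block_rule "$ip"; done
```

Feeding real logs in means converting their timestamps to epoch seconds first; the point of the two detectors is that the block lands on the address that is guessing, so an attacker cannot use the mechanism to lock out legitimate users.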

The final list of protective measures for this option:

  1. The DMZ is divided into IP subnets, one per node.
  2. IP addresses are assigned manually by administrators; DHCP is not used.
  3. On the network interfaces to which DMZ nodes connect, MAC and IP filtering and rate limits on broadcast traffic and on traffic containing TCP SYN segments are enabled.
  4. Automatic negotiation of port type (trunk/access) is disabled on the switches and use of the native VLAN is prohibited.
  5. TCP SYN cookies are enabled on DMZ nodes and on the internal-network servers to which these nodes connect.
  6. Software vulnerability management is implemented for DMZ nodes (and preferably for the rest of the network).
  7. Intrusion detection and prevention systems (IDS/IPS) are deployed in the DMZ segment.
Advantages of the option:
  1. High degree of security.
Disadvantages of the option:
  1. Increased requirements for the functionality of the equipment.
  2. Labour costs for implementation and support.
Analogy to real life
If earlier we compared the DMZ to a client area with sofas and ottomans, a secure DMZ is more like an armoured cashier's booth.



Option 5. Back connect

The protective measures in the previous option assumed that the network contains a device (switch/router/firewall) able to implement them. In practice, for example in a virtual infrastructure (virtual switches are often very limited), there may be no such device.

Under these conditions many of the attacks discussed earlier become available to the Intruder; the most dangerous are:

  • attacks that intercept and modify traffic (ARP poisoning, CAM table overflow plus TCP session hijacking, and so on);
  • exploitation of vulnerabilities in internal-network servers to which connections may be initiated from the DMZ (which is possible by bypassing the DFW filtering rules through IP and MAC spoofing).
Another important point not considered so far, but no less important, is that users' workstations can also be a source of harmful actions against servers (for example when infected with viruses or Trojans).

So we face the task of protecting internal-network servers from an Intruder acting both from the DMZ and from the internal network (a workstation infected with a Trojan can be treated as the Intruder acting from the internal network).

The approach proposed below aims to reduce the number of channels through which the Intruder can attack a server, and there are at least two such channels: the DFW rule allowing access to the internal server from the DMZ (even if limited by IP address), and the open network port on the server on which it expects connection requests.

Both channels can be closed if the internal-network server itself builds the connection to the server in the DMZ, using cryptographically protected network protocols. Then there is neither an open port nor a rule on the DFW.

The problem is that ordinary server services cannot work this way, so to implement the approach one uses network tunnelling, for example over SSH or VPN, and inside the tunnel allows connections from the DMZ server to the internal-network server.

The general scheme of this option:

  1. An SSH/VPN server is installed on the DMZ server and an SSH/VPN client on the internal-network server.
  2. The internal-network server initiates the tunnel to the DMZ server; the tunnel is built with mutual authentication of client and server.
  3. The DMZ server, inside the tunnel, initiates a connection to the internal-network server, over which the protected data is transmitted.
  4. A local firewall on the internal-network server filters the traffic passing through the tunnel.

Practical use of this option has shown that OpenVPN is convenient for building the tunnels, because it has the following important properties:

  • Cross-platform: servers with different operating systems can be connected.
  • Tunnels with mutual authentication of client and server.
  • The possibility of using certified cryptography.
At first glance the scheme may seem unnecessarily complicated: since a local firewall has to be installed on the internal server anyway, it would be easier to let the DMZ server connect to the internal server as usual, just over an encrypted connection. That option does solve many problems, but not the main one: protection against attacks on the internal server's vulnerabilities carried out by bypassing the firewall with IP and MAC spoofing.
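As an added example (not the article's own code), the internal-network server's side of the back-connect scheme built with SSH, the other tunnel the article names (it recommends OpenVPN in practice). The internal server initiates the tunnel with a dedicated key and a pinned host key (mutual authentication, step 2); the reverse forward lets the Front-End on the DMZ server reach the Back-End through the tunnel (step 3); the Back-End listens on loopback only and the local firewall admits port 443 from loopback alone (step 4), so there is no network-facing port for a spoofed packet to hit. The host name frontend.dmz.example, the account backconnect, the key paths and the ports are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example, not the article's own code: internal server side of a
# back-connect tunnel over SSH. Names, paths, account and ports are assumptions.
#
#   internal server (this host)                    DMZ server
#   Back-End on 127.0.0.1:443  <== ssh -R ==  sshd; Front-End connects to 127.0.0.1:8443
#
# Nothing here listens on a network-facing port; the only connection crossing
# the DFW is the one this host initiates.

DMZ_HOST=frontend.dmz.example              # assumed name of the DMZ server
TUNNEL_USER=backconnect                    # dedicated, restricted account on the DMZ server
KEY=/etc/backconnect/id_ed25519            # this host's key: the client half of mutual authentication
KNOWN_HOSTS=/etc/backconnect/known_hosts   # pinned DMZ host key: the server half
LISTEN_ON_DMZ=127.0.0.1:8443               # where the Front-End finds the Back-End (loopback on the DMZ host)
BACKEND_LOCAL=127.0.0.1:443                # where the Back-End really listens (loopback on this host)

# authorized_keys entry to install for $TUNNEL_USER on the DMZ server.
# "restrict" removes shell, pty, agent/X11 forwarding and local forwards;
# permitlisten pins the one reverse forward this key may open, so a compromised
# DMZ host cannot repoint the tunnel at another internal port.
# authorized_keys_line PUBKEY_TEXT -> the line to install
authorized_keys_line() {
    printf 'restrict,permitlisten="%s" %s\n' "$LISTEN_ON_DMZ" "$1"
}

# ssh arguments, one per line (none contains whitespace). -N: no command;
# -R: reverse forward; StrictHostKeyChecking with a pinned known_hosts file
# refuses an impostor DMZ server instead of connecting to it;
# ExitOnForwardFailure makes the loop below retry if the listener was not opened.
tunnel_args() {
    printf '%s\n' -N -i "$KEY" -o IdentitiesOnly=yes -o "UserKnownHostsFile=$KNOWN_HOSTS" \
        -o StrictHostKeyChecking=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
        -o ExitOnForwardFailure=yes -R "$LISTEN_ON_DMZ:$BACKEND_LOCAL" "$TUNNEL_USER@$DMZ_HOST"
}

# Step 4, the local firewall on this host: the Back-End port is reachable over
# loopback (where tunnelled connections arrive) and from nowhere else.
local_firewall_rules() {
    cat <<EOF
iptables -A INPUT -i lo -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
EOF
}

# Keep the tunnel up: ssh exits when the connection drops, so reconnect.
run_tunnel() {
    while :; do
        # shellcheck disable=SC2046  (arguments contain no whitespace, so splitting is safe)
        ssh $(tunnel_args) || echo "tunnel exited, reconnecting" >&2
        sleep 10
    done
}

if [ "${1:-}" = run ]; then run_tunnel; fi
```

The one channel that remains is the tunnel itself: a compromised DMZ host can still talk to the Back-End on port 443 through it, which is exactly the single, deliberately chosen attack surface the option leaves. Everything else on the internal server is unreachable from the DMZ whatever addresses the Intruder spoofs.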

Advantages of the option:

  1. Architectural reduction of the number of attack vectors on the protected internal-network server.
  2. Security even in the absence of network traffic filtering.
  3. Protection of the data transmitted over the network from unauthorized viewing and modification.
  4. The ability to raise the security level of services selectively.
  5. The ability to build a two-tier protection system, where the first tier is the firewall and the second is this option.
Disadvantages of the option:
  1. Implementing and maintaining this option requires additional labour.
  2. Incompatible with network intrusion detection and prevention systems (IDS/IPS), since the traffic inside the tunnel is encrypted.
  3. Additional computing load on the servers.
Analogy to real life
The main idea of this option is that the trusted party initiates the connection to the untrusted one, much as a bank, when issuing a loan, itself calls the prospective borrower back to verify the data.

    The school portal supports Internet access management.

    Management is carried out through integration with the Squid proxy server.

    To change access rights, go to the menu: Service → Internet access....

    This action is available only to representatives of the school administration.

    To give access to the Internet, just check the box next to the user name (student, teacher), or the whole class. To revoke access, you need to uncheck the box. Changes are applied after clicking the "Save" button.

    In order for a machine on the local network to access the Internet, guided by the permission configured in the Portal, you need to configure it to use a proxy server.

    The proxy server address is the address of your school server on the local network where the School Portal is installed. Proxy port - 3128 .

    When a user accesses the Internet through a proxy server, a login and password will be required from School portal.

    To reliably prevent Internet access bypassing the proxy server, it is worth checking that the school server does not provide Internet routing to the machines of interest, and also that the machines do not have access through a switch, modem, router, Wi-Fi and other equipment educational institution, to which staff and students have online access.

    Content filtering systems (SCF)

    Operation without an SCF and integration with several SCF providers are both supported.

    The SCF setting is located in the left column of the Internet access management page.

    Some SCFs require registration to manage the lists of prohibited resources (for example social networks, obscene material, essay banks, etc.). Such settings are changed in the web interface on the SCF's own website, not in the Portal. User support on filtering quality is provided by the organization operating the SCF. The Portal only lets you enable or disable the sending of requests from the school proxy server to the SCF's DNS servers, and nothing more.

    Like Internet access itself, the SCF applies only to machines that are configured to go strictly through the school proxy server.

    Important! After switching the SCF on, verify that it behaves as you expect, because the Portal cannot check this for you automatically. The terms and conditions under which an SCF is provided may be changed by its maker at any time, so it is worth subscribing to news from the service you use.

    What to do if the Portal displays the message “Function disabled” or something does not work.

    The checks and actions in this part of the article are given only for Ubuntu Server 10.04 LTS:

    All actions must be performed as the root user.

    1. Is Squid installed?

    dpkg -s squid3 | grep -i version

    If not, install it:

    apt-get install squid3

    2. Are these parameters present in the Portal configuration file?

    auth = basic
    htpasswd = /var/www/sp_htpasswd
    sp_users_allowed = /var/www/sp_users_allowed

    If not, add them and run

    pkill speedy

    3. Is Squid running? Is it listening on port 3128?

    Check:

    netstat -ntlp | grep 3128

    The response should look like this (1234 is an example; your process number will differ):

    tcp 0 0 0.0.0.0:3128 0.0.0.0:* LISTEN 1234/(squid)

    How to start Squid:

    /etc/init.d/squid3 start

    * Starting Squid HTTP Proxy 3.0 squid3

    4. Set Squid to start automatically:

    update-rc.d squid3 enable

    5. Create (if they do not exist) the service files through which the Portal manages access, and set their permissions:

    touch /var/www/sp_htpasswd /var/www/sp_users_allowed
    chown www-data:proxy /var/www/sp_htpasswd /var/www/sp_users_allowed
    chmod 660 /var/www/sp_htpasswd /var/www/sp_users_allowed

    6. The Squid configuration file as shipped is not ready for the integration; it needs to be corrected.

    First, make sure it DOES NOT already contain the portal integration (patching it more than once is not acceptable):

    grep "School Portal Internet Control" /etc/squid3/squid.conf

    If the above command prints the line, skip this step.

    If, however, the configuration file has been modified so that the line is there but the integration does not work, take the original Squid configuration file and perform this step on it.

    So, if the line is NOT there:

    6.1. Remove the rule that blocks the integration and switch the error pages to the Russian versions:

    perl -i-original -p -e 's!^http_access deny all$!#http_access deny all!; s!^# error_directory /usr/share/squid3/errors/templates$!error_directory /usr/share/squid-langpack/ru!;' /etc/squid3/squid.conf

    The single quotes matter: inside double quotes the shell would expand `$!` and break the substitutions. The `-i-original` option leaves the untouched copy as /etc/squid3/squid.conf-original, which the block below refers to.

    6.2. Append the integration fragment:

    cat >> /etc/squid3/squid.conf <<'EOF'
    # =============================
    # School Portal Internet Control
    # To disable replace /etc/squid3/squid.conf with /etc/squid3/squid.conf-original
    # =============================
    auth_param basic program /usr/lib/squid3/ncsa_auth /var/www/sp_htpasswd
    auth_param basic children 5
    auth_param basic realm Squid proxy-caching web server
    auth_param basic credentialsttl 2 hours
    auth_param basic casesensitive on
    acl sp_users_allowed proxy_auth "/var/www/sp_users_allowed"
    http_access allow sp_users_allowed
    http_access deny all
    EOF

    If this block appears more than once in squid.conf, remove the duplicates even if everything works: with duplicates, every time the admission list is updated from the Portal, Squid will fill its log with warnings about rules being redefined.

    6.3. After making changes, Squid needs to be restarted.

    /etc/init.d/squid3 restart

    7. Next, use the web interface of the School Portal to distribute Internet access. After you click the "Apply" button in the Portal web interface, the list of allowed Portal user logins in the /var/www/sp_users_allowed file should change accordingly.

    The Squid access logs (/var/log/squid3) will contain the Portal user logins. You can use any log analyzer that understands the Squid log format: the integration does not alter the default log format; the only difference is that the Portal login appears in the field that would hold a dash when there is no user authentication.

    8. Check the firewall on the school server and on the client machines. By default, on a clean Ubuntu Server the firewall allows all connections; if you have changed its configuration by any means, make sure that connections from the school's local network to port 3128 on the server, and outgoing connections from the server, are allowed.
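    The steps above are normally typed in by hand; the following shell script is an added example (it is not the School Portal's own code) that turns steps 3 and 6 into functions with the file paths passed in, so the squid.conf patch can be rehearsed on a copy before touching /etc/squid3/squid.conf. It refuses to apply the integration block a second time (the duplicate-block problem from step 6.2), comments out the stock "deny all" that would otherwise shadow the allow rule, and verifies afterwards that exactly one block is present and that the allow rule precedes the first live "deny all". The function names, the "-original" backup being created only on the first run, and the constructed sample squid.conf and netstat line used in the demo are assumptions, not from the page.

```shell
#!/bin/sh
# Added example, not the School Portal's own code: steps 3 and 6 of the
# procedure above as functions with the paths passed in, so the patch can be
# rehearsed on a copy of squid.conf before touching /etc/squid3/squid.conf.
# Assumed (not from the page): the function names, and the constructed sample
# squid.conf and netstat output used in the demo at the bottom.
set -eu

MARKER='School Portal Internet Control'

# How many times the integration block is present: 0 = not patched,
# 1 = correct, more = duplicates (Squid will warn about redefined rules).
sp_block_count() {
    count=$(grep -c "$MARKER" "$1" 2>/dev/null) || true
    echo "${count:-0}"
}

# Step 3: does "netstat -ntlp" output show something LISTENing on TCP 3128?
# Parameterised on the captured output so it can be tried on a sample line;
# on the server call it as: sp_squid_listening "$(netstat -ntlp)"
sp_squid_listening() {
    printf '%s\n' "$1" | grep -E '^tcp6? +[0-9]+ +[0-9]+ +[^ ]+:3128 +.*LISTEN' >/dev/null
}

# Step 6, done exactly once: back up to <conf>-original, comment out the stock
# "http_access deny all" (Squid applies the first matching http_access line,
# so it would shadow the allow rule), switch error pages to Russian, and append
# the integration fragment. Refuses to run on an already patched file.
sp_patch_squid_conf() {
    conf="$1"
    htpasswd="${2:-/var/www/sp_htpasswd}"
    allowed="${3:-/var/www/sp_users_allowed}"
    if [ "$(sp_block_count "$conf")" -ne 0 ]; then
        echo "refusing: $conf already contains the integration block" >&2
        return 1
    fi
    [ -e "$conf-original" ] || cp "$conf" "$conf-original"
    tmp="$conf.tmp.$$"
    sed -e 's!^http_access deny all$!#http_access deny all!' \
        -e 's!^# error_directory /usr/share/squid3/errors/templates$!error_directory /usr/share/squid-langpack/ru!' \
        "$conf" > "$tmp"
    cat >> "$tmp" <<EOF
# =============================
# $MARKER
# To disable replace $conf with $conf-original
# =============================
auth_param basic program /usr/lib/squid3/ncsa_auth $htpasswd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive on
acl sp_users_allowed proxy_auth "$allowed"
http_access allow sp_users_allowed
http_access deny all
EOF
    mv "$tmp" "$conf"
}

# Post-patch check: exactly one block, and the allow rule comes before the
# first live "deny all" (otherwise every Portal user is still denied).
sp_verify_squid_conf() {
    conf="$1"
    [ "$(sp_block_count "$conf")" -eq 1 ] || return 1
    allow_line=$(grep -n '^http_access allow sp_users_allowed$' "$conf" | head -n 1 | cut -d: -f1)
    deny_line=$(grep -n '^http_access deny all$' "$conf" | head -n 1 | cut -d: -f1)
    [ -n "$allow_line" ] && [ -n "$deny_line" ] && [ "$allow_line" -lt "$deny_line" ]
}

# Demo on a constructed excerpt of a stock squid.conf in a temporary directory.
work=$(mktemp -d)
printf '%s\n' '# error_directory /usr/share/squid3/errors/templates' \
    'http_port 3128' 'http_access allow localhost' 'http_access deny all' \
    > "$work/squid.conf"
sp_patch_squid_conf "$work/squid.conf"
sp_patch_squid_conf "$work/squid.conf" || echo "second run refused, as intended"
sp_verify_squid_conf "$work/squid.conf" && echo "ok: $(sp_block_count "$work/squid.conf") block, allow precedes deny"
rm -rf "$work"
```

    On the real server you would call `sp_patch_squid_conf /etc/squid3/squid.conf` once, then `sp_verify_squid_conf /etc/squid3/squid.conf` before `/etc/init.d/squid3 restart`; the functions only rewrite the file you name, so the demo never touches /etc.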

    The administrator allocates Internet resources to company employees by creating lists of prohibited or allowed domain names, IP addresses, etc., and can additionally set limits on time or traffic volume. When a limit is exceeded, Internet access is closed automatically.

    Attention: The administrator can always provide management with a report on the network usage of each employee.

    • A flexible system of rules for controlling Internet access:
      • limits on working hours, on the amount of sent/received traffic (traffic accounting) per day and/or week and/or month, and on the amount of time used per day and/or week and/or month;
      • filters that keep users away from unwanted resources (adult or gaming sites);
      • a developed system of traffic and access-speed limits for each user; when traffic is exceeded, Internet access is closed automatically;
      • lists of prohibited or allowed domain names, IP addresses and URL fragments, access to which is forbidden or permitted by the administrator;
      • the ability to set ranges of allowed and prohibited IP addresses;
      • an hourly schedule of the user's work on the Internet;
      • filters that allow highly effective banner blocking to be configured.
    • Collection and viewing of user-activity statistics by various parameters (days, sites) over an arbitrary time interval. Viewing a user's Internet statistics for the current month over HTTP is possible only for users on the local network.
    • Built-in billing system automatically calculates the cost of a user’s work on the Internet based on price, time and/or traffic volume. You can set tariffs for each user individually or for a group of users. It is possible to switch tariffs depending on the time of day, day of the week, or site address.

    Office information security

    • VPN support. A Virtual Private Network combines individual machines or local networks into one network whose security is ensured by data encryption and user authentication.
    • The built-in firewall prevents unauthorized access to server data and to the local network by prohibiting connections on certain ports and protocols. The firewall also controls access to the ports that must be reachable, for example to publish the company's web server on the Internet.
    • Kaspersky Anti-Virus and Panda, integrated into the UserGate proxy server, act as filters that intercept data transmitted over the HTTP and FTP protocols. Support for the POP3 and SMTP mail protocols is implemented at the application level, which allows the built-in antivirus to scan mail traffic as well. If a message contains an attached file with a virus, the UserGate proxy server deletes the attachment and notifies the user by changing the text of the message. All infected or suspicious files from messages are placed in a special folder in the UserGate directory.
      The UserGate administrator can choose to use one anti-virus module or both at once. In the latter case, the order in which each type of traffic is scanned can be specified; for example, HTTP traffic is first scanned by the Kaspersky Lab antivirus and then by the Panda Software module.
    • Mail protocol support
      The POP3 and SMTP proxies in UserGate can work with or without the NAT driver. Without the driver, the account in the mail client on the user's side has to be configured in a special way (pointing at the proxy). With the driver (the proxy working in transparent mode), mail on the user's side is set up exactly as with direct Internet access. In the future, application-level support for POP3 and SMTP will be used to build an anti-spam module.

    Administration using the UserGate proxy server

    • Network rules
      The UserGate proxy server implements support for NAT (Network Address Translation) and port mapping. NAT is used to create transparent proxies and supports protocols other than HTTP or FTP.
      A transparent proxy lets users work without special settings, and frees administrators from having to configure user browsers by hand.
    • The additional module UserGate Cache Explorer is designed for viewing the contents of the cache. Using it is simple: you only need to point it at the ug_cache.lst file in the cache folder. After reading this file, UserGate Cache Explorer shows the list of cached resources. The Cache Explorer control panel has several buttons for filtering the cache contents by size, extension, etc. The filtered data can be saved to a folder on the hard drive for closer study.
    • The port mapping function lets you bind any chosen port on one of the local IP interfaces to the required port of a remote host. Port mapping is used to run bank-client applications, games and other programs that need packets forwarded to a specific IP address. If access from the Internet to a specific network resource is required, this too can be arranged with port mapping.
    • Traffic management: control and account for your network traffic
      The "Traffic Management" function is designed for creating rules that control local network users' access to the Internet, and for creating and changing the tariffs used by UserGate.
      Attention: the NAT driver built into the UserGate proxy server provides the most accurate accounting of Internet traffic.
      The UserGate proxy server can separate different kinds of traffic, for example domestic and foreign Internet traffic. It also monitors traffic, the IP addresses of active users, their logins and the URLs they visit in real time.
    • Remote administration lets the system administrator be mobile, since the UserGate proxy server can now be administered remotely.
    • Automatic and manual e-mailing of traffic reports to users, including through servers that require SMTP authentication.
    • Connection to an upstream (cascade) proxy, with authentication if required.
    • A flexible report generator with export to MS Excel and HTML.
    • Various ways of authenticating users: across all protocols; by IP address, by IP+MAC, by IP+MAC (subscription); by user name and password; using Windows authentication and Active Directory.
    • Import of users from Active Directory: you no longer have to create several hundred users by hand, the program does it for you.
    • The task scheduler can perform one of the predefined actions at a set time: send statistics, launch a program, establish or terminate a dial-up connection, update the anti-virus databases.
    • UserGate supports the following protocols:
      • HTTP (caches);
      • FTP (caches);
      • Socks4, Socks5;
      • POP3;
      • SMTP;
      • Any UDP/TCP protocol via NAT (Network Address Translation) and through port assignment.

    Saving money on using the Internet

    Using its built-in filters, UserGate blocks the loading of advertising from the Internet and prohibits access to unwanted resources.

    Attention: The administrator can prohibit downloading files with a given extension, for example jpeg or mp3.

    The program can also remember (cache) all visited pages and images, freeing the channel for downloading useful information. All of this greatly reduces not only traffic but also time spent online.

    Proxy server UserGate: accounting of your network traffic!