
squid-cache.org
Squid Proxy

RSA Secured Implementation Guide for RSA DLP Network


Last Modified: August 30, 2011

Partner Information
Partner Name: Squid Proxy
Web Site: www.squid-cache.org

Product Information
Product Name: Squid Proxy
Version & Platform: 3.1
Product Description: Squid is a caching proxy for the Web supporting HTTP, HTTPS, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator. It runs on most available operating systems and is licensed under the GNU GPL.


Solution Summary
Squid is a fully-featured HTTP/1.0 compliant proxy working towards HTTP/1.1. Squid offers an access control, authorization and logging environment for developing web proxy and content serving applications. Squid 3.1 sends all HTTP and HTTPS traffic to the DLP ICAP Server for inspection.

Partner Integration Overview

Protocols Supported: HTTP POST/GET/PUT, HTTPS POST/GET/PUT
Webmails Supported: Gmail, Yahoo! Mail, MSN Mail (Hotmail)
Remediation Actions Available: Allow, Audit, Block, Encrypt


Partner Product Configuration


Introduction
Squid acts as an agent, accepting requests from clients (such as browsers) and passing them to the appropriate Internet server. Using the ICAP protocol, Squid can forward this traffic to the RSA DLP server to be inspected and analyzed. Based on the corporate policies defined within DLP, the request can be audited, denied or allowed. The real benefit of Squid emerges when the same data is requested multiple times, since a copy of the on-disk data is returned to the client, speeding up Internet access and saving bandwidth. Small amounts of disk space can have a significant impact on bandwidth usage and browsing speed.
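The request-mode ICAP exchange described above, as an added example that is not part of the guide or of Squid's code: it builds the REQMOD message the proxy sends for one client request and interprets the DLP server's verdict. The service URI and the X-Client-IP header follow the guide's squid.conf lines; the HTTP request and the two ICAP replies are constructed here in plain RFC 3507 form, so they stand for any ICAP server rather than RSA's exact output.

```python
# Added example (not the guide's or Squid's code): a minimal model of the ICAP REQMOD exchange
# between Squid and a DLP server per RFC 3507. The service URI is the guide's; the HTTP request
# and the DLP replies below are constructed, so they stand for any ICAP server, not RSA's output.
ICAP_URI = "icap://192.168.1.1:1344/srv_conalarm"

def build_reqmod(http_request: bytes, client_ip: str) -> bytes:
    """Build the REQMOD message Squid sends for one client request. X-Client-IP is what
    'icap_send_client_ip on' adds so the DLP event names the workstation; the body is chunked."""
    hdr_end = http_request.index(b"\r\n\r\n") + 4
    req_hdr, req_body = http_request[:hdr_end], http_request[hdr_end:]
    if req_body:  # Encapsulated records the byte offset where each HTTP part begins
        enc = f"req-hdr=0, req-body={len(req_hdr)}"
        payload = req_hdr + f"{len(req_body):x}\r\n".encode() + req_body + b"\r\n0\r\n\r\n"
    else:
        enc = f"req-hdr=0, null-body={len(req_hdr)}"
        payload = req_hdr
    head = (f"REQMOD {ICAP_URI} ICAP/1.0\r\nHost: 192.168.1.1:1344\r\nX-Client-IP: {client_ip}\r\n"
            f"Allow: 204\r\nEncapsulated: {enc}\r\n\r\n")
    return head.encode() + payload

def verdict(icap_reply: bytes) -> dict:
    """Interpret the DLP server's reply the way the proxy does: 204 = nothing to change, forward
    the request (an Allow or Audit policy; Audit differs only in logging on the DLP side); 200 with
    res-hdr = give the user the encapsulated HTTP response instead (Block); 200 with req-hdr = forward
    the modified request."""
    head, _, rest = icap_reply.partition(b"\r\n\r\n")
    status = int(head.split(b" ", 2)[1])
    if status == 204:
        return {"action": "forward", "icap_status": 204}
    if status == 200:
        enc = next((ln for ln in head.split(b"\r\n") if ln.lower().startswith(b"encapsulated:")), b"")
        if b"res-hdr" in enc:
            return {"action": "reply_to_client", "icap_status": 200,
                    "http_status": int(rest.split(b" ", 2)[1])}
        return {"action": "forward_modified", "icap_status": 200}
    return {"action": "error", "icap_status": status}

# Constructed sample: a webmail POST carrying a test card number, as in the guide's Gmail scenario.
SAMPLE_POST = (b"POST /mail/send HTTP/1.1\r\nHost: mail.example.com\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 21\r\n\r\n"
               b"body=4111111111111111")
ALLOW_REPLY = b"ICAP/1.0 204 No Content\r\nISTag: \"dlp-policy-1\"\r\n\r\n"
BLOCK_REPLY = (b"ICAP/1.0 200 OK\r\nISTag: \"dlp-policy-1\"\r\nEncapsulated: res-hdr=0, res-body=51\r\n\r\n"
               b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"
               b"16\r\n<p>Blocked by DLP.</p>\r\n0\r\n\r\n")

if __name__ == "__main__":
    print(build_reqmod(SAMPLE_POST, "10.0.0.25").decode())
    print(verdict(ALLOW_REPLY), verdict(BLOCK_REPLY))
```

The same parsing applies to a respmod exchange, where the encapsulated parts are the origin server's response rather than the client's request.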

Before You Begin


This section provides instructions for integrating the partner's product with the RSA Data Loss Prevention (DLP) Suite. This document is not intended to suggest optimum installations or configurations. It is assumed that the reader has both a working knowledge of all products involved and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components. All vendor products/components must be installed and working prior to the integration. Perform the necessary tests to confirm that this is true before proceeding.

Installing and Configuring the Squid Proxy


Download and compile Squid according to the instructions on the squid-cache.org website. Squid needs to be compiled with the --enable-ssl and --enable-icap-client switches to enable SSL and ICAP protocol support. A sample configuration script can be found below.

Note: The precompiled binary package of Squid does NOT contain SSL support.


Note: Your Squid switches may differ depending on the hardware, environment and options you choose.

Sample Squid Configure Script

Once Squid is compiled and installed successfully, you'll need to test the server. To do so, set the proxy server setting in your web browser to point to the Squid server and make sure you can browse through the proxy. Do not continue until you have verified that this step is working.


Generating the SSL keys


To enable SSL support within Squid, use the openssl toolkit, which comes on the Ubuntu OS by default, to generate the RSA Private Key and Certificate Signing Request (CSR).

1. Type in the following commands:

    # openssl genrsa -des3 -out server.key 1024
    # openssl req -new -key server.key -out server.csr
    Country Name (2 letter code) [AU]: Country
    State or Province Name (full name) [Some-State]: State
    Locality Name (eg, city) []: Locality
    Organization Name (eg, company) [Internet Widgits Pty Ltd]: Company
    Organizational Unit Name (eg, section) []: Section
    Common Name (eg, YOUR name) []: Name
    Email Address []: email@company.com
    A challenge password []:
    An optional company name []:
    # cp server.key server.key.org
    # openssl rsa -in server.key.org -out server.key
    # openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

2. Copy the server.key and server.crt files into the /etc/squid3 directory.

Configuring Squid
The configuration file for Squid (squid.conf) is located in the /etc/squid3 directory. Open this file with the text editor of your choice and complete the steps below.

1. First, turn on ICAP support by adding the following lines to the bottom of the squid.conf file, each on its own line:

    icap_enable on
    icap_service service_1 reqmod_precache 0 icap://192.168.1.1:1344/srv_conalarm
    icap_send_client_ip on

Note: The IP address 192.168.1.1 represents the IP address of your RSA DLP ICAP Server.

2. Next, allow HTTP transactions to be sent to the ICAP server by adding the following line:

    adaptation_access service_1 allow all

3. To enable SSL support, locate the line in squid.conf that reads:

    http_port 3128

Modify the line to read:

    http_port 3128 ssl-bump cert=/etc/squid3/server.crt key=/etc/squid3/server.key

4. To make sure Squid always forwards the request without using any peers, which is needed for SSL support, add:

    always_direct allow all

5. Finally, allow SSL requests by adding the following line to the end of the file:

    ssl_bump allow all


Configuring Squid for Response Mode (respmod)

Squid Proxy also supports response mode, which can be used alone or together with request mode (configured above), by adding the following lines to the configuration file:

    icap_service service_2 respmod_precache 0 icap://192.168.1.1:1344/srv_conalarm
    adaptation_access service_2 allow all

The vectoring point for a response-mode service is respmod_precache (server responses are handed to DLP before Squid caches them), as opposed to the reqmod_precache vectoring point of the request-mode service defined above.

Note: For more information regarding the parameters in the squid.conf file, refer to the Squid Users Guide and the Squid Configuration Directives page.
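A check for the request-mode steps above and the response-mode lines here, as an added example that is not part of the guide or of Squid: it lints the directives the guide adds to squid.conf (ICAP enabled, each service matched by an adaptation_access rule, a valid vectoring point, ssl-bump with its certificate and key, and the ssl_bump and always_direct rules), so a typo does not leave traffic uninspected. The two sample configurations are constructed from the guide's own lines; the checks are this example's, not Squid's own parser.

```python
# Added example (not the guide's or Squid's code): lint the squid.conf lines this guide adds so a
# mistake is caught before traffic silently goes uninspected. Sample configs are constructed below.
VECTORING_POINTS = {"reqmod_precache", "reqmod_postcache", "respmod_precache", "respmod_postcache"}

def lint(conf: str) -> list[str]:
    """Return the problems found; an empty list means the DLP integration is wired up."""
    d = [ln.split() for ln in conf.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]
    problems = []
    if ["icap_enable", "on"] not in d:
        problems.append("icap_enable is not 'on': nothing is sent to the DLP server")
    if ["icap_send_client_ip", "on"] not in d:
        problems.append("icap_send_client_ip is off: DLP events will not carry the client IP")
    services = {}  # name -> vectoring point; form: icap_service <name> <vpoint> <bypass|options> <url>
    for t in d:
        if t[0] == "icap_service" and len(t) >= 4:
            services[t[1]] = t[2]
            if t[2] not in VECTORING_POINTS:
                problems.append(f"icap_service {t[1]}: unknown vectoring point '{t[2]}'")
            if not t[-1].startswith("icap://"):
                problems.append(f"icap_service {t[1]}: service URL must start with icap://")
    allowed = {t[1] for t in d if t[0] == "adaptation_access" and len(t) >= 4 and t[2] == "allow"}
    for name in sorted(services.keys() - allowed):
        problems.append(f"icap_service {name} has no 'adaptation_access {name} allow' rule")
    for name in sorted(allowed - services.keys()):
        problems.append(f"adaptation_access refers to undefined service {name}")
    if "reqmod_precache" not in services.values():
        problems.append("no reqmod_precache service: outbound request data is not inspected")
    bumped = [t for t in d if t[0] == "http_port" and "ssl-bump" in t]
    if not bumped:
        problems.append("no http_port with ssl-bump: HTTPS is not decrypted for inspection")
    for t in bumped:  # ssl-bump needs the certificate and key generated earlier in the guide
        problems += [f"http_port ssl-bump is missing {o}" for o in ("cert=", "key=") if not any(x.startswith(o) for x in t)]
    for line in ("ssl_bump allow all", "always_direct allow all"):
        if bumped and line.split() not in d:
            problems.append(f"'{line}' is missing (the guide requires it alongside ssl-bump)")
    return problems
# Constructed sample: the guide's request-mode and response-mode lines together.
GOOD_CONF = """http_port 3128 ssl-bump cert=/etc/squid3/server.crt key=/etc/squid3/server.key
icap_enable on
icap_service service_1 reqmod_precache 0 icap://192.168.1.1:1344/srv_conalarm
icap_send_client_ip on
adaptation_access service_1 allow all
always_direct allow all
ssl_bump allow all
icap_service service_2 respmod_precache 0 icap://192.168.1.1:1344/srv_conalarm
adaptation_access service_2 allow all"""
# Constructed sample: stock http_port, a typo in the vectoring point, a dangling access rule.
BAD_CONF = """http_port 3128
icap_enable on
icap_service service_1 reqmod_precahce 0 icap://192.168.1.1:1344/srv_conalarm
adaptation_access service_01 allow all"""
```

Running lint(GOOD_CONF) returns an empty list, while lint(BAD_CONF) reports six problems, including the misspelled vectoring point and the access rule that names a service which does not exist.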


Configuring RSA Data Loss Prevention Suite


Note: Before you can start utilizing Squid Proxy, an RSA DLP Network ICAP Server must be deployed and properly configured. For instructions, see the RSA DLP Network Deployment Guide.

Once you have deployed the RSA DLP ICAP server, there are a number of steps required to configure the ICAP Server for proper inspection of HTTP/HTTPS content:
1. Enabling Detection of Content in URLs
2. Configuring Content Blades to Detect Content in URLs and HTTP Forms
3. Configuring HTTPS Encrypt Policy Actions

Enabling Detection of Content in URLs


The steps to enable content detection in URLs are as follows:
1. From the RSA DLP Enterprise Manager, select the Admin tab, then Preferences.
2. Under Network Preferences, select the Detect Content in URLs checkbox.
3. Click Save to preserve your changes.


Configuring Content Blades to Detect Content in URLs and HTTP Forms


The second step for ICAP configuration is to ensure that, for any given policy, the associated content blades are configured to detect content in URLs and HTTP forms. To do this, perform the following steps in the DLP Enterprise Manager:
1. Select the Policies tab, then Content Blades, then Content Blade Manager.
2. Ensure that (as in the US Social Security Number example provided below) the option to detect content in URLs or HTML forms is Enabled for the given content blade.
3. Save your changes and verify that this option is enabled for any other relevant content blades.

Configuring HTTPS Encrypt Policy Actions


You may also configure the default behavior of the ICAP Server when the Encrypt & Audit policy is used in conjunction with HTTPS traffic. To change this, perform the following steps:
1. Select the ICAP Server device on the Admin tab.


2. Select your ICAP Server in the left-hand pane. Click Edit and select the appropriate HTTPS policy action. Consult the Enterprise Manager online help for more information on the behavior of each option presented.
3. Click Save to preserve your changes.

End User Experience


Depending on the way you have configured your policies, a user may or may not be notified when a violation occurs. The following screenshots demonstrate what a user would see when attempting to send an email with sensitive content via Gmail.
Note: The screenshots provided below are for example purposes only. Individual Webmail clients may behave slightly differently in the way they process blocked messages or attachments.
1. The user browses to Gmail and composes a new message.


2. The user enters credit card data in the body of the email, which violates corporate policy.
3. Upon clicking the Send button, the Block policy is invoked and the user sees the following message in the web browser.


Certification Checklist for RSA Data Loss Prevention Suite

Date Tested: August 30, 2011

Certification Environment
Product Name | Version Information | Operating System
RSA DLP Enterprise Manager | 8.8.0.10143 | Windows Server 2003
RSA DLP Network ICAP Server | 8.8.0.10143 | CentOS
Squid Proxy | 3.1.9 | Ubuntu 10.10

(The Result column of the tables below held pass/fail marks that are not reproduced in this text.)

Protocol: HTTP (GET)
Policy | Content | Result
Allow | URL encoded with sensitive content |
Audit | URL encoded with sensitive content |
Block | URL encoded with sensitive content |

Protocol: HTTP (POST)
Policy | Content | Result
Allow | Binary file with sensitive content |
Allow | Plaintext file with sensitive content |
Allow | Plaintext form with sensitive content |
Allow | URL encoded with sensitive content |
Allow | Multipart POST with sensitive content |
Audit | Binary file with sensitive content |
Audit | Plaintext file with sensitive content |
Audit | Plaintext form with sensitive content |
Audit | URL encoded with sensitive content |
Audit | Multipart POST with sensitive content |
Block | Binary file with sensitive content |
Block | Plaintext file with sensitive content |
Block | Plaintext form with sensitive content |
Block | URL encoded with sensitive content |
Block | Multipart POST with sensitive content |

Protocol: HTTP (PUT)
Policy | Content | Result
Allow | Plaintext form with sensitive content |
Audit | Plaintext form with sensitive content |
Block | Plaintext form with sensitive content |


Protocol: HTTPS (GET)
Policy | Content | Result
Allow | URL encoded with sensitive content |
Audit | URL encoded with sensitive content |
Block | URL encoded with sensitive content |

Protocol: HTTPS (POST)
Policy | Content | Result
Allow | Binary file with sensitive content |
Allow | Plaintext file with sensitive content |
Allow | Plaintext form with sensitive content |
Allow | URL encoded with sensitive content |
Allow | Multipart POST with sensitive content |
Audit | Binary file with sensitive content |
Audit | Plaintext file with sensitive content |
Audit | Plaintext form with sensitive content |
Audit | URL encoded with sensitive content |
Audit | Multipart POST with sensitive content |
Block | Binary file with sensitive content |
Block | Plaintext file with sensitive content |
Block | Plaintext form with sensitive content |
Block | URL encoded with sensitive content |
Block | Multipart POST with sensitive content |
Encrypt | ICAP Settings -- HTTPS encrypt policy action Allow |
Encrypt | ICAP Settings -- HTTPS encrypt policy action Audit |
Encrypt | ICAP Settings -- HTTPS encrypt policy action Block |

Protocol: HTTPS (PUT)
Policy | Content | Result
Allow | Plaintext form with sensitive content |
Audit | Plaintext form with sensitive content |
Block | Plaintext form with sensitive content |


Web Mail: Yahoo! Mail
Policy | Content | Result
Allow | Submit sensitive content as email attachment |
Allow | Submit sensitive content in email body |
Allow | Submit sensitive content in email subject line |
Audit | Submit sensitive content as email attachment |
Audit | Submit sensitive content in email body |
Audit | Submit sensitive content in email subject line |
Block | Submit sensitive content as email attachment |
Block | Submit sensitive content in email body |
Block | Submit sensitive content in email subject line |

Web Mail: MSN Mail
Policy | Content | Result
Allow | Submit sensitive content as email attachment |
Allow | Submit sensitive content in email body |
Allow | Submit sensitive content in email subject line |
Audit | Submit sensitive content as email attachment |
Audit | Submit sensitive content in email body |
Audit | Submit sensitive content in email subject line |
Block | Submit sensitive content as email attachment |
Block | Submit sensitive content in email body |
Block | Submit sensitive content in email subject line |


Web Mail: Gmail
Policy | Content | Result
Allow | Submit sensitive content as email attachment |
Allow | Submit sensitive content in email body |
Allow | Submit sensitive content in email subject line |
Audit | Submit sensitive content as email attachment |
Audit | Submit sensitive content in email body |
Audit | Submit sensitive content in email subject line |
Block | Submit sensitive content as email attachment |
Block | Submit sensitive content in email body |
Block | Submit sensitive content in email subject line |

Protocol: Response Mode (RespMod)
Policy | Content | Result
Allow | SharePoint, Microsoft OWA, HTTP, HTTPS |
Audit | SharePoint, Microsoft OWA, HTTP, HTTPS |
Block | SharePoint, Microsoft OWA, HTTP, HTTPS |

Legend: the Pass and Fail marks of the Result column are glyphs not reproduced in this text; N/A = Non-Available Function


Known Issues
When issuing an HTTP or HTTPS GET request with Internet Explorer 8, you receive the following error message from the Squid Proxy server:

This issue has been fixed in DLP version 8.5.1.10047 and later.


Appendix
To enable debug mode for the Squid Proxy server, add the following line to the end of the squid.conf file and restart the server:

    debug_options ALL,9

Debug messages appear in the /var/log/squid3/cache.log file.
