Seon SmartProxy

From Seon
Revision as of 15:40, 15 November 2011 by Admin (talk | contribs) (Seon SmartProxy server)
Jump to: navigation, search

What is Seon SmartProxy

Seon SmartProxy is a software product which enables you to maintain OFTP2 Proxy activities in a very secure manner. This includes:

  • Partner verification upon session initialization before OFTP2 takes place
  • OFTP2 message syntax verification
  • TLS termination in the DMZ
  • configurable outgoing IP address
  • No configuration values needed in DMZ
  • Secure backend communication via https
  • Support for both incoming and outgoing connections
  • Manageable logging activities supporting intrusion detection systems
  • Extended logging of all activities

Differences against Seon Proxy

Seon Proxy supports to forward any TCP/IP package from any source port to any destination via a combination of Seon proxyserver and proxyclient. The protocol used on top of this connection is not under control of this Seon proxy.

Seon SmartProxy terminates the encrypted session of OFTP2 TLS sessions at its end-point (proxy server), verifies any traffic and forwards it securely to the inside proxy client, where it is being transported to the Seon receive daemon. This enables the Seon SmartProxy to analyze the complete traffic used in the communication stream, so invalid packages lead to session termination.

The design of the Seon SmartProxy is that the proxy server and proxy client use as less information as needed for operation. Everything needed for operation is communicated to a secure backend via https.

Involved programs

The used components for the implementation of an Seon SmartProxy are:

  • Seon SmartProxy server
  • Seon SmartProxy client
  • Seonapi, accessed via https

Licensing

Seon Proxy is licensed via a license file at the Seon Proxy (not client) side: only one license is needed to keep the system up and running. This license is based on an Seon Proxy ID on the proxy server side, which can be easily obtained via a command line parameter:

dmz:~ # /opt/seon/proxy/seon_proxyserver2 -L
Seon Proxy ID: c6bc8d9b37c5e36333a41acdda653aaef7fd4a00459eeb32a8a41059e23017c8px

This Seon Proxy ID is needed for license generation, which can be done for test purposes on the product website at http://www.seon.de/key.

The valid license will be searched by default at

/etc/seon_proxy.lic

but an alternative location can be given with the commandline option "-l":

dmz:~ # /opt/seon/proxy/seon_proxyserver2 -l /usr/licenses/seon_proxy.lic

Logging

The logging of all activities is important for the Seon SmartProxy. It consists of the following parts:

Seon SmartProxy server and client logging

The logging behaviour of the daemons is configured in the corresponding files in the same directory the binaries reside. They are:

  • seon_proxyserver.logrc
  • seon_proxyclient.logrc

The location must be in the binary directory, so you can start the binary from any position, it will search the configuration files in any case in its own directory.

Configure the logging behaviour to your needs according to log4c standard logging mechanism. The new logger layout "seon_layout" and appender "seon_appender" are Seon's own implementations for daily logger: every process logs into the same file, the files itself are being appended by a datestamp. Rolling to another logfile is done automatically.

Seonapi logging

The Seonapi is being used for all backend communication, so you configure the logfile and path in "Configuration" -> "Logging" -> "Absolute path to logfile of Seon API" and set the loglevel accordingly. The configuration takes place directly after saving.

Seon API proxy system log event script

According to requests, the Seonapi starts an event script for every critical situation the Seon SmartProxy arises. This event script is configurable at "Configuration" -> "Events" -> "Seon API proxy system log event script"

Handling system logging

Since situations can occur very often and and a high frequency, Seon offers to ignore system logs. In the area "Configuration" -> "Proxy" -> "Log message ignore configuration" you can dynamically add and remove text message entries with a description, the matching text contained in the message (which must noch be exactly the text since the message will be searched for an occurance case-insensitively fro the given text) and a validity timeframe. The Seon send queue daemon cleans old entries of this configuration and logs this into the system log. If a message is being matched by a configuration, the Seonapi logs this in INFO mode to the configured log file.

PID files

Both the Seon OFTP2 SmartProxy server and client create PID files containing the process ID of the process itself. The position of these PID files is the directory where the binary is located. If a PID file exists on startup, the daemon will fail to start stating the references process ID. You then have to check if this process really exists:

  • If yes, send the process a SIGHUP (1) signal to terminate. The PID fill will be deleted, the logfile will contain a logging entry stating this situation in DEBUG level.
  • If not, delete the stale PID file

Dynamic logging of daemons

The daemons can receive signals and will then change their logging behaviour on-the-fly. Since every active connections corresponds to an own process, you can send individual processes their own signals for problem analysis. The signal numbers and their loglevels are:

  • 20: TRACE
  • 21: DEBUG
  • 22: INFO
  • 23: ERROR
  • 24: FATAL

Each change of loglevel will be logged in the logfile with the selected log level.

Example 1: change loglevel to INFO for running Seon OFTP2 SmartProxy client with PID 82735

kill -22 82735

Example 2: change loglevel to FATAL for running Seon OFTP2 SmartProxy server with PID 21521

kill -24 21521

Seon SmartProxy server

The Seon SmartProxy server is the part which connects to the outside world and which must be reachable via a defined port on the internet. The port on which the server listens to is configured in the Seon administrative panel, "Configuration" -> "TCP/IP" -> "TCP/IP port of OFTP server (TLS)".

Command line parameters for the server are listed by calling the binary with the parameter "-h":

dmz:/opt/seon/proxy seon$ ./seon_proxyserver2 -h
Seon Proxy daemon build 20111115

usage:
-h: this help text
-v: display version
-i [<IP of device>]:<port>: accept from (optional) device on given port for internal connections.
                            defaults: IP of device: 0.0.0.0 (any)
                            --------- port: 2878
-L: print out Seon Proxy ID (basis for license)
-l <license file>: point to readable license file (default: /etc/seon_proxy.lic)

After having started the server, it listens on an internal port for the Seon SmartProxy client to connect. This port number can be changed by parameter "-i", in addition to a confiured IP address to listen on.

Only after a successful connect of a Seon SmartProxy client, the Seon SmartProxy server is able to retrieve its configuration from the backend and start listening on the configured TCP/IP port for incoming connections.