Difference: WebProxy (1 vs. 6)

Revision 62017-11-03 - WilliamSeligman

Line: 1 to 1
 
META TOPICPARENT name="Computing"

Secure connections at Nevis

Line: 174 to 174
 

One-time configuration

Changed:
<
<		Open System Preferences > Network and click on the + symbol. Add a VPN Interface of type "Cisco IPsec", give it a good new name (I used VPN (Nevis), and click on "Create".
>
>		Open System Preferences > Network and click on the + symbol. Add a VPN Interface of type "Cisco IPsec", give it a good new name (I used VPN (Nevis)), and click on "Create".
  Server address: 129.236.255.60
Click on "Authentication Settings"

Revision 52012-05-11 - WilliamSeligman

Line: 1 to 1
 
META TOPICPARENT name="Computing"

Secure connections at Nevis

Line: 147 to 147
  This is the same account/procedure as with the firewall's proxy above: You can stop by the office of WilliamSeligman (room 116) at Nevis; it takes about three minutes to create a VPN account on the firewall. An alternative is to e-mail me and arrange for an account. Don't tell me your Nevis password! Instead, I'll probably assign you a random password using the apg command.
Changed:
<
<

Install the Cisco VPN client

>
>

Configure a VPN client.

If you don't have a Macintosh running Snow Leopard or later, you'll have to get and configure the VPN client program from CIsco.

Install the Cisco VPN client

  Download the version of the client for your operating system. You'll have to go through the procedure of registering as a Guest user on the Cisco web site. Follow Cisco's instructions to install the software.
Changed:
<
<

Using the VPN client

>
>

Using the VPN client

  On the Cisco VPN client, you need to create a new connection:
Line: 166 to 170
  Then click on "Connect". Enter your VPN account name and password.
Added:
>
>

Mac VPN client

One-time configuration

Open System Preferences > Network and click on the + symbol. Add a VPN Interface of type "Cisco IPsec", give it a good new name (I used VPN (Nevis), and click on "Create".

Server address: 129.236.255.60
Click on "Authentication Settings"
Shared secret: higgsino
Group Name: Nevis
Click "OK"
Account name = the VPN account name created on the firewall
Leave the password blank; the server will prompt for it each time even if you fill this in.
Click on "Connect"

Using the built-in Mac VPN client

It is a good idea to click on "Show VPN status in menu bar". You get a one-click solution to open a VPN connection. Otherwise, you'll have to go to the Network Preferences Pane and click on the "Connect" button each time.

 That's it. You should now be able to directly connect to any system on the local network; e.g., winnie.nevis.columbia.edu.

Revision 42011-08-05 - WilliamSeligman

Line: 1 to 1
 
META TOPICPARENT name="Computing"

Secure connections at Nevis

Line: 36 to 36
 
ssh -fxNL 8888:proxy.nevis.columbia.edu:3128 <user>@proxy.nevis.columbia.edu
Changed:
<
<		where <user> is the name of your account on the Nevis Linux cluster. You will be prompted to enter your Nevis password (unless you've set up an ssh private key).
>
>		where <user> is the name of your account on the Nevis Linux cluster. You will be prompted to enter your Nevis password (unless you've set up an ssh private key).
 
Windows
Line: 135 to 135
 

VPN network connection

Added:
>
>

Why use VPN?

 By using VPN, you can establish a direct connection to the local network at Nevis from the outside.

Normally, to access a machine on the local network, you use ssh to login to one of the workgroup servers, then ssh again to the local machine. But there are times when this become inconvenient or complicated; e.g., accessing a Windows machine at Nevis. A VPN connection can be a simpler solution.

Line: 162 to 164
 Password: higgsino
Confirm Password: higgsino
Added:
>
>		Then click on "Connect". Enter your VPN account name and password.
 That's it. You should now be able to directly connect to any system on the local network; e.g., winnie.nevis.columbia.edu.

Revision 32011-08-02 - WilliamSeligman

Line: 1 to 1
 
META TOPICPARENT name="Computing"
Changed:
<
<

Nevis web proxy

>
>

Secure connections at Nevis

 
Changed:
<
<		The information on this page is of use to you only if:
  • You have a computer running on an insecure network; e.g., a laptop on a wireless network at an airport; and
  • You have an account on the Nevis Linux cluster.
>
>		While you work inside Nevis, your computers are protected by our firewall. When you use a system outside of Nevis, you can still take advantage of our network security by making a secure connection. There are two types available:
  • A web proxy
  • VPN (Virtual Private Network)
 
Changed:
<
<		Warning: This procedure described on this page is not difficult, but it is certainly not trivial. Eventually, the web-browser developers will make this procedure automatic. Until then, if you want a secure web connection, you have to configure it manually.
>
>

Web proxies

 
Changed:
<
<

What it's for

>
>

Why use a web proxy?

  It has now become trivially easy to "hijack" an insecure network connection on a public network. Here is an example.

In particular, laptops that connect using public wireless networks are especially vulnerable to having their web sessions "hijacked." As the article states, one way to solve this problem is through a web proxy, that is, an intermediate server that re-directs all the network traffic from your web browser. Since a good fraction of the scientists associated with Nevis have laptops that they use on public networks such as those at airports, it makes sense to have a web proxy server at Nevis.

Changed:
<
<

How to use it

>
>

The Nevis proxy server

 
Changed:
<
<		To make a secure connection to a web proxy requires two steps:
>
>		The advantage of this method is that it can be used by anyone with an account at Nevis. The disadvantage is that it's harder to set up.
 
Changed:
<
<

Forward a secure port from your laptop to the web proxy

>
>		To make a secure connection to a proxy server requires two steps:

Forward a secure port from your laptop to the web proxy

  The simplest way to accomplish this step is to use SSH.

Important: The following commands create an SSH session that runs as a background process. It can be cut off by anything that would cut off a regular SSH session; e.g., closing the lid of your laptop to put it in hibernation, then going to another airport. You must enter the following command every time you want to set up port forwarding. (Yes, this is the biggest pain of this entire process. This may be a good time to learn about command aliases.)

Changed:
<
<

Mac or Linux

>
>
Mac or Linux
  If your laptop runs Mac OS X or Linux, ssh will already be installed. Open a terminal window and type the following command:
Line: 36 to 38
  where <user> is the name of your account on the Nevis Linux cluster. You will be prompted to enter your Nevis password (unless you've set up an ssh private key).
Changed:
<
<

Windows

>
>
Windows
  Install PuTTY if you have not already done so. Assuming you've installed the program in its default location C:\Program Files\PuTTY:
  • Select "Run..." from the Start menu.
Line: 49 to 51
  Alternatively, a user can store an ssh connection to proxy.nevis.columbia.edu in PuTTY. Select "Close Window on Exit->Never" under the Session and check "Don't start a shell or command at all" under Connection->SSH. Then under "Connection->SSH->Tunnels" enter "8888" as source port and "proxy.nevis.columbia.edu:3128" as destination port, click Add, and then go back to "Session" and save this information. Opening this stored connection should then be equivalent to the command given above.
Changed:
<
<

Set up the proxy in your web browser

>
>

Set up the proxy in your web browser

  This is a one-time procedure. You may want to turn off the proxy setting off (for example, if you've lost the SSH connection or you're on a secure network) but you normally don't have to type it into your browser preferences again.
Changed:
<
<

Firefox (or any Mozilla-style browser)

>
>
Firefox (or any Mozilla-style browser)
 
  • Go into the browser preferences:
    • On Linux, this is "Preferences..." from the Edit menu.
Line: 70 to 72
  The next time you load a web page, your browser will prompt you for your Nevis account name and password.
Changed:
<
<

Safari on Mac OS X

>
>
Safari on Mac OS X
 
  • Start up "System Preferences" under the Apple menu.
  • Select the "Network" preference panel.
Line: 86 to 88
  The next time you load a web page, the Keychain program will ask for permission to access your account information; click on "Always allow".
Changed:
<
<

Internet Explorer on Windows

>
>
Internet Explorer on Windows
 
  • Select "Internet Options" under Tools.
  • Click on the "Connections" tab.
Line: 99 to 101
  The next time you load a web page, your browser will prompt you for your Nevis account name and password.
Changed:
<
<

Skip SSH?

>
>

Skip SSH?

  If you're technically inclined, you might have realized that it's not "mechanically" necessary to do port-forwarding via SSH. It far simpler just to put in proxy.nevis.columbia.edu for the proxy server, and 3128 for the proxy port.

This will work. It's also foolish. If you do this, you will still be prompted for your Nevis account name and password when you access web pages, and that information will be sent over the network in clear text. It's also possible that this will still enable a sniffer to capture your web session cookies, which is the point of this exercise.

So don't skip the SSH port forwarding.

Added:
>
>

The firewall's proxy server

The advantage of this method is that it's much easier to set up than the elaborate method above.

The disadvantages are:

  • You need to have a separate VPN account created on our firewall.
  • The firewall's web connection has a problem with web pages that use sophisticated scripting techniques. In particular, the Google home page slows to a crawl as it tries to predict what you're going to type.

To make a secure web connection using our firewall:

Create a VPN account

You can stop by the office of WilliamSeligman (room 116) at Nevis; it takes about three minutes to create a VPN account on the firewall.

An alternative is to e-mail me and arrange for an account. Don't tell me your Nevis password! Instead, I'll probably assign you a random password using the apg command.

Connect to the firewall via your web browser.

The URL is https://129.236.255.60

If you see a message about certificates, indicate that you accept it.

At the screen, you'll be prompted for the username and password you created during the previous step. Type the URL of the web page you want to visit in the Cisco screen. Note the icons which will be, by default, on the top right-hand corner of every page; tooltips will appear when you hover the mouse over them.

VPN network connection

By using VPN, you can establish a direct connection to the local network at Nevis from the outside.

Normally, to access a machine on the local network, you use ssh to login to one of the workgroup servers, then ssh again to the local machine. But there are times when this become inconvenient or complicated; e.g., accessing a Windows machine at Nevis. A VPN connection can be a simpler solution.

Here are the steps; the first two only have to be done once.

Create a VPN account

This is the same account/procedure as with the firewall's proxy above: You can stop by the office of WilliamSeligman (room 116) at Nevis; it takes about three minutes to create a VPN account on the firewall. An alternative is to e-mail me and arrange for an account. Don't tell me your Nevis password! Instead, I'll probably assign you a random password using the apg command.

Install the Cisco VPN client

Download the version of the client for your operating system. You'll have to go through the procedure of registering as a Guest user on the Cisco web site. Follow Cisco's instructions to install the software.

Using the VPN client

On the Cisco VPN client, you need to create a new connection:

Connection Entry - can be anything; e.g., "Nevis"
Description - again, can be anything or left blank
Host - 129.236.255.60

Group Authentication
Name: Nevis
Password: higgsino
Confirm Password: higgsino

That's it. You should now be able to directly connect to any system on the local network; e.g., winnie.nevis.columbia.edu.

Revision 22010-11-29 - WilliamSeligman

Line: 1 to 1
 
META TOPICPARENT name="Computing"

Nevis web proxy

Line: 47 to 47
  where <user> is the name of your account on the Nevis Linux cluster. A new window will open, and you will be prompted to enter your Nevis password. If everything works, you won't see anything more happen in the new window.
Added:
>
>		Alternatively, a user can store an ssh connection to proxy.nevis.columbia.edu in PuTTY. Select "Close Window on Exit->Never" under the Session and check "Don't start a shell or command at all" under Connection->SSH. Then under "Connection->SSH->Tunnels" enter "8888" as source port and "proxy.nevis.columbia.edu:3128" as destination port, click Add, and then go back to "Session" and save this information. Opening this stored connection should then be equivalent to the command given above.
 

Set up the proxy in your web browser

This is a one-time procedure. You may want to turn off the proxy setting off (for example, if you've lost the SSH connection or you're on a secure network) but you normally don't have to type it into your browser preferences again.

Revision 12010-11-04 - WilliamSeligman

Line: 1 to 1
Added:
>
>
META TOPICPARENT name="Computing"

Nevis web proxy

The information on this page is of use to you only if:

  • You have a computer running on an insecure network; e.g., a laptop on a wireless network at an airport; and
  • You have an account on the Nevis Linux cluster.

Warning: This procedure described on this page is not difficult, but it is certainly not trivial. Eventually, the web-browser developers will make this procedure automatic. Until then, if you want a secure web connection, you have to configure it manually.

What it's for

It has now become trivially easy to "hijack" an insecure network connection on a public network. Here is an example.

In particular, laptops that connect using public wireless networks are especially vulnerable to having their web sessions "hijacked." As the article states, one way to solve this problem is through a web proxy, that is, an intermediate server that re-directs all the network traffic from your web browser. Since a good fraction of the scientists associated with Nevis have laptops that they use on public networks such as those at airports, it makes sense to have a web proxy server at Nevis.

How to use it

To make a secure connection to a web proxy requires two steps:

Forward a secure port from your laptop to the web proxy

The simplest way to accomplish this step is to use SSH.

Important: The following commands create an SSH session that runs as a background process. It can be cut off by anything that would cut off a regular SSH session; e.g., closing the lid of your laptop to put it in hibernation, then going to another airport. You must enter the following command every time you want to set up port forwarding. (Yes, this is the biggest pain of this entire process. This may be a good time to learn about command aliases.)

Mac or Linux

If your laptop runs Mac OS X or Linux, ssh will already be installed. Open a terminal window and type the following command: 

ssh -fxNL 8888:proxy.nevis.columbia.edu:3128 <user>@proxy.nevis.columbia.edu
where <user> is the name of your account on the Nevis Linux cluster. You will be prompted to enter your Nevis password (unless you've set up an ssh private key).

Windows

Install PuTTY if you have not already done so. Assuming you've installed the program in its default location C:\Program Files\PuTTY:

  • Select "Run..." from the Start menu.
  • Type "cmd" in the dialog box.
  • At the terminal prompt, type: 
"c:\Program Files\PuTTY\putty.exe" -ssh -x -N -L 8888:proxy.nevis.columbia.edu:3128 <user>@proxy.nevis.columbia.edu
where <user> is the name of your account on the Nevis Linux cluster. A new window will open, and you will be prompted to enter your Nevis password. If everything works, you won't see anything more happen in the new window.

Set up the proxy in your web browser

This is a one-time procedure. You may want to turn off the proxy setting off (for example, if you've lost the SSH connection or you're on a secure network) but you normally don't have to type it into your browser preferences again.

Firefox (or any Mozilla-style browser)

  • Go into the browser preferences:
    • On Linux, this is "Preferences..." from the Edit menu.
    • On Mac OS X, this "Preferences..." from the Firefox menu.
    • On Windows, this is "Options..." from the Tools menu.
  • Click on the "Advanced" button.
  • Click on the "Network" tab.
  • Next to "Configure how Firefox connects to the Internet" click "Settings"
  • Click on the radio button next to "Manual Proxy configuration".
  • In the box next to "HTTP Proxy:", type localhost
  • In the next box to the right, next to "Port:", type 8888
  • Click on the box next to "Use this proxy server for all protocols"
  • Click "OK" at the bottom of the pane to accept these settings.

The next time you load a web page, your browser will prompt you for your Nevis account name and password.

Safari on Mac OS X

  • Start up "System Preferences" under the Apple menu.
  • Select the "Network" preference panel.
  • Click on the "Advanced..." button near the bottom of the panel.
  • Click on the "Proxies" tab.
  • Click on the line "Web Proxy (HTTP)" to turn it on.
  • Under "Web Proxy Server" type localhost; enter 8888 in the box after the colon.
  • Click on the box next to "Web proxy server requires password"
  • Enter your Nevis account name and password in the appropriate fields.
  • Go back to the left-hand part of the pane and click on "Secure Web Proxy (HTTPS)" and fill out that pane in the same way.
  • Click "OK" at the bottom of the pane.
  • Click "Apply" at the bottom of the panel.

The next time you load a web page, the Keychain program will ask for permission to access your account information; click on "Always allow".

Internet Explorer on Windows

  • Select "Internet Options" under Tools.
  • Click on the "Connections" tab.
  • Click on the "LAN settings" button near the bottom of the panel.
  • Click on the button next to "Use a proxy server for your LAN"
  • In the "Address" field, enter localhost
  • In the "Port" field, enter 8888
  • Click on the "OK" button near the bottom of the panel.
  • Click on "OK" again.

The next time you load a web page, your browser will prompt you for your Nevis account name and password.

Skip SSH?

If you're technically inclined, you might have realized that it's not "mechanically" necessary to do port-forwarding via SSH. It far simpler just to put in proxy.nevis.columbia.edu for the proxy server, and 3128 for the proxy port.

This will work. It's also foolish. If you do this, you will still be prompted for your Nevis account name and password when you access web pages, and that information will be sent over the network in clear text. It's also possible that this will still enable a sniffer to capture your web session cookies, which is the point of this exercise.

So don't skip the SSH port forwarding.

View topic | History: r6 < r5 < r4 < r3 | More topic actions...
 
This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 2008-2020 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback