Proxedo Network Security Suite 2 Reference Guide

BalaSys

Copyright © 2021 BalaSys IT Security.

Copyright 2021 BalaSys IT Security.. All rights reserved. This document is protected by copyright and is distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this document may be reproduced in any form by any means without prior written authorization of BalaSys.

This documentation and the product it describes are considered protected by copyright according to the applicable laws.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)

Linux™ is a registered trademark of Linus Torvalds.

Windows™ 10 is registered trademarks of Microsoft Corporation.

The BalaSys™ name and the BalaSys™ logo are registered trademarks of BalaSys IT Security.

The PNS™ name and the PNS™ logo are registered trademarks of BalaSys IT Security.

AMD Ryzen™ and AMD EPYC™ are registered trademarks of Advanced Micro Devices, Inc.

Intel® Core™ and Intel® Xeon™ are trademarks of Intel Corporation or its subsidiaries in the U.S. and/or other countries.

All other product names mentioned herein are the trademarks of their respective owners.

DISCLAIMER

BalaSys is not responsible for any third-party websites mentioned in this document. BalaSys does not endorse and is not responsible or liable for any content, advertising, products, or other material on or available from such sites or resources. BalaSys will not be responsible or liable for any damage or loss caused or alleged to be caused by or in connection with use of or reliance on any such content, goods, or services that are available on or through any such sites or resources.

October 31, 2024

Table of Contents

Preface
1. Summary of contents
2. Terminology
3. Target audience and prerequisites
4. Products covered in this guide
5. Contact and support information
5.1. Sales contact
5.2. Support contact
5.3. Training
6. About this document
6.1. Feedback
1. How PNS works
1.1. PNS startup and initialization
1.2. Handling incoming connections
1.2.1. Handling packet filtering services
1.2.2. Handling application-level services
1.3. Proxy startup and the server-side connection
2. Configuring PNS proxies
2.1. Policies for requests and responses
2.1.1. Default actions
2.1.2. Response codes
2.2. Secondary sessions
2.3. Embedded protocol analysis
2.3.1. Proxy stacking
2.3.2. Program stacking
3. The PNS SSL framework
3.1. The SSL and TLS protocols
3.1.1. The SSL handshake
3.2. Handling TLS and SSL connections in Application-level Gateway
3.2.1. Behavior of the SSL framework
3.2.2. Session reuse in SSL and TLS connections
3.2.3. Understanding Encryption policies
3.2.4. Configuring Encryption policies
3.2.5. Certificate verification options
3.2.6. Protocol-level TLS settings
3.2.7. Enabling STARTTLS
3.2.8. Configuring keybridging
3.3. Related standards
3.4. Encryption options reference
3.5. X.509 Certificates
3.5.1. X.509 Certificate Names
3.5.2. X.509 Certificate Revocation List
3.5.3. X.509 Online Certificate Status Protocol (OCSP) stapling
3.5.4. X.509 Certificate hash
3.5.5. X.509 CRL hash
4. Proxies
4.1. General information on the proxy modules
4.2. Attribute values
4.3. Examples
4.4. Module AnyPy
4.4.1. Related standards
4.4.2. Classes in the AnyPy module
4.4.3. Class AbstractAnyPyProxy
4.4.4. Class AnyPyProxy
4.5. Module Ftp
4.5.1. The FTP protocol
4.5.2. Proxy behavior
4.5.3. Related standards
4.5.4. Classes in the Ftp module
4.5.5. Class AbstractFtpProxy
4.5.6. Class FtpProxy
4.5.7. Class FtpProxyAnonRO
4.5.8. Class FtpProxyAnonRW
4.5.9. Class FtpProxyRO
4.5.10. Class FtpProxyRW
4.6. Module Http
4.6.1. The HTTP protocol
4.6.2. Proxy behavior
4.6.3. Related standards
4.6.4. Classes in the Http module
4.6.5. Class AbstractHttpProxy
4.6.6. Class HttpProxy
4.6.7. Class HttpProxyNonTransparent
4.6.8. Class HttpProxyURIFilter
4.6.9. Class HttpProxyURIFilterNonTransparent
4.6.10. Class HttpProxyURLCategoryFilter
4.6.11. Class HttpWebdavProxy
4.6.12. Class NontransHttpWebdavProxy
4.7. Module Plug
4.7.1. Proxy behavior
4.7.2. Related standards
4.7.3. Classes in the Plug module
4.7.4. Class AbstractPlugProxy
4.7.5. Class PlugProxy
4.8. Module Pop3
4.8.1. The POP3 protocol
4.8.2. Proxy behavior
4.8.3. Related standards
4.8.4. Classes in the Pop3 module
4.8.5. Class AbstractPop3Proxy
4.8.6. Class Pop3Proxy
4.8.7. Class Pop3STLSProxy
4.9. Module Smtp
4.9.1. The SMTP protocol
4.9.2. Proxy behavior
4.9.3. Related standards
4.9.4. Classes in the Smtp module
4.9.5. Class AbstractSmtpProxy
4.9.6. Class SmtpProxy
4.10. Module Telnet
4.10.1. The Telnet protocol
4.10.2. Proxy behavior
4.10.3. Related standards
4.10.4. Classes in the Telnet module
4.10.5. Class AbstractTelnetProxy
4.10.6. Class TelnetProxy
4.10.7. Class TelnetProxyStrict
4.11. Module Imap
4.11.1. The IMAP protocol
4.11.2. Proxy behavior
4.11.3. Related standards
4.11.4. Classes in the Imap module
4.11.5. Class AbstractImapProxy
4.11.6. Class ImapProxy
4.11.7. Class ImapProxyStrict
4.12. Module Ldap
4.12.1. The LDAP protocol
4.12.2. Proxy behavior
4.12.3. Configuring policies for LDAP requests
4.12.4. Simple Authentication and Security Layer (SASL) on LDAP messages
4.12.5. Related standards
4.12.6. Classes in the Ldap module
4.12.7. Class AbstractLdapProxy
4.12.8. Class LdapProxy
4.12.9. Class LdapProxyRO
4.13. Module Mime
4.13.1. The MIME protocol
4.13.2. Proxy behavior
4.13.3. Related standards
4.13.4. Classes in the Mime module
4.13.5. Class AbstractMimeProxy
4.13.6. Class MimeProxy
4.14. Module Modbus
4.14.1. Classes in the Modbus module
4.14.2. Class AbstractModbusProxy
4.14.3. Class ModbusProxy
4.15. Module MSRpc
4.15.1. The RPC protocol
4.15.2. Proxy behavior
4.15.3. Classes in the MSRpc module
4.15.4. Class AbstractMSRpcProxy
4.15.5. Class MSRpcProxy
4.16. Module Radius
4.16.1. The RADIUS protocol
4.16.2. Proxy behavior
4.16.3. Related standards
4.16.4. Classes in the Radius module
4.16.5. Class AbstractRadiusProxy
4.16.6. Class RadiusProxy
4.16.7. Class RadiusProxyStrict
4.17. Module Sip
4.17.1. The SIP protocol
4.17.2. Related standards
4.17.3. Classes in the Sip module
4.17.4. Class AbstractSipProxy
4.17.5. Class SipProxy
4.18. Module Socks
4.18.1. The SOCKS protocol
4.18.2. Proxy behaviour
4.18.3. Related standards
4.18.4. Classes in the Socks module
4.18.5. Class AbstractSocksProxy
4.18.6. Class SocksProxy
4.19. Module SQLNet
4.19.1. The SQL*Net protocol
4.19.2. Proxy behavior
4.19.3. Related standards
4.19.4. Classes in the SQLNet module
4.19.5. Class AbstractSQLNetProxy
4.19.6. Class SQLNetProxy
4.20. Module Ssh
4.20.1. The Secure Shell protocol
4.20.2. Proxy behavior
4.20.3. Related standards
4.20.4. Classes in the Ssh module
4.20.5. Class AbstractSshProxy
4.20.6. Class SshProxy
4.20.7. Class SshProxySftpOnly
4.20.8. Class SshSFtpProxy
4.20.9. Class SshScpProxy
4.21. Module TFtp
4.21.1. The TFtp protocol
4.21.2. Proxy behavior
4.21.3. Related standards
4.21.4. Classes in the TFtp module
4.21.5. Class AbstractTFtpProxy
4.21.6. Class TFtpProxy
4.22. Module Vnc
4.22.1. Classes in the Vnc module
4.22.2. Class AbstractVncProxy
4.22.3. Class VncProxy
5. Core
5.1. Module Auth
5.1.1. Authentication and authorization basics
5.1.2. Authentication and authorization in PNS
5.1.3. Classes in the Auth module
5.1.4. Class AbstractAuthentication
5.1.5. Class AbstractAuthorization
5.1.6. Class AuthCache
5.1.7. Class AuthenticationPolicy
5.1.8. Class AuthorizationPolicy
5.1.9. Class BasicAccessList
5.1.10. Class InbandAuthentication
5.1.11. Class NEyesAuthorization
5.1.12. Class PairAuthorization
5.1.13. Class PermitGroup
5.1.14. Class PermitTime
5.1.15. Class PermitUser
5.1.16. Class ServerAuthentication
5.1.17. Class VAAuthentication
5.2. Module AuthDB
5.2.1. Classes in the AuthDB module
5.2.2. Class AbstractAuthenticationBackend
5.2.3. Class AuthenticationProvider
5.2.4. Class VAS2AuthenticationBackend
5.3. Module Chainer
5.3.1. Selecting the network protocol
5.3.2. Classes in the Chainer module
5.3.3. Class AbstractChainer
5.3.4. Class ConnectChainer
5.3.5. Class FailoverChainer
5.3.6. Class MultiTargetChainer
5.3.7. Class RoundRobinChainer
5.3.8. Class SideStackChainer
5.3.9. Class StateBasedChainer
5.4. Module Detector
5.4.1. Classes in the Detector module
5.4.2. Class AbstractDetector
5.4.3. Class CertDetector
5.4.4. Class DetectorPolicy
5.4.5. Class HttpDetector
5.4.6. Class SniDetector
5.4.7. Class SshDetector
5.5. Module Encryption
5.5.1. TLS parameter constants
5.5.2. Classes in the Encryption module
5.5.3. Class AbstractVerifier
5.5.4. Class Certificate
5.5.5. Class CertificateCA
5.5.6. Class ClientCertificateVerifier
5.5.7. Class ClientNoneVerifier
5.5.8. Class ClientOnlyEncryption
5.5.9. Class ClientOnlyStartTLSEncryption
5.5.10. Class ClientTLSOptions
5.5.11. Class DHParam
5.5.12. Class DynamicCertificate
5.5.13. Class DynamicServerEncryption
5.5.14. Class EncryptionPolicy
5.5.15. Class FakeStartTLSEncryption
5.5.16. Class ForwardStartTLSEncryption
5.5.17. Class PrivateKey
5.5.18. Class SNIBasedCertificate
5.5.19. Class ServerCertificateVerifier
5.5.20. Class ServerNoneVerifier
5.5.21. Class ServerOnlyEncryption
5.5.22. Class ServerTLSOptions
5.5.23. Class StaticCertificate
5.5.24. Class TLSOptions
5.5.25. Class TwoSidedEncryption
5.6. Module Ids
5.6.1. Classes in the Ids module
5.6.2. Class Ids
5.6.3. Class IdsPolicy
5.7. Module Keybridge
5.8. Module Matcher
5.8.1. Classes in the Matcher module
5.8.2. Class AbstractMatcher
5.8.3. Class CombineMatcher
5.8.4. Class DNSMatcher
5.8.5. Class MatcherPolicy
5.8.6. Class RegexpFileMatcher
5.8.7. Class RegexpMatcher
5.8.8. Class SmtpInvalidRecipientMatcher
5.8.9. Class WindowsUpdateMatcher
5.9. Module NAT
5.9.1. Classes in the NAT module
5.9.2. Class AbstractNAT
5.9.3. Class FWMark
5.9.4. Class GeneralNAT
5.9.5. Class HashNAT
5.9.6. Class LinkAvailabilityPFNat
5.9.7. Class NAT46
5.9.8. Class NAT64
5.9.9. Class NATPolicy
5.9.10. Class RandomNAT
5.9.11. Class StaticNAT
5.10. Module Notification
5.10.1. Classes in the Notification module
5.10.2. Class AbstractNotificationMethod
5.10.3. Class EmailNotificationMethod
5.10.4. Class NotificationPolicy
5.11. Module Proxy
5.11.1. Functions in module Proxy
5.11.2. Classes in the Proxy module
5.11.3. Functions
5.11.4. Class Proxy
5.12. Module Resolver
5.12.1. Classes in the Resolver module
5.12.2. Class AbstractResolver
5.12.3. Class DNSResolver
5.12.4. Class HashResolver
5.13. Module Router
5.13.1. The source address used in the server-side connection
5.13.2. Classes in the Router module
5.13.3. Class AbstractRouter
5.13.4. Class DirectedRouter
5.13.5. Class InbandRouter
5.13.6. Class TransparentRouter
5.14. Module Rule
5.14.1. Evaluating firewall rules
5.14.2. Sample rules
5.14.3. Adding metadata to rules: tags and description
5.14.4. Classes in the Rule module
5.14.5. Class PortRange
5.14.6. Class Rule
5.15. Module Service
5.15.1. Naming services
5.15.2. Classes in the Service module
5.15.3. Class AbstractService
5.15.4. Class DenyService
5.15.5. Class PFService
5.15.6. Class Service
5.16. Module Session
5.16.1. Classes in the Session module
5.16.2. Class StackedSession
5.17. Module SockAddr
5.17.1. Classes in the SockAddr module
5.17.2. Class SockAddrInet
5.17.3. Class SockAddrInet6
5.17.4. Class SockAddrInetHostname
5.17.5. Class SockAddrInetRange
5.17.6. Class SockAddrUnix
5.18. Module Stack
5.18.1. Classes in the Stack module
5.18.2. Class AbstractStackingBackend
5.18.3. Class RemoteStackingBackend
5.18.4. Class StackingProvider
5.19. Module Zone
5.19.1. Classes in the Zone module
5.19.2. Class Zone
5.20. Module Vela
6. Core-internal
6.1. Module Cache
6.2. Module Core
6.3. Module Dispatch
6.3.1. Zone-based service selection
6.3.2. Classes in the Dispatch module
6.3.3. Class CSZoneDispatcher
6.3.4. Class Dispatcher
6.4. Module Globals
6.5. Module Stream
6.5.1. Classes in the Stream module
6.5.2. Class Stream
A. Additional proxy information
A.1. TELNET appendix
A.2. RADIUS appendix
A.3. SQL*Net appendix
B. Global options of PNS
B.1. Setting global options of PNS
blob
audit
options
C. PNS manual pages
vas — Authentication Server
vas.cfg vas(8) configuration file.
vcf — Content Filtering Server
vcf.cfg vcf(8) configuration file format
vms — Vela Management Server engine
vms.confConfiguration file format for the Vela Management Server (vms(8)).
vms-integrity — VMS Database Integrity Checker
instances.conf vela(8) instances database
policy.py vela(8) policy file.
vela — Vela Firewall Suite
velactl — Start and stop vela instances.
velactl.conf velactl(8) configuration file.
vela-zone-helper — Zone helper daemon
vela-zone-helper.conf vela-zone-helper(8) configuration file
vela-geoip-helper — GeoIP helper daemon
vela-geoip-helper.conf vela-geoip-helper(8) configuration file
vavupdate — Updates the various AntiVirus engine's databases.
vavupdate.options vavupdate(8) configuration files.
vqc — Vela Quarantine Checker
D. Proxedo Network Security Suite End-User License Agreement
D.1. 1. SUBJECT OF THE LICENSE CONTRACT
D.2. 2. DEFINITIONS
D.3. 3. LICENSE GRANTS AND RESTRICTIONS
D.4. 4. SUBSIDIARIES
D.5. 5. INTELLECTUAL PROPERTY RIGHTS
D.6. 6. TRADE MARKS
D.7. 7. NEGLIGENT INFRINGEMENT
D.8. 8. INTELLECTUAL PROPERTY INDEMNIFICATION
D.9. 9. LICENSE FEE
D.10. 10. WARRANTIES
D.11. 11. DISCLAIMER OF WARRANTIES
D.12. 12. LIMITATION OF LIABILITY
D.13. 13.DURATION AND TERMINATION
D.14. 14. AMENDMENTS
D.15. 15. WAIVER
D.16. 16. SEVERABILITY
D.17. 17. NOTICES
D.18. 18. MISCELLANEOUS
E. Creative Commons Attribution Non-commercial No Derivatives (by-nc-nd) License
Index of Proxy attributes
Index of Core attributes
Index of all attributes

List of Examples

2.1. Customizing FTP commands
2.2. Using the POLICY action
2.3. Default and explicit actions
2.4. Customizing response codes
2.5. Example PlugProxy allowing secondary sessions
2.6. Program stacking in HTTP
3.1. Accepting invalid certificates
3.2. Configuring FTPS support
4.1. FTP protocol sample
4.2. Customizing FTP to allow only anonymous sessions
4.3. Configuring FTPS support
4.4. Example HTTP transaction
4.5. Proxy style HTTP query
4.6. Data tunneling with connect method
4.7. Implementing URL filtering in the HTTP proxy
4.8. 404 response filtering in HTTP
4.9. Header filtering in HTTP
4.10. URL redirection in HTTP proxy
4.11. Redirecting HTTP to HTTPS
4.12. Using parent proxies in HTTP
4.13. URL filtering HTTP proxy
4.14. POP3 protocol sample
4.15. Example for allowing only APOP authentication in POP3
4.16. Example for converting simple USER/PASS authentication to APOP in POP3
4.17. Rewriting the banner in POP3
4.18. SMTP protocol sample
4.19. Example for disabling the Telnet X Display Location option
4.20. Rewriting the DISPLAY environment variable
4.21. IMAP protocol sample
4.22. Rewriting IMAP capability response
4.23. Changing the greeting string in IMAP
4.24. IMAP arguments in use
4.25. Example Ldap entry
4.26. Example of the commands usage
4.27. Example mail header containing MIME message
4.28. Example PNG format picture attachment
4.29. Example multipart message
4.30. Example usage of MimeProxy module, denying applications
4.31. Customising RPC to allow connection to service "11223344-5566-7788-99aa-bbccddeeff00"
4.32. Example RadiusProxy config
4.33. Disabling video traffic in SIP
4.34. SOCKS and HTTP traffic
4.35. Enabling and disabling SSH channels
4.36. Enabling only SFTP connections
4.37. Restricting local forwarding
4.38. Modifying the keypair used in public-key authentication
5.1. A simple authentication policy
5.2. Caching authentication decisions
5.3. A simple authorization policy
5.4. BasicAccessList example
5.5. A simple PairAuthorization policy
5.6. A simple PermitGroup policy
5.7. PermitTime example
5.8. A simple PermitUser policy
5.9. Outband authentication example
5.10. A sample authentication provider
5.11. A sample ConnectChainer
5.12. A DirectedRouter using FailoverChainer
5.13. A DirectedRouter using RoundRobinChainer
5.14. CertDetector example
5.15. HttpDetector example
5.16. SNIDetector example
5.17. SshDetector example
5.18. Loading a certificate
5.19. Loading DH parameters
5.20. Loading a private key
5.21. Whitelisting e-mail recipients
5.22. DNSMatcher example
5.23. RegexpFileMatcher example
5.24. RegexpMatcher example
5.25. SmtpInvalidMatcher example
5.26. WindowsUpdateMatcher example
5.27. GeneralNat example
5.28. Using Natpolicies
5.29. A simple DNSResolver policy
5.30. A simple HashResolver policy
5.31. DirectedRouter example
5.32. InbandRouter example
5.33. TransparentRouter example
5.34. Sample rule definitions
5.35. Tagging rules
5.36. A simple DenyService
5.37. PFService example
5.38. Service example
5.39. SockAddrInet example
5.40. SockAddrInet example
5.41. SockAddrInetHostname example
5.42. SockAddrUnix example
5.43. A simple StackingProvider class
5.44. Using a StackingProvider in an FTP proxy
5.45. Finding IP networks
5.46. Zone examples
5.47. Determining the zone of an IP address
6.1. CSZoneDispatcher example
6.2. Dispatcher example
A.1. An example for the SQL*Net connection string

List of Procedures

1.1. PNS startup and initialization
1.2.1. Handling packet filtering services
1.2.2. Handling application-level services
1.3. Proxy startup and the server-side connection
3.1.1. The SSL handshake
3.2.4.1. Enabling TLS-encryption in the connection
3.2.8. Configuring keybridging
B.1. Setting global options of PNS
   Next