NON-PROXY Implementation

Discuss and get help integrating CacheGuard Appliance into your network
jdolence
Posts: 2
Joined: 29 Jun 2017 14:28

NON-PROXY Implementation

Post by jdolence » 29 Jun 2017 14:46

I have a very special use case where I need to configure CacheGuard for inspection only.
Is it possible for CacheGuard OS to:
1. Act transparently - traffic will be steered to the device.
2. NO DNS resolution
3. NO caching
4. NO HTTP protocol inspection
5. Forward received traffic from inside interface to an outside interface without NAT
6. Perform URL inspection & allow a local blacklist to be maintained
7. Perform AV inspection, perhaps using dansguardian AV

david
Posts: 148
Joined: 08 Aug 2015 20:38

Re: NON-PROXY Implementation

Post by david » 29 Jun 2017 17:11

Hi,

Thank you for your post. In answer to your questions:

- You can implement CG as a transparent Gateway. Refer to http://www.cacheguard.net/doc/guide/transparent.html for further information.
- The embedded DNS can be disabled but your own external DNS.
- The caching can be disabled.
- HTTP protocol is only inspected in reverse (proxy) mode (to protect Web servers) so there is no protocol inspection in transparent forwarding mode (but URL inspection only).
- In transparent mode, incoming Web requests from the internal interface of CG are transparently intercepted by the embedded proxy so outgoing Web requests are sent using the external IP address of CG (so you'll get a kind of NAT).
- You can allow or deny URLs using your own regular expressions and list of domain names and URLs.
- CG embeds its own AV (based on ClamAV) so you don't need to connect it to an external AV.

I hope that my answers are clear enough. If you need clarifications, please don't hesitate to post your questions here.

Best Regards,
David Jan
CacheGuard Technical Team
https://www.cacheguard.com

jdolence
Posts: 2
Joined: 29 Jun 2017 14:28

Re: NON-PROXY Implementation

Post by jdolence » 29 Jun 2017 18:40

David,

Thanks for the quick reply. I started testing before seeing your response.

You identified the only problem I am having: - In transparent mode, incoming Web requests from the internal interface of CG are transparently intercepted by the embedded proxy so outgoing Web requests are sent using the external IP address of CG (so you'll get a kind of NAT).

I need the outgoing requests to use the IP address that CG received on the inside interface (e.g. spoofing or bridged). Just pass it through. At Layer 2/3, these interfaces are totally separated and the MACs are unique.

Is there any way to do this?
Is there any way to get to the actual OS?

So close, yet so far away.

Thanks,
Jeff

david
Posts: 148
Joined: 08 Aug 2015 20:38

Re: NON-PROXY Implementation

Post by david » 29 Jun 2017 19:13

Hi,

To achieve what you are looking for, you need a facility that can operate at the IP level. Unfortunately CG does not integrate such a facility (at least not yet).

Maybe you can have a look at http://www.netfilter.org/projects/libne ... index.html. Of course I understand that building a solution based on raw Linux/NetFilter may not be as straightforward as a solution based on CG.

Best Regards,
David Jan
CacheGuard Technical Team
https://www.cacheguard.com
