NxFilter v2.2.0 and NxClient v2.0 for safe-search enforcing and URL keyword filtering and more!
540 views
Skip to first unread message
Jinhee
Jun 6, 2014, 1:18:03 AM6/6/14
to nxfil...@googlegroups.com
We are testing new NxFilter and NxClent that are capable of forcing safe-search
and keyword filtering against URL which is only possible through web-proxy based
web-filter. The reason we can do these things with NxFilter which is a dns-filter
is that we ship a web-proxy with NxClient and NxClient now also works as a local
web-proxy.
Some people might be questioning that I was criticizing about a web-proxy based
web-filter for performance issue. Yes, but this local proxy doesn't cause any bottle
neck issue. It's a personal web-proxy installed onto your user PC. So performance is
not an issue as it is a dedicated proxy for one user.
Now we can force safe-search and we can block HTTPS sites and we can do keyword
filtering against URL. Of course this is just a starting point. Theoretically we can
do everything a web-proxy based web-filter can do. Now we don't need to explain
how NxFilter is good compared to a traditional web-proxy based web-filter. NxFilter
includes a web-filter as its agent.
However we still have a problem with deployment. You don't want to install this agent
onto every PC on your network. Besides, NxClient was designed to be a remote user
filtering client so it requires a login token and server IP address for up and running.
To address this problem I was thinking of making it as a multi-purpose agent which can be
used both as an AD single sign-on agent and as a remote user filtering client. But I was
not sure about the deployment problem yet. So I decided to test it as a remote user
filtering client first.
Anyway this is just our starting point. I have many things going on in my mind. Several
designs including a multi-purpose agent which runs as a service having everything in
it or keeping new NxClient with the bundled web-proxy and adding a web-proxy into
NxLogon as well. Just can't decide which is the best yet.
For how to install NxClient read tutorial.
http://www.nxfilter.org/tutorial.php#nxclient
------------------------------------------------------------------------------------------
How it works.
------------------------------------------------------------------------------------------
New NxClient has a web-proxy bundled and it works as a proxy server for IE and Chrome.
It can block user web access based on URL keyword filtering and it can enforce safe-search
on Google, Bing, Yahoo, Youtube. You can setup your own proxy policy on NxFilter GUI. Once
you setup your policy on 'Policy > proxy' NxClient fetches the policy once a minute. You
can disable the web-proxy policy on user or group specific policy like application control.
One thing you need to know is that once you enable safe-search it blocks HTTPS access to
Google, Bing, Yahoo, Youtube. So some of your users might tell you that some sites are not
working. But for google NxFilter creates a CNAME record for redirecting all the Google sites
to 'nosslsearch.google.com'. And Bing and Youtube are using HTTP as the default way of
accessing their site. So you don't get many troubles for that. Only Yahoo uses HTTPS as
their default protocol and they might be appeared as not working. Of course you still can
access Yahoo using HTTP.
* Currently the built-in local proxy only covers Internet Explorer and Chrome. If your
users use the other browsers like Firefox they can get away from your filtering. Of course
they still fall into DNS filtering but you'd better block these browsers using application
control. For example add 'firefox.exe' into 'Blocked process name'.
* Once it starts it changes the proxy settings on Windows registry and it locks the proxy
setup on IE. To unlock it you need to disable the proxy policy or check 'Disable proxy' on
user or group specific policy.
------------------------------------------------------------------------------------------
Changes with NxFilter v2.2.
------------------------------------------------------------------------------------------
- Forcing safe-search option through NxClient added.
- URL keyword filtering through NxClient added.
- Application control through NxClient added.
- NxLogon updated to v1.4 with several fixes.
- CharacterSet encoding removed from NxParam as a redundancy.
- Request object removed from AdminLoginDao.
- javax.naming.PartialResultException ignored by LdapAgent.
- '+' in application control rule changed to '*'.
- Minimum length(4) introduced for application control keyword.
- Empty record check for finding response cache added.
- application -> policy_application.
- Domain to domain redirection added.
- block_domain introduced.
- Fash-flux detection removed.
- IP based ACL for login redirection added.
- err_detail -> reason_detail.
------------------------------------------------------------------------------------------
Changes with NxClient v2.0.
------------------------------------------------------------------------------------------
- Application control added.
- Local proxy added.
- Safe-search enforcing added.
- URL keyword filtering added.
- HTTPS blocking added.
- Bypass Windows command when it's on the other OS.
- NxResolver has been removed from DnsUpdater.
- Alternative DNS can be used upto 6 hours.
------------------------------------------------------------------------------------------
Updating the existing NxClient.
------------------------------------------------------------------------------------------
If you need to update your existing NxClient the simplest way would be overwriting the
files in 'c:\program files\nxclient'. NxClient is a self contained software. It doesn't
rely on any outside file or registry values. So simply replacing the old files with the
new files updating can be done. The only exception is cfg.properties file in /conf directory.
There're server-ip and login-token values in it.
I attached a zip file which contains everything in it. In fact you can install NxClient with
this. Copy all the files from the zip file to some directory and then run '/bin/instsvc.bat'
If you want to uninstall it. run '/bin/unstsvc.bat' and then delete whole directory.
------------------------------------------------------------------------------------------
Download link.
------------------------------------------------------------------------------------------
http://www.nxfilter.org/download/nxfilter-2.2.0-beta-1.exe
http://www.nxfilter.org/download/nxfilter-2.2.0-beta-1.zip
http://www.nxfilter.org/download/nxclient-2.0-beta-1.exe
http://www.nxfilter.org/download/nxclient-2.0-beta-1.zip
Jinhee
and keyword filtering against URL which is only possible through web-proxy based
web-filter. The reason we can do these things with NxFilter which is a dns-filter
is that we ship a web-proxy with NxClient and NxClient now also works as a local
web-proxy.
Some people might be questioning that I was criticizing about a web-proxy based
web-filter for performance issue. Yes, but this local proxy doesn't cause any bottle
neck issue. It's a personal web-proxy installed onto your user PC. So performance is
not an issue as it is a dedicated proxy for one user.
Now we can force safe-search and we can block HTTPS sites and we can do keyword
filtering against URL. Of course this is just a starting point. Theoretically we can
do everything a web-proxy based web-filter can do. Now we don't need to explain
how NxFilter is good compared to a traditional web-proxy based web-filter. NxFilter
includes a web-filter as its agent.
However we still have a problem with deployment. You don't want to install this agent
onto every PC on your network. Besides, NxClient was designed to be a remote user
filtering client so it requires a login token and server IP address for up and running.
To address this problem I was thinking of making it as a multi-purpose agent which can be
used both as an AD single sign-on agent and as a remote user filtering client. But I was
not sure about the deployment problem yet. So I decided to test it as a remote user
filtering client first.
Anyway this is just our starting point. I have many things going on in my mind. Several
designs including a multi-purpose agent which runs as a service having everything in
it or keeping new NxClient with the bundled web-proxy and adding a web-proxy into
NxLogon as well. Just can't decide which is the best yet.
For how to install NxClient read tutorial.
http://www.nxfilter.org/tutorial.php#nxclient
------------------------------------------------------------------------------------------
How it works.
------------------------------------------------------------------------------------------
New NxClient has a web-proxy bundled and it works as a proxy server for IE and Chrome.
It can block user web access based on URL keyword filtering and it can enforce safe-search
on Google, Bing, Yahoo, Youtube. You can setup your own proxy policy on NxFilter GUI. Once
you setup your policy on 'Policy > proxy' NxClient fetches the policy once a minute. You
can disable the web-proxy policy on user or group specific policy like application control.
One thing you need to know is that once you enable safe-search it blocks HTTPS access to
Google, Bing, Yahoo, Youtube. So some of your users might tell you that some sites are not
working. But for google NxFilter creates a CNAME record for redirecting all the Google sites
to 'nosslsearch.google.com'. And Bing and Youtube are using HTTP as the default way of
accessing their site. So you don't get many troubles for that. Only Yahoo uses HTTPS as
their default protocol and they might be appeared as not working. Of course you still can
access Yahoo using HTTP.
* Currently the built-in local proxy only covers Internet Explorer and Chrome. If your
users use the other browsers like Firefox they can get away from your filtering. Of course
they still fall into DNS filtering but you'd better block these browsers using application
control. For example add 'firefox.exe' into 'Blocked process name'.
* Once it starts it changes the proxy settings on Windows registry and it locks the proxy
setup on IE. To unlock it you need to disable the proxy policy or check 'Disable proxy' on
user or group specific policy.
------------------------------------------------------------------------------------------
Changes with NxFilter v2.2.
------------------------------------------------------------------------------------------
- Forcing safe-search option through NxClient added.
- URL keyword filtering through NxClient added.
- Application control through NxClient added.
- NxLogon updated to v1.4 with several fixes.
- CharacterSet encoding removed from NxParam as a redundancy.
- Request object removed from AdminLoginDao.
- javax.naming.PartialResultException ignored by LdapAgent.
- '+' in application control rule changed to '*'.
- Minimum length(4) introduced for application control keyword.
- Empty record check for finding response cache added.
- application -> policy_application.
- Domain to domain redirection added.
- block_domain introduced.
- Fash-flux detection removed.
- IP based ACL for login redirection added.
- err_detail -> reason_detail.
------------------------------------------------------------------------------------------
Changes with NxClient v2.0.
------------------------------------------------------------------------------------------
- Application control added.
- Local proxy added.
- Safe-search enforcing added.
- URL keyword filtering added.
- HTTPS blocking added.
- Bypass Windows command when it's on the other OS.
- NxResolver has been removed from DnsUpdater.
- Alternative DNS can be used upto 6 hours.
------------------------------------------------------------------------------------------
Updating the existing NxClient.
------------------------------------------------------------------------------------------
If you need to update your existing NxClient the simplest way would be overwriting the
files in 'c:\program files\nxclient'. NxClient is a self contained software. It doesn't
rely on any outside file or registry values. So simply replacing the old files with the
new files updating can be done. The only exception is cfg.properties file in /conf directory.
There're server-ip and login-token values in it.
I attached a zip file which contains everything in it. In fact you can install NxClient with
this. Copy all the files from the zip file to some directory and then run '/bin/instsvc.bat'
If you want to uninstall it. run '/bin/unstsvc.bat' and then delete whole directory.
------------------------------------------------------------------------------------------
Download link.
------------------------------------------------------------------------------------------
http://www.nxfilter.org/download/nxfilter-2.2.0-beta-1.exe
http://www.nxfilter.org/download/nxfilter-2.2.0-beta-1.zip
http://www.nxfilter.org/download/nxclient-2.0-beta-1.exe
http://www.nxfilter.org/download/nxclient-2.0-beta-1.zip
Jinhee
mark page
Jun 6, 2014, 5:39:33 AM6/6/14
to nxfil...@googlegroups.com
Jinhee,
Maybe I'm missing something, but are you blocking all SSL traffic at the local machine? If so, that's going to break a lot of sites that only use SSL.
Mark
Jinhee
Jun 6, 2014, 6:39:01 AM6/6/14
to nxfil...@googlegroups.com
These are the options for proxy policy.
- enable_proxy
- block_https
- safe_search
- blocked url-kw
You can block https by checking block_https but you don't need to do that for safe-search.
With safe-search option we block https for Bing, Yahoo(search.yahoo.*), Youtube because users
can get away from filtering by using https. And you know how the dns redirection works for Google.
So Google is fine.
Blocking entire https is came form my old experience. At the time we had such option on the web-filter
product I developed so I just added it. Maybe it's useful if you don't want to allow any encrypted web
access for data leaking.
One thing missing is that I could add block option for IP based URL or host in the URL. So that we
don't see the people talking like I can bypass dns-filter by acccessing a website using IP address.
Jinhee
- enable_proxy
- block_https
- safe_search
- blocked url-kw
You can block https by checking block_https but you don't need to do that for safe-search.
With safe-search option we block https for Bing, Yahoo(search.yahoo.*), Youtube because users
can get away from filtering by using https. And you know how the dns redirection works for Google.
So Google is fine.
Blocking entire https is came form my old experience. At the time we had such option on the web-filter
product I developed so I just added it. Maybe it's useful if you don't want to allow any encrypted web
access for data leaking.
One thing missing is that I could add block option for IP based URL or host in the URL. So that we
don't see the people talking like I can bypass dns-filter by acccessing a website using IP address.
Jinhee
Jinhee
Jun 10, 2014, 10:39:48 PM6/10/14
to nxfil...@googlegroups.com
I added several more features onto NxFilter and NxClient. These are the new changes
of NxFilter v2.2.1-beta-1 and NxClient v2.0-beta-2.
- Log only applied to proxy policy.
You can just record blocking logs from proxy filtering not actually blocking it. This
is a policy specific option.
- Whitelist domain, keyword for bypass filtering applied to proxy policy.
Global whitelist with 'bypass filtering' option will be applied to proxy filtering.
- Block IP host added to proxy policy.
Now you can block IP host in URL. This couldn't be done with a dns-filter but now it's
possible with NxFilter's local proxy agent.
- Using DynUpdate for AD domain resolving.
You don't need to use zone-transfer to resolve AD domain. NxFilter will try to attempt
resolve AD domain against DC automatically.
- Block other browser option added for proxy policy.
NxFilter's local proxy filtering only supports IE and Chrome so you had to block other
browsers in some way. But with this option you don't need to do it manually. Once you enable
'Block other browser' option on 'Policy > proxy' NxClient will try to block any program
making direct HTTP connection to the Internet. One good thing is that as long as you use
system proxy you can use the browsers other than IE, Chrome. So if you want to use Firefox
with NxFilter's proxy filtering feature set it up using system proxy on its network setup.
------------------------------------------------------------------------------------------
Download link.
------------------------------------------------------------------------------------------
http://www.nxfilter.org/download/nxfilter-2.2.1-beta-1.exe
http://www.nxfilter.org/download/nxfilter-2.2.1-beta-1.zip
http://www.nxfilter.org/download/nxclient-2.0-beta-2.exe
http://www.nxfilter.org/download/nxclient-2.0-beta-2.zip
Jinhee
of NxFilter v2.2.1-beta-1 and NxClient v2.0-beta-2.
- Log only applied to proxy policy.
You can just record blocking logs from proxy filtering not actually blocking it. This
is a policy specific option.
- Whitelist domain, keyword for bypass filtering applied to proxy policy.
Global whitelist with 'bypass filtering' option will be applied to proxy filtering.
- Block IP host added to proxy policy.
Now you can block IP host in URL. This couldn't be done with a dns-filter but now it's
possible with NxFilter's local proxy agent.
- Using DynUpdate for AD domain resolving.
You don't need to use zone-transfer to resolve AD domain. NxFilter will try to attempt
resolve AD domain against DC automatically.
- Block other browser option added for proxy policy.
NxFilter's local proxy filtering only supports IE and Chrome so you had to block other
browsers in some way. But with this option you don't need to do it manually. Once you enable
'Block other browser' option on 'Policy > proxy' NxClient will try to block any program
making direct HTTP connection to the Internet. One good thing is that as long as you use
system proxy you can use the browsers other than IE, Chrome. So if you want to use Firefox
with NxFilter's proxy filtering feature set it up using system proxy on its network setup.
------------------------------------------------------------------------------------------
Download link.
------------------------------------------------------------------------------------------
http://www.nxfilter.org/download/nxfilter-2.2.1-beta-1.exe
http://www.nxfilter.org/download/nxfilter-2.2.1-beta-1.zip
http://www.nxfilter.org/download/nxclient-2.0-beta-2.exe
http://www.nxfilter.org/download/nxclient-2.0-beta-2.zip
Jinhee
Matthew Marlowe
Jun 13, 2014, 10:09:02 AM6/13/14
to nxfil...@googlegroups.com
So, in this release is nxclient replacing nxlogon?
Jinhee
Jun 13, 2014, 8:02:32 PM6/13/14
to nxfil...@googlegroups.com
No. I will not replace NxLogon with NxClient. NxClient is fine as it is. I will decide what I do after I finish my current working.
Reply all
Reply to author
Forward
0 new messages