Technical Details

How cADC Managed Forward Proxy works

The Managed Forward Proxy is list-driven: a destination can only be reached via the proxy if it is on the allow list and not on a deny list. Anything that is not explicitly allowed is blocked.

  • A common deny list is maintained at platform level; it applies to all forward proxy instances.
  • In addition, each forward proxy instance has its own allow list and deny list.

Allow and deny lists

An allow or deny list actually consists of two lists:

one for hosts and domains

  • Format host: host.domain.tld (matches exactly that host)
  • Format domain: .domain.tld (= *.domain.tld, matches every host below domain.tld), .subdomain.domain.tld (= *.subdomain.domain.tld)

one for IP addresses

  • IPv4: 1.2.3.4
  • IPv6: 0:0:0:0:0:ffff:0102:0304 (or compressed ::ffff:102:304)

Ports are not included in the lists: an entry always covers all ports of the destination, so a destination is either reachable on every port or on none.

Common Deny List

The common deny list exists only once per platform (F5 node or F5 guest), in the common partition.

It is filled by the platform operator on the basis of official orders (security, GL, legislators?) and is initially empty.

Deny list

There is a deny list (hosts/domains and IP addresses) for each forward proxy instance.

  • It can be empty, in which case the respective forward proxy instance is controlled purely by its allow list.

  • The deny lists are provisioned by the user/integrator via the UI/API.

Deny list rules

  • The entries * and *.* are not supported; if everything is to be blocked, the allow list must be emptied instead.
  • Everything else can be put on the deny list, including:
    -> TLDs (top-level domains), e.g. *.su, *.ru, *.cn
    -> ccSLDs (country-code second-level domains), e.g. *.co.uk or *.com.tw

Allow List

  • There is an allow list for domains/hosts or IP addresses for each forward proxy instance.

  • They can be empty, in which case the respective forward proxy instance is completely closed and no destinations can be reached.

  • The allow lists are provisioned by the user/integrator via the UI/API.

Allow list rules

  • The entries * and *.* are not supported; a fully open proxy is not possible.
  • At most one entire domain may be added to the allow list (e.g. *.swisscom.ch).
    -> TLDs (top-level domains) are generally not allowed on the allow list (e.g. *.ch).
    -> ccSLDs (country-code second-level domains) must be respected: an entry under a ccSLD must include the organisation's own label (e.g. *.bbc.co.uk); *.co.uk or *.com.tw themselves must not be on the allow list.

Application examples for the interaction of deny and allow lists

  • The user/integrator wants to allow all destinations in the domain *.swisscom.com, except www.swisscom.com:
    -> first "www.swisscom.com" is entered in the deny list
    -> then ".swisscom.com" is entered in the allow list
    (a deny-list match takes precedence over an allow-list match)
  • The user/integrator wants to block all destinations in the *.swisscom.com domain, except sftp.swisscom.com:
    -> "sftp.swisscom.com" must be entered in the allow list
    -> make sure that ".swisscom.com" is on neither the deny list nor the allow list (everything not on the allow list is blocked anyway)
  • A destination sftp.swisscom.com can be addressed under the IP addresses 1.2.3.4, 1.2.3.5 and 0:0:0:0:0:ffff:0102:0306:
    -> in the allow list for hosts/domains the following entry is defined:
       sftp.swisscom.com
    -> in the allow list for IP addresses:
       1.2.3.4
       1.2.3.5
       0:0:0:0:0:ffff:0102:0306
    (the host entry matches clients that hand the proxy the name; the IP entries cover clients that resolve the name themselves and hand the proxy only an address)

Service-Ports

  • The HTTP/web proxy runs on port 8080 of the forward proxy and accepts requests that comply with RFC7230 or RFC7231.

  • A SOCKS proxy can optionally be enabled (it is off by default) on port 1080 of the forward proxy. It accepts requests that comply with the SOCKS5 protocol (RFC1928).

  • All lists apply to both service ports (8080 = web/HTTP proxy, 1080 = SOCKS proxy).
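The following is an added example (not cADC code, not taken from the original page) showing what a client actually sends to the two service ports, because that is what the lists are matched against. With SOCKS5 a destination can be passed as a domain name (ATYP 0x03, the proxy resolves it and can match the host/domain lists) or as an IP literal (ATYP 0x01/0x04, which only the IP lists can match); with the HTTP proxy it is the authority in the CONNECT request line. The reply bytes in the demo are constructed; which RFC1928 reply code the cADC proxy returns for a refused destination is not stated on this page. `probe_socks5` needs a reachable proxy and is only illustrative.

```python
import ipaddress
import socket
import struct

# RFC 1928 reply codes, so a policy refusal can be told apart from a connectivity problem.
REPLY_CODES = {
    0x00: "succeeded",
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}


def socks5_greeting() -> bytes:
    """Client hello: VER=5, NMETHODS=1, METHOD 0x00 (no authentication)."""
    return b"\x05\x01\x00"


def socks5_connect(dest: str, port: int) -> bytes:
    """CONNECT request. A name is sent as ATYP 0x03 so the proxy resolves it and can match
    the host/domain lists. An IP literal is sent as ATYP 0x01 (IPv4) or 0x04 (IPv6), which
    only the IP lists can match (the reason for the address entries in the third application
    example above)."""
    try:
        addr = ipaddress.ip_address(dest)
        body = (b"\x01" if addr.version == 4 else b"\x04") + addr.packed
    except ValueError:
        name = dest.encode("idna")
        if len(name) > 255:
            raise ValueError("a domain name longer than 255 octets cannot be sent in SOCKS5")
        body = b"\x03" + bytes([len(name)]) + name
    return b"\x05\x01\x00" + body + struct.pack("!H", port)  # VER, CMD=CONNECT, RSV, DST, PORT


def parse_socks5_reply(data: bytes) -> tuple:
    """Return (REP code, meaning) from the proxy's reply."""
    if len(data) < 2 or data[0] != 5:
        raise ValueError("not a SOCKS5 reply")
    return data[1], REPLY_CODES.get(data[1], "unknown reply code")


def http_connect(dest: str, port: int) -> bytes:
    """CONNECT request for the HTTP proxy on 8080 (RFC 7231, section 4.3.6). The authority in
    the request line is what the proxy matches; IPv6 literals must be bracketed."""
    authority = f"[{dest}]" if ":" in dest and not dest.startswith("[") else dest
    return f"CONNECT {authority}:{port} HTTP/1.1\r\nHost: {authority}:{port}\r\n\r\n".encode()


def probe_socks5(proxy_host: str, proxy_port: int, dest: str, port: int, timeout: float = 5.0) -> tuple:
    """Live check against a running proxy (needs network; not exercised offline)."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(socks5_greeting())
        if s.recv(2) != b"\x05\x00":
            raise RuntimeError("proxy did not accept the no-authentication method")
        s.sendall(socks5_connect(dest, port))
        return parse_socks5_reply(s.recv(262))


if __name__ == "__main__":
    print(socks5_connect("sftp.swisscom.com", 22).hex(" "))   # name goes as ATYP 0x03
    print(socks5_connect("1.2.3.4", 443).hex(" "))            # literal goes as ATYP 0x01
    # Constructed reply: REP=0x02 is the code RFC 1928 defines for a ruleset refusal.
    print(parse_socks5_reply(b"\x05\x02\x00\x01\x00\x00\x00\x00\x00\x00"))
    print(http_connect("2001:db8::1", 443).decode())
```

When testing a list change, send the destination the same way the real client does: a browser or curl with `--socks5-hostname` sends the name, while a client that resolves locally sends an address and will be judged by the IP list alone.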

Grey-List

  • The main purpose of the grey list is to reduce the risk of domain fronting (link?). It is a requirement that arose from RISKINI-22 (DomainFronting Prevention). A wildcard on a shared hosting or CDN domain would let any tenant of that provider be reached through the proxy; requiring exact host names limits the allowed destinations to named services.
  • It lists domains under which no wildcards are allowed: destinations below these domains must be entered as FQDNs (fully qualified domain names, i.e. exact host names).
  • The grey list is not maintained on the platform (F5 node or F5 guest) itself but in Git. Current location: https://git.swisscom.com/projects/CADCAUTOMA/repos/cadcfpgreylist/browse/greylist.txt
Special grey-list domain rules

The following rules are checked during provisioning.

- The domains listed in the grey list must not be on the allow list as a whole (e.g. *.amazonaws.com)
- For the domains listed in the grey list, no sub-domains may be on the allow list either (e.g. *.eu-west-1.amazonaws.com)
- For the domains listed in the grey list, only host names are allowed on the allow list (e.g. swisscom-ingest.s3.amazonaws.com)
- The grey list does not apply to entries on the deny list.
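The provisioning checks for host/domain entries on an allow list, as an added example that is not the cADC provisioning code: it rejects `*` and `*.*`, bare TLDs, bare ccSLDs, and wildcards on or below a grey-listed domain, while accepting exact host names. `GREY_LIST` and `CC_SLDS` are constructed stand-ins (the real grey list lives in the Git repository named above; the page names only co.uk and com.tw as ccSLD examples). The "at most one entire domain" limit is a per-list rule and is not checked here.

```python
# Constructed stand-ins; replace with the real grey list and a full ccSLD table.
GREY_LIST = {"amazonaws.com"}
CC_SLDS = {"co.uk", "com.tw"}


def _normalise(entry: str) -> str:
    """Lower-case, drop a trailing dot and write '*.x' as '.x' (the two forms are equivalent)."""
    e = entry.strip().lower().rstrip(".")
    return e[1:] if e.startswith("*.") else e


def check_allow_entry(entry: str, grey_list=GREY_LIST, cc_slds=CC_SLDS) -> list:
    """Return the rule violations for one host/domain allow-list entry; [] means acceptable.
    Deny-list entries are not subject to these checks (TLDs, ccSLDs and grey-listed domains
    may all be denied)."""
    e = _normalise(entry)
    if e in ("", "*", "*.*"):
        return [f"{entry!r}: '*' and '*.*' are not supported, a fully open proxy is not possible"]
    wildcard = e.startswith(".")
    name = e[1:] if wildcard else e
    problems = []
    if wildcard:
        if "." not in name:
            problems.append(f"{entry!r}: a TLD must not be on the allow list")
        elif name in cc_slds:
            problems.append(f"{entry!r}: a ccSLD must not be on the allow list; "
                            f"add the organisation label, e.g. *.bbc{e}")
    # Grey-list rules: for a grey-listed domain G, neither .G nor any .sub.G may be
    # allow-listed; only exact host names below G are acceptable.
    for grey in grey_list:
        if wildcard and (name == grey or name.endswith("." + grey)):
            problems.append(f"{entry!r}: {grey} is grey-listed, only exact host names below it may be allowed")
    return problems


def check_allow_list(entries) -> dict:
    """Map each rejected entry to its violations; an empty dict means the list passes."""
    result = {}
    for entry in entries:
        problems = check_allow_entry(entry)
        if problems:
            result[entry] = problems
    return result


if __name__ == "__main__":
    sample = ["*.ch", ".co.uk", "*.bbc.co.uk", ".swisscom.ch", "*.amazonaws.com",
              "*.eu-west-1.amazonaws.com", "swisscom-ingest.s3.amazonaws.com", "*"]
    for entry, problems in check_allow_list(sample).items():
        print(entry, "->", "; ".join(problems))
```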

Syntax examples for allow and deny lists

The Managed Forward Proxy supports the following syntax for the allow and deny inputs in the multiline text boxes. The lists below illustrate the syntax only; whether a given entry is permitted is governed by the allow-list, deny-list and grey-list rules above (for example, .co.uk or *.com.tw is valid syntax but must not appear on an allow list).

General

  • everything after a ! on the same line is ignored (comment)
  • empty lines are ignored
  • spaces on a line are deleted
  • only one entry per line is supported
  • comma-separated entries are not supported
  • IP entries may carry a CIDR prefix (e.g. 10.10.11.0/25); a domain wildcard may be written with a leading . or *.
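A parser for this text box syntax together with the documented lookup order, as an added example that is not cADC code and is not taken from the original page. It serves both the application examples above (deny beats allow, anything not allowed is blocked, ports play no role) and the syntax rules in this section (`!` comments, blank lines, space removal, one entry per line, commas rejected, CIDR for IPs). Assumptions not stated on the page: host names compare case-insensitively, `.domain.tld` matches hosts below the domain but not the apex itself, and an IPv4-mapped IPv6 entry is kept distinct from its IPv4 form. The sample lists and the names `ParsedList`, `parse_list` and `evaluate` are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ParsedList:
    """One allow or deny list after parsing: the host/domain part and the IP part."""
    hosts: set = field(default_factory=set)        # exact host names, lower-cased
    domains: set = field(default_factory=set)      # wildcard suffixes, stored as ".domain.tld"
    networks: list = field(default_factory=list)   # IPv4/IPv6 networks; a bare address becomes /32 or /128
    errors: list = field(default_factory=list)     # (line number, reason) for rejected lines


def parse_list(text: str) -> ParsedList:
    """Apply the text box rules: '!' starts a comment, blank lines are skipped, spaces are
    deleted, one entry per line, comma-separated entries are rejected."""
    parsed = ParsedList()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = "".join(raw.split("!", 1)[0].split())       # drop comment, delete spaces
        if not entry:
            continue
        if "," in entry:
            parsed.errors.append((lineno, "comma-separated entries are not supported"))
            continue
        if entry in ("*", "*.*"):
            parsed.errors.append((lineno, "'*' and '*.*' are not supported"))
            continue
        try:
            parsed.networks.append(ipaddress.ip_network(entry, strict=False))
            continue
        except ValueError:
            pass                                            # not an IP/CIDR: host or domain
        entry = entry.lower().rstrip(".")                   # assumption: case-insensitive names
        if entry.startswith("*."):
            entry = entry[1:]                               # '*.domain.tld' == '.domain.tld'
        if entry.startswith("."):
            parsed.domains.add(entry)
        else:
            parsed.hosts.add(entry)
    return parsed


def _matches(dest: str, lst: ParsedList) -> bool:
    """True if the destination (host name or IP literal, no port) is on the list."""
    try:
        addr = ipaddress.ip_address(dest)
    except ValueError:
        addr = None
    if addr is not None:
        return any(addr in net for net in lst.networks)     # v4 vs v6 never match each other
    name = dest.lower().rstrip(".")
    if name in lst.hosts:
        return True
    # '.domain.tld' matches every name below domain.tld; assumption: not the apex itself
    return any(name.endswith(suffix) for suffix in lst.domains)


def evaluate(dest: str, common_deny: ParsedList, instance_deny: ParsedList,
             instance_allow: ParsedList) -> str:
    """Documented order: deny lists first, then the allow list, then default deny.
    The port plays no role, so only the host or IP is passed in."""
    if _matches(dest, common_deny):
        return "deny (common deny list)"
    if _matches(dest, instance_deny):
        return "deny (instance deny list)"
    if _matches(dest, instance_allow):
        return "allow"
    return "deny (not on allow list)"


# Constructed sample input in the text box syntax, following the application examples above.
COMMON_DENY = parse_list("""
! platform-level block (constructed example)
.su
""")
INSTANCE_DENY = parse_list("www.swisscom.com   ! example 1: excluded from the domain wildcard")
INSTANCE_ALLOW = parse_list("""
.swisscom.com                 ! example 1: everything below swisscom.com
sftp.swisscom.com             ! example 3: host entry ...
1.2.3.4                       ! example 3: ... plus the addresses it is reachable under
1.2.3.5
0:0:0:0:0:ffff:0102:0306
10.10.11.0/25, 10.10.12.0/25  ! rejected: comma-separated entries are not supported
""")

if __name__ == "__main__":
    for dest in ("mail.swisscom.com", "www.swisscom.com", "swisscom.com",
                 "1.2.3.5", "1.2.3.6", "::ffff:102:306", "evil.su"):
        print(f"{dest:18} -> {evaluate(dest, COMMON_DENY, INSTANCE_DENY, INSTANCE_ALLOW)}")
    for lineno, reason in INSTANCE_ALLOW.errors:
        print(f"allow list line {lineno}: {reason}")
```

Rejected lines are reported with their line number rather than silently dropped, which matters for allow lists: a dropped entry fails closed (the destination stays blocked), but a dropped deny entry would fail open.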

List allow destination IP

1.1.1.1
!this is a description of a section
10.10.10.0
10.10.11.0/25
10.10.12.0/25 !this is a description of the entry
255.255.255.0/28
2001:db8:0:0:0:0:0:0/64

2001:db8:0:0:0:0:2:1

List allow destination Domains

.co.uk !partner company
*.com.tw

!Update locations
www.sagex.ch
updatehost.microsoft.com
.web.mydomain.com

List deny destination IP

1.1.1.1
!this is a description of a section
10.10.10.0
10.10.11.0/25

10.10.12.0/25 !this is a description of the entry
255.255.255.0/28
2001:db8:0:0:0:0:0:0/64

2001:db8:0:0:0:0:2:1

List deny destination Domains

.co.uk
*.com.tw

!main webserver
www.sagex.ch


updatehost.microsoft.com
.web.mydomain.com

List allow Source IP

1.1.1.1
!this is a description of a section
10.10.10.0
10.10.11.0/25
10.10.12.0/25 !this is a discription of the entry
255.255.255.0/28
2001:db8:0:0:0:0:0:0/64

2001:db8:0:0:0:0:2:1

List deny Source IP

1.1.1.1
10.10.10.0
10.10.11.0/25
10.10.12.0/25
255.255.255.0/28
2001:db8:0:0:0:0:0:0/64
2001:db8:0:0:0:0:2:1
