Proxy Servers


Proxy servers, also known as application gateways, protect your network at the Application layer. A packet filter makes its decisions from the header fields of each packet; it does not understand the application protocol, such as FTP or HTTP, carried in the payload. An attacker can therefore exploit known problems in an application protocol, and the packet filter will pass the traffic into the network as long as the headers satisfy its rules.

A proxy server closes this gap by managing the connections between your users and the outside world. It acts as a "man in the middle": it accepts a user's request for an application service and then makes that request itself on the user's behalf. A proxy server never lets a packet pass through the firewall unchanged; instead, it follows these steps:

1. Receives an outgoing request from one of your users. It creates a new packet and substitutes the proxy server's own address as the source address, replacing the user's actual source address.

2. Sends this new packet out onto the Internet on behalf of the user.

3. When a response is received from the Internet server, examines the packet to determine whether the data it contains is appropriate for the particular application. If so, it creates a new packet, inserts the data, and places the Internet server's address in the source address field. The packet is then sent back to the original user.

4. The user receives the packet and assumes that it is communicating directly with the Internet server; after all, the packet has the correct addressing information in its header.

Figure 45.2 shows an example of how a typical proxy server functions.

Figure 45.2. A proxy server communicates with the computer inside your network and the Internet server, but it does not allow network traffic to pass directly through the firewall.
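The four steps above amount to parsing the application protocol, deciding whether the request and the reply are acceptable, and re-emitting each message under the gateway's own identity. The following Python sketch is added here as an illustration; it is not part of the original chapter or of any particular product. It does the job for HTTP/1.x messages: it validates the request line, Host header and body framing, refuses the conflicting Content-Length/Transfer-Encoding combination that request-smuggling attacks rely on, allows only configured methods and content types, strips hop-by-hop headers, and inserts a Via header in the gateway's name. The proxy name, the allowed-method list, the blocked host and the sample messages are all constructed for the example; a real gateway would also hold the two TCP connections, which is omitted so that the block runs offline.

```python
"""Application-layer inspection of an HTTP request and reply, as an application
gateway does it. Added example with constructed messages; no network I/O."""
from collections import namedtuple

PROXY_NAME = "proxy.example.internal"      # hypothetical name of the gateway
ALLOWED_METHODS = {"GET", "HEAD", "POST"}   # methods the gateway will relay
BLOCKED_HOSTS = {"evil.example"}            # constructed deny list
ALLOWED_TYPES = ("text/html", "text/plain", "application/json", "image/")
# Hop-by-hop headers belong to one connection, not the message; a proxy strips them.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authorization", "proxy-connection",
              "te", "trailer", "transfer-encoding", "upgrade"}

HttpMessage = namedtuple("HttpMessage", "start_line headers body")  # headers: [(name, value)]

class PolicyViolation(Exception):
    """A message failed an application-layer check."""

def parse(raw: bytes) -> HttpMessage:
    """Split an HTTP/1.x message; reject malformed header lines rather than guess."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep or not head.isascii():
        raise PolicyViolation("no end of headers, or non-ASCII bytes in headers")
    lines = head.decode("ascii").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        # Empty or whitespace-bearing names ("Host :", obs-fold) are what parsers disagree on.
        if not colon or not name or name != name.strip() or " " in name:
            raise PolicyViolation(f"malformed header line: {line!r}")
        headers.append((name, value.strip()))
    return HttpMessage(lines[0], headers, body)

def values(msg: HttpMessage, name: str) -> list:
    return [v for n, v in msg.headers if n.lower() == name]

def check_framing(msg: HttpMessage) -> None:
    """Relay only unambiguous Content-Length bodies; CL/TE conflicts are the smuggling vector."""
    if values(msg, "transfer-encoding"):
        raise PolicyViolation("chunked bodies are not relayed by this gateway")
    cl = values(msg, "content-length")
    if len(cl) > 1 or (cl and not cl[0].isdigit()):
        raise PolicyViolation("ambiguous Content-Length")
    if len(msg.body) != (int(cl[0]) if cl else 0):
        raise PolicyViolation("Content-Length does not match body")

def rebuild(start_line: str, msg: HttpMessage) -> bytes:
    """Emit a fresh message in the gateway's name: hop-by-hop headers dropped, Via added."""
    kept = [(n, v) for n, v in msg.headers if n.lower() not in HOP_BY_HOP]
    kept += [("Via", f"1.1 {PROXY_NAME}"), ("Connection", "close")]
    head = "\r\n".join([start_line] + [f"{n}: {v}" for n, v in kept])
    return head.encode("ascii") + b"\r\n\r\n" + msg.body

def rewrite_request(raw: bytes) -> bytes:
    """Step 1 of the text: validate the user's request, rebuild it as the gateway's own."""
    msg = parse(raw)
    parts = msg.start_line.split(" ")
    if len(parts) != 3 or parts[2] not in ("HTTP/1.0", "HTTP/1.1"):
        raise PolicyViolation(f"bad request line: {msg.start_line!r}")
    method, target, version = parts
    if method not in ALLOWED_METHODS:
        raise PolicyViolation(f"method {method} not permitted")
    hosts = values(msg, "host")
    if len(hosts) != 1:                  # two Host headers: which one will the server honour?
        raise PolicyViolation("exactly one Host header required")
    if hosts[0].lower() in BLOCKED_HOSTS:
        raise PolicyViolation(f"host {hosts[0]} is blocked")
    check_framing(msg)
    return rebuild(f"{method} {target} {version}", msg)

def check_response(raw: bytes) -> bytes:
    """Step 3 of the text: pass back only content appropriate for the application."""
    msg = parse(raw)
    parts = msg.start_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/1.") or not parts[1].isdigit():
        raise PolicyViolation(f"bad status line: {msg.start_line!r}")
    check_framing(msg)
    ctype = values(msg, "content-type")
    media = ctype[0].split(";")[0].strip().lower() if ctype else ""
    if msg.body and not media.startswith(ALLOWED_TYPES):
        raise PolicyViolation(f"content type {media!r} not permitted")
    return rebuild(msg.start_line, msg)

def verdict(check, raw: bytes) -> str:
    """'allow' or 'deny: <reason>', the line the gateway would log."""
    try:
        check(raw)
        return "allow"
    except PolicyViolation as exc:
        return f"deny: {exc}"

# Constructed sample traffic.
GOOD_REQUEST = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                b"Connection: keep-alive\r\nUser-Agent: demo\r\n\r\n")
SMUGGLED = (b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 4\r\n"
            b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
HTML_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 5\r\n\r\nhello"
EXE_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/x-msdownload\r\n"
                b"Content-Length: 2\r\n\r\nMZ")
```

Feeding GOOD_REQUEST to rewrite_request() yields a request that carries the gateway's Via header and no longer the client's Connection header; SMUGGLED is refused before anything is forwarded, and EXE_RESPONSE is refused on the way back because an executable is not appropriate content for a Web browsing policy. The checks are deliberately strict: a gateway that tolerates ambiguity in framing or header syntax can be made to disagree with the origin server about where one request ends and the next begins, which is the whole point of the inspection.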


Proxy servers also can be used to provide authentication, logging, content filtering, and other security measures. There are two kinds of proxy servers: classical proxy servers and transparent proxy servers.

A classical proxy server can be used with any application. The user needs to take a few extra steps to use the proxy server because the application itself was not written to understand the proxy process. A classical proxy server works in the following manner:

1. A client executes a command, such as the Telnet command, to connect to the proxy server.

2. The proxy server receives this request and sends a packet back to the user prompting for authentication information, such as a username and password.

3. The user interacts with this man-in-the-middle by entering the required information.

4. If the proxy server has been configured to allow this user to make use of the service, it prompts the user to enter the target system for the service. For example, after being authenticated by the proxy server, a user could enter username@internetserver.com. In this example, username is the username that will be used to authenticate the user on the Internet server, and internetserver.com is the name of the Internet server to which the user wants to make a connection.

5. The proxy server proceeds to create a packet containing the Telnet request, and sends it out onto the Internet. The Internet server sends back a packet requesting a password (if required) for the service.

6. The proxy server prompts the user to enter the password and passes it back to the Internet server. If the authentication succeeds, the proxy server begins operating as described earlier, by intercepting packets to and from the Internet server, substituting its own address for the user's address when sending packets to the Internet server, and substituting the Internet server's address for packets returned to the client.

After the initial authentication and connection to the service, each side of the communication believes it is talking directly to the other. However, because the user must first authenticate to the proxy server itself, this type of proxy may be undesirable in some environments; some users find the extra steps a burden.

Note

A well-known proxy server package, the TIS Internet Firewall Toolkit (FWTK), can be downloaded from the Internet. The kit contains proxy applications for most of the usual Internet services, such as Telnet, email, and FTP, and allows you to create your own specific proxy server applications. You can read more about this package and download it free from www.fwtk.org. The toolkit dates from the 1990s and is no longer maintained, so it is of historical interest today rather than a product to deploy.


A transparent proxy server, in this chapter's usage of the term, works a little differently. Here the client application itself understands that a proxy server is being used, so you must tell the application the address of the proxy server for each service you want to use. Be aware that in current usage "transparent proxy" more often means the opposite arrangement, in which the network redirects traffic to the proxy and the client needs no configuration at all; the proxy-aware client configuration described here is usually called an explicit proxy. For example, to configure proxy server information in Internet Explorer, you would take these steps:

1. Select Start, Programs, Internet Explorer (or Start, Internet Explorer if this appears in the top portion of the Start menu).

2. Select Tools, Internet Options. When the Internet Options properties page appears, click the Connections tab.

3. At the bottom of the page, click the LAN Settings button to open the Local Area Network (LAN) Settings dialog box (see Figure 45.3).

Figure 45.3. The Local Area Network (LAN) Settings dialog box allows you to select automatic configuration of a proxy server or enter the information yourself.


4. In Figure 45.3, the Automatically Detect Settings check box has been selected. If your network is configured to distribute this information automatically, all you need to do is select this check box and click the OK button. Internet Explorer queries the network to determine the proxy server settings and sets them up for you automatically. Automatic detection relies on the WPAD mechanism (a DHCP option or a DNS lookup for a host named wpad), so anyone who can answer those requests on the local network can point your browser at a proxy of their choosing; on networks you do not control, leave this box cleared. The Use Automatic Configuration Script check box can be used in a similar manner, but you'll have to get the address of the server that holds the script file from your network administrator.

5. To manually configure a proxy server, select the Use a Proxy Server check box, and enter the address or hostname of the proxy server and the port that will be used (typically port 8080). This sets up Internet Explorer to use the same proxy server for all the network services you use.

6. If you want to configure each service separately, click the Advanced button shown in Figure 45.3, and the Proxy Settings dialog box appears (see Figure 45.4).

Figure 45.4. Use the Proxy Settings dialog box when you need to use more than one proxy server for different network services.


7. In Figure 45.4, you can see that Internet Explorer allows you to enter a different proxy server and port for several common network applications. You can use the Exceptions pane to enter hostnames or addresses that should not go through the proxy server. For example, hosts that reside inside your network can be contacted directly, and you don't need to use a proxy server to reach them. If you use this feature, you can enter more than one name or address, separating each entry with a semicolon, and you can use the asterisk (*) character as a wildcard. When finished, click OK.
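The Exceptions list is worth implementing once to see its edges. The Python below is an added example, not code from the original chapter or from Internet Explorer, that reproduces the matching rules described above: semicolon-separated entries, `*` as a wildcard, and the `<local>` token that the Bypass Proxy Server for Local Addresses check box adds to match names that contain no dot. The exception list and the hostnames are constructed. Two things it shows: `*.corp.example` does not match the bare name `corp.example`, so the apex needs its own entry; and with plain string matching, an address-shaped entry such as `10.*` also matches a DNS name that merely begins with `10.`, which lets an attacker-registered name skip the proxy's inspection. The `strict` mode is an addition of this example rather than a feature of the dialog; it lets address-shaped entries match only genuine IPv4 literals.

```python
"""Proxy bypass ('Exceptions') list matching in the style of the Internet Explorer
dialog: entries separated by semicolons, '*' as wildcard, '<local>' for plain names.
Added example; the list and hostnames below are constructed."""
import re


def _ipv4_literal(host: str) -> bool:
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) < 256 for p in parts)


def _looks_like_ip_pattern(entry: str) -> bool:
    """'10.*' or '192.168.*.*': every dotted part is digits or a wildcard."""
    return all(p == "*" or p.isdigit() for p in entry.split("."))


def compile_bypass(exceptions: str) -> list:
    """Turn the dialog's string into (regex, is_ip_pattern) pairs."""
    rules = []
    for entry in exceptions.split(";"):
        entry = entry.strip().lower()
        if not entry:
            continue
        if entry == "<local>":
            # Names without a dot are "local"; IPv6 literals contain colons and never qualify.
            rules.append((re.compile(r"^[^.:]+$"), False))
        else:
            regex = "^" + re.escape(entry).replace(r"\*", ".*") + "$"
            rules.append((re.compile(regex), _looks_like_ip_pattern(entry)))
    return rules


def bypasses_proxy(host: str, exceptions: str, strict: bool = False) -> bool:
    """True if the browser would connect to host directly instead of via the proxy.

    strict=False reproduces plain string matching: an entry such as '10.*' also
    matches the DNS name '10.evil.example', so a name an attacker controls slips
    past the proxy's inspection. strict=True (this example's own addition) lets an
    address-shaped entry match only a genuine IPv4 literal."""
    host = host.strip().lower().rstrip(".")
    for regex, ip_pattern in compile_bypass(exceptions):
        if strict and ip_pattern and not _ipv4_literal(host):
            continue
        if regex.match(host):
            return True
    return False


# Constructed exception list as one might type it into the dialog.
EXCEPTIONS = "*.corp.example;10.*;<local>"

if __name__ == "__main__":
    for h in ["wiki.corp.example", "corp.example", "intranet", "10.20.30.40",
              "10.evil.example", "www.example.com"]:
        print(f"{h:20} direct={bypasses_proxy(h, EXCEPTIONS)!s:5} "
              f"strict={bypasses_proxy(h, EXCEPTIONS, strict=True)}")
```

When reviewing a deployed bypass list, look for exactly these two patterns: wildcard entries that silently exclude the apex name, and address-shaped wildcards that a hostname can satisfy.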

Standard Proxy Applications

Most off-the-shelf firewall products come with proxy applications for commonly used network applications, such as these:

  • Telnet

  • FTP

  • X Window System

  • HTTP

  • HTTPS

  • Mail (POP and SMTP)

  • SOCKS

  • News (NNTP)

Because proxy servers operate at the application level, they are sometimes referred to as application gateways. You can set up the gateway using several different topologies. An example of an application gateway is a dual-homed host that runs the proxy software. In this setup, a computer has two network cards, each attached to a different network. Proxy software runs on the host and mediates between the two, deciding what traffic it will allow to flow between the two networks. You can set up a Unix or Windows NT/2000/2003 Server computer to perform this kind of function. In Figure 45.5, you see a small network that uses a router to connect to the Internet.

Figure 45.5. A dual-homed host is used to connect the local network to the Internet.


However, the network is not connected directly to the router. Instead, a computer has been designated for this purpose. The dual-homed host has two network cards: one talks to the router and the other participates in the local network. The router can be configured to perform packet filtering while the dual-homed host supplies the proxy functions for any services you want to allow between your network and the Internet. A host hardened in this way, with every unneeded service removed because it is deliberately exposed to the outside, is referred to as a bastion host; the arrangement in which a filtering router screens such a host is called a screened host architecture.

As an added advantage, another computer is used to host the company's Web pages so that Internet users can access them without penetrating the interior company network.

You can carry this concept further by using multiple routers to connect to the Internet. Figure 45.6 shows a setup similar to the one just described, but there are two routers between the innermost network clients and the Internet.

Figure 45.6. Use multiple firewalls to segment users into restrictive and less restrictive networks.


The dual-homed host connects the most secure clients to the first router. Between the dual-homed host and the first router are other computers that do not need the same level of restrictions imposed by the proxy server. Again, the Web server sits on the network at a point closest to the Internet, and thus is subject to fewer restrictions than the other computers on this network. The Web server that sits between Router 1 and Router 2 should be treated very cautiously when it comes to security because it's the least-protected computer on the network. As stated earlier in the chapter, the space between these two routers is referred to as the demilitarized zone, or DMZ. Another method of creating a DMZ is to use a router with multiple interfaces and select one interface to use for a network segment that will be the DMZ (see Figure 45.7).

Figure 45.7. A simple DMZ can be created by using a separate LAN segment connected to the router.


In this example, the firewall/router has three adapters: one for the DMZ, one for your private LAN, and one for the Internet connection. Traffic from the Internet destined for your FTP or WWW servers is passed by the firewall only to those servers residing in the DMZ, never to the private LAN segment. Thus, if one of your Web servers is compromised, the attacker still faces the firewall before reaching the computers on your LAN. This holds only if the firewall also restricts traffic originating from the DMZ segment toward the private LAN; a compromised DMZ host is itself a source of hostile traffic, so the DMZ-to-LAN rules deserve the same care as the Internet-to-LAN rules.

Creating a DMZ with a SOHO or Small-Business Router

On a SOHO or small business network that uses a router with Network Address Translation (NAT), a DMZ can also be created by specifying the private IP address of a particular computer or device that needs unrestricted access from the Internet in the router's DMZ configuration dialog. This dialog is usually located in the router's advanced configuration section.

A DMZ configuration is sometimes used as an alternative to configuring lists of allowable TCP and UDP ports and applications for use by a firewall device, a firewall program, or the port forwarding feature built into most routers. It permits unrestricted access to and from the IP address specified in the DMZ.

However, while placing a particular computer in the DMZ is easy, it is not recommended unless the program or task cannot be made to work any other way. The router no longer shields that computer at all: every inbound connection on every port is forwarded to it, so its only remaining protection is whatever host firewall and patching it has of its own. Note also that this SOHO "DMZ host" is not a separate network segment like the DMZ described above; the exposed computer still sits on the same LAN as your other machines, so a compromise of it is a foothold inside your network.

Caution

If you decide that you must use the DMZ feature to permit a particular application or task to operate, make sure you specify the correct IP address for the computer. Use the ipconfig command or the list of DHCP clients in the router's DHCP configuration to determine this information. If your network uses DHCP addressing and many computers or other devices connect and disconnect from the network, consider assigning the computer that will be placed in the DMZ a static IP address. Otherwise, it's possible that at some point the wrong computer or device will wind up in the DMZ.

To protect sensitive data on the computer in the DMZ, don't use shared folders on that computer. Store data on another computer.

Contact the vendor of the application, device, or service that will not work unless its computer is in the DMZ. Ask for the list of TCP or UDP ports that can be forwarded to permit its traffic, or for an update to the application or device drivers, so that the computer no longer needs the DMZ setting and still functions as desired.


Impersonating the End User: Network Address Translation (NAT)

One of the main driving forces behind a new Internet protocol (IPv6) was the assumption that the 32-bit address used by IPv4 was not large enough to keep up with the quickly growing Internet: eventually the entire address space would be used up. Other features of IPv6, such as its security enhancements, also make it likely that the Internet will eventually migrate to the newer protocol. However, when you consider how a proxy server presents its own address in place of the internal client's address, the 32-bit address limit looks far less pressing than it once did. It has been postponed rather than removed: the central pool of unallocated IPv4 addresses held by IANA ran out in 2011, and address translation is what has kept IPv4 networks growing since.

Note

IPv6 wasn't designed just to increase the available IP address space. Other features, such as authentication and encryption, among others, are also part of this protocol. IPv4 is the most widely used version of IP today, especially at the LAN level. And some applications have been created to use some of the features that are present in IPv6 on an IPv4 network. However, in a few years you can expect to see IPv6 work its way outward from the core of the Internet to your LAN. Many large corporate LANs already make use of IPv6, if only for parts of their network.


Because only the addresses used by the proxy server or router need to be valid, registered Internet addresses, what prevents you from using any address range on the internal network? Nothing does, and this arrangement, known as network address translation (NAT), is widely used today for exactly this purpose. The NAT device maps the internal addresses to its own valid public addresses as it conducts business for its clients. Unlike an application proxy, NAT works at the IP and transport layers: it rewrites addresses and ports in packet headers rather than understanding the application protocol, so it hides internal addresses without inspecting the application data.

You can use practically any address range for the workstations on the LAN. However, RFC 1918, "Address Allocation for Private Internets" (which superseded the earlier RFC 1597 of the same title), specifies ranges of addresses that are set aside for private networks. When computers on the inside network need to communicate with each other, they use their actual addresses. The NAT device has one address in the private range so that it can talk to the private LAN, and a separate registered address for talking to the Internet.

These ranges of IP addresses are reserved by the RFC for private networks and are not routed on the public Internet:

  • 10.0.0.0 to 10.255.255.255 (10.0.0.0/8)

  • 172.16.0.0 to 172.31.255.255 (172.16.0.0/12)

  • 192.168.0.0 to 192.168.255.255 (192.168.0.0/16)

The range 169.254.0.0 to 169.254.255.255 (169.254.0.0/16) is also never routed on the Internet, but it is not one of the RFC 1918 private ranges. It is the link-local range, defined in RFC 3927, that a host assigns itself when no DHCP server answers; you should not choose it as the address range for your LAN.

Tip

If the preceding address ranges look familiar, you are probably connecting to the Internet via a NAT server. Many ISPs use NAT to conserve the range of valid IP addresses allocated to them. If you buy a cable/DSL router, you'll find that one of the address spaces is used to create a private network for your LAN. Additionally, the range 169.254.0.1 to 169.254.255.254 is used for Automatic Private IP Addressing (APIPA), which is found in Windows 98/Me/2000/XP, for example.

Most SOHO and small-office routers are designed to use the 192.168.x.x address range only, but some can also use the 172.16.x.x or 10.x.x.x ranges. Consider using a range other than 192.168.x.x if your router permits. Doing so is not a real defense (anyone who reaches your LAN can discover its addressing in seconds), but it does avoid address conflicts when you later connect to another 192.168.x.x network over a VPN, which is the more practical reason to choose a less common range.


You can accomplish several things by using these addresses for computers inside your network:

  • Your business needs to buy only a small address range from your ISP to use on the firewall or routers that connect your network to the Internet.

  • You can now use a huge address space inside your network without having to apply for a large range of addresses from your ISP.

  • You can use NAT for address vectoring; that is, you can let the router represent your Web service on the Internet using a single address, yet load balance the incoming requests across several servers inside the network.
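The SOHO "DMZ host" setting described earlier and the NAT discussion in this section describe one mechanism from two sides: a translation table that admits only replies to sessions the inside opened, a static port-forwarding table that admits selected inbound connections (and, with several targets, the address vectoring just mentioned), and a DMZ host that receives everything the other two tables do not claim. The Python below is an added simulation of that mechanism; it is not the original chapter's material or any vendor's firmware. The packets, the addresses (taken from the RFC 5737 documentation ranges) and the 192.168.1.0/24 LAN are constructed. It also includes a check against the three RFC 1918 ranges, which deliberately excludes 169.254.0.0/16.

```python
"""Toy stateful NAT (port-translating NAT) as a SOHO router performs it, plus the
port-forwarding and 'DMZ host' settings the text describes. Added example with
constructed packets; addresses are from the documentation ranges, no network I/O."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# The three RFC 1918 ranges; 169.254.0.0/16 is deliberately absent (link-local, not private).
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class SohoNat:
    """One public address in front of a private LAN, translating addresses and ports."""

    def __init__(self, public_ip: str, lan: str, dmz_host: Optional[str] = None):
        self.public_ip, self.lan, self.dmz_host = public_ip, ip_network(lan), dmz_host
        self.next_port = 40000
        self.sessions = {}    # (proto, public_port) -> (inside_ip, inside_port, remote_ip)
        self.by_inside = {}   # (proto, inside_ip, inside_port) -> public_port
        self.forwards = {}    # (proto, public_port) -> [(inside_ip, inside_port), ...]
        self.rr = {}          # round-robin position per forwarded port

    def forward_port(self, proto: str, public_port: int, targets: list) -> None:
        """Static mapping; several targets give the 'address vectoring' the text describes."""
        self.forwards[(proto, public_port)] = list(targets)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """LAN -> Internet: replace the private source with the router's own address/port."""
        if ip_address(pkt.src) not in self.lan:
            return None                          # not ours: drop rather than launder it
        key = (pkt.proto, pkt.src, pkt.sport)
        pport = self.by_inside.get(key)
        if pport is None:
            pport, self.next_port = self.next_port, self.next_port + 1
            self.by_inside[key] = pport
            self.sessions[(pkt.proto, pport)] = (pkt.src, pkt.sport, pkt.dst)
        return Packet(pkt.proto, self.public_ip, pport, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: deliver only replies to known sessions or explicitly forwarded
        ports. With a DMZ host configured, everything else goes to that host instead of
        being dropped, which is exactly why the setting is a last resort."""
        if pkt.dst != self.public_ip:
            return None
        key = (pkt.proto, pkt.dport)
        session = self.sessions.get(key)
        if session and session[2] == pkt.src:    # reply from the host we talked to
            inside_ip, inside_port, _ = session
        elif key in self.forwards:
            pool = self.forwards[key]
            i = self.rr.get(key, 0)              # toy round robin; real devices pin a flow
            self.rr[key] = i + 1
            inside_ip, inside_port = pool[i % len(pool)]
        elif self.dmz_host:
            inside_ip, inside_port = self.dmz_host, pkt.dport
        else:
            return None                          # unsolicited: the protection NAT gives you
        return Packet(pkt.proto, pkt.src, pkt.sport, inside_ip, inside_port)


def demo() -> dict:
    """Run the scenarios from the text and return the outcomes for inspection."""
    nat = SohoNat("203.0.113.7", "192.168.1.0/24")
    out = nat.outbound(Packet("tcp", "192.168.1.10", 51000, "198.51.100.5", 80))
    reply = nat.inbound(Packet("tcp", "198.51.100.5", 80, "203.0.113.7", out.sport))
    stranger = nat.inbound(Packet("tcp", "198.51.100.99", 80, "203.0.113.7", out.sport))
    probe = nat.inbound(Packet("tcp", "198.51.100.5", 4444, "203.0.113.7", 22))
    nat.forward_port("tcp", 80, [("192.168.1.20", 80), ("192.168.1.21", 80)])
    web1 = nat.inbound(Packet("tcp", "198.51.100.5", 5000, "203.0.113.7", 80))
    web2 = nat.inbound(Packet("tcp", "198.51.100.5", 5001, "203.0.113.7", 80))
    exposed = SohoNat("203.0.113.7", "192.168.1.0/24", dmz_host="192.168.1.50")
    dmz_hit = exposed.inbound(Packet("tcp", "198.51.100.5", 4444, "203.0.113.7", 22))
    return {"out": out, "reply": reply, "stranger": stranger, "probe": probe,
            "web1": web1, "web2": web2, "dmz_hit": dmz_hit}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:9} -> {pkt if pkt else 'dropped'}")
```

Running it, the unsolicited probe to port 22 is dropped by the plain router but delivered to 192.168.1.50 by the one with a DMZ host configured; a reply arriving on the mapped port from a host other than the one the client contacted is also dropped, which is the address-restricted behaviour many devices implement. A real implementation additionally ages out idle sessions and tracks TCP state, both omitted here.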

Advantages and Disadvantages of a Proxy Server

As with every type of firewall, you can say good and bad things about proxy servers. Their capability to hide the identity of workstations on your network is a definite plus. Packet filters don't do that. Proxy servers are usually highly customizable, and most come with a graphical interface to make the management chores a little more understandable than those that use a command-line set of cryptic instructions.

One thing packet filters usually excel at when compared to proxy servers is speed. Filtering a packet is not much more complicated than any other task a router does. It already must look at the information contained in the header so that it can make routing decisions. Checking a table of addresses to determine which ones are allowed and which are not isn't much different from checking the routing table to decide where to forward a packet.

Note

Some advanced firewalls that provide proxy functions can be configured to support authentication and time-of-day controls. If you have a secure environment in which you need to control who gains access and limit the time of access, look for these features in the documentation before you acquire a firewall.





Upgrading and Repairing Networks (5th Edition), ISBN 078973530X, 2006, 411 pages.
