Proxy servers, also known as application gateways, provide protection for your network at the Application layer. Although packet filters make decisions based on the header information in a packet, they do not understand the application protocols, such as FTP or HTTP. Thus, it's easy for a hacker to exploit known problems with application protocols, and problems can ensue if the packet filter allows the packet to enter the network. A proxy server closes this gap by managing connections to and from the outside world. A proxy server acts as a "man in the middle" by accepting requests for an application from your users and making that request on their behalf. A proxy server never allows a packet to pass through the firewall; instead, a proxy server follows these steps:
Figure 49.1 shows an example of how a typical proxy server functions.

Figure 49.1. A proxy server communicates with the computer inside your network and the Internet server, but it does not allow network traffic to pass directly through the firewall.
Proxy servers also can be used to provide authentication, logging, content filtering, and other security measures. There are two kinds of proxy servers: classical proxy servers and transparent proxy servers. A classical proxy server can be used with any application. The user needs to take a few extra steps to use the proxy server because the application itself was not written to understand the proxy process. A classical proxy server works in the following manner:
After the initial authentication and connection to the service, each side of the communication process thinks it's actually talking to the other. However, because the user must initially authenticate himself to the proxy server, this type of proxy might be undesirable in some environments because some users find these extra steps a burden.
A transparent proxy server works a little differently. In this case, the application is modified so that it understands that a proxy server is being used. For this to work, you must tell the application the address of the proxy server for each service you want to use. For example, to configure proxy server information in Internet Explorer, you would take these steps:
Standard Proxy Applications

Most off-the-shelf firewall products come with proxy applications for commonly used network applications, such as these:
Because proxy servers operate at the application level, they are sometimes referred to as application gateways. You can set up the gateway using several different topologies. An example of an application gateway is a dual-homed host that runs the proxy software. In this setup, a computer has two network cards, each attached to a different network. Proxy software runs on the host and mediates between the two, deciding what traffic it will allow to flow between the two networks. You can set up a Unix or Windows NT Server computer to perform this kind of function. In Figure 49.4, you see a small network that uses a router to connect to the Internet.

Figure 49.4. A dual-homed host is used to connect the local network to the Internet.
However, the network is not directly connected to the router. Instead, a computer has been designated for this purpose. The dual-homed host has two network cards: one talks to the router and the other participates in the local network. The router can be configured to perform filtering functions while the dual-homed host can supply the proxy functions for any services you want to allow between your network and the Internet. When this host is configured with maximum security measures to provide a defense from external sources, it is sometimes referred to as a bastion host or a screened host architecture. As an added advantage, another computer is used to host the company's Web pages so that Internet users can access them without penetrating the interior company network. You can carry this concept further by using multiple routers to connect to the Internet. Figure 49.5 shows a setup similar to the one just described, but there are two routers between the innermost network clients and the Internet.

Figure 49.5. Use multiple firewalls to segment users into restrictive and less restrictive networks.
The dual-homed host connects the most secure clients to the first router. Between the dual-homed host and the first router are other computers that do not need the same level of restrictions imposed by the proxy server. Again, the Web server sits on the network at a point closest to the Internet, and thus is subject to fewer restrictions than the other computers on this network. The Web server that sits between Router 1 and Router 2 should be treated very cautiously when it comes to security because it's the least-protected computer on the network. As stated earlier in the chapter, the space between these two routers is referred to as the demilitarized zone, or DMZ. Another method of creating a DMZ is to use a router with multiple interfaces and select one interface to use for a network segment that will be the DMZ (see Figure 49.6).

Figure 49.6. A simple DMZ can be created by using a separate LAN segment connected to the router.
In this example, the firewall/router has three adapters: one for the DMZ, one for your private LAN, and one to connect to the Internet. Traffic from the Internet destined to your FTP or WWW servers is never passed by the firewall to the private LAN segment, but only to those servers residing in the DMZ. Thus, if one of your Web servers is compromised, the computers on your LAN are still safe.

Impersonating the End User: Network Address Translation (NAT)

One of the main driving forces behind a new Internet protocol (IPv6) was the assumption that the 32-bit address used by IPv4 was not large enough to keep up with the quickly growing Internet. It was assumed that eventually the entire address space would be used up. Of course, other features of IPv6, such as the security enhancements, also are making it seem as though the Internet eventually will migrate to the newer protocol. However, when you think about how a proxy server works to use its own address instead of the address of the internal network client, it seems that the address space limitation imposed by the 32-bit address is not such a big issue anymore.
Because only addresses used by the proxy servers need to be valid and registered on the Internet, what prevents you from using any address range on the internal network? This concept, known as network address translation (NAT), is widely used today for just this purpose. The proxy server uses its own valid, registered IP addresses to conduct business on behalf of its clients. You can use practically any address range for the workstations on the LAN. However, RFC 1597, "Address Allocation for Private Internets," specifies a range of addresses that are set aside for private networks. When computers on the inside network need to communicate with each other, they use their actual addresses. The proxy server also has an address that falls within this range so that it can talk to both the private LAN and the Internet. These ranges of IP addresses are exclusively set aside by the RFC for private networks, and cannot be used on the Internet. These are the address ranges:
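As an added illustration (not code from the book), the following toy gateway combines the two ideas just described: the three-adapter DMZ policy, where Internet traffic reaches only the WWW and FTP servers in the DMZ and never the private LAN, and NAT, where LAN workstations are hidden behind the gateway's one registered address. All addresses are constructed for the example (LAN on a RFC 1597 private range, DMZ and gateway on documentation addresses), and the private ranges are those listed in RFC 1597.

```python
import ipaddress
from itertools import count

# Constructed addressing for this example (not from the book):
# private LAN per RFC 1597, DMZ and gateway on documentation addresses.
LAN = ipaddress.ip_network("192.168.1.0/24")
DMZ = ipaddress.ip_network("203.0.113.16/28")
GATEWAY_PUBLIC = "203.0.113.1"
# Only the WWW and FTP control ports of the DMZ servers are reachable from outside.
DMZ_SERVICES = {("203.0.113.20", 80), ("203.0.113.21", 21)}
# RFC 1597 private ranges: never a legitimate source arriving from the Internet.
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def zone_of(ip):
    """Which adapter a packet carrying this address is expected to arrive on."""
    addr = ipaddress.ip_address(ip)
    if addr in LAN:
        return "lan"
    if addr in DMZ:
        return "dmz"
    return "internet"

class Gateway:
    def __init__(self):
        self.nat = {}              # public port -> (private ip, private port)
        self.ports = count(40000)  # next public port to hand out

    def forward(self, iface, src, sport, dst, dport):
        """Return (src, sport, dst, dport) as the packet leaves, or None if dropped."""
        # Anti-spoofing: the source address must belong to the adapter it arrived on,
        # and a private address can never legitimately arrive from the Internet.
        if zone_of(src) != iface:
            return None
        if iface == "internet" and any(ipaddress.ip_address(src) in n for n in PRIVATE):
            return None
        dst_zone = zone_of(dst)
        if iface == "lan" and dst_zone == "internet":
            # Outbound: hide the workstation behind the gateway's registered address.
            pub_port = next(self.ports)
            self.nat[pub_port] = (src, sport)
            return (GATEWAY_PUBLIC, pub_port, dst, dport)
        if iface == "internet":
            if dst == GATEWAY_PUBLIC and dport in self.nat:
                # Reply to a session a LAN client opened: translate back to it.
                priv_ip, priv_port = self.nat[dport]
                return (src, sport, priv_ip, priv_port)
            if dst_zone == "dmz" and (dst, dport) in DMZ_SERVICES:
                return (src, sport, dst, dport)
            return None  # anything else from outside, LAN targets included, is dropped
        if iface == "lan" and dst_zone == "dmz":
            return (src, sport, dst, dport)  # LAN users may reach their own servers
        return None
```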
You can accomplish several things by using these addresses for computers inside your network:
Advantages and Disadvantages of a Proxy Server

As with every type of firewall, you can say good and bad things about proxy servers. Their capability to hide the identity of workstations on your network is a definite plus. Packet filters don't do that. Proxy servers are usually highly customizable, and most come with a graphical interface to make the management chores a little more understandable than those that use a command-line set of cryptic instructions. One thing packet filters usually excel at when compared to proxy servers is speed. Filtering a packet is not much more complicated than any other task a router does. It already must look at the information contained in the header so that it can make routing decisions. Checking a table of addresses to determine which ones are allowed and which are not isn't much different from checking the routing table to decide where to forward a packet.