Proxy Servers


Proxy servers, also known as application gateways, provide protection for your network at the Application layer. Although packet filters make decisions based on the header information in a packet, they do not understand the application protocols, such as FTP or HTTP. Thus, it's easy for a hacker to exploit known problems with application protocols, and problems can ensue if the packet filter allows the packet to enter the network.

A proxy server fills this gap by managing connections to and from the outside world. It acts as a "man in the middle": it accepts an application request from one of your users and makes that request on the user's behalf. A proxy server never allows a packet to pass through the firewall; instead, it follows these steps:

  1. Receives an outgoing request from one of your users. It creates a new packet and substitutes the proxy server's own address as the source address, replacing the user's actual source address.

  2. The proxy server sends this new packet out onto the Internet on behalf of the user.

  3. When a response is received from the Internet server, the proxy server examines the packet to determine whether the data contained in the packet is appropriate for the particular application. If so, it creates a new packet, inserts the data, and places the Internet server's address in the source address field. The packet then is sent back to the original user.

  4. The user receives the packet and assumes that it's actually communicating directly with the Internet server; after all, the header carries the correct addressing information.
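As an added illustration (not code from the book), the following Python simulates those four steps for one HTTP exchange; the addresses, hostnames and the allowed-method policy are constructed.

```python
# Added example, not from the book: a simulated application-layer proxy that
# walks through the four steps above for one HTTP exchange. Addresses,
# hostnames and the HTTP policy are constructed for illustration.

PROXY_ADDR = "203.0.113.10"        # the proxy's own Internet-facing address
ALLOWED_METHODS = {"GET", "HEAD"}  # the only HTTP methods this proxy relays


def request_ok(data: str) -> bool:
    """Application-layer check on the client's request: the proxy understands
    HTTP, so it can refuse anything that is not a permitted request line."""
    parts = data.split("\r\n", 1)[0].split(" ")
    return (len(parts) == 3 and parts[0] in ALLOWED_METHODS
            and parts[2].startswith("HTTP/1."))


def reply_ok(data: str) -> bool:
    """Step 3: the reply must carry a well-formed HTTP status line, or it is
    dropped rather than forwarded to the user."""
    parts = data.split("\r\n", 1)[0].split(" ", 2)
    return (len(parts) >= 2 and parts[0].startswith("HTTP/1.")
            and parts[1].isdigit())


def outbound(packet: dict) -> dict:
    """Steps 1-2: rebuild the request with the proxy's address as source, so
    the client's internal address never leaves the network."""
    if not request_ok(packet["data"]):
        raise ValueError("request refused by proxy policy")
    return {"src": PROXY_ADDR, "dst": packet["dst"], "data": packet["data"]}


def inbound(reply: dict, client_addr: str) -> dict:
    """Steps 3-4: after inspection, build a fresh packet for the client that
    carries the Internet server's address, so the client sees no proxy."""
    if not reply_ok(reply["data"]):
        raise ValueError("reply dropped: not valid HTTP")
    return {"src": reply["src"], "dst": client_addr, "data": reply["data"]}


def relay(client_packet: dict, server_reply: dict) -> tuple:
    """One exchange end to end: returns the packet the Internet server sees
    and the packet the client sees. The reply is supplied as constructed data."""
    return outbound(client_packet), inbound(server_reply, client_packet["src"])
```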

Figure 49.1 shows an example of how a typical proxy server functions.

Figure 49.1. A proxy server communicates with the computer inside your network and the Internet server, but it does not allow network traffic to pass directly through the firewall.

Proxy servers also can be used to provide authentication, logging, content filtering, and other security measures. There are two kinds of proxy servers: classical proxy servers and transparent proxy servers.

A classical proxy server can be used with any application. The user needs to take a few extra steps to use the proxy server because the application itself was not written to understand the proxy process. A classical proxy server works in the following manner:

  1. A client executes a command, such as the Telnet command, to connect to the proxy server.

  2. The proxy server receives this request and sends a packet back to the user prompting for authentication information, such as a username and password.

  3. The user interacts with this man-in-the-middle by entering the required information.

  4. If the proxy server has been configured to allow this user to make use of the service, it prompts the user to enter the target system for the service. For example, after being authenticated by the proxy server, a user could enter username@internetserver.com. In this example, username is the username that will be used to authenticate the user on the Internet server, and internetserver.com is the name of the Internet server to which the user wants to make a connection.

  5. The proxy server proceeds to create a packet containing the Telnet request, and sends it out onto the Internet. The Internet server sends back a packet requesting a password (if required) for the service.

  6. The proxy server prompts the user to enter the password and passes it back to the Internet server. If the authentication succeeds, the proxy server begins operating as described earlier, by intercepting packets to and from the Internet server, substituting its own address for the user's address when sending packets to the Internet server, and substituting the Internet server's address for packets returned to the client.

After the initial authentication and connection to the service, each side of the communication process thinks it's actually talking to the other. However, because the user must initially authenticate himself to the proxy server, this type of proxy might be undesirable in some environments because some users find these extra steps a burden.

Note

A popular proxy server product called the TIS Internet Firewall Toolkit (FWTK) can be downloaded from the Internet. This kit contains proxy applications for most of the usual Internet services, such as Telnet, email, and FTP, and allows you to create your own specific proxy server applications. You can read more about this package and download it free from www.fwtk.org.

A transparent proxy server works a little differently. In this case, the application is modified so that it understands that a proxy server is being used. For this to work, you must tell the application the address of the proxy server for each service you want to use. For example, to configure proxy server information in Internet Explorer, you would take these steps:

  1. Select Start, Programs, Internet Explorer (or Start, Internet Explorer if this appears in the top portion of the Start menu).

  2. Select Tools, Internet Options. When the Internet Options properties page appears, click the Connections tab.

  3. At the bottom of the page, click the LAN Settings button to open the Local Area Network (LAN) Settings dialog box (see Figure 49.2).

    Figure 49.2. The Local Area Network (LAN) Settings dialog box allows you to select automatic configuration of a proxy server or enter the information yourself.

  4. In Figure 49.2, the Automatically Detect Settings check box has been selected. If your network is configured to distribute this information automatically, all you need to do is select this check box and click the OK button. Internet Explorer queries the network to determine the proxy server settings and sets them up for you automatically. The Use Automatic Configuration Script check box can be used in a similar manner, but you'll have to get the address for the server that contains the file from your network administrator.

  5. To manually configure a proxy server, select the Use a Proxy Server check box, and enter the address or hostname of the proxy server and the port that will be used (typically port 8080). This sets up Internet Explorer to use the same proxy server for all the network services you use.

  6. If you want to configure each service separately, click the Advanced button shown in Figure 49.2, and the Proxy Settings dialog box appears (see Figure 49.3).

    Figure 49.3. Use the Proxy Settings dialog box when you need to use more than one proxy server for different network services.

  7. In Figure 49.3, you can see that Internet Explorer allows you to enter a different proxy server and port for several common network applications. You can use the Exceptions pane to enter hostnames or addresses that should not go through the proxy server. For example, hosts that reside inside your network can be contacted directly, and you don't need to use a proxy server to reach them. If you use this feature, you can enter more than one name or address, separating each entry by a semicolon, and you can use the asterisk ( * ) character as a wildcard. When finished, click OK.
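To show how the Exceptions field in step 7 is interpreted, here is an added Python example (not from the book) that parses a semicolon-separated list with * wildcards, decides whether a host goes direct or through the proxy, and flags entries so broad that they would route most traffic around the proxy; the hostnames, proxy name and patterns are constructed.

```python
# Added example, not from the book: evaluates an Internet Explorer-style
# Exceptions list (entries separated by semicolons, '*' as a wildcard) to
# decide whether a host bypasses the proxy. All names below are constructed.
import re


def parse_exceptions(text: str) -> list:
    """Split the Exceptions field on semicolons; blanks are ignored, case folded."""
    return [e.strip().lower() for e in text.split(";") if e.strip()]


def _to_regex(pattern: str):
    """Only '*' is a wildcard; every other character, including '.', is literal."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def bypasses_proxy(host: str, exceptions: list) -> bool:
    """True if the host matches any exception and so is contacted directly."""
    host = host.strip().lower()
    return any(_to_regex(p).match(host) for p in exceptions)


def route(host: str, exceptions: list, proxy: str) -> str:
    """The decision the browser makes for one connection."""
    return "DIRECT" if bypasses_proxy(host, exceptions) else f"PROXY {proxy}"


def overly_broad(exceptions: list) -> list:
    """Entries that bypass the proxy (and its logging and filtering) for far
    more than an internal range: a bare '*', or a wildcard with no dotted
    literal part such as '*com'."""
    return [p for p in exceptions
            if p.replace("*", "") == "" or ("*" in p and "." not in p)]
```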

Standard Proxy Applications

Most off-the-shelf firewall products come with proxy applications for commonly used network applications, such as these:

  • Telnet

  • FTP

  • X Windows

  • HTTP

  • HTTPS

  • Mail (POP and SMTP)

  • Socks

  • News (NNTP)

Because proxy servers operate at the application level, they are sometimes referred to as application gateways. You can set up the gateway using several different topologies. An example of an application gateway is a dual-homed host that runs the proxy software. In this setup, a computer has two network cards, each attached to a different network. Proxy software runs on the host and mediates between the two, deciding what traffic it will allow to flow between the two networks. You can set up a Unix or Windows NT Server computer to perform this kind of function. In Figure 49.4, you see a small network that uses a router to connect to the Internet.

Figure 49.4. A dual-homed host is used to connect the local network to the Internet.

However, the network is not directly connected to the router. Instead, a computer has been designated for this purpose. The dual-homed host has two network cards: one talks to the router and the other participates in the local network. The router can be configured to perform filtering functions while the dual-homed host can supply the proxy functions for any services you want to allow between your network and the Internet. When this host is configured with maximum security measures to provide a defense from external sources, it is sometimes referred to as a bastion host or a screened host architecture.

As an added advantage, another computer is used to host the company's Web pages so that Internet users can access them without penetrating the interior company network.

You can carry this concept further by using multiple routers to connect to the Internet. Figure 49.5 shows a setup similar to the one just described, but there are two routers between the innermost network clients and the Internet.

Figure 49.5. Use multiple firewalls to segment users into restrictive and less restrictive networks.

The dual-homed host connects the most secure clients to the first router. Between the dual-homed host and the first router are other computers that do not need the same level of restrictions imposed by the proxy server. Again, the Web server sits on the network at a point closest to the Internet, and thus is subject to fewer restrictions than the other computers on this network. The Web server that sits between Router 1 and Router 2 should be treated very cautiously when it comes to security because it's the least-protected computer on the network. As stated earlier in the chapter, the space between these two routers is referred to as the demilitarized zone, or DMZ. Another method of creating a DMZ is to use a router with multiple interfaces and select one interface to use for a network segment that will be the DMZ (see Figure 49.6).

Figure 49.6. A simple DMZ can be created by using a separate LAN segment connected to the router.

In this example, the firewall/router has three adapters: one for the DMZ, one for your private LAN, and one to connect to the Internet. Traffic from the Internet destined to your FTP or WWW servers is never passed by the firewall to the private LAN segment, but only to those servers residing in the DMZ. Thus, if one of your Web servers is compromised, the computers on your LAN are still safe.

Impersonating the End User: Network Address Translation (NAT)

One of the main driving forces behind a new Internet protocol (IPv6) was the assumption that the 32-bit address used by IPv4 was not large enough to keep up with the quickly growing Internet. It was assumed that eventually the entire address space would be used up. Of course, other features of IPv6, such as the security enhancements, also are making it seem as though the Internet eventually will migrate to the newer protocol. However, when you think about how a proxy server works to use its own address instead of the address of the internal network client, it seems that the address space limitation imposed by the 32-bit address is not such a big issue anymore.

Note

IPv6 wasn't designed just to increase the available IP address space. Other features, such as authentication and encryption, among others, are also part of this protocol. IPv4 is the most widely used version of IP today, especially at the LAN level. And some applications have been created to use some of the features that are present in IPv6 on an IPv4 network. However, in a few years you can expect to see IPv6 work its way outward from the core of the Internet to your LAN. Many large corporate LANs already make use of IPv6, if only for parts of their network.

Because only the addresses used by the proxy servers need to be valid and registered on the Internet, what prevents you from using any address range on the internal network? Nothing does; this concept, known as network address translation (NAT), is widely used today for just this purpose. The proxy server substitutes its own valid, registered address for the clients' internal addresses when it conducts business on the Internet for them.

You can use practically any address range for the workstations on the LAN. However, RFC 1597, "Address Allocation for Private Internets," specifies a range of addresses that are set aside for private networks. When computers on the inside network need to communicate with each other, they use their actual addresses. The proxy server also has an address that falls within this range so that it can talk to both the private LAN and the Internet.

These ranges of IP addresses are exclusively set aside by the RFC for private networks, and cannot be used on the Internet. These are the address ranges:

  • 10.0.0.0 to 10.255.255.255

  • 169.254.0.1 to 169.254.255.254

  • 172.16.0.0 to 172.31.255.255

  • 192.168.0.0 to 192.168.255.255

Tip

If the preceding address ranges look familiar, you are probably connecting to the Internet via a NAT server. Many ISPs use NAT to conserve the range of valid IP addresses allocated to them. If you buy a cable/DSL router or switch, you'll find that one of the address spaces is used to create a private network for your LAN. Additionally, the range 169.254.0.1 to 169.254.255.254 is used for Automatic Private IP Addressing (APIPA), which is found in Windows XP, for example.

You can accomplish several things by using these addresses for computers inside your network:

  • Your business needs to buy only a small address range from your ISP to use on the firewall or routers that connect your network to the Internet.

  • You can now use a huge address space inside your network without having to apply for a large range of addresses from your ISP.

  • You can use NAT for address vectoring; that is, you can let the router represent your Web service on the Internet using a single address, yet load balance the incoming requests across several servers inside the network.
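As an added example, not from the book, the following Python models the translation described in this section and the address vectoring in the last item: it checks the private ranges listed above, rewrites outbound packets to a single public address, maps replies back, and spreads requests for the public Web address across several inside servers. All addresses are constructed.

```python
# Added example, not from the book: a minimal NAT table. Outbound packets from
# private addresses leave under the NAT device's single public address with a
# fresh port, replies are mapped back, and requests to the public Web address
# are vectored across inside servers. All addresses are constructed.
import ipaddress

# The private ranges listed above, written as prefix networks.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
                   "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    """True if addr falls in one of the reserved ranges (unroutable on the Internet)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


class Nat:
    def __init__(self, public_addr, web_servers, first_port=40000):
        self.public = public_addr             # the only registered address
        self.web_servers = list(web_servers)  # inside hosts behind that address
        self.next_port = first_port
        self.table = {}   # public port -> (inside addr, inside port)
        self.flows = {}   # (outside addr, port) -> chosen Web server (sticky)

    def outbound(self, src, sport, dst, dport):
        """Rewrite an inside client's packet so only the public address leaves."""
        if not is_private(src) or is_private(dst):
            raise ValueError("only private source -> public destination is translated")
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[port] = (src, sport)
        return (self.public, port, dst, dport)

    def inbound(self, src, sport, dst, dport):
        """Replies to a translated port go back to the inside host; new requests
        to port 80 are spread round-robin across the Web servers; all other
        unsolicited traffic is dropped (None)."""
        if dst != self.public:
            return None
        if dport in self.table:
            inside, iport = self.table[dport]
            return (src, sport, inside, iport)
        if dport == 80:
            if (src, sport) not in self.flows:
                self.flows[(src, sport)] = self.web_servers[
                    len(self.flows) % len(self.web_servers)]
            return (src, sport, self.flows[(src, sport)], 80)
        return None
```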

Advantages and Disadvantages of a Proxy Server

As with every type of firewall, you can say good and bad things about proxy servers. Their capability to hide the identity of workstations on your network is a definite plus. Packet filters don't do that. Proxy servers are usually highly customizable, and most come with a graphical interface to make the management chores a little more understandable than those that use a command-line set of cryptic instructions.

One thing packet filters usually excel at when compared to proxy servers is speed. Filtering a packet is not much more complicated than any other task a router does. It already must look at the information contained in the header so that it can make routing decisions. Checking a table of addresses to determine which ones are allowed and which are not isn't much different from checking the routing table to decide where to forward a packet.

Note

Some advanced firewalls that provide proxy functions can be configured to support authentication and time-of-day controls. If you have a secure environment in which you need to control who gains access and limit the time of access, look for these features in the documentation before you acquire a firewall.



Upgrading and Repairing Networks (5th Edition)
ISBN: 078973530X
Year: 2003
Pages: 434
