3.8 Configuring the browser



First of all, it is important to note that most parts of a firewall configuration are transparent and "invisible" to the Web user and his or her browser. For example, packet filters and screening routers operate on the IP packets originated or received by particular hosts without the corresponding users being able to influence the packet filtering behavior. Similarly, the use of a transparent firewall doesn't have to be configured on the browser side (this is the idea of transparency). Also, a user doesn't have to care whether a firewall is configured as dual-homed or screened subnet (i.e., the browser configuration is the same in either case).

If, however, a firewall is not transparent and uses application gateways (i.e., a circuit-level gateway or application-level gateways), a Web user located behind that firewall must configure his or her browser to properly interact with the application gateways that are running on the bastion host(s). This is true for any traffic destined to external IP addresses. The browser must know how to reach these addresses. For internal IP addresses, there is usually no need to use application gateways and configure browsers accordingly.

Using Microsoft's Internet Explorer, for example, the user can configure the browser using the local-area network (LAN) Settings panel as illustrated in Figure 3.7. [22] According to the screenshot of this figure, there are basically three possibilities to configure the browser:

  1. Have the browser automatically detect the settings.

  2. Use an automatic configuration script.

  3. Manually configure the use of one (or several) proxy server(s).

Figure 3.7: Configuring Microsoft's Internet Explorer using the Local Area Network (LAN) Settings panel. (© 2002 Microsoft Corporation.)

In practice, the second and third possibilities are most often used. In fact, it is always possible to manually configure the use of one (or several) proxy server(s). If only one proxy server is used (e.g., an HTTP proxy server), its use can be directly configured in the lower section of the "Local Area Network (LAN) Settings" panel.

If, however, a proxy server must be specified for more than one application protocol, the "Advanced" button may be pressed to open the Proxy Settings panel, as illustrated in Figure 3.8. In this panel, the use of proxy servers can be configured for HTTP, HTTPS (named "Secure" in Microsoft's Internet Explorer), FTP, Gopher, and SOCKS. Obviously, it is possible to specify only one proxy server and to activate the checkbox entitled "Use the same proxy server for all protocols." It is also possible to specify Internet addresses that may be contacted directly (i.e., without having to go through a proxy server). These addresses are named "Exception" in Microsoft's Internet Explorer.

Figure 3.8: Configuring the use of proxy servers in Microsoft's Internet Explorer. (© 2002 Microsoft Corporation.)

The manual configuration of proxy servers does not scale in intranet environments. In this situation, it is usually more convenient to use an automatic configuration script. Automatic configuration scripts were originally introduced by Netscape Communications under the term proxy auto-config (PAC) files. Consequently, a PAC file is typically named proxy.pac. In short, a PAC file is written in a scripting language (e.g., JavaScript) and provides the following function:

 function FindProxyForURL(url, host) { } 

There are two arguments for a FindProxyForURL function call: url specifies the full URL being accessed, and host specifies the hostname extracted from the URL (this is only for convenience, since it is the same string as between :// and the first : or / after that). The FindProxyForURL function returns a string describing the configuration. If the return string is null, no proxies should be used. The string can contain any number of the following building blocks, separated by a semicolon:

  • DIRECT: In this case, connections should be made directly, without using any proxies;

  • PROXY host:port: In this case, the specified proxy server should be used;

  • SOCKS host:port: In this case, the specified SOCKS server should be used.

The use of a PAC file is very convenient to have all browsers in an intranet environment use the same proxy settings.
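
The following is an added example, not code from the book: a PAC function that sends internal destinations DIRECT and everything else to the gateways on a bastion host, together with a small parser that checks a return string against the three building blocks listed above. The domain `.corp.example`, the host `bastion.corp.example`, the ports, and the helper names `parsePacResult` and `allowsDirect` are assumptions made for illustration.

```javascript
// Added example. The domain, host names and ports are hypothetical.
var INTERNAL_DOMAIN = ".corp.example";                   // assumed intranet suffix
var HTTP_GATEWAY = "PROXY bastion.corp.example:8080";    // assumed application-level gateway
var SOCKS_GATEWAY = "SOCKS bastion.corp.example:1080";   // assumed circuit-level gateway

// Called by the browser for every request once the PAC file is loaded.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Internal destinations (unqualified names, intranet domain) need no gateway.
  // The leading dot in INTERNAL_DOMAIN keeps "evilcorp.example" from matching.
  if (host.indexOf(".") === -1 ||
      host.slice(-INTERNAL_DOMAIN.length) === INTERNAL_DOMAIN) {
    return "DIRECT";
  }
  // External Web traffic: entries are tried left to right, and DIRECT is
  // deliberately absent so a gateway outage does not become a direct connection.
  if (/^https?:/i.test(url)) {
    return HTTP_GATEWAY + "; " + SOCKS_GATEWAY;
  }
  return SOCKS_GATEWAY;
}

// Splits a return string into its building blocks and rejects anything that
// is not DIRECT, PROXY host:port or SOCKS host:port.
function parsePacResult(result) {
  if (result === null || result === "") return [{ type: "DIRECT" }];
  var entry = /^(?:(DIRECT)|(PROXY|SOCKS)\s+([A-Za-z0-9.-]+):(\d{1,5}))$/;
  return result.split(";").map(function (part) {
    var m = entry.exec(part.trim());
    if (!m) throw new Error("invalid PAC entry: " + part.trim());
    if (m[1]) return { type: "DIRECT" };
    var port = Number(m[4]);
    if (port < 1 || port > 65535) throw new Error("invalid port: " + part.trim());
    return { type: m[2], host: m[3], port: port };
  });
}

// Audit helper: true if the PAC answer would let this request skip the gateways.
function allowsDirect(url, host) {
  return parsePacResult(FindProxyForURL(url, host)).some(function (e) {
    return e.type === "DIRECT";
  });
}
```

Running `allowsDirect` over a list of representative external URLs before a PAC file is published shows whether any rule lets traffic leave without passing the bastion host.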

As illustrated in Figure 3.9, the Opera browser can also be configured to make use of proxy servers or PAC files using the Proxy servers panel. Similar to Microsoft's Internet Explorer, proxy servers can be specified for HTTP, HTTPS, FTP, and Gopher. Unlike Microsoft's Internet Explorer, however, Opera supports WAIS but does not support SOCKS. This may change in the future, because WAIS is seldom used.

Figure 3.9: Configuring the use of proxy servers in the Proxy servers panel of Opera. (© 2002 Opera Software.)

[22] The Local Area Network (LAN) Settings panel can be found in the Connections tab of the Tools > Internet Options... menu.




Security Technologies for the World Wide Web, Second Edition
ISBN: 1580533485
EAN: 2147483647
Year: 2003
Pages: 142
Authors: Rolf Oppliger
