Proxy Services: Good Practice Guidelines

Transcription

1 Programme NPFIT DOCUMENT RECORD ID KEY Sub-Prog / Project Information Governance Prog. Director Mark Ferrar Owner Tim Davis Version 1.0 Author James Wood Version Date 26/01/2006 Status APPROVED Proxy Services: Good Practice Guidelines Crown Copyright 2005 Page 1 of 10

2 Amendment History: Version Date Amendment History 0.1 First draft for comment /01/2006 Format update /01/2006 Format reverted. Content revised /03/2006 Technical Author /03/2006 Approved Forecast Changes: Anticipated Change When Annual Review March 2007 Reviewers: This document must be reviewed by the following. Indicate any delegation for sign off. Name Signature Title / Responsibility Date Version Malcolm IG Security Team 1.0 McKeating Manager Tim Davis Head of Information Governance 1.0 Approvals: This document requires the following approvals: Name Signature Title / Responsibility Date Version Mark Ferrar Director of Technical 1.0 Infrastructure Tim Davis Head of Information Governance 1.0 Distribution: Information Governance website: Crown Copyright 2005 Page 2 of 10

3 Document Status: This is a controlled document. This document version is only valid at the time it is retrieved from controlled filestore, after which a new approved version will replace it. On receipt of a new issue, please destroy all previous issues (unless a specified earlier issue is baselined for use throughout the programme). Related Documents: Ref no Doc Reference Number Title Version 1 NPFIT-SHR-QMS-PRP-0015 Glossary of Terms Consolidated.doc 12 Crown Copyright 2005 Page 3 of 10

4 Contents 1 Introduction...5 Abstract Aims and Objectives Assumed Reader Knowledge Background Disclaimer Web and Application Proxy Overview Proxy Considerations Web Cache Proxies Application Proxies Content Rewriting Proxy Deployment Deployment and Maintenance Glossary...10 Crown Copyright 2005 Page 4 of 10

5 1 Introduction Abstract This guide addresses the major security issues associated with the use of proxy services and the deployment and maintenance of proxy servers. Detailed technical knowledge is not required. You will find guidance on: Using proxy and content re-writing services appropriately. 1.1 Aims and Objectives The following information provides a knowledge-based framework that will help maintain best practice values in your own organisation. In using this guide you will be conforming to best practice and therefore avoid some of the consequences of non-compliance. After completing this guide you should understand: The benefits and disadvantages associated with various types of proxy service. 1.2 Assumed Reader Knowledge A general familiarity with networking fundamentals Familiarity with any applications which may be impacted through the use of proxy services Further information on network security and related matters is available from the NHS Connecting for Health Information Governance website: Background Proxy servers often have one of the following purposes: concealing information from connection end points, providing aggregation services (which merge multiple requests through a single point), or enforcing a business policy such as a website block list or other content filtering. Concealing information in this way is potentially problematic as it can cause difficulties when communicating with national services such as SPINE Crown Copyright 2005 Page 5 of 10

6 because of the requirement to provide complete audit trails of activity. The proxy may render the audit trails, captured by end services, incomplete or incorrect. Content rewriting services may also affect the transmission and reporting of information by transparently altering data contained with the activity. This may involve the rewriting of header or meta information (used in different ways by servers and applications). If content rewriting services alter this information (to hide or replace it with false information) the processing of the information at the client or server end may be disrupted. This may include re-formatting of content returned to the user or even parsing of outgoing information. Careful consideration should be taken to ensure that any applications which may use proxies are not affected by these sorts of activities. 1.4 Disclaimer Reference to any specific commercial product, process or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by NHS Connecting for Health. The views and opinions of authors expressed within this document shall not be used for advertising or product endorsement purposes. NHS Connecting for Health shall also accept no responsibility for any errors or omissions contained within this document. In particular, NHS Connecting for Health shall not be liable for any loss or damage whatsoever, arising from the usage of information contained in this document. Crown Copyright 2005 Page 6 of 10

7 2 Web and Application Proxy Overview 2.1 Proxy Considerations It is important to understand, that the use of proxies may have as many (or more) disadvantages than benefits. The central management of access control is often the driving force behind a business implementing web proxies on their systems; often in order to protect employees from malicious, illegal, or otherwise prohibited content available on the Internet. It is also possible to use a proxy to make efficiency savings in resource management; by utilising it as a tool for monitoring the proper business use of corporate assets. The main drawback of using a proxy is that, in networking terms, it effectively breaks the connection between the end user and the requested service. This break in the connection may provide additional user protection, but can also remove the critical tracking and usage information necessary for auditing purposes. Unfortunately, when complete audit trails of usage are required, a proxy can remove vital information by presenting a single end point used by multiple end users. Without access to the proxy logs, it can be very difficult to identify individual user connections. In addition, transaction logging at the service end may not contain sufficient information to identify individual user transactions. It is possible to configure proxy servers to disguise all connections behind a single IP address and/or use a pool of assigned addresses to further hide the end user information, by distributing connection requests over the pool of IP addresses. Log information, identifying the actions of individual users, is not necessarily reliable, as long as proxy servers are in use by end clients. Also, proxies configured for user anonymity can completely hide any information that might be utilised in distinguishing different clients and their transactions. 2.2 Web Cache Proxies Web caching proxies are the most common form of proxy device. A central proxy server receives all requests for web pages from the end client. The proxy server then requests the information from the relevant source or retrieves previously cached information from its own local cache (if certain expiry conditions have not been met). This model allows the control and monitoring of all internet traffic from a central point thereby allowing user policies to be enforced. The use of a local cache can also reduce the amount of bandwidth used for internet traffic by storing copies of content on the proxy server. This means that the server can deliver content, which may not be refreshed frequently, without having to rerequest it from the original source. Crown Copyright 2005 Page 7 of 10

8 This can be particularly useful when viewing web pages (or other resources) that use a lot of infrequently changed images. For example, a website uses a graphics rich navigation system and layout requiring multiple images to be loaded each time a user accesses a page on the site. The proxy stores these images locally and they therefore load far more quickly for all clients that connect through the proxy to the same website. 2.3 Application Proxies Although web proxies are the most common form of proxy, there are alternative types aimed at other applications and/or traffic. It is not uncommon to see proxies for the following types of application: Network News Transfer Protocol (NNTP). File Transfer Protocol (FTP). Simple Mail Transfer Protocol (SMTP). Custom application proxies. Although not definitive, the list above should give some indication of the type of common task which utilises proxy services (that allow multiple users to connect through a central server or that conceal information from end services). It is also common for custom applications, utilised by large numbers of users, to have proxy services written specifically for them. In these cases, the requirements for audit and logging need consideration in the early stages of development. 2.4 Content Rewriting Content rewriting typically involves changing the content of a connection. This change hides or manipulates the data transmitted in an external service request. In terms of the Hypertext Transfer Protocol (HTTP) protocol used for Internet browsing, a proxy may alter (or even add) headers or content to the request therefore altering the information received. Some proxies can be configured to dynamically remove (or add) data; this might be used to remove advertisements from web pages, or block restricted third party content, embedded within legitimate content. Crown Copyright 2005 Page 8 of 10

9 3 Proxy Deployment 3.1 Deployment and Maintenance A proxy server can be the central, trusted connection to external networks, so it is important to secure it against abuse in a number of ways. This should include configuring the server to accept only those connections known to be from appropriate hosts on the network. Open Proxies allow connections from any device and are often used in the transmission of malicious traffic to other hosts, or utilised to disguise the actions of malicious users. Care should be taken to ensure proxies are secured against unauthorised use especially if they are accessible from the Internet or other untrusted networks. Configuring commercial proxy servers such as Microsoft s Internet Security and Acceleration Server to provide proxy services, only upon authentication of the end user (through username and password or network logon), ensures that only authenticated users can access the Internet. Furthermore, control of this access is centralised alongside traditional user management. When utilised for policy enforcement, configure the proxy server to log all access requests, including the source and destination addresses. In addition to logging, the server should block any sites which may contravene policy and display a warning page instructing the user to read the policy and be aware of its implications. Log monitoring should be conducted on a regular basis to identify any continuous attempts to access restricted sites; this may be indicative of automated programs, such as spyware, attempting to contact suspect sites. To ensure that bypassing the proxy is not possible, configure the end internet connection firewall (or router) to accept internet traffic from the proxy server only and not directly from clients. Client machines will require configuring to prevent changes to proxy settings thus avoiding users altering settings in attempts to bypass the corporate proxy. Crown Copyright 2005 Page 9 of 10

10 4 Glossary FTP: File Transfer Protocol. A standard protocol for transferring files between remote computer systems using uses the internet's TCP/IP protocols. HTTP: Hypertext Transfer Protocol. A set of rules for transferring files (text, graphic images, sound, video, and other multimedia files) on the World Wide Web. NNTP: The dominant protocol for the distribution, inquiry, retrieval, and posting of news articles. Used by computer clients and servers for managing the notes posted on Usenet newsgroups. SMTP: Simple Mail Transfer Protocol. Used in sending and receiving . Crown Copyright 2005 Page 10 of 10