Proxy Servers and Application-Level Firewalls

Transcription

1 Proxy Servers and Application-Level Firewalls ARINAITWE IRENE

2 Learning Objectives Understand proxy servers and how they work Understand the goals that you can set for a proxy server Make decisions regarding proxy server configurations continued

3 Learning Objectives Know the benefits of the most popular proxy-based firewall products Know the uses of the reverse proxy Understand when a proxy server isn t the correct choice

4 Overview of Proxy Servers Scan and act on the data portion of an IP packet Act primarily on behalf of internal hosts receiving, rebuilding, and forwarding outbound requests Go by many names Proxy services Application-level gateways Application proxies

5 Overview of Proxy Servers In computer networks, a proxy server is a server (a computer system or an application) that acts as an intermediary for requests from clients seeking resources from other servers. A client connects to the proxy server, requesting some service, such as a file, connection, web page, or other resource, available from a different server. The proxy server evaluates the request according to its filtering rules. For example, it may filter traffic by IP address or protocol. If the request is validated by the filter, the proxy provides the resource by connecting to the relevant server and requesting the service on behalf of the client. A proxy server may optionally alter the client's request or the server's response, and sometimes it may serve the request without contacting the specified server. In this case, it 'caches' responses from the remote server, and returns subsequent requests for the same content directly.

6 Overview of Proxy Servers A proxy server has a large variety of potential purposes, including: To keep machines behind it anonymous (mainly for security). To speed up access to resources (using caching). Web proxies are commonly used to cache web pages from a web server. To apply access policy to network services or content, e.g. to block undesired sites. To log / audit usage, i.e. to provide company employee Internet usage reporting. To scan transmitted content for malware before delivery. To scan outbound content, e.g., for data leak protection. To allow a web site to make web requests to externally hosted resources (e.g. images, music files, etc.) when cross-domain restrictions prohibit the web site from linking directly to the outside domains.

7 Overview of Proxy Servers Schematic representation of a proxy server, where the computer in the middle acts as the proxy server between the other two.

8 Overview of Proxy Servers A proxy server that passes requests and responses unmodified is usually called a gateway or sometimes tunneling proxy. A proxy server can be placed in the user's local computer or at various points between the user and the destination servers on the Internet. A reverse proxy is (usually) an Internet-facing proxy used as a front-end to control and protect access to a server on a private network, commonly also performing tasks such as load-balancing, authentication, decryption or caching.

9 Gateway In telecommunications, the term gateway has the following meaning: In a communications network, a network node equipped for interfacing with another network that uses different protocols. A gateway may contain devices such as protocol translators, rate converters, fault isolators, or signal translators as necessary to provide system interoperability. It also requires the establishment of mutually acceptable administrative procedures between both networks. A protocol translation/mapping gateway interconnects networks with different network protocol technologies by performing the required protocol conversions. Loosely, a computer or computer program configured to perform the tasks of a gateway. Gateways, also called protocol converters, can operate at any network layer. The activities of a gateway are more complex than that of the router or switch as it communicates using more than one protocol.

10 Gateway vs. default gateway computer networking, a gateway is a node (a router) on a TCP/IP network that serves as an access point to another network. A default gateway is the node on the computer network that the network software uses when an IP address does not match any other routes in the routing table. In home computing configurations, an ISP often provides a physical device which both connects local hardware to the Internet and serves as a gateway. Such devices include DSL modems and cable modems. In organizational systems a gateway is a node that routes the traffic from a workstation to another network segment. The default gateway commonly connects the internal networks and the outside network (Internet). In such a situation, the gateway node could also act as a proxy server and a firewall. The gateway is also associated with both a router, which uses headers and forwarding tables to determine where packets are sent, and a switch, which provides the actual path for the packet in and out of the gateway. In other words, a default gateway provides an entry point and an exit point in a network.

11 Forward proxy An ordinary forward proxy is an intermediate server that sits between the client and the origin server. In order to get content from the origin server, the client sends a request to the proxy naming the origin server as the target and the proxy then requests the content from the origin server and returns it to the client. The client must be specially configured to use the forward proxy to access other sites. A typical usage of a forward proxy is to provide Internet access to internal clients that are otherwise restricted by a firewall. The forward proxy can also use caching to reduce network usage.

12 Forward proxy A forward proxy taking requests from an internal network and forwarding them to the Internet

13 Forward vs reverse proxies In computer networks, a reverse proxy is a type of proxy server that retrieves resources on behalf of a client from one or more servers. These resources are then returned to the client as though it originated from the reverse proxy itself. While a forward proxy is usually situated between the client application (such as a web browser) and the server(s) hosting the desired resources, a reverse proxy is usually situated closer to the server(s) and will only return a configured set of resources.

14 How Proxy Servers Work Function as a software go-between, forwarding data between internal and external hosts Focus on the port each service uses Screen all traffic into and out of each port Decide whether to block or allow traffic based on rules Add time to communications, but in return, they: Conceal clients Translate network addresses Filter content

15

16 Steps Involved in a Proxy Transaction 1. Internal host makes request to access a Web site 2. Request goes to proxy server, which examines header and data of the packet against rule base 3. Proxy server recreates packet in its entirety with a different source IP address continued

17 Steps Involved in a Proxy Transaction 4. Proxy server sends packet to destination; packet appears to come from proxy server 5. Returned packet is sent to proxy server, which inspects it again and compares it against its rule base 6. Proxy server rebuilds returned packet and sends it to originating computer; packet appears to come from external host

18 Steps Involved in a Proxy Transaction

19 Proxy Servers and Packet Filters Are used together in a firewall to provide multiple layers of security Both work at the Application layer, but they inspect different parts of IP packets and act on them in different ways

20 How Proxy Servers Differ from Packet Filters Scan entire data part of IP packets and create more detailed log file listings Rebuild packet with new source IP information (shields internal users from outside users) Server on the Internet and an internal host are never directly connected to one another More critical to network communications

21 Goals of Proxy Servers Conceal internal clients Block URLs Block and filter content (Censorship) Protect proxy Improve performance (Catching) Ensure security Provide user authentication Redirect URLs

22 Concealing Internal Clients Network appears as a single machine If external users cannot detect hosts on your internal network, they cannot initiate an attack against these hosts Proxy server receives requests as though it were the destination server, then completely regenerates a new request, which is sent to its destination

23 Concealing Internal Clients

24 Blocking URLs An attempt to keep employees from visiting unsuitable Web sites An unreliable practice; users can use the IP address that corresponds to the URL

25 Blocking URLs

26 Blocking and Filtering Content Can block and strip out Java applets or ActiveX controls Can delete executable files attached to messages Can filter out content based on rules that contain a variety of parameters (eg, time, IP address, port number)

27 Proxy Protection External users never interact directly with internal hosts

28 Proxy Protection

29 Improving Performance Speed up access to documents that have been requested repeatedly

30 Ensuring Security with Log Files Log file Text file set up to store information about access to networked resources Can ensure effectiveness of firewall Detect intrusions Uncover weaknesses Provide documentation

31 Ensuring Security with Log Files

32 Providing User Authentication Enhances security Most proxy servers can prompt users for username and password

33 Redirecting URLs Proxy can be configured to recognize two types of content and perform URL redirection to send them to other locations Files or directories requested by the client Host name with which the client wants to communicate (most popular)

34 Proxy Server Configuration Considerations Scalability issues Need to configure each piece of client software that will use the proxy server Need to have a separate proxy service available for each network protocol Need to create packet filter rules Security vulnerabilities Single point of failure Buffer overflow

35 Providing for Scalability Add multiple proxy servers to the same network connection

36 Working with Client Configurations

37 Working with Client Configurations

38 Working with Service Configurations

39 Creating Filter Rules Allow certain hosts to bypass the proxy Filter out URLs Enable internal users to send outbound requests only at certain times Govern length of time a session can last

40 Security Vulnerabilities: Single Point of Failure Be sure to have other means of enabling traffic to flow with some amount of protection (eg, packet filtering) Create multiple proxies that are in use simultaneously

41 Security Vulnerabilities: Buffer Overflow Occur when proxy server attempts to store more data in a buffer than the buffer can hold Render the program nonfunctional Check Web site of manufacturer for security patches

42 Choosing a Proxy Server Some are commercial products for home and smallbusiness users Some are designed to protect one type of service and to serve Web pages stored in cache Most are part of a hybrid firewall (combining several different security technologies) Some are true standalone proxy servers

43 Types of Proxy Servers Transparent Nontransparent SOCKS based

44 Transparent Proxies Can be configured to be totally invisible to end user Sit between two networks like a router Individual host does not know its traffic is being intercepted Client software does not have to be configured

45 Nontransparent Proxies Require client software to be configured to use the proxy server All target traffic is forwarded to the proxy at a single target port (typically use SOCKS protocol) More complicated to configure, but provide greater security Also called explicit proxies

46 Nontransparent Proxies

47 SOCKS-Based Proxies SOCKS is a network protocol designed to allow clients to communicate with Internet servers through firewalls. SOCKS is typically implemented on proxy servers. It is supported as a proxy configuration option in popular Web browsers and instant messaging programs SOCKS is client/server. A users workstation must have a SOCKS client installed, either in the application (such as putty, Firefox), or deep in the TCP/IP stack where the client software will redirect packets into a SOCKS tunnel.

48 SOCKS-Based Proxies SOCKS protocol Enables establishment of generic proxy applications Flexible Typically used to direct all traffic from client to the proxy using a target port of TCP/1080

49 SOCKS Features Security-related advantages Functions as a circuit-level gateway Encrypts data passing between client and proxy Uses a single protocol both to transfer data via TCP and UDP and to authenticate users Disadvantage Does not examine data part of a packet

50 SocksCap

51 Proxy Server-Based Firewalls Compared Firewalls based on proxy servers: T.REX Squid WinGate Symantec Enterprise Firewall Microsoft Internet Security & Acceleration Server Choice depends on your platform and the number of hosts and services you need to protect

52 T.REX Open-Source Firewall Free UNIX-based solution Handles URL blocking, encryption, and authentication Complex configuration; requires proficiency with proxy server configuration

53 Squid High-performance, free open-source application Acts as a proxy server and caches files for Web and FTP servers Not full-featured Performs access control and filtering Quickly serves files that are held in cache Runs on UNIX-based systems Popular; plug-ins available Economical

54 WinGate Most popular proxy server for home and small business environments Well-documented Windows-based program Offers customer support and frequent upgrades

55 Symantec Enterprise Firewall Combines proxy services with encryption, authentication, load balancing, and packet filtering Configured through a snap in to the MMC Commercial firewall with built-in proxy servers More full-featured than WinGate

56 Microsoft Internet Security & Acceleration Server (ISA) Complex, full-featured Includes stateful packet filtering, proxy services, NAT, and intrusion detection Competes with high-performance firewall products

57 Two Editions of ISA Standard Edition Standalone Supports up to four processors Enterprise Edition Multiserver product with centralized management No limit on number of processors supported

58 Reverse Proxies (Overview) Monitor inbound traffic Prevent direct, unmonitored access to server s data from outside the company Advantages Performance Privacy

59 Reverse Proxy In computer networks, a reverse proxy is a type of proxy server that retrieves resources on behalf of a client from one or more servers. These resources are then returned to the client as though it originated from the reverse proxy itself. While a forward proxy is usually situated between the client application (such as a web browser) and the server(s) hosting the desired resources, a reverse proxy is usually situated closer to the server(s) and will only return a configured set of resources.

60 Reverse Proxy A reverse proxy taking requests from the Internet and forwarding them to servers in an internal network. Those making requests connect to the proxy and may not be aware of the internal network A typical usage of a reverse proxy is to provide Internet users access to a server that is behind a firewall

61 Why install reverse proxy servers Encryption / SSL acceleration: when secure web sites are created, the SSL encryption is often not done by the web server itself, but by a reverse proxy that is equipped with SSL acceleration hardware can. Furthermore, a host can provide a single "SSL proxy" to provide SSL encryption for an arbitrary number of hosts; removing the need for a separate SSL Server Certificate for each host, with the downside that all hosts behind the SSL proxy have to share a common DNS name or IP address for SSL connections. This problem can partly be overcome by using the SubjectAltName feature of X.509 certificates. Load balancing: the reverse proxy can distribute the load to several web servers, each web server serving its own application area. In such a case, the reverse proxy may need to rewrite the URLs in each web page (translation from externally known URLs to the internal locations). Serve/cache static content: A reverse proxy can offload the web servers by caching static content like pictures and other static graphical content.

62 Why install reverse proxy servers Compression: the proxy server can optimize and compress the content to speed up the load time. Spoon feeding: reduces resource usage caused by slow clients on the web servers by caching the content the web server sent and slowly "spoon feeding" it to the client. This especially benefits dynamically generated pages. Security: the proxy server is an additional layer of defense and can protect against some OS and Web Server specific attacks. However, it does not provide any protection to attacks against the web application or service itself, which is generally considered the larger threat. Extranet Publishing: a reverse proxy server facing the Internet can be used to communicate to a firewalled server internal to an organization, providing extranet access to some functions while keeping the servers behind the firewalls. If used in this way, security measures should be considered to protect the rest of your infrastructure in case this server is compromised, as its web application is exposed to attack from the Internet.

63 When a Proxy Service Isn t the Correct Choice Can slow down traffic excessively The need to authenticate via the proxy server can make connection impossible If you don t want to use your own proxy server: External users can connect to firewall directly using Secure Sockets Layer (SSL) encryption Use proxy server of an ISP

64 Lecture Summary Overview of proxy servers and how they work Goals of proxy servers Vulnerabilities and other drawbacks that proxy servers bring to a security setup Kinds of proxy servers Comparison of proxy-based firewalls