Proxy Services: Good Practice Guidelines



Similar documents
, Calendar and Messaging Services Good Practice Guideline

Site to Site Virtual Private Networks (VPNs):

Network Address Translation (NAT) Good Practice Guideline

Secure Use of the New NHS Network (N3): Good Practice Guidelines

Use of tablet devices in NHS environments: Good Practice Guideline

Security Technology: Firewalls and VPNs

BYOD Guidance: Architectural Approaches

TABLE OF CONTENT. Page 2 of 9 INTERNET FIREWALL POLICY

Internet Security Good Practice Guide. August 2009

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES

Introduction to Computer Security Benoit Donnet Academic Year

Proxy Server, Network Address Translator, Firewall. Proxy Server

BUCKEYE EXPRESS HIGH SPEED INTERNET SERVICE ACCEPTABLE USE POLICY

SPEAR PHISHING UNDERSTANDING THE THREAT

Web Server & Systems Usage Policy. The WGG Associates Limited Usage Policy has been developed with the following objectives:

Step-by-Step Configuration

UMHLABUYALINGANA MUNICIPALITY FIREWALL MANAGEMENT POLICY

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Maruleng Local Municipality

Fig : Packet Filtering

White Paper. Securing and Integrating File Transfers Over the Internet

Internet usage Policy

PCI DSS Requirements - Security Controls and Processes

1.4 To overcome this biasness, this Policy is in place to ensure all Maxis customers have a good experience.

LCC xdsl Usage Policy

Network Service, Systems and Data Communications Monitoring Policy

Semantic based Web Application Firewall (SWAF V 1.6) Operations and User Manual. Document Version 1.0

Acceptable Use Policy - NBN Services

Stopping secure Web traffic from bypassing your content filter. BLACK BOX

The Advantages of a Firewall Over an Interafer

Internet Security Firewalls

Acceptable Use and Publishing Policy

Firewall Configuration. Firewall Configuration. Solution Firewall Principles

Internet Use Policy and Code of Conduct

Internet Safety for Kids and Adults

Step-by-Step Configuration

INSTANT MESSAGING SECURITY

Using over FleetBroadband

Architecture. The DMZ is a portion of a network that separates a purely internal network from an external network.

Proxies. Chapter 4. Network & Security Gildas Avoine

Acceptable Use Policy

Network Security: From Firewalls to Internet Critters Some Issues for Discussion

Using RADIUS Agent for Transparent User Identification

Protection profile of an industrial firewall

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

Intrusion Detection and Prevention Systems (IDS/IPS) Good Practice Guide

Rule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed)

Acceptable Use Policy

Electronic Transmission of Prescriptions. FP10 Stationery Changes for ETP

Transparent Identification of Users

Inspection of Encrypted HTTPS Traffic

Issue 2EN. Nokia and Nokia Connecting People are registered trademarks of Nokia Corporation

Virgin Media Business Acceptable Use Policy (Internet)

ΕΠΛ 674: Εργαστήριο 5 Firewalls

Protection profile of an industrial firewall

WHITE PAPER. Managed File Transfer: When Data Loss Prevention Is Not Enough Moving Beyond Stopping Leaks and Protecting

SonicWALL Global Management System ViewPoint Guide. Version 2.1

Comparison of Firewall, Intrusion Prevention and Antivirus Technologies

Policy on Connection to the University Network

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL

How To Manage Web Content Management System (Wcm)

Firewall Design Principles Firewall Characteristics Types of Firewalls

Decryption. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright Palo Alto Networks

Network Security. Tampere Seminar 23rd October Overview Switch Security Firewalls Conclusion

Internet Security Firewalls

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Notice: Page 1 of 11. Internet Acceptable Use Policy. v1.3

SonicWALL PCI 1.1 Implementation Guide

(For purposes of this Agreement, "You", " users", and "account holders" are used interchangeably, and where applicable).

E Safety Policy. 6 th March Annually. 26 th February 2014

Achieving PCI-Compliance through Cyberoam

Linux MPS Firewall Supplement

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

TONBRIDGE & MALLING BOROUGH COUNCIL INTERNET & POLICY AND CODE

How To Install Caarcserve Backup Patch Manager (Carcserver) On A Pc Or Mac Or Mac (Or Mac)

THE BCS PROFESSIONAL EXAMINATIONS BCS Level 6 Professional Graduate Diploma in IT. April 2009 EXAMINERS' REPORT. Network Information Systems

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

Intro to Firewalls. Summary

FIREWALL POLICY November 2006 TNS POL - 008

Transforming business through technology. Acceptable Use Policy & Data Centre Policies

Did you know your security solution can help with PCI compliance too?

Top tips for improved network security

Guideline on Auditing and Log Management

Web Plus Security Features and Recommendations

AASTMT Acceptable Use Policy

Chapter 3 Restricting Access From Your Network

Centre for the Protection of National Infrastructure Effective Log Management

Firewalls, Tunnels, and Network Intrusion Detection

Firewalls, IDS and IPS

Guideline on Firewall

TECHNICAL NOTE 01/02 PROTECTING YOUR COMPUTER NETWORK

Lecture 23: Firewalls

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

Musina Local Municipality. Information and Communication Technology User Account Management Policy -Draft-

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Top 5 Essential Log Reports

Cyan Networks Secure Web vs. Websense Security Gateway Battle card

TECHNICAL NOTE 01/2006 ENGRESS AND INGRESS FILTERING

Transcription:

Programme NPFIT DOCUMENT RECORD ID KEY Sub-Prog / Project Information Governance Prog. Director Mark Ferrar Owner Tim Davis Version 1.0 Author James Wood Version Date 26/01/2006 Status APPROVED Proxy Services: Good Practice Guidelines Crown Copyright 2005 Page 1 of 10

Amendment History: Version Date Amendment History 0.1 First draft for comment 0.2 04/01/2006 Format update 0.3 26/01/2006 Format reverted. Content revised. 0.4 08/03/2006 Technical Author 1.0 31/03/2006 Approved Forecast Changes: Anticipated Change When Annual Review March 2007 Reviewers: This document must be reviewed by the following. Indicate any delegation for sign off. Name Signature Title / Responsibility Date Version Malcolm IG Security Team 1.0 McKeating Manager Tim Davis Head of Information Governance 1.0 Approvals: This document requires the following approvals: Name Signature Title / Responsibility Date Version Mark Ferrar Director of Technical 1.0 Infrastructure Tim Davis Head of Information Governance 1.0 Distribution: Information Governance website: http://nww.connectingforhealth.nhs.uk/ Crown Copyright 2005 Page 2 of 10

Document Status: This is a controlled document. This document version is only valid at the time it is retrieved from controlled filestore, after which a new approved version will replace it. On receipt of a new issue, please destroy all previous issues (unless a specified earlier issue is baselined for use throughout the programme). Related Documents: Ref no Doc Reference Number Title Version 1 NPFIT-SHR-QMS-PRP-0015 Glossary of Terms Consolidated.doc 12 Crown Copyright 2005 Page 3 of 10

Contents 1 Introduction...5 Abstract...5 1.1 Aims and Objectives...5 1.2 Assumed Reader Knowledge...5 1.3 Background...5 1.4 Disclaimer...6 2 Web and Application Proxy Overview...7 2.1 Proxy Considerations...7 2.2 Web Cache Proxies...7 2.3 Application Proxies...8 2.4 Content Rewriting...8 3 Proxy Deployment...9 3.1 Deployment and Maintenance...9 4 Glossary...10 Crown Copyright 2005 Page 4 of 10

1 Introduction Abstract This guide addresses the major security issues associated with the use of proxy services and the deployment and maintenance of proxy servers. Detailed technical knowledge is not required. You will find guidance on: Using proxy and content re-writing services appropriately. 1.1 Aims and Objectives The following information provides a knowledge-based framework that will help maintain best practice values in your own organisation. In using this guide you will be conforming to best practice and therefore avoid some of the consequences of non-compliance. After completing this guide you should understand: The benefits and disadvantages associated with various types of proxy service. 1.2 Assumed Reader Knowledge A general familiarity with networking fundamentals Familiarity with any applications which may be impacted through the use of proxy services Further information on network security and related matters is available from the NHS Connecting for Health Information Governance website: http://nww.connectingforhealth.nhs.uk/igsecurity/ 1.3 Background Proxy servers often have one of the following purposes: concealing information from connection end points, providing aggregation services (which merge multiple requests through a single point), or enforcing a business policy such as a website block list or other content filtering. Concealing information in this way is potentially problematic as it can cause difficulties when communicating with national services such as SPINE Crown Copyright 2005 Page 5 of 10

because of the requirement to provide complete audit trails of activity. The proxy may render the audit trails, captured by end services, incomplete or incorrect. Content rewriting services may also affect the transmission and reporting of information by transparently altering data contained with the activity. This may involve the rewriting of header or meta information (used in different ways by servers and applications). If content rewriting services alter this information (to hide or replace it with false information) the processing of the information at the client or server end may be disrupted. This may include re-formatting of content returned to the user or even parsing of outgoing information. Careful consideration should be taken to ensure that any applications which may use proxies are not affected by these sorts of activities. 1.4 Disclaimer Reference to any specific commercial product, process or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by NHS Connecting for Health. The views and opinions of authors expressed within this document shall not be used for advertising or product endorsement purposes. NHS Connecting for Health shall also accept no responsibility for any errors or omissions contained within this document. In particular, NHS Connecting for Health shall not be liable for any loss or damage whatsoever, arising from the usage of information contained in this document. Crown Copyright 2005 Page 6 of 10

2 Web and Application Proxy Overview 2.1 Proxy Considerations It is important to understand, that the use of proxies may have as many (or more) disadvantages than benefits. The central management of access control is often the driving force behind a business implementing web proxies on their systems; often in order to protect employees from malicious, illegal, or otherwise prohibited content available on the Internet. It is also possible to use a proxy to make efficiency savings in resource management; by utilising it as a tool for monitoring the proper business use of corporate assets. The main drawback of using a proxy is that, in networking terms, it effectively breaks the connection between the end user and the requested service. This break in the connection may provide additional user protection, but can also remove the critical tracking and usage information necessary for auditing purposes. Unfortunately, when complete audit trails of usage are required, a proxy can remove vital information by presenting a single end point used by multiple end users. Without access to the proxy logs, it can be very difficult to identify individual user connections. In addition, transaction logging at the service end may not contain sufficient information to identify individual user transactions. It is possible to configure proxy servers to disguise all connections behind a single IP address and/or use a pool of assigned addresses to further hide the end user information, by distributing connection requests over the pool of IP addresses. Log information, identifying the actions of individual users, is not necessarily reliable, as long as proxy servers are in use by end clients. Also, proxies configured for user anonymity can completely hide any information that might be utilised in distinguishing different clients and their transactions. 2.2 Web Cache Proxies Web caching proxies are the most common form of proxy device. A central proxy server receives all requests for web pages from the end client. The proxy server then requests the information from the relevant source or retrieves previously cached information from its own local cache (if certain expiry conditions have not been met). This model allows the control and monitoring of all internet traffic from a central point thereby allowing user policies to be enforced. The use of a local cache can also reduce the amount of bandwidth used for internet traffic by storing copies of content on the proxy server. This means that the server can deliver content, which may not be refreshed frequently, without having to rerequest it from the original source. Crown Copyright 2005 Page 7 of 10

This can be particularly useful when viewing web pages (or other resources) that use a lot of infrequently changed images. For example, a website uses a graphics rich navigation system and layout requiring multiple images to be loaded each time a user accesses a page on the site. The proxy stores these images locally and they therefore load far more quickly for all clients that connect through the proxy to the same website. 2.3 Application Proxies Although web proxies are the most common form of proxy, there are alternative types aimed at other applications and/or traffic. It is not uncommon to see proxies for the following types of application: Network News Transfer Protocol (NNTP). File Transfer Protocol (FTP). Simple Mail Transfer Protocol (SMTP). Custom application proxies. Although not definitive, the list above should give some indication of the type of common task which utilises proxy services (that allow multiple users to connect through a central server or that conceal information from end services). It is also common for custom applications, utilised by large numbers of users, to have proxy services written specifically for them. In these cases, the requirements for audit and logging need consideration in the early stages of development. 2.4 Content Rewriting Content rewriting typically involves changing the content of a connection. This change hides or manipulates the data transmitted in an external service request. In terms of the Hypertext Transfer Protocol (HTTP) protocol used for Internet browsing, a proxy may alter (or even add) headers or content to the request therefore altering the information received. Some proxies can be configured to dynamically remove (or add) data; this might be used to remove advertisements from web pages, or block restricted third party content, embedded within legitimate content. Crown Copyright 2005 Page 8 of 10

3 Proxy Deployment 3.1 Deployment and Maintenance A proxy server can be the central, trusted connection to external networks, so it is important to secure it against abuse in a number of ways. This should include configuring the server to accept only those connections known to be from appropriate hosts on the network. Open Proxies allow connections from any device and are often used in the transmission of malicious traffic to other hosts, or utilised to disguise the actions of malicious users. Care should be taken to ensure proxies are secured against unauthorised use especially if they are accessible from the Internet or other untrusted networks. Configuring commercial proxy servers such as Microsoft s Internet Security and Acceleration Server to provide proxy services, only upon authentication of the end user (through username and password or network logon), ensures that only authenticated users can access the Internet. Furthermore, control of this access is centralised alongside traditional user management. When utilised for policy enforcement, configure the proxy server to log all access requests, including the source and destination addresses. In addition to logging, the server should block any sites which may contravene policy and display a warning page instructing the user to read the policy and be aware of its implications. Log monitoring should be conducted on a regular basis to identify any continuous attempts to access restricted sites; this may be indicative of automated programs, such as spyware, attempting to contact suspect sites. To ensure that bypassing the proxy is not possible, configure the end internet connection firewall (or router) to accept internet traffic from the proxy server only and not directly from clients. Client machines will require configuring to prevent changes to proxy settings thus avoiding users altering settings in attempts to bypass the corporate proxy. Crown Copyright 2005 Page 9 of 10

4 Glossary FTP: File Transfer Protocol. A standard protocol for transferring files between remote computer systems using uses the internet's TCP/IP protocols. HTTP: Hypertext Transfer Protocol. A set of rules for transferring files (text, graphic images, sound, video, and other multimedia files) on the World Wide Web. NNTP: The dominant protocol for the distribution, inquiry, retrieval, and posting of news articles. Used by computer clients and servers for managing the notes posted on Usenet newsgroups. SMTP: Simple Mail Transfer Protocol. Used in sending and receiving email. Crown Copyright 2005 Page 10 of 10

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information