Sunday, 8 January 2012




  • Proxy Servers
            Part of an overall Firewall strategy
            Sits between the local network and the external network
            Originally used primarily as a caching strategy to minimize outgoing URL requests and increase perceived browser performance
            Primary mission is now to ensure anonymity of internal users
            Still used for caching of frequently requested files
            Proxy Servers
            Dick Steflik
            Also used for content filtering
            Acts as a go-between, submitting your requests to the external network 
            Requests are translated from your IP address to the Proxy’s IP address
            E-mail addresses of internal users are removed from request headers
            Cause an actual break in the flow of communications
            Security Advantages
            Terminates the TCP connection before relaying to target host (in and out)
            Hide internal clients from external network
            Blocking of dangerous URLs
            Filter dangerous content
            Check consistency of retrieved content
            Eliminate need for transport layer routing between networks
            Single point of access, control and logging
            TCP Connection Termination
            Both the outgoing and incoming TCP connections are terminated
            Prevents a hacker from hijacking a stale connection on a service that is being proxied
            e.g. an HTTP page request
            Transport layer packets don’t need to be routed because the entire request must be regenerated
            Prevents transport layer exploits
            source routing
            several DoS attacks
            Since some protocols don’t have proxies available, many admins will enable routing; this negates any benefit gained
            Most good proxy servers will allow you to create generic proxies using SOCKS or the redir utility                                                 
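
The request regeneration described above, sketched as an added example (not code from the original slides): the proxy parses the client's request, applies a URL block list, drops identifying headers such as From, and builds a new request for the origin server. The header list, the block-list entry and the function name are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Headers that identify the internal user or host (assumed policy list).
STRIP_HEADERS = {"from", "via", "x-forwarded-for", "proxy-authorization",
                 "proxy-connection", "connection", "host"}
BLOCKED_HOSTS = {"malware.example"}  # constructed block-list entry


def regenerate_request(raw: bytes):
    """Parse a proxy-form HTTP request and build a fresh one for the origin.

    Returns ((host, port), new_request_bytes); raises PermissionError if the
    destination is on the block list.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ")
    url = urlsplit(target)
    if url.scheme != "http" or not url.hostname:
        raise ValueError("expected an absolute http:// URI")
    host = url.hostname.lower()
    if host in BLOCKED_HOSTS:
        raise PermissionError(f"blocked host: {host}")
    path = (url.path or "/") + ("?" + url.query if url.query else "")
    # The Host header is rebuilt from the parsed URL, never copied from the client.
    out = [f"{method} {path} {version}",
           f"Host: {host}:{url.port}" if url.port else f"Host: {host}"]
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line")
        if name.strip().lower() in STRIP_HEADERS:
            continue  # identifying or hop-by-hop header: do not forward
        out.append(f"{name.strip()}: {value.strip()}")
    out.append("Connection: close")
    request = ("\r\n".join(out) + "\r\n\r\n").encode("iso-8859-1") + body
    return (host, url.port or 80), request
```

Because the outgoing bytes are built from parsed fields rather than copied, nothing the client sent reaches the origin unless the proxy chose to re-emit it.
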
            Performance Aspects
            By keeping local copies of frequently accessed files, the proxy can serve those files back to a requesting browser without going to the external site each time; this dramatically improves the performance seen by the end user
            Only makes sense to implement this at the ISP rather than the small business level because of the number of pages available
            Because of dynamic content many pages are invalidated in the cache right away
            Load balancing
            A proxy can be used in a reverse direction to balance the load amongst a set of identical servers (servers inside the firewall and users outside)
            Used especially with dynamic web content (.asp, .php, .cfm, .jsp)
            Proxy Liabilities
            Single point of failure
            if the proxy dies, no one can get to the external network
            Client software must usually be designed to use a proxy
            Proxies must exist for each service
            Doesn’t protect the OS
            proxies run at the application level
            Usually optimized for performance rather than security
            WINGATE was installed to be easy to configure; opened a winsock proxy to the external interface, which let hackers essentially hijack the machine
            Create a service bottleneck
            solved via parallelism (more proxies, and load balance)
             Transparent / Opaque
            Transparent – both parties (local/remote) are unaware that the connection is being proxied
            Zorp's application-layer proxy is transparent
            Opaque – the local party must configure client software to use the proxy
            client software must be proxy-aware software
            Netscape proxy server is opaque
            With all of the things modern firewalls can do in the area of redirection you could configure the firewall to redirect all http requests to a proxy
            no user configuration required (transparent)
            Circuit Level Proxies
            Since some protocols require a real connection between the client and server, a regular proxy can’t be used
            Windows Media Player, Internet Relay Chat (IRC), or Telnet
            Circuit-level proxy servers were devised to simplify matters.
            Instead of operating at the Application layer, they work as a "shim" between the Application layer and the Transport layer, monitoring TCP handshaking between packets from trusted clients or servers to untrusted hosts, and vice versa. The proxy server is still an intermediary between the two parties, but this time it establishes a virtual circuit between them.
            By using SOCKS (RFC 1928) this can be done
            SOCKS defines a cross-platform standard for accessing circuit-level proxies
            SOCKS Version 5 also supports both username/password (RFC 1929) and API-based (RFC 1961) authentication. It also supports both public and private key encryption.
            SOCKS 5 is capable of solving this problem by establishing TCP connections and then using these to relay UDP data.
            SOCKS based Proxying
            RFC 1928
            Not a true application layer proxy
            SOCKS protocol provides a framework for developing secure communications by easily integrating other security technologies
            SOCKS includes two components
            SOCKS server
            implemented at the application layer
            SOCKS client
            implemented between the application and transport layers
            The basic purpose of the protocol is to enable hosts on one side of a SOCKS server to gain access to hosts on the other side of a SOCKS Server, without requiring direct IP-reachability.
            Copies packet payloads through the proxy
            Socks Architecture
            Socks Functionality
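
The opening SOCKS 5 exchange from RFC 1928, with both sides' messages, as an added example that is not part of the original slides: the client offers authentication methods, the server selects one according to its policy, and the client then sends a CONNECT request that the server parses strictly. Function names are assumptions; the byte layouts follow the RFC.

```python
import ipaddress
import struct

# Constants from RFC 1928.
VER = 0x05
NO_AUTH, USER_PASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

def client_greeting(methods):
    """Client -> server: VER, NMETHODS, METHODS."""
    return bytes([VER, len(methods), *methods])

def server_choose_method(greeting, allowed):
    """Server -> client: VER, METHOD (0xFF if nothing offered is allowed)."""
    if len(greeting) < 3 or greeting[0] != VER or len(greeting) != 2 + greeting[1]:
        raise ValueError("malformed greeting")
    offered = greeting[2:]
    chosen = next((m for m in allowed if m in offered), NO_ACCEPTABLE)
    return bytes([VER, chosen])

def connect_request(host, port):
    """Client -> server: VER, CMD, RSV, ATYP, DST.ADDR, DST.PORT."""
    try:
        ip = ipaddress.ip_address(host)
        atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
        addr = ip.packed
    except ValueError:  # not an IP literal: send the name, the proxy resolves it
        name = host.encode("idna")
        atyp, addr = ATYP_DOMAIN, bytes([len(name)]) + name
    return bytes([VER, CMD_CONNECT, 0x00, atyp]) + addr + struct.pack("!H", port)

def parse_request(req):
    """Server side: return (cmd, host, port), rejecting malformed input."""
    if len(req) < 7 or req[0] != VER or req[2] != 0x00:
        raise ValueError("malformed request")
    cmd, atyp = req[1], req[3]
    if atyp == ATYP_DOMAIN:
        end = 5 + req[4]
        host = req[5:end].decode("ascii")
    elif atyp in (ATYP_IPV4, ATYP_IPV6):
        end = 4 + (4 if atyp == ATYP_IPV4 else 16)
        host = str(ipaddress.ip_address(req[4:end]))
    else:
        raise ValueError("unsupported address type")
    if len(req) != end + 2:
        raise ValueError("length mismatch")
    return cmd, host, struct.unpack("!H", req[end:])[0]
```

A server whose `allowed` list contains only `USER_PASS` answers a no-authentication-only client with method `0xFF`, which is how the proxy refuses unauthenticated use before any destination is named.
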
            GNU ZORP Proxy Firewall Suite
            Protocol Analyzing Firewall
            core framework allows:
             the administrator to fine tune proxy decisions (Python based)
             fully analyze complex protocols with an application-level gateway, e.g.:
            SSH with several forwarded TCP connections
            SSL with an embedded POP3 protocol
            FTP, HTTP, finger, whois, SSL
            Usually integrated into the network topology as routers, this means that they have an IP address in all their subnets, and hosts on different subnets use the firewall as their gateway to the outside world.
            Proxy based but uses a packet filter to preprocess the packet stream  and  provide transparency.
            How Zorp Works
            A TCP session is established in the following way:
            client initiates a connection by sending a SYN packet destined to the server
            the firewall behaves as a router between the client and the server, receives the SYN packet on one of its interfaces and consults the packet filter
            the packet filter rulebase is checked to determine whether the given packet is permitted
            if the given connection is to be processed by a proxy, then the packet filter rulebase contains a REDIRECT (ipchains) or TPROXY (iptables) target. Both REDIRECT and TPROXY require a port parameter, which gives the local port on the firewall host where the proxy is listening.
            Zorp accepts the connection, checks its own access control rules and starts the appropriate proxy
            the proxy connects to the server on its own as needed (the server side connection is not necessarily established immediately)
            the proxy mediates protocol requests and responses between the communicating hosts while analyzing the ongoing stream
            Best Practices
            Use a Real Firewall
            Disable Routing
            Secure the Base Operating System
            harden the OS
            Disable External Access
            Disable unneeded Services
