Proxy firewalls.

Academic year: 2021


Content

- Proxy Firewalls
- How Proxy Firewalls Work
- Forward / Reverse Proxies
- Application-Level Proxies
- Gateways (Circuit-Level Proxies)

How proxy firewalls work

- The proxy acts on behalf of both the inside client and the outside server
- The proxy interacts with its internal address on behalf of the external server, as listener
- The proxy interacts with its external address on behalf of the internal client, as initiator
- Client and server never interact directly with each other
- IP forwarding is disabled on the proxy server
- Not transparent: the client addresses the proxy explicitly

Proxy firewall - example

1. User requests an HTTP resource
3. Client software forwards the request to the proxy
5. Proxy makes the connection and acts as client by requesting the HTTP resource from the server
7. All ongoing traffic being routed between internal

Bastion hosts

- Since the proxy server is visible from the outside network, it has to be hardened against attacks
- Proxy servers are usually dual-homed (two network interfaces)
- No direct connection: IP forwarding is disabled
- The internal structure of the network remains hidden from any outside party
- Passive fingerprinting is impossible (OS detection by studying default settings of packets, such as TTL, window size, TCP options)

Forward / reverse proxy

Forward proxy:
- Dominant form of proxies
- Connection initiated by an internal client

Reverse proxy:
- Connection initiated by an external client

Application-level proxy

- Implemented for each service
- Policies permit particular traffic, such as:
  - Particular users (impossible with transparent firewalls)
  - Particular addresses
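As an added worked example (not code from the slides), the following minimal application-level proxy in Python carries out the walk-through from the example slide and enforces the per-user / per-address policy that an application-level proxy can apply. The client talks only to the proxy; the proxy decides on (user, host, port) and, if it allows the request, opens its own connection to the server, so no packet is ever forwarded between the two sides. The request line format `CONNECT <host> <port> <user>`, the `allow` policy hook and the local stand-in server are constructed for this demo and are not a real proxy protocol.

```python
import socket
import threading

# Constructed demo: a non-transparent application-level proxy. The proxy is
# listener towards the client and initiator towards the server; the two
# sockets are never joined, so IP forwarding on the proxy host can stay off.
# Wire format (made up for this example):
#   client -> proxy : "CONNECT <host> <port> <user>\n" then one payload line
#   proxy  -> client: "OK\n" | "DENIED\n" | "ERR ...\n", then the server's reply line


def allow(user, host, port, rules):
    """Policy hook: rules is a set of permitted (user, host, port) triples."""
    return (user, host, port) in rules


def start_upstream_server():
    """Stand-in for the outside server: answers each line with its uppercase form."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                line = conn.makefile("rb").readline()
                conn.sendall(line.upper())

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def start_proxy(rules):
    """Proxy listener; returns its port. Handles one request per client connection."""
    lst = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lst.bind(("127.0.0.1", 0))
    lst.listen(5)

    def handle(client):
        with client:
            rd = client.makefile("rb")
            fields = rd.readline().decode("ascii", "replace").split()
            if len(fields) != 4 or fields[0] != "CONNECT" or not fields[2].isdigit():
                client.sendall(b"ERR malformed request\n")
                return
            host, port, user = fields[1], int(fields[2]), fields[3]
            if not allow(user, host, port, rules):
                client.sendall(b"DENIED\n")  # the server never sees this client
                return
            try:  # fresh connection opened by the proxy itself (initiator role)
                upstream = socket.create_connection((host, port), timeout=5)
            except OSError:
                client.sendall(b"ERR upstream unreachable\n")
                return
            with upstream:
                client.sendall(b"OK\n")
                upstream.sendall(rd.readline())                     # client -> proxy -> server
                client.sendall(upstream.makefile("rb").readline())  # server -> proxy -> client

    def accept_loop():
        while True:
            conn, _ = lst.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return lst.getsockname()[1]


def request_via_proxy(proxy_port, user, host, port, payload):
    """Client side: ask the proxy to reach host:port; returns (status, reply bytes or None)."""
    with socket.create_connection(("127.0.0.1", proxy_port), timeout=5) as s:
        s.sendall(f"CONNECT {host} {port} {user}\n".encode("ascii"))
        rd = s.makefile("rb")
        status = rd.readline().strip().decode("ascii")
        if status != "OK":
            return status, None
        s.sendall(payload)
        return status, rd.readline()


if __name__ == "__main__":
    server_port = start_upstream_server()
    proxy_port = start_proxy({("alice", "127.0.0.1", server_port)})
    print(request_via_proxy(proxy_port, "alice", "127.0.0.1", server_port, b"hello\n"))
    print(request_via_proxy(proxy_port, "bob", "127.0.0.1", server_port, b"hello\n"))
```

Running the file starts the stand-in server and the proxy on loopback, then issues one permitted and one denied request. Note that a denied request is answered by the proxy alone; the upstream connection is only created after the policy check, which is the property that lets the proxy host keep IP forwarding disabled.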

Circuit-level proxy

- Packet filtering inside the proxy is based on more specific rules
- Content will be examined:
  - Catchwords
  - Size
  - Viruses
  - Data type
  - Image detection
  - Passwords

Advantages

- Internal structure / topology is shielded from the external world
- Traffic can be easily monitored
- User-based security is possible / authentication can be implemented

Disadvantages

- Performance reduction
- Single point of failure
- Application-specific proxies have to be developed
- Software has to be adapted

Proxy firewalls and encrypted traffic

IPSec:
- End-to-end encryption is impossible, because packets are changed at the proxy
- The payload obviously cannot be examined
- Authentication causes problems

SSL / TLS:
- The payload is encrypted
- The proxy cannot change the payload until it is decrypted

SOCKS

- SOCKS is a proxy toolkit
- It enables applications to be "proxied" without specific client software; the SOCKS server performs client authentication and authorization
- Applications are "socksified": modifications are necessary to communicate with the SOCKS server

SOCKS protocol

Client:
- Sends a request to the proxy server containing its own identity and the required destination address (outbound connections) or the required port (inbound connections)

Server:
- Checks whether the request should be granted

SOCKS v.4

- Defines message formats to support TCP connections
- The SOCKS proxy grants access based on TCP header information (see other slides)
- ident authentication (RFC 1413) is also possible: identd returns the owner of a connection (identified by a pair of TCP ports), e.g.

    6193, 23 : USERID : UNIX : stjohns
    6195, 24 : ERROR : NO-USER

- No strong authentication

SOCKS v.4 connect

- The client wants to connect to an external service

Request:

    +----+----+----+----+----+----+----+----+----+----+....+----+
    | VN | CD | DSTPORT |      DSTIP        | USERID       |NULL|
    +----+----+----+----+----+----+----+----+----+----+....+----+
      1    1      2              4           variable       1

    VN - version
    CD - command

Reply:

    +----+----+----+----+----+----+----+----+
    | VN | CD | DSTPORT |      DSTIP        |
    +----+----+----+----+----+----+----+----+
      1    1      2              4

    CD (reply code):
    90: request granted
    91: request rejected or failed
    92: request rejected because the SOCKS server cannot connect to identd on the client

SOCKS v.4 bind

- The client offers a socket for inbound connections

Request:

    +----+----+----+----+----+----+----+----+----+----+....+----+
    | VN | CD | DSTPORT |      DSTIP        | USERID       |NULL|
    +----+----+----+----+----+----+----+----+----+----+....+----+
      1    1      2              4           variable       1

    VN - version

SOCKS v.5

- RFC 1928
- Strong authentication
- Support for address resolution (DNS) proxy
- Provides additional support for UDP

SOCKS v.5 request

The SOCKS v.5 request is formed as follows:

    +----+-----+-------+------+----------+----------+
    |VER | CMD |  RSV  | ATYP | DST.ADDR | DST.PORT |
    +----+-----+-------+------+----------+----------+
    | 1  |  1  | X'00' |  1   | Variable |    2     |
    +----+-----+-------+------+----------+----------+

- VER: protocol version, X'05'
- CMD:
  - CONNECT X'01'
  - BIND X'02'
  - UDP ASSOCIATE X'03'
- RSV: RESERVED
- ATYP: address type of the following address
  - IP V4 address: X'01'
  - DOMAINNAME: X'03'
  - IP V6 address: X'04'
- DST.ADDR: desired destination address
- DST.PORT: desired destination port
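As an added example (not code from the slides or from any SOCKS implementation), the following Python module encodes and decodes the SOCKS v.4 request and reply laid out on the connect/bind slides and the SOCKS v.5 request laid out above, and also parses the ident (RFC 1413) reply line that a SOCKS v.4 server may consult. The field layouts, command and reply codes come from the slides; the choice of network byte order for DSTPORT, DST.PORT and addresses follows the protocol specifications the slides cite, and the VN value 0 in a v.4 reply is taken from the SOCKS v.4 protocol document, not from the slides.

```python
import ipaddress
import struct

# Constructed example: SOCKS v.4 / v.5 message codecs and an ident reply parser.
# All multi-byte integers are in network (big-endian) byte order.

SOCKS4_COMMANDS = {1: "CONNECT", 2: "BIND"}
SOCKS4_REPLIES = {
    90: "request granted",
    91: "request rejected or failed",
    92: "request rejected because SOCKS server cannot connect to identd on the client",
}
SOCKS5_COMMANDS = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP ASSOCIATE"}
SOCKS5_ATYPS = {0x01: "IP V4 address", 0x03: "DOMAINNAME", 0x04: "IP V6 address"}


def build_socks4_request(cd, dst_ip, dst_port, userid):
    """VN | CD | DSTPORT | DSTIP | USERID | NULL  (1, 1, 2, 4, variable, 1 bytes)."""
    if cd not in SOCKS4_COMMANDS:
        raise ValueError("CD must be 1 (CONNECT) or 2 (BIND)")
    if b"\x00" in userid:
        raise ValueError("USERID is NULL-terminated and may not contain NULL")
    header = struct.pack("!BBH4s", 4, cd, dst_port, ipaddress.IPv4Address(dst_ip).packed)
    return header + userid + b"\x00"


def parse_socks4_request(data):
    """Decode a SOCKS v.4 request; rejects a wrong VN or a missing NULL terminator."""
    if len(data) < 9:
        raise ValueError("request too short")
    vn, cd, dst_port, dst_ip = struct.unpack("!BBH4s", data[:8])
    if vn != 4:
        raise ValueError(f"unsupported VN {vn}")
    end = data.find(b"\x00", 8)
    if end < 0:
        raise ValueError("USERID not NULL-terminated")
    return {"cd": SOCKS4_COMMANDS.get(cd, cd), "dst_port": dst_port,
            "dst_ip": str(ipaddress.IPv4Address(dst_ip)),
            "userid": data[8:end].decode("ascii")}


def parse_socks4_reply(data):
    """VN | CD | DSTPORT | DSTIP; CD carries the result code (90, 91, 92 on the slide)."""
    if len(data) != 8:
        raise ValueError("reply must be exactly 8 bytes")
    _vn, cd, _dst_port, _dst_ip = struct.unpack("!BBH4s", data)  # VN is 0 in replies
    return cd, SOCKS4_REPLIES.get(cd, "unknown reply code")


def build_socks5_request(cmd, host, port):
    """VER X'05' | CMD | RSV X'00' | ATYP | DST.ADDR | DST.PORT; ATYP follows the host form."""
    if cmd not in SOCKS5_COMMANDS:
        raise ValueError("CMD must be X'01' CONNECT, X'02' BIND or X'03' UDP ASSOCIATE")
    try:
        addr = ipaddress.ip_address(host)
        atyp, dst_addr = (0x01 if addr.version == 4 else 0x04), addr.packed
    except ValueError:  # not an address literal: DOMAINNAME, one length octet first
        name = host.encode("idna")
        if not 1 <= len(name) <= 255:
            raise ValueError("DOMAINNAME must be 1..255 octets")
        atyp, dst_addr = 0x03, bytes([len(name)]) + name
    return bytes([0x05, cmd, 0x00, atyp]) + dst_addr + struct.pack("!H", port)


def parse_socks5_request(data):
    """Decode a SOCKS v.5 request, validating VER, RSV, ATYP and the total length."""
    if len(data) < 4 or data[0] != 0x05:
        raise ValueError("not a SOCKS v.5 request")
    cmd, rsv, atyp = data[1], data[2], data[3]
    if rsv != 0x00:
        raise ValueError("RSV must be X'00'")
    if atyp == 0x01:
        off, addr = 8, str(ipaddress.IPv4Address(data[4:8]))
    elif atyp == 0x04:
        off, addr = 20, str(ipaddress.IPv6Address(data[4:20]))
    elif atyp == 0x03:
        n = data[4]
        off, addr = 5 + n, data[5:5 + n].decode("idna")
    else:
        raise ValueError(f"unknown ATYP {atyp:#04x}")
    if len(data) != off + 2:  # DST.PORT must be exactly the last two octets
        raise ValueError("length does not match ATYP")
    return {"cmd": SOCKS5_COMMANDS.get(cmd, cmd), "atyp": SOCKS5_ATYPS[atyp],
            "dst_addr": addr, "dst_port": struct.unpack("!H", data[off:])[0]}


def parse_ident_reply(line):
    """'<server-port>, <client-port> : USERID : <opsys> : <user>' or '... : ERROR : <type>'."""
    ports, status, rest = (p.strip() for p in line.split(":", 2))
    server_port, client_port = (int(p) for p in ports.split(","))
    if status == "USERID":
        opsys, user = (p.strip() for p in rest.split(":", 1))
        return {"ports": (server_port, client_port), "status": "USERID",
                "opsys": opsys, "user": user}
    if status == "ERROR":
        return {"ports": (server_port, client_port), "status": "ERROR", "error": rest}
    raise ValueError(f"unknown ident status {status!r}")
```

Typical use is `build_socks5_request(0x01, "example.com", 443)` on the client side and `parse_socks5_request(...)` on the server side before the access decision; the length and ATYP checks are what a proxy needs so that a malformed request is rejected before any destination is looked up. The ident parser splits on at most two colons first so that a user-id field containing a colon survives.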

Portus

Proxy system with:
- Strong user authentication
- Smartcard-based authentication / smart tokens
- Access can be allowed or denied on different criteria:
  - Time
  - Addresses / ports
  - User

Summary

- Proxies hide the internal structure of the network from the outside world
- Proxies protect against protocol attacks
- Reverse proxies are a means to control inbound connections
