Proxy Servers CS-480b Dick Steflik

Proxy Servers
- Part of an overall firewall strategy
- Sits between the local network and the external network
- Originally used primarily as a caching strategy to minimize outgoing URL requests and increase perceived browser performance
- Primary mission is now to ensure the anonymity of internal users
- Still used for caching of frequently requested files
- Also used for content filtering
- Acts as a go-between, submitting your requests to the external network
  - requests are translated from your IP address to the proxy's IP address
  - addresses of internal users are removed from request headers
- Causes an actual break in the flow of communications

Security Advantages
- Terminates the TCP connection before relaying to the target host (in and out)
- Hides internal clients from the external network
- Blocks dangerous URLs
- Filters dangerous content
- Checks consistency of retrieved content
- Eliminates the need for transport layer routing between networks
- Single point of access, control and logging

TCP Connection Termination
- Both the outgoing and incoming TCP connections are terminated at the proxy
  - prevents an attacker from hijacking a stale connection on a service that is being proxied
- Example: an HTTP page request (request packet' is the request as regenerated by the proxy)

    User ---- request packet ----> Proxy Server ---- request packet' ----> Server
    User <--- response packet ---- Proxy Server <--- response packet' ---- Server

  - user-to-proxy connection: left open until the proxy closes it, after receiving the response packet and sending it back to the user
  - proxy-to-server connection: only left open until the server closes it after sending the response packet

TCP Connection Termination (continued)
- Transport layer packets don't need to be routed between the networks, because the entire request is regenerated by the proxy
- Prevents transport layer exploits
  - source routing
  - fragmentation
  - several DoS attacks
- Since some protocols don't have proxies available, many admins will enable routing; this negates any benefit gained
- Most good proxy servers will allow you to create generic proxies using SOCKS or the redir utility
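The "regenerated request" the two slides above describe can be made concrete. The following Python is an added example, not code from the original slides or from any particular proxy product: it shows what an application-level HTTP proxy does with a request it has received on the terminated client connection before opening its own connection to the origin. It drops the hop-by-hop headers (which only govern the client-to-proxy hop), strips headers that would reveal the internal client address, converts the browser's absolute-form URL into the origin-form the server expects, and stamps its own Via header. The proxy name, the header policy and the sample request are constructed for this example.

```python
"""Regenerating a client's HTTP request at a forward proxy (added example)."""
from urllib.parse import urlsplit

# RFC 7230 hop-by-hop headers: they apply to the client<->proxy hop only and
# must not be copied onto the proxy<->server connection.
HOP_BY_HOP = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailer", "transfer-encoding", "upgrade", "proxy-connection",
}

# Headers that leak the identity or path of the internal client.
# Assumption for this example: the policy is to strip them outright.
CLIENT_IDENTIFYING = {"x-forwarded-for", "x-real-ip", "forwarded", "via"}

PROXY_NAME = "proxy.example.internal"  # constructed name used in the Via header


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, version, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, target, version, headers, body


def regenerate_request(raw: bytes):
    """Return (new_request, upstream_host, upstream_port) for the proxy's own
    outbound connection. Nothing from the client's transport layer is reused;
    only parsed, policy-checked header fields are copied."""
    method, target, version, headers, body = parse_request(raw)

    # A browser talking to an opaque proxy sends the absolute-form URL
    # ("GET http://host/path HTTP/1.1"); the origin server expects origin-form.
    if target.startswith(("http://", "https://")):
        parts = urlsplit(target)
        host = parts.hostname
        port = parts.port or (443 if parts.scheme == "https" else 80)
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
    else:
        host_hdr = next((v for n, v in headers if n.lower() == "host"), "")
        host, _, p = host_hdr.partition(":")
        port = int(p) if p else 80
        path = target

    kept = [(n, v) for n, v in headers
            if n.lower() not in HOP_BY_HOP
            and n.lower() not in CLIENT_IDENTIFYING
            and n.lower() != "host"]

    host_line = f"Host: {host}" + (f":{port}" if port not in (80, 443) else "")
    out = [f"{method} {path} {version}", host_line]
    out += [f"{n}: {v}" for n, v in kept]
    out.append(f"Via: 1.1 {PROXY_NAME}")
    # The proxy, not the client, decides when the upstream connection closes.
    out.append("Connection: close")
    new_request = "\r\n".join(out).encode("iso-8859-1") + b"\r\n\r\n" + body
    return new_request, host, port


# Constructed sample: what a browser behind the proxy might send, including a
# header some internal component stamped on it with a private address.
SAMPLE_REQUEST = (
    b"GET http://www.example.com/index.html?q=1 HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"X-Forwarded-For: 10.0.0.23\r\n"
    b"Proxy-Connection: keep-alive\r\n"
    b"Accept: text/html\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    req, host, port = regenerate_request(SAMPLE_REQUEST)
    print(f"proxy will connect to {host}:{port} and send:")
    print(req.decode("iso-8859-1"))
```

The allow-list approach (copy only headers that survive two deny sets, rebuild the request line and Host from parsed values) is what gives the "break in the flow": a malformed request line, an oversized header, or a smuggled second request never reaches the origin as the client sent it, because only the proxy's own serialization does.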

Performance Aspects
- Caching
  - By keeping local copies of frequently accessed files, the proxy can serve those files back to a requesting browser without going to the external site each time; this dramatically improves the performance seen by the end user
  - Only makes sense to implement at the ISP level rather than the small business level, because of the number of pages available
  - Because of dynamic content, many pages are invalidated in the cache right away
- Load balancing
  - A proxy can be used in the reverse direction to balance the load among a set of identical servers (servers inside the firewall, users outside)
  - Used especially with dynamic web content (.asp, .php, .cfm, .jsp)

Proxy Liabilities
- Single point of failure
  - if the proxy dies, no one can get to the external network
- Client software must usually be designed to use a proxy
- Proxies must exist for each service
- Doesn't protect the OS
  - proxies run at the application level
- Usually optimized for performance rather than security
  - WinGate was designed to be easy to configure; its installation opened a WinSock proxy on the external interface, which let attackers essentially hijack the machine
- Creates a service bottleneck
  - solved via parallelism (more proxies, and load balancing)

Transparent / Opaque
- Transparent: both parties (local/remote) are unaware that the connection is being proxied
  - the Zorp application layer proxy is transparent
- Opaque: the local party must configure client software to use the proxy
  - client software must be proxy-aware
  - Netscape Proxy Server is opaque
- With all of the things modern firewalls can do in the area of redirection, you could configure the firewall to redirect all HTTP requests to a proxy; no user configuration required (transparent)

Circuit Level Proxies
- Since some protocols require a real connection between the client and server, a regular (application-level) proxy can't be used
  - Windows Media Player, Internet Relay Chat (IRC), or Telnet
- Circuit-level proxy servers were devised to simplify matters. Instead of operating at the application layer, they work as a "shim" between the application layer and the transport layer, monitoring the TCP handshake between trusted clients or servers and untrusted hosts, and vice versa. The proxy server is still an intermediary between the two parties, but this time it establishes a virtual circuit between them.
- By using SOCKS (RFC 1928) this can be done
  - SOCKS defines a cross-platform standard for accessing circuit-level proxies
  - SOCKS version 5 also supports both username/password (RFC 1929) and GSS-API based (RFC 1961) authentication; the GSS-API method can additionally provide integrity and confidentiality (encryption) for the proxied stream
  - SOCKS 5 can also handle UDP-based protocols: the client establishes a TCP control connection to the proxy and then uses it to set up the relay of UDP datagrams (UDP ASSOCIATE)

SOCKS based Proxying (RFC 1928)
- Not a true application layer proxy
- The SOCKS protocol provides a framework for developing secure communications by easily integrating other security technologies
- SOCKS includes two components
  - SOCKS server, implemented at the application layer
  - SOCKS client, implemented between the application and transport layers
- The basic purpose of the protocol is to enable hosts on one side of a SOCKS server to gain access to hosts on the other side of the SOCKS server, without requiring direct IP reachability
- Copies packet payloads through the proxy
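Both SOCKS slides describe the protocol in words; the exchange itself is small enough to show byte for byte. The Python below is an added example, not code from the original slides or from any SOCKS implementation: it builds and parses the RFC 1928 messages for both sides of a SOCKS5 session (method negotiation, RFC 1929 username/password subnegotiation, the CONNECT request and reply with a domain-name address, and the UDP ASSOCIATE datagram header), plus the circuit-level access decision a server makes before opening the outbound connection. The destination names, the credentials and the allowed-port policy are constructed for this example; GSS-API (RFC 1961) negotiation is not implemented.

```python
"""SOCKS5 (RFC 1928 / RFC 1929) message construction and parsing (added example)."""
import hmac
import ipaddress
import struct

VER = 0x05
METHOD_NOAUTH, METHOD_GSSAPI, METHOD_USERPASS, METHOD_NONE = 0x00, 0x01, 0x02, 0xFF
CMD_CONNECT, CMD_BIND, CMD_UDP_ASSOCIATE = 0x01, 0x02, 0x03
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_OK, REP_NOT_ALLOWED, REP_CMD_UNSUPPORTED = 0x00, 0x02, 0x07


def client_greeting(methods):
    """Client -> server: VER | NMETHODS | METHODS..."""
    return bytes([VER, len(methods)]) + bytes(methods)


def server_select(allowed, offered):
    """Server -> client: VER | METHOD. `allowed` is the server's preference
    order; 0xFF tells the client nothing was acceptable and it must close."""
    for m in allowed:
        if m in offered:
            return bytes([VER, m])
    return bytes([VER, METHOD_NONE])


def userpass_request(user, password):
    """RFC 1929 subnegotiation: VER=1 | ULEN | UNAME | PLEN | PASSWD."""
    u, p = user.encode(), password.encode()
    return bytes([0x01, len(u)]) + u + bytes([len(p)]) + p


def userpass_check(msg, credentials):
    """Server side of RFC 1929; reply VER=1 | STATUS (0 = success)."""
    ulen = msg[1]
    user = msg[2:2 + ulen].decode()
    plen = msg[2 + ulen]
    password = msg[3 + ulen:3 + ulen + plen]
    expected = credentials.get(user, "").encode()
    ok = msg[0] == 0x01 and hmac.compare_digest(expected, password)  # constant time
    return bytes([0x01, 0x00 if ok else 0x01])


def encode_addr(host, port):
    """ATYP | ADDR | PORT, choosing IPv4, IPv6 or domain-name form."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        return bytes([ATYP_DOMAIN, len(name)]) + name + struct.pack("!H", port)
    atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
    return bytes([atyp]) + ip.packed + struct.pack("!H", port)


def decode_addr(buf, off):
    """Parse ATYP | ADDR | PORT at offset `off`; return (host, port, next_offset)."""
    atyp = buf[off]
    if atyp == ATYP_IPV4:
        host, off = str(ipaddress.IPv4Address(buf[off + 1:off + 5])), off + 5
    elif atyp == ATYP_IPV6:
        host, off = str(ipaddress.IPv6Address(buf[off + 1:off + 17])), off + 17
    elif atyp == ATYP_DOMAIN:
        n = buf[off + 1]
        host, off = buf[off + 2:off + 2 + n].decode("idna"), off + 2 + n
    else:
        raise ValueError("unknown ATYP")
    return host, struct.unpack("!H", buf[off:off + 2])[0], off + 2


def request(cmd, host, port):
    """Client -> server: VER | CMD | RSV=0 | ATYP | DST.ADDR | DST.PORT"""
    return bytes([VER, cmd, 0x00]) + encode_addr(host, port)


def parse_request(buf):
    if buf[0] != VER or buf[2] != 0x00:
        raise ValueError("bad SOCKS5 request header")
    host, port, _ = decode_addr(buf, 3)
    return buf[1], host, port


def reply(rep, bnd_host="0.0.0.0", bnd_port=0):
    """Server -> client: VER | REP | RSV=0 | ATYP | BND.ADDR | BND.PORT"""
    return bytes([VER, rep, 0x00]) + encode_addr(bnd_host, bnd_port)


def parse_reply(buf):
    host, port, _ = decode_addr(buf, 3)
    return buf[1], host, port


def authorize(cmd, host, port, allowed_ports):
    """Circuit-level policy (constructed for this example): the server only
    sees the destination, never the application data, so that is all it can
    decide on. Returns the REP code to send back."""
    if cmd != CMD_CONNECT and cmd != CMD_UDP_ASSOCIATE:
        return REP_CMD_UNSUPPORTED
    return REP_OK if port in allowed_ports else REP_NOT_ALLOWED


def udp_encapsulate(host, port, data):
    """Datagram over a UDP ASSOCIATE relay: RSV(2) | FRAG | ATYP | ADDR | PORT | DATA"""
    return b"\x00\x00\x00" + encode_addr(host, port) + data


def udp_decapsulate(dgram):
    if dgram[:2] != b"\x00\x00" or dgram[2] != 0:
        raise ValueError("reserved bytes set or fragmented datagram")
    host, port, off = decode_addr(dgram, 3)
    return host, port, dgram[off:]
```

The trace of a full session is: greeting, method selection, (subnegotiation), request, reply, then opaque relaying; the server's decision point is `authorize`, which illustrates why a circuit-level proxy cannot filter URLs or content the way the application-level proxies on the earlier slides can.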

SOCKS Architecture

SOCKS Functionality

GNU Zorp Proxy Firewall Suite
- Protocol-analyzing firewall
- Core framework allows:
  - the administrator to fine-tune proxy decisions (Python based policy)
  - full analysis of complex protocols with an application-level gateway: SSH with several forwarded TCP connections, SSL with an embedded POP3 protocol
  - proxies for FTP, HTTP, finger, whois, SSL
- Usually integrated into the network topology as a router: the firewall has an IP address in all of its subnets, and hosts on the different subnets use the firewall as their gateway to the outside world
- Proxy based, but uses a packet filter to preprocess the packet stream and provide transparency

How Zorp Works
A TCP session is established in the following way:
1. The client initiates a connection by sending a SYN packet destined to the server.
2. The firewall behaves as a router between the client and the server; it receives the SYN packet on one of its interfaces and consults the packet filter.
3. The packet filter rulebase is checked to see whether the given packet is permitted.
4. If the given connection is to be processed by a proxy, the packet filter rulebase contains a REDIRECT (ipchains) or TPROXY (iptables) target. Both REDIRECT and TPROXY require a port parameter, which tells the local port on the firewall host where the proxy is listening.
5. Zorp accepts the connection, checks its own access control rules and starts the appropriate proxy.
6. The proxy connects to the server on its own as needed (the server-side connection is not necessarily established immediately).
7. The proxy mediates protocol requests and responses between the communicating hosts while analyzing the ongoing stream.

Best Practices
- Use a real firewall
- Disable routing
- Secure the base operating system
  - harden the OS
  - disable external access
  - disable unneeded services