Proxy Server 2.0 is a firewall, a Web cache server, and more
For many corporations, the Internet is becoming an important business tool, but with that tool comes the concern of security. To meet that concern, a networking industry sector has grown up around firewalls, proxy gateways, and related security products.
Microsoft is active in this market. In November 1996, Microsoft introduced
Proxy Server 1.0 as a cost-effective Internet gateway. Proxy Server lets you
control traffic between your corporate network and the Internet by acting as an
intermediary between them. Through application and circuit layer gateways that
are tightly integrated with ordinary Windows NT Server access control, the
product lets users on a local network access Internet resources efficiently and
transparently while keeping out traffic from the Internet. In addition, Proxy
Server includes caching capabilities, improving performance for frequently
accessed Web sites.
When Proxy Server 1.0 (then called the Internet Access Server, or Catapult)
was in beta, Mark Joseph Edwards wrote a two-part overview of the product. Check
out "Microsoft's Internet Access Server," September 1996, and "Configuring
Microsoft's Internet Access Server," October 1996, for an excellent
overview of Proxy Server 1.0.
Proxy Server 1.0 had two major shortcomings. First, although it provided
application and circuit layer security, it lacked the packet filtering functions
that would put it in the same class as firewall products. Second, Proxy Server
1.0 lacked the scalability to let multiple proxy servers work together to
provide intelligent caching and access services to the end user.
In designing Proxy Server 2.0, Microsoft has addressed these problems and is
positioning Proxy Server 2.0 as a combination firewall and cache server: one
product that gives you secure and fast Internet access from your corporate
network. I'll examine the new features that make Proxy Server 2.0 a more
compelling product than its predecessor.
More Administration Choices
Proxy Server 2.0 gives the net manager a flexible set of administrative
tools. As in the previous version, you can use the Internet Service Manager
(ISM) to manage proxy services. ISM is the most complete method available; it
gives you access to all administrative functions. The ISM main screen lists each
of the installed Proxy services (Web Proxy, WinSock Proxy, and SOCKS Proxy) and
any Internet Information Server (IIS) services you have installed.
Each proxy service has its own set of property sheets. Microsoft has
reformatted the Web Proxy Service sheet, shown in Screen 1, to list functions
that all three services share (with some exceptions for the SOCKS Proxy). Other
property sheets are more specific to each service. New in the administrative
toolbox is a command-line interface for querying and configuring Proxy Server.
One great application of this tool is to use scripts to simultaneously configure
multiple proxy servers. The two command-line utilities for configuring multiple
servers are RemotMsp and WspProto. Table 1 lists the capabilities of each
utility. The initial release doesn't support an HTML administrative tool, but
Microsoft has promised that you'll be able to download the tool from the
Microsoft Web site.
Configuration Backup and Restore
The new configuration backup function creates a text file (similar to an
.ini file) that contains a complete list of all parameters defined for all
installed proxy services. Click Server Backup on the Service property sheet of
any of the proxy services, choose a directory, and away you go. This function is
an easy way to get a manual dump of the configuration on the local machine, but
you can't use it for remote machines. You can use the command-line utility
RemotMsp for either local or remote backup.
Restoring a Proxy Server configuration is likewise a manual process,
and just as simple. A neat feature is the ability to choose Partial Restore; you
reach this option by clicking Server Restore on the Web Proxy Service Properties
sheet, then choosing Restore Configuration. With Partial Restore, you can
restore only noncomputer-specific parameters, such as user permissions. This
capability is useful for setting up multiple proxy servers without having to
code scripts. Just configure user permissions on one proxy server the way you
want them, back up the configuration, and do a partial restore for each of the
other servers.
Packet Filtering
Microsoft refers to Proxy Server 2.0 as a firewall primarily because of its
new packet-filtering capability. This feature lets an administrator reject
specific packet types at the IP level before they reach any of the higher-layer
services (Web, WinSock, or SOCKS). Enabling packet filtering causes Proxy Server
to drop all packets sent to the external interface, except for those that match
a default list of predefined packet filters. Note that you create a filter for
the packet types you want the proxy server to accept. Screen 2 shows the
Packet Filters tab.
By default, selecting packet filtering also enables dynamic packet
filtering. This feature is an intelligent component that enables and disables
filters based on the current state of a protocol sequence. For example, a Telnet
client can request the proxy server to open a connection to a server on the
Internet. The proxy chooses a source port, say 1500, creates a filter allowing
Telnet traffic to and from port 1500, and then establishes a TCP connection to
the server. When the Telnet session is complete, the proxy disables the filter
and denies further access to port 1500 from the external interface.
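To make the dynamic-filter behavior concrete, here is an added illustration (not Proxy Server code, and not from the original article) of a default-deny external interface whose filter list grows and shrinks with proxied sessions. The Telnet port choice (1500), the sample addresses, and the "default" Web filter are constructed; one assumption beyond the article is that the dynamic filter is narrowed to the remote endpoint of the session rather than to port 1500 alone.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class Filter:
    proto: str
    remote_ip: Optional[str]    # None = any remote host
    remote_port: Optional[int]  # None = any remote port
    local_port: int             # port on the external interface

    def matches(self, pkt: Packet) -> bool:
        return (pkt.proto == self.proto
                and pkt.dst_port == self.local_port
                and (self.remote_ip is None or pkt.src_ip == self.remote_ip)
                and (self.remote_port is None or pkt.src_port == self.remote_port))

class DynamicPacketFilter:
    """Default-deny on the external interface: only packets matching a static
    filter or a filter opened for a live proxied session are admitted."""
    def __init__(self, static_filters):
        self.static = list(static_filters)
        self.sessions = {}   # local source port -> Filter opened for that session

    def open_session(self, proto, local_port, remote_ip, remote_port):
        # The proxy chose local_port for its outbound connection; admit replies.
        self.sessions[local_port] = Filter(proto, remote_ip, remote_port, local_port)

    def close_session(self, local_port):
        # Session over: the filter goes away and the port is closed again.
        self.sessions.pop(local_port, None)

    def inbound_allowed(self, pkt: Packet) -> bool:
        return any(f.matches(pkt) for f in self.static + list(self.sessions.values()))

def demo():
    fw = DynamicPacketFilter([Filter("tcp", None, None, 80)])   # constructed default
    reply = Packet("tcp", "203.0.113.5", 23, "198.51.100.1", 1500)  # Telnet server reply
    before = fw.inbound_allowed(reply)                  # no session yet: dropped
    fw.open_session("tcp", 1500, "203.0.113.5", 23)     # proxy opens the Telnet session
    during = fw.inbound_allowed(reply)                  # reply to port 1500 admitted
    stray = fw.inbound_allowed(Packet("tcp", "203.0.113.9", 23, "198.51.100.1", 1500))
    fw.close_session(1500)                              # session ends, filter removed
    after = fw.inbound_allowed(reply)                   # port 1500 closed again
    return before, during, stray, after
```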
You can disable dynamic filtering and rely on your ability to define the
correct static filters for your needs. However, static filters can be difficult
to code correctly. Thinking that you have adequate protection when you really
don't is not a good security practice. If you must use static filtering, make
sure that you check your configuration by scanning the ports on your external
interface. Use a TCP port scanning tool (e.g., AGNet Tools from the AG Group) to
check that only the ports you intended to expose are visible.
When you enable packet filtering, you also select IP fragment filtering,
which you can use to prevent a FRAG denial-of-service attack.
Fragmentation is a function of the IP protocol that routers perform to
accommodate networks of varying maximum frame sizes. For instance, a router
fragments a 1400-byte datagram received from an Ethernet segment if it is bound
for an X.25 network, which has a maximum frame size of 576 bytes. Receiving
hosts must reassemble these fragments. Sending multiple bogus fragments to a
host will keep it busy tracking lots of fragments that never get reassembled
back into a datagram, eventually causing a severe depletion of resources.