ms2-proxyserver.txt

Understanding Microsoft Proxy Server 2.0
By NeonSurge
Rhino9 Publications

Preface-

This document was not written for people who have been working with Microsoft
Proxy Server since its beta (Catapult) days. It is written for individuals who
are curious about the product and for security professionals who want to know
what Microsoft Proxy Server has to offer. It is also written for individuals
who have a general idea of what a proxy server does but want to know more.
This paper discusses Proxy Server features and architecture, access control,
encryption, and firewall strategies (which I have been getting a lot of
requests for).

The second part of the document covers firewall types and strategies, so if
that is the reason you downloaded it, go straight to page 8, I believe.

What is Microsoft Proxy Server?

Microsoft Proxy Server is a "firewall" and cache server. It provides
additional Internet security and can improve network response issues
depending on its configuration. The reason I put the word firewall in quotes
is because Proxy Server should not be considered as a stand-alone solution
to a firewall need. When you are done reading this document, you will have
an advanced understanding of the Proxy Server product and also understand
firewall techniques and topologies.

Proxy Server can be used as an inexpensive means to connect an entire
business through only one valid IP address. It can also be used to allow
more secure inbound connections to your internal network from the Internet.
By using Proxy Server, you are able to better secure your network against
intrusion. It can be configured to allow your entire internal private
network to access resources on the Internet, at the same time blocking any
inbound access.

Proxy Server can also be used to enhance the performance of your network by
using advanced caching techniques. It can be configured to save local
copies of items requested from the Internet. The next time that item is
requested, it can be retrieved from the cache without having to connect to
the original source. This can save an enormous amount of time and network
bandwidth.

Unlike Proxy Server 1.0, Proxy Server 2.0 includes packet filtering and many
other features that we will be discussing.

Proxy Server provides its functionality through three services:

* Web Proxy: The web proxy service supports HTTP, FTP, and Gopher for TCP/IP
Clients.

* WinSock Proxy: The Winsock proxy supports Windows Sockets client
applications. It provides support for clients running either TCP/IP or
IPX/SPX. This allows for networks that may be running more of a Novell
environment to still take advantage of Proxy Server.

* SOCKS Proxy: The SOCKS Proxy is a cross-platform service that allows for
secure communication in a client/server capacity. This service supports
SOCKS version 4.3a and allows users access to the Internet by means of Proxy
Server. SOCKS extends the functionality provided by the WinSock service to
non-Windows platforms such as Unix or Macintosh.

Proxy Server's Security Features

In conjunction with other products, Proxy Server can provide firewall level
security to prevent access to your internal network.

* Single Contact Point: A Proxy Server will have two network interfaces. One
of these network interfaces will be connected to the external (or
"untrusted") network, the other interface will be connected to your internal
(or "trusted") network. This will better secure your LAN from potential
intruders.

* Protection of internal IP infrastructure: When IP forwarding is disabled
on the Proxy Server, the only IP address that will be visible to the
external environment will be the IP address of the Proxy Server. This helps
in preventing intruders from finding other potential targets on your
network.

* Packet Layer Filtering: Proxy Server adds dynamic packet filtering to its
list of features. With this feature, you can block or enable reception of
certain packet types. This enables you to have a tremendous amount of
control over your network security.

Beneficial Features of Proxy

* IIS and NT Integration: Proxy Server integrates with Windows NT and
Internet Information Server tighter than any other package available on the
market. Proxy Server actually uses the same administrative interface used by
Internet Information Server.

* Bandwidth Utilization: Proxy Server allows all clients in your network to
share the same link to the external network. In conjunction with Internet
Information Server, you can set aside a certain portion of your bandwidth
for use by your webserver services.

* Caching Mechanisms: Proxy Server supports both active and passive caching.
These concepts will be explained in better detail further into the document.

* Support for Web Publishing: Proxy Server uses a process known as reverse
proxy to provide security while simultaneously allowing your company to
publish on the Internet. Using another method known as reverse hosting, you
can also support virtual servers through Proxy.

Hardware and Software Requirements

Microsoft suggests the following minimum hardware requirements.

* Intel 486 or higher. RISC is also supported.
* 24 MB RAM for Intel, 32 MB RAM for RISC.
* 10 MB disk space for installation, plus 100 MB + 0.5 MB per client for
cache space.
* Two network interfaces (adapters, dial-up, etc.)

The following are the suggested minimum software requirements.

* Windows NT server 4.0
* Internet Information Server 2.0
* Service Pack 3
* TCP/IP

It is highly recommended that it be installed on an NTFS partition. If an
NTFS partition is not used, not only are you losing NTFS's advanced security
features, but also the caching mechanisms of Proxy Server will not work.

It is also recommended that your two network interfaces be configured prior
to installation: one interface configured for the external network, and one
configured for the internal network. (Note: when configuring your TCP/IP
settings, DO NOT configure a default gateway entry for your internal network
interface.)

* Be sure that "Enable IP Forwarding" is not checked in your TCP/IP settings. This could seriously compromise your internal security.

What is the LAT?

This is probably one of the most common questions I am asked as a security
professional. The LAT, or Local Address Table, is a series of IP address
pairs that define your internal network. Each pair defines either a range of
IP addresses or a single address.

The LAT is generated upon installation of Proxy Server and defines the
internal IP addresses. Proxy Server uses the Windows NT routing table to
auto-generate the LAT, so the auto-generated LAT may well contain errors.
You should always manually comb through the LAT and check for them. It is
not uncommon to find external IP addresses in the LAT, or to find that
entire subnets of your internal IP addresses do not appear in it. It is
generally a good idea to have all of your internal IP addresses in the LAT.

* NO EXTERNAL IP ADDRESSES SHOULD APPEAR IN YOUR LAT.

Upon installing the Proxy Server client software, it adds a file named
msplat.txt into the \Mspclnt directory. The msplat.txt file contains the
LAT. This file is regularly updated from the server to ensure that the LAT
the client is using is current.

What is the LAT used for?

Every time a client attempts to use a Winsock application to establish a
connection, the LAT is referenced to determine whether the IP address the
client is attempting to reach is internal or external. If the IP address is
internal, Proxy Server is bypassed and the connection is made directly. If
the IP address the client is attempting to connect to DOES NOT appear in the
LAT, the address is judged to be remote and the connection is made through
Proxy Server. Knowing this, someone on your internal network could easily
edit his or her LAT to bypass Proxy Server.

Some Administrators may not see this as a problem because the LAT is
regularly updated from the server, so any changes the user made to his or
her LAT will be overwritten. However, if the user saves their LAT with the
filename Locallat.txt, the client machine will reference both the msplat.txt
and the locallat.txt to determine if an IP address is local or remote. So,
by using the locallat.txt method, a user can, in theory, permanently bypass
Proxy Server. The locallat.txt file is never overwritten unless the user
does so manually.

What changes are made when Proxy Server is installed?

Server side changes:

* The Web Proxy, Winsock Proxy, and SOCKS Proxy services are installed and
management items are added into the Internet Service Manager.

* An HTML version of the documentation is added into the
%systemroot%\help\proxy\ directory.

* A cache area is created on an NTFS volume.

* The LAT table is constructed.

* Proxy Server Performance Monitor counters are added.

* Client installation and config files are added to the Msp\Clients folder.
This folder is shared as Mspclnt and by default has the permissions set to
Read for Everyone.

Client side changes:
* The LAT (msplat.txt) file is copied to the client's local hard drive.

* A WSP Client icon is added to control panel on Win3.X, Win95 and WinNT
clients.

* A Microsoft Proxy Client Program Group is added

* The winsock.dll file is replaced with the Remote WinSock for Proxy. The old
winsock file is renamed winsock.dlx.

* Mspclnt.ini file is copied to the client machine.

Proxy Server Architecture

To understand the architecture of Microsoft Proxy Server, you must first
have a basic grasp of how Proxy works for outbound client requests. Here is
a simple example:

Joe opens his browser to visit his favorite news site on the net. He types
in the sites IP address which he has memorized because...