DMZ Components: Proxy Servers - fedvte.usalearning.gov


DMZ Components: Proxy Servers

Table of Contents

Proxy Servers -1 (page 2)

Proxy Servers -2 (page 6)

NAT and PAT (page 8)

Reverse Proxy (page 11)

Notices (page 13)

Page 1 of 13


Proxy Servers -1 (slide 37)

• Establishes connection on behalf of a client
• Shields a client from direct communication with a server
• Isolates internal networks from external networks
  • Masks internal hosts from being viewed externally
• Saves bandwidth by caching web content
• Enforces security policy by restricting sites a client can visit

**037 Let's switch gears here and talk about proxy servers. Now, I talked about proxy servers as doing something on behalf. When we look at the diagram here, what we have is a web server, a proxy server, and some hosts, some clients that are on the outside. Those clients that are on the outside of the web server, not necessarily DMZ or intranet or extranet, those hosts are trying to get to the resource web server. This proxy server establishes the connection to that web server on their behalf. It shields the client from the direct communication with the server. What kind of shielding do they need?


Suppose they don't know that they're going to a bad place. If they're going to a bad place, and they don't know it, the proxy server says, "I won't let that bad stuff come back." Okay, we win at that point. A couple of other things that a proxy server does for us: it isolates our internal network from our external networks. If we say that this proxy server is at the edge of our network, and we define it to be there, then what we're doing is we're saying anything out here, we're stopping the big bad Internet from coming in, depending on the proxy placement, again. Now, it's going to isolate our internal and external. And it's going to also mask our internal hosts in a couple of other ways. I don't know if you know. But when you go into your web browser, and you type into your web browser I want to go to this site, one of the things that's passed in the data that's being sent to that particular site is your web browser type. Do you want the world to know your web browser type? If you're going to an evil place, then it's quite possible that you've now given the adversary some information, some reconnaissance information with which they can attack you. So, we may abstract that information like your browser type in this proxy server and rip that all apart, and then pass it out to the web server and say, "I'm not going to tell you what kind of web browser it is. Just give me the data."


This can also have a really nice effect on our organization in bandwidth conservation. How? Well, it's real simple. Today, let's think in our mind of the websites that we're going to go to. Now, think of the top three to five websites that you're going to go to. And let's pretend all of you out there are on our intranet. If I'm going, as your proxy server, to go out and get things, I can tally up all the times. I'll bet if you think of three websites right now, you probably thought of Yahoo, Google, Bing, maybe something else that everybody goes to. You go to Twitter. You go to one of those locations. I'll bet more than one person goes there. So, if three to five people go to that website, that particular website, what I can do is I can combine all those requests together using caching. Oh, I know you wanted to go find out this news. I went out and got that news. I'll store a set of it here. The next person that comes along after you benefits from your going there first. And you say you want the news, here, don't have to go out there and do it anymore. So, we conserve bandwidth by caching content locally. Then, from a security standpoint, the proxy server also enforces our security policy by defining the sites that we can and cannot go to. We can load up inside of our server that these are the only places you're allowed to go. We can literally do a whitelist that says that department right there can go to, let's say that they're the postal department. They're in the post room. What sites should they be going to if they're in the postal room? Can you think? I think it would at least be DHL, FedEx, and USPS, right? Should you be able to go to something else? Well, no. We've restricted your content to what is appropriate for your work activity. And if you want something else, you're going to have to ask me. And I'm going to have to load it up into the proxy server for you. This department over here is a marketing department. And they have to look at what our competitors are doing, so we give them a list of all the competitors. And we program that into the proxy server and allow them to go. But if you want to surf the Internet sites to do your shopping or look at sports, sorry, we're not going to allow you to do that. I actually work with a relatively large bank that you may have heard of. I won't say what their name is. But they're out there on the Internet. And when they came to classes of mine, they literally had to whitelist my site. I was like, "But this is a site that everybody knows." And they go, "We don't care. We don't have it in our list." And they had to get approval for their employees to go to an Internet site that many of you know. So, we can enforce a security policy, but then the security policy has to be very granular. And that's the big trick there.
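The three controls the narration just walked through (stripping identifying client headers before the request leaves, a per-department allowlist that denies everything else, and a local cache so repeat requests never go out) combined in a small forward-proxy policy engine. This is an added illustration written for this transcript, not code from the FedVTE course; the department names, domains, URLs and header set in it are constructed.

```python
from urllib.parse import urlsplit

# Constructed per-department allowlist (hypothetical). The postal entries follow
# the carriers the lecture names; the marketing entries are made up.
ALLOWLIST = {
    "postal": {"dhl.com", "fedex.com", "usps.com"},
    "marketing": {"competitor-a.example", "competitor-b.example"},
}
# Request headers that reveal details about the client; dropped before forwarding
STRIP_HEADERS = {"user-agent", "x-forwarded-for", "via"}

def host_of(url):
    """Normalised hostname of a URL (lowercase, trailing dot removed)."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def host_allowed(department, host):
    """Default deny: an unknown department gets nothing, and a host passes only
    as an exact match or a subdomain (suffix match anchored at a dot)."""
    allowed = ALLOWLIST.get(department, set())
    return any(host == d or host.endswith("." + d) for d in allowed)

class ForwardProxy:
    def __init__(self):
        self.cache = {}            # url -> body fetched on an earlier request
        self.upstream_calls = []   # (url, headers) that actually left the proxy

    def fetch_upstream(self, url, headers):
        # Stand-in for the real outbound HTTP request; records what would be sent.
        self.upstream_calls.append((url, headers))
        return "<constructed body of %s>" % url

    def handle(self, department, url, headers):
        """Return (decision, body): policy check first, then cache, then upstream."""
        host = host_of(url)
        if not host_allowed(department, host):
            return ("denied", None)
        # Mask the client: identifying headers never leave the proxy
        clean = {k: v for k, v in headers.items() if k.lower() not in STRIP_HEADERS}
        if url in self.cache:
            return ("cache-hit", self.cache[url])
        body = self.fetch_upstream(url, clean)
        self.cache[url] = body
        return ("fetched", body)

def demo():
    proxy = ForwardProxy()
    hdrs = {"User-Agent": "ExampleBrowser/1.0", "Accept": "text/html"}
    first = proxy.handle("postal", "https://tools.usps.com/track", hdrs)
    second = proxy.handle("postal", "https://tools.usps.com/track", hdrs)   # served from cache
    blocked = proxy.handle("postal", "https://sports.example/scores", hdrs)  # not on the list
    lookalike = proxy.handle("postal", "https://usps.com.evil.example/", hdrs)  # suffix check holds
    return proxy, first, second, blocked, lookalike
```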


Proxy Servers -2 (slide 38)

Web and Email Proxies are most common

Web Proxy Server
• Can filter on URL, inspect content, and detect malware
• Can cache pages for improved bandwidth utilization

SMTP / Email Proxy
• Also known as a Mail Relay
• Can filter SPAM, Viruses, etc.
• Can control allowed recipients and senders

**038 A little bit more on proxy servers: web and email proxies are the most common. So, I talked about surfing the Internet here. And this proxy server would stop a lot of malware that's out there. That's the norm, looking for those URLs. But also, SMTP traffic or email traffic, sometimes known as a mail relay, will also filter for us. That mail relay at the edge of our network, what it does is it says that we're going to take this information for you. We're going to process it and look at it here before we send it on to you.


Now, I do that with a service that I've hired out. And you can purchase that service on the Internet that does that for you, that filters all your mail before it gets to you. Mine happens to be relatively effective. But it causes some problems for some people because it's a whitelist service, which means that when you send me an email, you're sending it through my mail proxy server. And my mail proxy server sends a message back to you. And it says you might not be a real person. If you're a real person, click this link to whitelist yourself. Some security professionals and some business people do not like that. They're like, "Well, I'm not going to whitelist myself." Okay, well then you're not going to get your mail through. And I have to go digging through my denied mail and say, "I'll let these people through." Usually, by the way, those people pick up the phone and call me. So, SMTP, or email proxies, will filter spam, viruses, and a lot of other activity by keeping your mail there for a moment, looking at the attachments, looking at the content, inspecting it, and then forwarding it on. Sometimes mail relays are bad. And we'll talk about that in a bit.


NAT and PAT (slide 39)

Network Address Translation (NAT), 1 to 1
• Translates private IP space to public IP space and reverse
• Permits entire networks built with private IP addresses to operate as if they were fully connected to the Internet
• Offers security benefit of “hiding” private IP space from external view

Port Address Translation (PAT), 1 to MANY
• Translates between publicly visible ports and internal ports
• Offers security benefit of “hiding” internal ports from external view

[Diagram: internal host 192.168.1.1, port 8080; external side: any public IP, port 80. NAT: translate public IP to 192.168.1.1. PAT: translate port 80 to port 8080.]

**039 Okay, let's talk about network address translation and port address translation. They go hand in hand. And if you go to look for NAT and PAT today, you really want to look up RFC 1918. And what that RFC says is we are running out of IPv4 address space. So, not everybody on the planet can have their own externally routable IP address. So, what we will do is we will create an abstraction. That abstraction says that, in this case here, we have a whole number of hosts inside. All of these people want to get to the Internet. And we've got ten thousand people, or two hundred people, or ten people. And we can only get one routable IP address on the inside.


So, what we'll do is we'll say okay one person surfing at a time. You're ready to surf? Okay. A one to one correspondence from an internal IP address to an external IP address. You're finished surfing? Okay the next person in the line, the next person. That's not very efficient. So, enter port address translation. What we say is internally we will have many different people surfing many different sites. What we will do is we will make this proxy server sitting right here-- usually it's the proxy server. Sometimes it's the router. Sometimes it's the firewall that does this. We will have this device sitting right here. And what it will do is it will look like it's surfing millions of sites all the time. Those sites don't know about it. They don't care about it. But we're adding all these conversations. And we're having all these conversations. Then I will translate them inside. Now, let's think about this. If it was a one to one correspondence, one person with an IP address, one person with an IP address, then I could map the port and IP address mapping directly from the host to the client. If you look in the diagram here, notice that this client right here is going to a host on the outside. The public IP address is going to be mapped back to the 192.168.1.1 network address. They would send it out, and then it would be mapped on that same IP address.


So, internally when hosts actually surf, what happens is I say I want to go to port 80. The connection in TCP/IP along with the port is going to be destination IP address port 80. My source IP address, some upper level port, let's go ahead and call it sixty thousand for argument's sake. So, sixty thousand, my IP address gets mapped to the proxy server that's sitting out here. And it says sixty thousand-- okay sixty thousand from my IP address going to 80 on your IP address coming back. And I'll map it one to one. That only allows one internal host to communicate to one external host. With port address translation, what we say is there may be two or three clients that are going to, let's say, Google.com for argument's sake. So, they're going to that particular host, same IP address, same port 80. But how are we going to map the conversations back to the individuals on the inside? Well, it's real simple. What we do is we set your IP address, high level port sixty thousand, is mapped to my IP address, high level port sixty thousand. But the next person that's coming through for sixty thousand, I'll say sixty thousand. Well, I've already got a connection for that. So, I'll map this one to sixty thousand and one. So, when the conversation comes back from Google, it's sixty thousand one. Oh, that translates to sixty thousand for that host. Sixty thousand translates to sixty thousand on that host. And then two, three, four, five, six.


So, in that-- in PAT what we do is we abstract IP addressing internally. And we also can abstract port address.
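The port-mapping walk-through above (two inside hosts both using source port 60000 toward the same server on port 80, the second one mapped to 60001, and replies translated back by the public-side port) as a PAT translation table in code. This is an added example, not from the course, using constructed addresses from the IPv4 documentation ranges; it goes one step beyond the narration by dropping inbound packets that match no outbound conversation or arrive from a different peer than the one the inside host talked to.

```python
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.10"   # constructed public address (documentation range)

@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class Pat:
    """Many-to-one translation: every inside host shares one public IP and is
    told apart by the public-side source port the translator assigns."""

    def __init__(self, public_ip, low=60000, high=65535):
        self.public_ip = public_ip
        self.low, self.high = low, high
        self.outbound = {}   # (priv_ip, priv_port, dst_ip, dst_port) -> public port
        self.inbound = {}    # public port -> (priv_ip, priv_port, dst_ip, dst_port)

    def _pick_port(self, wanted):
        # Keep the host's own source port when free (60000 -> 60000); otherwise
        # walk the pool for the next unused port (60000 -> 60001, and so on).
        for port in [wanted, *range(self.low, self.high + 1)]:
            if port not in self.inbound:
                return port
        raise RuntimeError("PAT port pool exhausted")

    def translate_out(self, flow):
        """Inside host -> Internet: rewrite the source to the public IP and a unique port."""
        key = (flow.src_ip, flow.src_port, flow.dst_ip, flow.dst_port)
        if key not in self.outbound:
            port = self._pick_port(flow.src_port)
            self.outbound[key] = port
            self.inbound[port] = key
        return Flow(self.public_ip, self.outbound[key], flow.dst_ip, flow.dst_port)

    def translate_in(self, flow):
        """Internet -> inside host: the public port selects the conversation.
        No matching state, or a different peer than expected, means drop (None)."""
        state = self.inbound.get(flow.dst_port)
        if flow.dst_ip != self.public_ip or state is None:
            return None
        priv_ip, priv_port, peer_ip, peer_port = state
        if (flow.src_ip, flow.src_port) != (peer_ip, peer_port):
            return None
        return Flow(flow.src_ip, flow.src_port, priv_ip, priv_port)

def demo():
    pat = Pat(PUBLIC_IP)
    web = ("198.51.100.7", 80)                                  # constructed web server
    a = pat.translate_out(Flow("192.168.1.10", 60000, *web))   # keeps port 60000
    b = pat.translate_out(Flow("192.168.1.11", 60000, *web))   # collides, gets 60001
    reply_b = pat.translate_in(Flow(*web, PUBLIC_IP, b.src_port))
    stray = pat.translate_in(Flow("198.51.100.9", 443, PUBLIC_IP, 60000))  # wrong peer
    return a, b, reply_b, stray
```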

Reverse Proxy (slide 40)

• Accepts requests from clients on the external network on behalf of the servers in the DMZ
• Traditional proxies mask the clients while a reverse proxy masks the servers.
• Makes it more difficult for attackers to acquire data on servers behind the proxy

**040 Now, we've been talking about proxies here a little lightly here and there. And now we want to talk about how a reverse proxy helps us in the DMZ. So, a reverse proxy sits in front of our web server and filters inappropriate traffic. Traditional proxies, they help end user hosts. They say I will filter your data for you as host. I will filter it through me and let it go out there. And I'll protect you from the malware out there.


Let's flip this around. This web server right here, those are attackers. Those are evildoers out there. And they're trying to get to that web server right there. When I see this is evil, I look at it and go this is from somebody who's trying to perpetrate evil. I'm not going to pass it back to my server and let it get attacked. This is good traffic? Okay, I'll pass it through to the server. So, now what we've done is we've aggregated all of those outside communications, the evil and the good. And now we can filter all the bad and throw it away if we've got the correct signature, if we know what the malware looks like, and then allow the appropriate traffic through. A reverse proxy is protecting a server. A forward proxy, which we just call proxy, is protecting hosts, or end users' workstations.


Notices

© 2014 Carnegie Mellon University

This material is distributed by the Software Engineering Institute (SEI) only to course attendees for their own individual study.

Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at [email protected].

This material was created in the performance of Federal Government Contract Number FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The U.S. government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide.

Although the rights granted by contract do not require course attendance to use this material for U.S. government purposes, the SEI recommends attendance to ensure proper understanding.

THE MATERIAL IS PROVIDED ON AN “AS IS” BASIS, AND CARNEGIE MELLON DISCLAIMS ANY AND ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF THE MATERIAL, MERCHANTABILITY, AND/OR NON-INFRINGEMENT).

CERT ® is a registered mark owned by Carnegie Mellon University.
