DMZ Components: Proxy Servers

Table of Contents

  • Proxy Servers -1
  • Proxy Servers -2
  • NAT and PAT
  • Reverse Proxy
  • Notices

Proxy Servers -1

  • Establishes a connection on behalf of a client
  • Shields a client from direct communication with a server
  • Isolates internal networks from external networks
    • Masks internal hosts from being viewed externally
  • Saves bandwidth by caching web content
  • Enforces security policy by restricting the sites a client can visit

Slide 37

Let's switch gears here and talk about proxy servers. Now, I talked about proxy servers as doing something on behalf. When we look at the diagram here, what we have is a web server, a proxy server, and some hosts, some clients that are on the outside. Those clients that are on the outside of the web server, not necessarily DMZ or intranet or extranet, those hosts are trying to get to the resource web server. This proxy server establishes the connection to that web server on their behalf. It shields the client from the direct communication with the server. What kind of shielding do they need? Suppose they don't know that they're going to a bad place. If they're going to a bad place, and they don't know it, the proxy server says, "I won't let that bad stuff come back." Okay, we win at that point.

A couple of other things that a proxy server does for us: it isolates our internal network from our external networks. If we say that this proxy server is at the edge of our network, and we define it to be there, then what we're doing is we're saying anything out here, we're stopping the big bad Internet from coming in, depending on the proxy placement, again. Now, it's going to isolate our internal and external. And it's going to also mask our internal host in a couple of other ways. I don't know if you know. But when you go into your web browser, and you type into your web browser I want to go to this site, one of the things that's passed in the data that's being sent to that particular site is your web browser type. Do you want the world to know your web browser type? If you're going to an evil place, then it's quite possible that you've now given the adversary some information, some reconnaissance information under which they can attack you with. So, we may abstract that information like your browser type in this proxy server and rip that all apart, and then pass it out to the web server and say, "I'm not going to tell you what kind of web browser it is. Just give me the data."

This can also have a really nice effect on our organization in bandwidth conservation. How? Well, it's real simple. Today, let's think in our mind of the websites that we're going to go to. Now, think of the top three to five websites that you're going to go to. And let's pretend all of you out there are on our intranet. If I'm going, as your proxy server, to go out and get things, I can tally up all the times. I'll bet if you think of three websites right now, you probably thought of Yahoo, Google, Bing, maybe something else that everybody goes to. You go to Twitter. You go to one of those locations. I'll bet more than one person goes there.

So, if three to five people go to that website, that particular website, what I can do is I can combine all those requests together using caching. Oh, I know you wanted to go find out this news. I went out and got that news. I'll store a set of it here. The next person that comes along after you benefits from your going there first. And you say you want the news, here, don't have to go out there and do it anymore. So, we conserve bandwidth by caching content locally. Then, from a security standpoint, the proxy server also enforces our security policy by defining the sites that we can and cannot go to. We can load up inside of our server that these are the only places you're allowed to go. We can literally do a whitelist that says that department right there can go to, let's say that they're the postal department. They're in the post room. What sites should they be going to if they're in the postal room? Can you think? I think it would at least be DHL, FedEx, and USPS, right? Should you be able to go to something else? Well, no. We've restricted your content to what is appropriate for your work activity. And if you want something else, you're going to have to ask me. And I'm going to have to load it up into the proxy server for you. This department over here is a marketing department. And they have to look at what our competitors are doing, so we give them a list of all the competitors. And we program that into the proxy server and allow them to go. But if you want to surf the Internet sites to do your shopping or look at sports, sorry, we're not going to allow you to do that. I actually work with a relatively large bank that you may have heard of. I won't say what their name is. But they're out there on the Internet. And when they came to classes of mine, they literally had to whitelist my site. I was like, "But this is a site that everybody knows." And they go, "We don't care. We don't have it in our list."

And they had to get approval for their employees to go to an Internet site that many of you know. So, we can enforce a security policy, but then the security policy has to be very granular. And that's the big trick there.

Proxy Servers -2

Web and Email Proxies are most common

  • Web Proxy Server
    • Can filter on URL, inspect content, and detect malware
    • Can cache pages for improved bandwidth utilization
  • SMTP / Email Proxy
    • Also known as a Mail Relay
    • Can filter SPAM, Viruses, etc.
    • Can control allowed recipients and senders

Slide 38

A little bit more on proxy servers: web and email proxies are the most common. So, I talked about surfing the Internet here. And this proxy server would stop a lot of malware that's out there. That's the norm, looking for those URLs. But also, SMTP traffic or email traffic, sometimes known as a mail relay, will also filter for us. That mail relay at the edge of our network, what it does is it says that we're going to take this information for you. We're going to process it and look at it here before we send it on to you.

Now, I do that with a service that I've hired out. And you can purchase that service on the Internet that does that for you, that filters all your mail before it gets to you. Mine happens to be relatively effective. But it causes some problems for some people because it's a whitelist service, which means that when you send me an email, you're sending it through my mail proxy server. And my mail proxy server sends a message back to you. And it says you might not be a real person. If you're a real person, click this link to whitelist yourself. Some security professionals and some business people do not like that. They're like, "Well, I'm not going to whitelist myself." Okay, well then you're not going to get your mail through. And I have to go digging through my denied mail and say, "I'll let these people through." Usually, by the way, those people pick up the phone and call me.

So, SMTP, or email proxies, will filter spam, viruses, and a lot of other activity by keeping your mail there for a moment, looking at the attachments, looking at the content, inspecting it, and then forwarding it on. Sometimes mail relays are bad. And we'll talk about that in a bit.

NAT and PAT

  • Network Address Translation (NAT), 1 to 1
    • Translates private IP space to public IP space and reverse
    • Permits entire networks built with private IP addresses to operate as if they were fully connected to the Internet
    • Offers security benefit of "hiding" private IP space from external view
  • Port Address Translation (PAT), 1 to MANY
    • Translates between publicly visible ports and internal ports
    • Offers security benefit of "hiding" internal ports from external view

[Diagram: traffic from any public IP arriving on port 80; NAT translates the public IP to 192.168.1.1; PAT translates port 80 to port 8080]

Slide 39

Okay, let's talk about network address translation and port address translation. They go hand in hand. And if you go to look for NAT and PAT today, you really want to look up RFC 1918. And what that RFC says is we are running out of IPv4 address space.
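The per-department allowlist described under Proxy Servers -1 (the mail room limited to the carriers, marketing limited to competitors) and the stripping of the browser type before a request leaves the network, shown as an added Python example. This is not code from the lecture or from any proxy product; the department names, the hostnames in the policy and the list of headers to strip are constructed assumptions. The check deliberately parses the URL rather than string-matching it, so a host such as www.dhl.com.evil.example or www.dhl.com@evil.example is denied, and an unknown department gets no sites at all (default deny, which is the "granular" part the lecture warns about).

```python
from urllib.parse import urlsplit

# Constructed policy (assumption, not from the lecture): each department may
# reach only the hostnames listed here; a listed name also covers its subdomains.
# Any department without an entry, and any host not listed, is denied.
ALLOWLIST = {
    "mailroom": {"www.dhl.com", "www.fedex.com", "www.usps.com"},
    "marketing": {"competitor-a.example", "competitor-b.example"},
}

# Client-identifying request headers the proxy drops before forwarding, so the
# remote site learns about the proxy rather than the client (assumption).
STRIP_HEADERS = {"user-agent", "referer", "from"}


def _host_matches(host, allowed):
    """Exact match or a subdomain of an allowed name; never a plain suffix
    match, so www.dhl.com.evil.example does not match www.dhl.com."""
    return host == allowed or host.endswith("." + allowed)


def decide_request(department, url, headers=None):
    """Proxy policy decision for one outbound request.

    Returns (allowed, reason, forwarded_headers). The host comes from the
    parsed URL, not the raw string, so userinfo tricks such as
    https://www.dhl.com@evil.example/ resolve to evil.example and are denied.
    """
    headers = headers or {}
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme %r not permitted" % parts.scheme, {}
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False, "no host in URL", {}
    try:
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return False, "malformed port", {}
    if port not in (None, 80, 443):
        return False, "port %d not permitted" % port, {}
    allowed = ALLOWLIST.get(department, set())   # unknown department: default deny
    if not any(_host_matches(host, name) for name in allowed):
        return False, "%s is not on the %s allowlist" % (host, department), {}
    forwarded = {k: v for k, v in headers.items() if k.lower() not in STRIP_HEADERS}
    return True, "allowed", forwarded


if __name__ == "__main__":
    # Constructed sample requests from the mail room.
    for url in ("https://www.fedex.com/track",
                "https://sports.example/",
                "https://www.dhl.com@evil.example/"):
        ok, why, _ = decide_request("mailroom", url, {"User-Agent": "Mozilla/5.0"})
        print("ALLOW" if ok else "DENY ", url, "-", why)
```

A real deployment would also pin the port list per site and log every denial with the department and the parsed host, since the denial log is where the "please whitelist this site" requests the lecture mentions come from.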
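The two translations drawn on the NAT and PAT slide (a 1-to-1 NAT of a public address to 192.168.1.1, and a port translation from 80 to 8080), plus the 1-to-many outbound case in which every inside host shares one public address, shown as an added Python example written for this page. It is not the lecture's code; the public addresses (taken from the TEST-NET documentation ranges), the ephemeral port pool and the simplified full-cone reply matching are assumptions. The point worth seeing in code is the "hiding" benefit on the slide: an inbound packet that matches neither a static mapping, a port forward nor a state entry created by outbound traffic is dropped, so the private address space is never reachable by guessing.

```python
import ipaddress
from dataclasses import dataclass, replace

# RFC 1918 private ranges; only these may sit behind the translator.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class EdgeTranslator:
    """Simplified NAT/PAT at the network edge (constructed example).

    Three behaviours from the slide:
      * static 1-to-1 NAT: one public address <-> one private address, ports untouched
      * inbound PAT (port forward): public port -> private host and port, e.g. 80 -> 8080
      * outbound many-to-one PAT: every private host shares self.public_ip and is
        told apart by a port taken from a pool; replies are matched on that port
        alone (full-cone style, an assumption that keeps the example short)
    """

    def __init__(self, public_ip, port_pool=(49152, 65535)):
        self.public_ip = public_ip
        self.static = {}            # public ip -> private ip
        self.static_rev = {}        # private ip -> public ip
        self.forwards = {}          # public port -> (private ip, private port)
        self.outbound = {}          # (private ip, private port) -> public port
        self.inbound = {}           # public port -> (private ip, private port)
        self.next_port, self.last_port = port_pool

    def add_static_nat(self, public_ip, private_ip):
        if not is_rfc1918(private_ip):
            raise ValueError("inside address must be RFC 1918: %s" % private_ip)
        self.static[public_ip] = private_ip
        self.static_rev[private_ip] = public_ip

    def add_port_forward(self, public_port, private_ip, private_port):
        if not is_rfc1918(private_ip):
            raise ValueError("inside address must be RFC 1918: %s" % private_ip)
        self.forwards[public_port] = (private_ip, private_port)

    def translate_outbound(self, pkt):
        """Rewrite the source of a packet leaving the private network."""
        if not is_rfc1918(pkt.src_ip):
            raise ValueError("refusing to translate non-private source %s" % pkt.src_ip)
        if pkt.src_ip in self.static_rev:                     # 1-to-1 NAT
            return replace(pkt, src_ip=self.static_rev[pkt.src_ip])
        key = (pkt.src_ip, pkt.src_port)                      # many-to-one PAT
        if key not in self.outbound:
            if self.next_port > self.last_port:
                raise RuntimeError("PAT port pool exhausted")
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[port] = key
        return replace(pkt, src_ip=self.public_ip, src_port=self.outbound[key])

    def translate_inbound(self, pkt):
        """Rewrite the destination of a packet arriving from outside.

        Returns the translated packet, or None when nothing maps to it: an
        unsolicited packet to an unused public port is dropped, which is the
        'hiding' benefit the slide mentions.
        """
        if pkt.dst_ip in self.static:                         # 1-to-1 NAT
            return replace(pkt, dst_ip=self.static[pkt.dst_ip])
        if pkt.dst_ip != self.public_ip:
            return None
        mapping = self.forwards.get(pkt.dst_port) or self.inbound.get(pkt.dst_port)
        if mapping is None:
            return None
        private_ip, private_port = mapping
        return replace(pkt, dst_ip=private_ip, dst_port=private_port)


if __name__ == "__main__":
    # Constructed addresses from documentation ranges (TEST-NET), not real hosts.
    edge = EdgeTranslator("203.0.113.10")
    edge.add_static_nat("203.0.113.11", "192.168.1.1")       # NAT row on the slide
    edge.add_port_forward(80, "192.168.1.20", 8080)          # PAT row on the slide
    out = edge.translate_outbound(Packet("192.168.1.50", 40000, "198.51.100.5", 443))
    print("outbound:", out)
    print("reply:   ", edge.translate_inbound(Packet("198.51.100.5", 443, "203.0.113.10", out.src_port)))
    print("probe:   ", edge.translate_inbound(Packet("198.51.100.5", 443, "203.0.113.10", 50000)))
```

Note the caveat the slide's "hiding" language invites: the static 1-to-1 mapping and the port forward deliberately punch holes through that hiding, so the host behind 192.168.1.1 and the service on port 8080 are as exposed as if they had public addresses, and need the same hardening.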
