Fundamentals of Proxying
Proxy Server Fundamentals
Proxy simply means acting on someone else's behalf.
A Proxy acts on behalf of the client or user to provide access to a network
service, and it shields each side from a direct peer-to-peer connection.
The Proxy server is both a server and a client. It is a server to the client
and a client to the destination server.
A fundamental design choice for a proxy is its mode of operation: transparent or
non-transparent.
Transparent and Non Transparent Mode
Non Transparent Mode and its Problem
In non-transparent mode, the proxy requires clients to be aware of it. The
client's software must include specific code to use a proxy properly, and the
client must be configured to send its requests to the proxy.
Client software that is not proxy-aware cannot communicate through the proxy.
Two approaches were used to overcome this software burden.
1. SOCKS
2. Transparent Proxy
SOCKS & Transparent Mode
Fundamentals of SOCKS & Transparent Mode
SOCKS and transparent proxies intercept connection requests by masquerading,
on the fly, as the destination server requested by the client.
The transparent proxy then goes on to make the request to the
destination server for the client.
Using this method, the client is fooled into thinking that it is
communicating directly with the server, while the proxy is actually
handling the communications.
Working of Transparent Proxy
1. The client requests an Internet service, such as HTTP, FTP, or Telnet.
2. The client computer starts by attempting to set up a session between
the client and the server. Assuming the Internet service being requested
is TCP based, this begins with the client sending out a SYN packet
sourced from the client's IP address and destined to the server's IP
address.
3. The proxy firewall intercepts the connection request and, if allowed by policy,
replies with a SYN-ACK packet sourced from the destination server's IP address.
It is important to mention that this does require the proxy to be on the network
path between the client and the server.
4. Upon receipt of the proxy's SYN-ACK packet, the client finishes the three-way
handshake by sending out the final ACK packet, again destined to the server's IP
address. At this point, the client thinks it has a valid TCP connection to the
external server. In reality, it only has a connection to the proxy.
5. The proxy is now responsible for establishing a connection to the external
server. It accomplishes this by sending out a SYN packet sourced from its own
IP address and destined to the external server. Upon receipt of the server's
SYN-ACK packet, it replies with an ACK packet to establish the connection to
the external server. At this point, the proxy has two valid TCP connections for
the session: one between itself and the client, and the other between itself
and the server.
6. Requests received over the client-proxy connection will be analyzed for
correctness and policy compliance. If they are acceptable, the proxy will make
a corresponding request using its proxy-server connection. Replies received
over the proxy-server connection will also be analyzed for correctness and
policy compliance and then, if acceptable, forwarded to the client over the
proxy-client connection. This will continue until either side of the
conversation terminates the connection.
Proxy Firewall & Concept of Agent
Proxy firewalls are often implemented as dual-homed bastion hosts running a set of
proxy agents.
Each agent supports one or more Internet protocols. The degree to which each
agent understands the protocols it proxies determines how effective the agent can
be in managing the connection.
A generic agent that supports standard TCP protocols will likely only be able to
restrict connections based on the TCP and IP headers (for example, IP address, port,
TCP state).
This functionality is similar to packet filter firewalls. However, if the protocol to be
proxied is not standard, or if additional security functionality is desired, more
sophisticated agents are required.
Role of Agent in Case of FTP
File Transfer Protocol (FTP) does not act like a standard TCP protocol.
Instead, FTP uses two different TCP connections to enable file transfer.
One (the command channel) is used to send instructions to the FTP server;
the other (the data channel) is used to transfer files.
This makes it impossible to support FTP with a generic proxy: unless the
proxy agent is aware that this second TCP connection is needed, it will not
accept the second connection, blocking the FTP protocol from transferring
files.
An agent specifically programmed to support FTP would be able to
monitor the individual FTP commands being issued over the command
channel. It would be able to watch for the command used to transfer a file
and then begin listening for the TCP connection used to transfer the file. In
addition, by being protocol aware, the agent has the ability to watch the
FTP commands to detect suspicious activity.
FTP was created during the early days of the Internet, when security was
not something the designers emphasized. The FTP protocol contains
several well-known security flaws that have been repeatedly exploited.
One classic flaw is related to how the data channel is set up between a
client and a server.
When the client wants to request a file from the server, one option it has
is to send a PORT command. PORT is used to configure the server to
establish a TCP connection initiated from the server to the client. The
format for the PORT command is as follows:
PORT h1, h2, h3, h4, p1, p2
The values h1 through h4 form an IP address (h1.h2.h3.h4). p1 and p2 are
used to specify the destination port using the following formula:
256 * p1 + p2
For example, if the client is at IP address 192.168.5.12, it might issue the
command
PORT 192, 168, 5, 12, 4, 1
which would tell the server to transfer requested files to IP address
192.168.5.12 using TCP port 1025. To actually cause the connection to be
established, the client uses the RETR command to request a file. At this point, the
server will initiate the TCP session to the client on TCP port 1025 and
transfer the file across the resulting connection.
Problem with PORT Command
Consider the network scenario shown in the next figure.
The network is composed of a screened subnet that contains a web server and
an FTP server.
To allow customers to upload files to the company, the FTP server is set up
to allow anonymous connections. The web server is running a Telnet
service to allow administrators to access the system from the internal
network.
Unfortunately, the Telnet service is susceptible to an invalid input attack
that would allow anyone who connects to the service access to the
computer without authentication.
The stateful inspection firewall is blocking all inbound network
connections from the Internet except packets destined to TCP port 80 on
the web server and TCP port 21 on the FTP server.
This would prevent attackers from establishing a connection to the Telnet
service running at TCP port 23 on the web server.
On the surface it seems that even with the vulnerable Telnet service, the
firewall has effectively kept the network secure. This is just an illusion,
though, as the FTP server can be leveraged to reach the web server.
The following steps would allow the attacker to bypass the firewall and
attack the vulnerable web server:
1. Use a normal FTP connection to upload a file to the anonymous FTP
server. This file needs to contain the exploit commands necessary to
attack the web server.
2. Using the established FTP command channel, send the command PORT
192,168,5,7,0,23. This will tell the FTP server that the next file request
should be sent to the web server using port 23 (for example, Telnet).
3. Again using the FTP command channel, send the RETR command specifying
the name of the file transferred during step 1. This will cause the FTP server
to initiate a TCP connection to the web server on port 23, then transfer the
contents of the file over that connection.
Assuming the file contains the commands or data necessary to exploit the
web server's Telnet service, the attacker will have successfully bypassed the
firewall, gaining control of the web server.
FTP Proxy Agent as Solution
A sufficiently sophisticated FTP proxy agent would have had little difficulty
blocking this attack at step 2.
When the agent receives the PORT command from the client, it could
compare the parameters of the command to see if the IP address matches
the IP address of the client. If it does not, the connection could be
terminated and an alert generated.
This is one example of how protocol-aware proxy agents can prevent
vulnerabilities that would be difficult or impossible to eliminate using
packet-filtering techniques.
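The PORT decoding described earlier (address h1.h2.h3.h4, port 256 * p1 + p2) together with the agent's check from this section, as an added Python example that is not part of the original slides. `parse_port_command`, `port_command_for` and `check_port_command` are names chosen here; the address comparison against the command-channel client is the check the slides describe, and the rejection of privileged destination ports is an extra check added as an assumption. Run on the slides' own values, it allows `PORT 192, 168, 5, 12, 4, 1` from the client at 192.168.5.12 and denies `PORT 192,168,5,7,0,23` from the same client.

```python
import re
from dataclasses import dataclass

# Grammar of the PORT argument from the slides: h1,h2,h3,h4,p1,p2. Whitespace
# after the commas is tolerated, as in "PORT 192, 168, 5, 12, 4, 1".
_PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3})\s*,\s*(\d{1,3})\s*,\s*(\d{1,3})\s*,\s*(\d{1,3})"
    r"\s*,\s*(\d{1,3})\s*,\s*(\d{1,3})\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class DataChannelTarget:
    ip: str
    port: int


def parse_port_command(line: str) -> DataChannelTarget:
    """Decode PORT h1,h2,h3,h4,p1,p2 into the address the server would connect to."""
    match = _PORT_RE.match(line.strip())
    if match is None:
        raise ValueError("not a well-formed PORT command")
    fields = [int(x) for x in match.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("PORT fields must be in 0..255")
    h1, h2, h3, h4, p1, p2 = fields
    return DataChannelTarget(f"{h1}.{h2}.{h3}.{h4}", 256 * p1 + p2)


def port_command_for(ip: str, port: int) -> str:
    """Inverse of parse_port_command: the command a client sends to receive on ip:port."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range")
    return f"PORT {ip.replace('.', ',')},{port // 256},{port % 256}"


def check_port_command(line: str, client_ip: str, min_port: int = 1024) -> tuple:
    """Decide whether the proxy agent relays this PORT command.

    Returns ("allow", reason) or ("deny", reason). The address comparison is
    the check the slides describe; the min_port test is an assumption added
    here, refusing data channels aimed at privileged ports such as 23/tcp.
    """
    try:
        target = parse_port_command(line)
    except ValueError as exc:
        return "deny", f"malformed PORT command: {exc}"
    if target.ip != client_ip:
        return "deny", (f"PORT address {target.ip} does not match "
                        f"command-channel client {client_ip}")
    if target.port < min_port:
        return "deny", f"PORT requests privileged port {target.port}"
    return "allow", f"data channel to {target.ip}:{target.port}"


if __name__ == "__main__":
    client = "192.168.5.12"  # the client address used in the slides' example
    for cmd in ("PORT 192, 168, 5, 12, 4, 1",
                "PORT 192,168,5,7,0,23",
                "PORT 1,2,3,4,300,1"):
        decision, why = check_port_command(cmd, client)
        print(f"{cmd!r:32} -> {decision}: {why}")
```

A "deny" result is where the agent would terminate the command channel and raise the alert the slides mention; logging the reason string alongside the client address gives the operator the evidence needed to tell a misconfigured client from a bounce attempt.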
Proxy Agent for Different Protocols
Modern proxy firewalls provide proxy agents for a large set of Internet
protocols, such as HTTP, FTP, SMTP, DNS, and ICMP.
When selecting a proxy firewall, though, you should look carefully at the
set of protocols your network will need to pass through the proxy. If a
critical protocol is missing from the product you are considering, you may
be able to fall back to a generic proxy and live with the reduction in security
enforcement. If the protocol you are trying to support is nonstandard
(such as FTP), you may need to choose between the protocol and the
firewall.