Systems administrators who have additional duties, such as implementing the company network security policy, have a tough road these days. Smaller companies that are directly connected to the Internet face the problem of providing the same level of security that larger companies have had for years, but without large company resources. Small companies probably can't fork over thousands of dollars for a firewall and tens of thousands more dollars for an intrusion-detection system.
Larger companies have a slightly different problem: They need to provide secure information to the Web community. More and more job functions and departments want to post content to or provide services directly on the Internet. Network administrators are constantly at risk for developing new ulcers after carving several holes in their firewalls for new Web servers. Each additional hole could represent a path to future trouble for the overall network.
The combination of Microsoft Internet Information Server (IIS) 4.0 and Microsoft Proxy Server 2.0 addresses both of these problems inexpensively. (For more information about Proxy Server vs. firewalls, see the sidebar "Proxy Servers vs. Firewalls," page 2.) Proxy Server is one of the premier IIS add-ons, and Microsoft offers the add-on not only as a standalone product but also bundled with Microsoft BackOffice and Microsoft Small Business Server (SBS). Some of Proxy Server's features are
- Increased network security
- Increased Web-browsing efficiency
- The ability to limit user access to certain Web sites
- The ability to securely publish Web sites to the Internet
For the next several months, I'll closely examine some of the inner workings of these features, how they apply to IIS, and how you can put them to work in your company. In this installment, I describe the basic services Proxy Server provides and how those services relate to IIS.
A proxy server is a firewall component that manages the flow of Internet traffic to and from a LAN. Proxy Server offers three basic services to help manage this flow: Web Proxy, Winsock Proxy, and SOCKS Proxy.
Web Proxy. Web Proxy is the most commonly used feature of proxy server installations. Internal users can point their Web browsers to the proxy and let the proxy act on their behalf, shielding them from many of today's common Internet dangers. However, security isn't the only benefit of Web Proxy. If many users tend to visit some of the same Web sites, the proxy server can cache certain types of content locally, letting users download content from the proxy server rather than taking up precious bandwidth. As with any of the three proxy services, you can limit Web Proxy's use by individual users or groups. Web Proxy doesn't require special software installed on the client, other than the browser you use to communicate with the proxy server. The Web Proxy service includes HTTP, FTP, and Gopher requests, even though IIS 4.0 dropped support for Gopher. Web Proxy also lets you use a feature called Reverse Proxy to publish Web sites. I'll explain Reverse Proxy in a future issue.
Winsock Proxy. Winsock (Windows Sockets) is an application interface standard for software providing Windows-TCP/IP interfacing. Winsock Proxy is unique to Microsoft's proxy service. Winsock Proxy lets users who are still using legacy OSs or who don't run TCP/IP as their networking protocol enjoy some of the benefits of the Internet. Although you can configure nearly every modern Web browser to use a proxy server, not all Winsock-based applications have the built-in ability to communicate with that proxy server. In TCP/IP environments, the Winsock Proxy client supports client programs that might not be proxy-aware. To use Winsock Proxy, you must install a Winsock Proxy service client on the user's computer. The proxy client software works by intercepting requests for Internet services and forwarding them to the proxy server. Winsock Proxy checks whether the user has sufficient permissions to use the Winsock Proxy service and whether the proxy administrator has allowed access to the particular service or port. If the user passes both these checks, Winsock Proxy allows the connection and attempts to connect on behalf of the user on the external interface. Winsock Proxy also provides support for the Server Proxy method of publishing Web sites.
SOCKS Proxy. SOCKS Proxy is the third major service Proxy Server offers. Proxy servers use the SOCKS protocol to accept internal network client requests and forward them across the Internet. SOCKS Proxy supports only applications written using the SOCKS 4.3a protocol. Unfortunately, the 4.x protocol supports only connections using TCP. The 4.x specification doesn't include UDP. You might need to rewrite UDP-based applications for use with the SOCKS Proxy. I used to believe that the SOCKS protocol was declining; however, I recently discovered that the Internet Engineering Task Force (IETF) Request for Comments (RFC) 1928, RFC 1929, and RFC 1961 describe the new SOCKS 5.0, which includes support for UDP and authentication. Macintosh and UNIX clients are the most frequent SOCKS users. You can find out more about the 5.x specification by reviewing those RFCs and by visiting http://www.socks.nec.com.
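To make the SOCKS 4 versus SOCKS 5 difference concrete, the following added example (not code from the article or from Proxy Server) decodes the first messages each version of the protocol puts on the wire. The SOCKS 4 request format has only CONNECT and BIND commands, so a UDP request cannot even be expressed; the SOCKS 5 greeting carries the method negotiation that makes RFC 1929 username/password authentication possible, and its request format adds UDP ASSOCIATE. The byte strings at the bottom are constructed samples.

```python
"""Decode SOCKS 4 and SOCKS 5 client messages (RFC 1928 / RFC 1929).

Added example; constructed sample messages, not captured traffic.
"""
import socket
import struct

SOCKS4_COMMANDS = {1: "CONNECT", 2: "BIND"}                  # TCP only: no UDP command exists
SOCKS5_COMMANDS = {1: "CONNECT", 2: "BIND", 3: "UDP ASSOCIATE"}
SOCKS5_METHODS = {0x00: "no authentication", 0x02: "username/password (RFC 1929)"}


def parse_socks4_request(data):
    """SOCKS4 request: VN(1)=4, CD(1), DSTPORT(2), DSTIP(4), USERID..., NUL."""
    if len(data) < 9 or data[0] != 4:
        raise ValueError("not a SOCKS4 request")
    cmd = data[1]
    if cmd not in SOCKS4_COMMANDS:
        raise ValueError(f"unknown SOCKS4 command {cmd}")
    port = struct.unpack("!H", data[2:4])[0]
    host = socket.inet_ntoa(data[4:8])
    nul = data.index(b"\x00", 8)                  # USERID is NUL-terminated
    userid = data[8:nul].decode("ascii")
    return {"version": 4, "command": SOCKS4_COMMANDS[cmd],
            "host": host, "port": port, "userid": userid}


def socks4_can_express(command_name):
    """SOCKS4 has no encoding for anything but CONNECT and BIND."""
    return command_name in SOCKS4_COMMANDS.values()


def parse_socks5_greeting(data):
    """SOCKS5 greeting: VER(1)=5, NMETHODS(1), METHODS(n). Returns offered methods."""
    if len(data) < 2 or data[0] != 5 or len(data) != 2 + data[1]:
        raise ValueError("malformed SOCKS5 greeting")
    return list(data[2:])


def choose_socks5_method(offered, require_auth=True):
    """Server side of method selection.

    Prefer username/password; accept no-auth only when policy allows it;
    otherwise answer 0xFF ("no acceptable methods") and the client must close.
    """
    if 0x02 in offered:
        return 0x02
    if 0x00 in offered and not require_auth:
        return 0x00
    return 0xFF


def parse_socks5_request(data):
    """SOCKS5 request: VER(1)=5, CMD(1), RSV(1)=0, ATYP(1), DST.ADDR, DST.PORT(2)."""
    if len(data) < 4 or data[0] != 5 or data[2] != 0:
        raise ValueError("malformed SOCKS5 request")
    cmd, atyp = data[1], data[3]
    if cmd not in SOCKS5_COMMANDS:
        raise ValueError(f"unknown SOCKS5 command {cmd}")
    if atyp == 1:                                  # IPv4 address
        host, rest = socket.inet_ntoa(data[4:8]), data[8:]
    elif atyp == 3:                                # domain name, length-prefixed
        n = data[4]
        host, rest = data[5:5 + n].decode("ascii"), data[5 + n:]
    elif atyp == 4:                                # IPv6 address
        host, rest = socket.inet_ntop(socket.AF_INET6, data[4:20]), data[20:]
    else:
        raise ValueError(f"unknown address type {atyp}")
    if len(rest) != 2:
        raise ValueError("bad SOCKS5 request length")
    return {"version": 5, "command": SOCKS5_COMMANDS[cmd],
            "host": host, "port": struct.unpack("!H", rest)[0]}


# Constructed sample messages (documentation address space).
SOCKS4_CONNECT = (b"\x04\x01" + struct.pack("!H", 80)
                  + socket.inet_aton("192.0.2.10") + b"alice\x00")
SOCKS5_GREETING = b"\x05\x02\x00\x02"              # client offers no-auth and username/password
SOCKS5_UDP_ASSOC = (b"\x05\x03\x00\x01" + socket.inet_aton("0.0.0.0")
                    + struct.pack("!H", 0))        # UDP ASSOCIATE, client address not yet known

if __name__ == "__main__":
    print(parse_socks4_request(SOCKS4_CONNECT))
    offered = parse_socks5_greeting(SOCKS5_GREETING)
    chosen = choose_socks5_method(offered)
    print("server selects method", SOCKS5_METHODS.get(chosen, "none acceptable"))
    print(parse_socks5_request(SOCKS5_UDP_ASSOC))
    print("SOCKS4 can express UDP ASSOCIATE:", socks4_can_express("UDP ASSOCIATE"))
```

The `choose_socks5_method` policy is the piece a proxy administrator controls: with `require_auth=True` a client that offers only method 0x00 gets 0xFF and never reaches the request stage, which is the authentication benefit the 5.x RFCs add over 4.x.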
Internal Network Boundaries
One of the most important parts of planning a proxy server is correctly defining your internal and external networks. Place any computer that needs protection from the external network and those computers you trust completely on the internal network segment, and define them in Proxy Server. This boundary doesn't guarantee that your internal network is safe, however. You must also decide which services and content you want to restrict.
Servers that run Proxy Server don't have to be big, departmental-class servers. They must have IIS 4.0 and, if you're going to connect the proxy server to the Internet, the server must be a multihomed machine (i.e., a machine with two NICs) or have a RAS dial-up connection to the Internet. You have to connect one NIC to the internal network and another card to the untrusted external network, unless you use a modem to connect to the external network.
The Local Address Table (LAT) is the mechanism that determines the line between the internal and external networks. The table, which you see in Screen 1, defines which addresses, or subnets, are part of the internal network. The LAT considers everything else the external, untrusted network. Only traffic originating from an address within the LAT can pass from the internal network interface to the external network interface. (Be sure not to place addresses in the LAT that aren't a part of your internal LAN.)
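The following added example (not Proxy Server's own code) models the LAT rule stated above: an address is trusted only if it falls inside one of the table's ranges, and only traffic from such an address may cross to the external interface. It also implements the parenthetical warning as a check, flagging LAT entries that lie outside RFC 1918 private space. The table entries are constructed sample data, including one deliberate mistake.

```python
"""Local Address Table (LAT) boundary check.

Added example, not Proxy Server's own code. Proxy Server 2.0 expresses the
LAT as a list of address ranges ("from" and "to" addresses); anything
outside those ranges is the untrusted external network. The ranges below
are constructed sample data, including one deliberate mistake.
"""
import ipaddress

# RFC 1918 private blocks; a LAT entry for an internal LAN normally sits inside one of these.
RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample LAT as (first address, last address) pairs.
SAMPLE_LAT = [
    ("10.0.0.0", "10.255.255.255"),     # internal LAN: the private 10.x.x.x range
    ("192.168.1.0", "192.168.1.255"),   # a second internal segment
    ("203.0.113.0", "203.0.113.255"),   # mistake: a range that is not part of the LAN
]


def lat_bounds(lat):
    """Convert (first, last) dotted strings into integer (lo, hi) bounds."""
    bounds = []
    for first, last in lat:
        lo = int(ipaddress.IPv4Address(first))
        hi = int(ipaddress.IPv4Address(last))
        if lo > hi:
            raise ValueError(f"LAT range {first}-{last} is reversed")
        bounds.append((lo, hi))
    return bounds


def is_internal(lat, address):
    """True when the address falls inside any LAT range, i.e. the proxy treats it as trusted."""
    value = int(ipaddress.IPv4Address(address))
    return any(lo <= value <= hi for lo, hi in lat_bounds(lat))


def may_pass_outbound(lat, source):
    """Only traffic originating from a LAT address may cross from the internal
    interface to the external interface; everything else is refused."""
    return is_internal(lat, source)


def audit_lat(lat):
    """Flag LAT entries that lie outside RFC 1918 private space.

    A range that is not part of your LAN but is listed in the LAT makes the
    proxy treat packets from those addresses as if they came from inside.
    """
    findings = []
    for first, last in lat:
        lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        if not any(lo in net and hi in net for net in RFC1918):
            findings.append(f"{first}-{last} is outside RFC 1918 private space")
    return findings


if __name__ == "__main__":
    for src in ("10.1.1.254", "192.168.1.20", "192.0.2.1", "203.0.113.7"):
        print(f"{src:16} internal={is_internal(SAMPLE_LAT, src)}")
    for finding in audit_lat(SAMPLE_LAT):
        print("WARNING:", finding)
```

The audit is a heuristic: a LAN that uses registered (public) addresses is legitimate, so in that case extend `RFC1918` with your own assigned blocks rather than ignoring the warning. The point of the check is the one the text makes: any range you list in the LAT is treated as trusted, so the table must contain your internal LAN and nothing else.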
Under the Hood of Proxy Server
Proxy Server provides security by filtering at the application layer (restrictions based on domain name or service requested) and at the packet layer (restrictions based on IP addresses and ports). To filter or otherwise restrict the flow of network traffic, the proxy server must be able to field each request as it arrives on the untrusted, external network interface. The pivotal component of Proxy Server is an Internet Server API (ISAPI) filter called w3proxy.dll, which Proxy Server installs on IIS during setup. When a packet comes in from the external network, the filter uses packet-layer filtering to decide whether to let the packet pass to its destination. The filter also fields packets from clients on the internal network before letting them pass through to the external network.
Because Proxy Server hinges on one ISAPI filter and consequently depends on IIS to operate, it makes sense to include IIS in your hardware considerations. Because IIS already requires a great deal of memory to operate, ensure that your proxy server has enough additional memory to handle the user load. If you're hosting a Web site on your proxy server and using Active Server Pages (ASP), increase the memory beyond Proxy Server's memory requirements. Adjust your requirements accordingly.
Proxy Server Installation
Installing Proxy Server isn't difficult. However, the choices you make during product installation have consequences that could compromise your network security or result in poor performance. As you step through each installation dialog box, understand what you're choosing--accepting the defaults can lead to trouble.
Before you install Proxy Server, consider the hardware you need for the job. Proxy Server requires large, fast hard disks. Before Web Proxy clients see their HTTP responses from the Web Proxy service, the proxy server must first write the HTTP result to a disk cache that Proxy Server creates during installation. RAID 5 controllers boost performance when reading from the disk cache. Users will see a performance improvement if the proxy server can use the local cache to fulfill their HTTP requests instead of waiting on retrieval from the Internet. Maximize the cache memory on your RAID controller, if possible.
Let's put together an example proxy server. If you had 400-500 moderate-to-heavy Web users wanting to use Web Proxy, for example, I would use the following server specifications:
- 450MHz or faster dual-Pentium II processor
- 512MB of memory
- Two 4.3GB hard disks
- Four 9.1GB hard disks
- RAID 5 controller with at least 32MB of memory (Software fault tolerance isn't recommended when you're using Proxy Server.)
- Two high-quality NICs (One NIC is acceptable only if you want to provide a caching proxy server. Many security features, such as dynamic packet filtering, aren't available with one NIC.)
I would also add redundant power supplies and other fault-tolerant components to improve the uptime of the server. Arrange the disks as you see in Figure 1, page 4. The RAID 5 cache on the D drive contains only the proxy server's cache. Store the OS and log files on the C drive. You can increase performance by adding a separate controller and a 4.3GB or 9.1GB disk just for the proxy logs. Proxy Server writes log files sequentially; therefore, you'll see an increase in performance by storing a heavily used log on a separate disk. Proxy Server can't serve the content to the user until it completes writing this log entry to the disk. Adding another drive can minimize this delay by preventing the disk from having to perform a lot of seeks.
Install the following items in order:
1. Windows NT 4.0 (don't install IIS 2.0 here), followed by Service Pack 3 (SP3) or later
2. Microsoft Internet Explorer (IE) 4.0
3. NT 4.0 Option Pack, including IIS 4.0
4. Proxy Server 2.0
5. Proxy Server SP1 and any recent IIS or Proxy hotfixes
When you've installed items 1 through 5, reapply the latest NT Service Pack.
(Warning! As you install the OS, don't provide a default gateway for the NIC on the internal network. Also, be sure that you disable IP Forwarding.)
New service packs and hotfixes are available for all these products (see http://www.microsoft.com/ntserver/nts/downloads and http://www.microsoft.com/proxy); apply them to the installation. Apply the most recent service pack last. Proxy Server's SP1 contains more than 20 fixes and includes a new version of the Microsoft Management Console (MMC).
During the NT installation process, NT asks you to verify the appropriate bindings for both NICs. These bindings attach the services you selected to each card. Disable the Server service binding from the external interface, which you see in Screen 2, to prevent someone from attaching to your shares from the external interface. I wouldn't necessarily enable the administrative shares (e.g., C$, D$, WINNT$) on a proxy server. However, you'll most likely already have the mspclnt share set up on your proxy server. This share, which Proxy Server creates during installation, delivers updated client-configuration files for the proxy client and provides a common installation point for the Microsoft proxy client software that Winsock Proxy uses. This share must be available at all times.
When you've finished the installation, you have one last step to accomplish. Users on multihomed proxy servers can't access the proxy server until you add a route for your internal network to your routing table. Remember that you left the default gateway off the network settings for the internal NIC. The proxy server needs a manual route in order to deliver traffic for your internal network. To create this gateway, use the Route command from the command line. Manually add a persistent route that defines the gateway appropriate for your local subnet, for example
where 10.0.0.0 is the internal network (the private 10.x.x.x address range) with a subnet mask of 255.255.255.0, reachable through the gateway 10.1.1.254. You might need to specify other options, such as cost and interface number, based on your configuration. The -p option makes the route persistent, which means that the entry remains until you remove it manually with the Route command's Delete option. Otherwise, the route would disappear each time you rebooted the server.
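The Route command the text describes, reconstructed from the values it gives (network 10.0.0.0, mask 255.255.255.0, gateway 10.1.1.254, and the -p option); this listing is added here and is not the article's original listing. Substitute your own network, mask, and gateway, and run it from a command prompt on the proxy server:

```cmd
REM Persistent route for the internal network, built from the values in the text.
REM Constructed example; replace the network, mask, and gateway with your own.
route -p add 10.0.0.0 mask 255.255.255.0 10.1.1.254

REM Confirm the entry appears in the active route table and in the persistent routes list.
route print

REM When the internal gateway changes, remove the old entry with the Delete option.
route delete 10.0.0.0
```

Check `route print` after a reboot as well: a route added without -p is gone at that point, which is exactly the symptom (internal users unable to reach the proxy) the paragraph above describes.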
When you've completed these steps and given the appropriate groups permission to use the individual proxy services, your users can access the external interface (typically, the Internet).
The Next Steps
In my next installment, I'll discuss
- Securing Proxy Server, including how to secure IIS and Proxy Server before exposing the server to the outside world
- Identifying the ports that are exposed on the external interface and what you can do to minimize your exposure
- Blocking content that you want to restrict from your users using packet filters
- Preventing your Web Proxy users from accessing undesirable Web sites
- Taking this new installation further and restricting access to the Web Proxy and Winsock Proxy services