Internet by proxy
By
Michael Curry
A thesis submitted in partial fulfillment of the requirements for the degree of
Master of Science
In
Management Information Systems
Bowie State University
1998

A thesis presented on the use of Proxy Servers to provide access to the Internet, beginning with the history of the Internet. Topics covered will include security, cost, benefits, efficient use of IP addresses, caching, packet filtering, and planning.

I believe that the use of Proxy Servers will grow at a rapid pace in the European Theater because they will have a direct impact on operational readiness in United States Army Europe.

This paper will examine Microsoft's® Proxy Server 2.0 (Proxy Server) to determine if it can be used to provide increased Internet performance to users at Headquarters, United States Army Europe (HQ USAREUR). Although it is being touted as a "poor man's" firewall, my primary interest is not in the security that it provides, but in its ability to cache data and to provide Internet Protocol (IP), site, and domain filtering. These are the areas my evaluation will focus on.
This paper will present deployment recommendations based on the current network topology that is in use by HQ USAREUR, which is located at Campbell Barracks in Heidelberg Germany.
As we move into the 21st century and further into the Information Age, technology is having an impact on our society unparalleled since the Industrial Revolution. As more and more businesses redesign their business processes, nine times out of ten the solution will revolve around the Internet. Many businesses are finding that they can't compete if they don't have a presence on the Internet because all of their competitors are there.
USAREUR is also re-engineering many of its business processes in an effort to do more with less. Many of the solutions revolve around the use of Information Technology (IT) and the Internet. For example, in the past few months, all of the civilian pay operations have been moved to Charleston, South Carolina. All transactions are now done on-line via the Internet. However, the new system is experiencing problems because no one adequately predicted the amount of bandwidth that would be needed to support the new system.
The lack of adequate bandwidth in USAREUR will continue to be a major problem as more and more organizations deploy systems that use the Internet. These days, if you have any "surfing" to do, you had better get into work at around 7:00 am, because anytime after that the Web slows down to a crawl. This has had a disastrous effect on users who require time sensitive data and information in order to perform their duties. In an effort to provide better service, I have been tasked to investigate possible solutions that could help alleviate some of the performance problems. The solution with the most promise is the use of proxy servers. Although there are several companies that are marketing proxy servers, this study will focus on the use of Proxy Server because we have already invested heavily into the Microsoft® NT Server Network Operating System. Proxy Server is also a lot cheaper ($1100) than traditional firewall systems that can cost anywhere from $10,000 - $120,000.
This paper will provide organizations with enough information on how to deploy proxy server and the benefits that they stand to gain.

Active caching - A mechanism used to automatically initiate new requests to update cached file objects without user intervention.
Array - A group of Proxy Server computers used to provide distributed caching, load balancing, and fault tolerance. Arrays allow client requests to be distributed among several Proxy Server computers, which increases response time for clients.
Browser - A tool for navigating and accessing information on the Internet or an Intranet.
Cache - A store of frequently retrieved objects and URLs located on the cache drive of a Microsoft Proxy Server computer. Instead of retrieving an object directly from an Internet Web server, the object is stored and retrieved from the cache instead.
Client - A computer that accesses shared network resources provided by a server computer.
Domain Name System (DNS) - A protocol and computer-naming hierarchy used throughout the Internet to map computer IP addresses to their domain name.
Dynamic filters - Dynamic filters are automatically started by the WinSock Proxy, Web Proxy, or Socks Proxy service. This feature allows the Proxy Server services to automatically open and close communication ports on the external interface when transmission of packets is needed.
Dynamic Host Configuration Protocol (DHCP) - A protocol that offers dynamic assignment of IP addresses and related information for temporarily connected network users.
File Transfer Protocol (FTP) - The Internet standard protocol for transferring files between computers. FTP uses the Telnet and TCP protocols.
Filter - A feature of ISAPI that allows preprocessing of requests and post processing of responses, permitting site-specific handling of Hypertext Transfer Protocol (HTTP) requests and responses.
Hypertext Markup Language (HTML) - A simple markup language used to create hypertext documents that are portable from one platform to another. It is the formatting language used for documents on the World Wide Web.
Hypertext Transfer Protocol (HTTP) - The Internet standard protocol by which WWW clients and servers communicate.
Internet - The global network of computers that communicates through a common set of protocols known as TCP/IP.
Internet Information Server (IIS) - The Microsoft Internet server product designed for implementing and managing Web sites.
Internet Network Information Center (InterNIC) - The agency that centrally coordinates assignment and registration of DNS names and IP addresses for use on the Internet.
Internet Protocol (IP) - The Internet standard routing protocol that defines the IP datagram as the unit of data transfer and provides the IP address scheme to route packets from one network location to another.
Internet Service Provider (ISP) - A company or educational institution that enables remote users to access the Internet by providing dial-up connections or installing leased lines.
IP Address - A unique address that identifies a computer on a network by using a 32-bit address that is unique across a TCP/IP network.
Local Area Network (LAN) - A group of computers connected by a communications link, which enables any computer to interact with any other on the network.
Local Address Table (LAT) - A table of all internal IP address pairs on the internal network where Microsoft Proxy Server is installed. This list is used to control access between clients on the internal network and remote IP addresses on external IP networks (or the Internet).
Network Adapter - A device, usually a hardware card, used to connect a computer to a local area network (LAN).
Packet - A fixed number of bytes that represents the basic unit of information sent across a physical network. Packets consist of binary information representing both data and a header containing an ID number, source and destination addresses, and error-control data.
Packet Filtering - Filtering that either allows or blocks packets destined to specific services on or behind the Proxy Server computer.
Passive Caching - In this type of service, data is cached and discarded entirely on the basis of object size, popularity, or time since the requested object was last updated in the cache. Frequently referred to as on-demand caching because all caching updates are user-initiated.
Proxy Client - A client computer that must use a proxy server to gain access to network services not directly supported for client usage.
Proxy Server - A computer that acts as a relay between remote servers and clients to intercept requests and process communications on behalf of proxy clients.
Router - Hardware or software that manages data traffic between networks and sub networks having similar transport protocols. Routers match packet headers to a location on a LAN and choose the best path for the packet, thereby optimizing network performance.
Transmission Control Protocol (TCP) - The Internet standard transport protocol that provides the reliable, two-way connected service that allows an application to send a stream of data end-to-end between two computers across a network.
Transmission Control Protocol/Internet Protocol (TCP/IP) - A family of networking protocols that allows computers with diverse hardware architectures and various operating systems to communicate across interconnected networks and the Internet.
Uniform Resource Locator (URL) - A naming convention that uniquely identifies the location of a computer, directory, or file on the Internet. The URL also specifies the appropriate Internet protocol, such as HTTP, FTP, IRC, or Gopher.
Web Browser - A software program, such as Internet Explorer, that retrieves a document from a Web server, interprets the HTML codes, and displays the document to the user.
Web Proxy service - The service that provides a means for Microsoft Proxy Server to act as a proxy server.
Wide Area Network (WAN) - A network that extends across distance and is not confined to a single site. This type of network typically involves interconnecting multiple LANs that use multiple physical topologies.
Windows Internet Name Service (WINS) - A name resolution service that runs on Windows NT Server. WINS maps friendly names to IP addresses. A WINS server handles name registrations, queries, and releases.
WinSock Proxy Service - An API service used by Microsoft Proxy Server that provides redirection and remote execution of Windows Sockets applications over connections involving a computer on an internal network (intranet) computer and remote computers on the Internet.
World Wide Web (WWW) - The World Wide Web is the software, protocols, conventions, and information that enable hypertext and multimedia publishing on computers connected to the Internet.

The Internet is referred to by many different names. In the simplest terms, the Internet is a collection of interconnected networks that span the globe.
The Internet originates back to the time of the Cold War in the 1960s. The Internet was originally created to serve as a communications backbone in times of national (and later international) crisis and to support academic research on defense related topics. The Internet has no central point of control, as its creators believed such control would pose unacceptable risk of system failure in the event of hostile attack, natural disaster, or human error. As a result, the system grew as a truly distributed network, and network protocols were developed to create an "open system" environment, enabling the routing of messages and information across widely disparate network platforms. The Internet was born in 1969 when the Department of Defense (DOD) initiated the project, which was administered and implemented by the Advanced Research Projects Agency (ARPA). The resulting network was named ARPANET. The idea was (and still is) to split up a stream of data (messages) into rather small packets, to give them a source and destination address and then transmit them from computer to computer until the desired destination is reached. If one or more packets are lost during transmission, only the lost packets (not the entire message) need to be retransmitted. This mechanism is known as Packet Switching. Table 1 summarizes major events and dates in the evolution of the Internet.
| Year | Event |
|---|---|
| 1969 | The Defense Department commissions ARPANET to research computer networking. Later in the year, the first nodes of the system go on-line at UCLA, Stanford Research Institute (SRI), and the University of Utah. |
| 1971 | Fifteen individual nodes of the ARPANET go on-line, joining 23 host computers. |
| 1972 | Operators create the first e-mail program to send and receive messages across the network. Norway and England become the first international connections to ARPANET. |
| 1975 | Usenet newsgroups are established between Duke University and the University of North Carolina. |
| 1982 | The Transmission Control Protocol and Internet Protocol (TCP/IP) is approved as the communications standard for ARPANET. This led to the first definition of an Internet as a connected set of networks using TCP/IP. |
| 1983 | Desktop workstations come into being. |
| 1984 | The number of computers on ARPANET breaks 1,000. |
| 1986 | The National Science Foundation (NSF) creates the NSFNet backbone on ARPANET (56kb), and establishes five supercomputing centers to provide high-speed computing power for all users. Cleveland FreeNet comes on-line and offers free public Internet access. |
| 1987 | The number of computers on ARPANET breaks 10,000. |
| 1988 | The first businesses begin to connect to the system for research purposes. |
| 1989 | The number of computers on ARPANET breaks 100,000. The first e-mail relay begins between a commercial on-line service (CompuServe) and the ARPANET through Ohio State University. |
| 1990 | ARPANET ceases to exist. The network is now officially known as the Internet. |
| 1991 | WAIS and Gopher, Internet search and navigation tools, are released by Thinking Machines Corporation and the University of Minnesota, respectively. |
| 1992 | World Wide Web (WWW), a hyperlinked interface to the Internet, is released by a Swiss research network. The number of computers on the Internet breaks one million. NSFNet relaxes its restriction on commercial Internet traffic. By the end of the year, half of all Internet traffic is commercial in nature. First audio multicast (March) and video multicast (November) real-time broadcasts of video and audio via computers connected to the Internet take place. |
| 1993 | The White House goes on-line after the National Information Infrastructure (NII) Act is passed in September. Stephen King becomes the first author to publish a short story on the Internet. First books about using the Internet for business appear. Business and media take an interest in the Internet as the number of users climbs above 14 million. Mosaic, graphical WWW browsing software, is released. The use of the Web proliferates by more than 30,000 percent. |
| 1994 | The U.S. Congress brings its Internet server on-line. Shopping malls, advertising, and mass marketing surface on-line. |
Today, the Internet is a dramatically different network than when it was first established in the early 1980s. Today the Internet has entered the public consciousness as the world's largest public data network, doubling in size every 7 months. This is reflected in the tremendous popularity of the WWW, the opportunities that businesses see in reaching customers from virtual storefronts, and the emergence of new types and methods of doing business. It is clear that expanding business and social awareness will continue to increase public demand for access to resources on the Internet.
There is a direct relationship between the value of the Internet and the number of sites connected to the Internet. As the Internet grows, the value of each site's connection to the Internet increases because it provides the business organization access to an ever-increasing user and customer population.

A Proxy server is a server that performs an action for another computer that cannot perform the action for itself. A real-world analogy for a proxy can be seen at high priced art auctions. Many bidders at art auctions will not attend the auction themselves. Some of the actual bidders at the auction are the proxies for the real buyers. The proxy acts for the buyer and relays the status of the proceedings to the buyer over the telephone. If you watch CNN coverage of important art auctions, you'll see proxies all over the auction house talking to their buyers by cellular phones. The proxy acts only when told to do so, and anything that the buyer could do in person, the buyer can do through his proxy.
In the world of computers and the Internet, workstations behind the proxy do not have valid Internet connections and therefore cannot talk to the Internet on their own. The proxy sits at the juncture of the Internet connection and the Local Area Network (LAN) and routes local LAN requests to the Internet as though the proxy server itself were requesting the information.

Proxy Server is a secure, high performance cost-effective gateway to the Internet. Proxy Server consists of two services: Web Proxy and WinSock Proxy.
Web Proxy is fully compliant with the CERN proxy standard, and offers proxy service for FTP Read, Gopher, and WWW for computers on your private network running TCP/IP. Web Proxy supports Microsoft Internet Explorer 3.0 and Netscape Navigator 3.0 Internet Browsers. Web Proxy also supports multiple platforms including Windows NT Server, Windows NT Workstation®, Windows 95®, Windows for Workgroups®, Windows 3.1®, UNIX, and Macintosh. The Web Proxy service also supports Secure Socket Layer (SSL) Tunneling, which provides an encrypted connection between the client and Web Server through the proxy.
WinSock Proxy proxies virtually all Windows Sockets 1.1 compatible applications and protocols by intercepting Windows Sockets Application Programming Interface (API) network calls, with support for TCP/IP and IPX/SPX net protocols. This service is transparent to the application; therefore virtually all applications will work with Proxy Server. Examples of supported applications are TELNET, FTP, RealAudio, SMTP, and VDOLive.
In order to run Proxy Server you will need the following equipment:
| Requirement |
|---|
| Computer capable of running Windows NT® Server 4.0 |
| Microsoft Windows NT Server 4.0 |
| Microsoft Internet Information Server 2.0 or later |
| Two network adapter cards, or one network adapter card and a modem |
| TCP/IP protocol |
Table 2 highlights some of the features and capabilities of Proxy Server.
| Feature | Description |
|---|---|
| Single IP Address | Microsoft Proxy Server presents one IP address to computers on the Internet. This enables one point of connection between many internal computers and external computers. The internal network addresses are not presented to the external computers. |
| Supports Dual-Homed Adapters | Microsoft Proxy Server supports two network adapter cards with different addresses that do not use IP-Forwarding. |
| Local Address Table | Microsoft Proxy Server enables the specification of the IP Address range(s) of all internal computers when IP is used as one of the internal protocols. This enables local clients to determine whether they must connect through the Proxy Server to access an external IP address. This feature also blocks processing of external client requests to internal Servers. |
| Internet/Intranet Applicable | The features of single IP address, support for two network adapter cards and the Local Address Table, make Microsoft Proxy Server suitable for securing internal networks from the Internet or from other internal networks. |
| Site Filtering | Microsoft Proxy Server enables certain Internet sites to be filtered from internal clients. |
| Access Control | Microsoft Proxy Server enables user and group permission lists to be established for each protocol. |
| Proxy Request Logging | Microsoft Proxy Server enables logging of system usage and access. Logs can be saved to text files or to a database (such as SQL Server) using ODBC. |
| Remote Administration | Microsoft Proxy Server can be administered from remote Intranet (within corporate network) locations using the Internet Service Manager tool. |
| Tight Integration With Windows NT Server Version 4.0 | Microsoft Proxy Server tightly integrates with Microsoft Internet Information Server and the Windows NT Server Version 4.0 network operating system, therefore allowing central administration through the Windows NT administrative environment, and single logon for Proxy Server users. |
| Demand Dial | Microsoft Proxy Server contains an AutoDial feature that automatically connects the Proxy Server to the Internet Service Provider (ISP) whenever data is required and not stored in the cache. The AutoDial disconnects from the service provider when the data is retrieved, or when a time out occurs. |
| Protocol Support | Microsoft Proxy Server supports all Internet protocols, including streaming audio and video, Internet Relay Chat, TELNET, HTTP, FTP, SMTP, NTP, and more. |
| Caching | Microsoft Proxy Server offers active, intelligent caching of frequently visited sites to reduce network costs and bandwidth consumption. Caching is scalable through Windows NT and hardware. |
| Integration With SNMP | Microsoft Proxy Server integrates with SNMP services, which enables the status of a Proxy Server to be viewed from across the network. |
| Extensibility | Microsoft Proxy Server supports the multi-vendor ISAPI Filter specification enabling third parties to write value-enhancing add-ons to the Proxy Server. Examples of current extensions include Virus Scanning and Site Filtering. |
| Multiple Network Compatible | Microsoft Proxy Server supports both TCP/IP and IPX/SPX protocols and it can be used with existing networks, therefore allowing migration to a pure TCP/IP based network at a self defined pace. |
Figure 2 shows the author's home network and how it is configured to use Proxy Server to provide Internet access.
Figure - 2 Author's Home Network


Just like every other major undertaking in life, things generally go better when you have a plan. Deploying Proxy Server is no different. You have to perform some type of analysis of your organization's network, users, and needs of those users. This section will present some basic guidelines on hardware requirements and possible deployment architectures based on the organizational structure of the staff directorates that make up HQ USAREUR.
A small directorate network can be characterized as follows:
| Characteristic |
|---|
| A single LAN segment |
| Use of the IP network protocol |
| Demand-dial connectivity to ISP or direct connection to Internet |
| Fewer than 50 clients |
For this situation, a single Proxy Server-based computer can be used to provide Internet connectivity and network security for the entire office, as shown in the following illustration.

Although figure 3 depicts that you can use either dial-up or direct connectivity, this section will discuss using Proxy Server to connect directly to the Internet. The T1 line could also be provided by an ISP. The Proxy Server computer is set up with two network interfaces: a network adapter card to connect to the internal network, and an additional network adapter card to connect to the external network (Internet). The Local Address Table (LAT) is constructed to list the internal network IP address space.
In this scenario, caching is enabled and configured in order to minimize the occurrence of having to go to the Internet to retrieve the requested information. This saves telecommunications costs and improves performance. You can use caching to store a local copy of the most frequented Internet URLs in dedicated disk drive volumes. You can use active caching to automatically retrieve the most popular URLs without client initiation.
For a network of this size you can use a single security policy that applies to all clients. Password authentication, user permissions, protocol definitions, domain filtering, cache filtering, and packet filtering are used to provide maximum network security. Table 3 shows the recommended hardware specifications for this type of deployment.
Table - 3 Hardware Recommendations (Small Directorate)
| Processor Speed | Disk Space | RAM |
|---|---|---|
| Pentium Pro 200 | 250 MB to 2 GB | 64 MB |
This architecture most closely resembles the current topology of Campbell Barracks (without the Proxy Servers). Each directorate is connected to a campus Fiber Distributed Data Interface (FDDI) Ring via a router, which connects to the central office gateway in Building 7. Internet access is provided by the central office gateway. This would be the best deployment option to use if we could gain approval to implement the use of Proxy Servers. The Internal Review Office, which is located off-post, could be connected via ISDN to the central gateway. A medium-size directorate network can be characterized as follows and is shown graphically in figure 4:
| Characteristic |
|---|
| Individual directorates with one or more LAN segments |
| Use of the IP network protocol |
| Dedicated-link connectivity from the central office to the Internet |
| Fewer than 350 clients |
Figure - 4 Architecture for a Small Directorate
In this situation, a single Proxy Server-based computer is used at each directorate to provide a directorate level security policy and connectivity to the central office communications gateway. The Proxy Server-based computer is set up with two internal network interfaces: one network adapter card to connect to the local network in the directorate, and a second network adapter card to connect to the remote network at the central office gateway. The LAT is constructed to list the entire network IP address space, both the directorate and central office networks. Any external (Internet) IP addresses must be excluded. Name servers, such as Windows Internet Naming Service (WINS), Domain Name System (DNS), and Dynamic Host Configuration Protocol (DHCP), should be installed in each directorate to enable local name resolution. The directorate DNS servers would then replicate with the DNS server located at the central gateway.
Caching is enabled and configured in order to increase response time to client requests. If the URL can be found in the local cache, this reduces network traffic because you don't have to go to the central office cache or the Internet to retrieve the requested information. You use caching to store a local copy of the most frequented Internet URLs in dedicated disk drive volumes. You should not be using active caching at the directorate; it occurs at the central office gateway Proxy Server array. This provides load balancing by offloading some of the work performed at the central office Proxy Server-based computers. The important thing to remember here is that the directorate Proxy Server computer does not have a direct connection to the Internet. All client requests are routed upstream to the Proxy Server array at the central office gateway.
At the central office gateway, a Proxy Server array is used to provide distributed caching, load balancing, and fault tolerance. Each server in the array is configured with two network interfaces: one network adapter card to connect to the internal network, and one network adapter card to connect to the Internet. In this scenario, direct connectivity to the Internet is through a router and a T-1 line. Each LAT is identically configured to list the entire network IP address space, both for the directorates and central office networks. The IP address of the external interface must be excluded for each computer.
At this point, all client Internet requests, regardless of whether they originated locally or at a directorate, are handled by the Proxy Server array. For Web Proxy clients, the requests are routed internally within the array and serviced by the appropriate array member that holds a cached copy of the URL on its own cache drive. If the request cannot be serviced by the array, the request is forwarded to the Internet. In this way, arrays form a large distributed cache, which can significantly improve client performance. You can use active caching to automatically retrieve the most popular URLs without client initiation. In addition, critical bandwidth is preserved on the WAN connection.
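The two-tier arrangement just described (a directorate proxy that caches passively and has no Internet link, in front of a central-office array that caches actively and alone crosses the T-1), modelled as an added Python example; this is not code from the thesis or from Microsoft's product. The URL-hash routing between array members, the freshness lifetime, the popularity threshold, the URLs and the response sizes are all constructed assumptions.

```python
"""Model of the medium-directorate deployment: directorate Proxy Server -> central array -> Internet.
Added illustration only; routing, lifetimes and thresholds are assumptions, not Microsoft's rules."""
import hashlib
from dataclasses import dataclass


@dataclass
class CachedObject:
    body: bytes
    fetched_at: float  # simulated clock, in seconds
    hits: int = 0


class Origin:
    """Stand-in for the Internet: counts every fetch that crosses the T-1 line."""

    def __init__(self):
        self.fetches = 0

    def fetch(self, url):
        self.fetches += 1
        # Constructed response: the ".iso" URL returns an object too large to cache.
        return b"x" * (5000 if url.endswith("large.iso") else 200)


class ProxyCache:
    def __init__(self, name, ttl, max_object_size, upstream):
        self.name, self.ttl, self.max_object_size = name, ttl, max_object_size
        self.upstream = upstream  # next hop: another ProxyCache, a ProxyArray, or the Origin
        self.store = {}
        self.hits = self.misses = 0

    def fresh(self, obj, now):
        return now - obj.fetched_at <= self.ttl

    def fetch_upstream(self, url, now):
        if isinstance(self.upstream, Origin):
            return self.upstream.fetch(url)
        return self.upstream.get(url, now)

    def get(self, url, now):
        """Passive (on-demand) caching: serve a fresh copy from the cache drive, otherwise go to
        the next hop. Objects are kept or discarded on size and age, as the thesis describes."""
        obj = self.store.get(url)
        if obj is not None and self.fresh(obj, now):
            obj.hits += 1
            self.hits += 1
            return obj.body
        self.misses += 1
        body = self.fetch_upstream(url, now)
        previous_hits = 0 if obj is None else obj.hits
        if len(body) <= self.max_object_size:
            self.store[url] = CachedObject(body, now, previous_hits + 1)
        else:
            self.store.pop(url, None)  # too large: never held on the cache drive
        return body

    def active_refresh(self, now, min_hits):
        """Active caching: re-fetch popular objects that are about to expire, without any client
        request, so the next client miss downstream is served here rather than from the Internet."""
        refreshed = []
        for url, obj in self.store.items():
            if obj.hits >= min_hits and not self.fresh(obj, now + self.ttl / 4):
                obj.body = self.fetch_upstream(url, now)
                obj.fetched_at = now
                refreshed.append(url)
        return refreshed


class ProxyArray:
    """Array members form one distributed cache: each URL is owned by the member selected by
    hashing the URL (assumed routing rule; the thesis does not name the algorithm)."""

    def __init__(self, members):
        self.members = members

    def member_for(self, url):
        digest = hashlib.sha256(url.encode()).digest()
        return self.members[int.from_bytes(digest[:4], "big") % len(self.members)]

    def get(self, url, now):
        return self.member_for(url).get(url, now)

    def active_refresh(self, now, min_hits):
        return [u for m in self.members for u in m.active_refresh(now, min_hits)]

    def hits(self):
        return sum(m.hits for m in self.members)


def simulate(active_caching=True):
    """Ten directorate clients fetch four constructed URLs at t=0; one client returns at t=700,
    after the directorate's copies (lifetime 600 s) have expired. Returns planner's counters."""
    origin = Origin()
    array = ProxyArray([ProxyCache(f"central-{i}", 600, 1000, origin) for i in range(3)])
    directorate = ProxyCache("directorate", 600, 1000, array)
    urls = ["http://www.example.mil/", "http://www.example.mil/news",
            "http://www.example.mil/orders", "ftp://ftp.example.mil/large.iso"]
    for _ in range(10):
        for url in urls:
            directorate.get(url, now=0)
    stats = {"origin_fetches_wave1": origin.fetches, "directorate_hits_wave1": directorate.hits}
    if active_caching:
        stats["refreshed_by_array"] = len(array.active_refresh(now=500, min_hits=1))
    before = origin.fetches
    for url in urls[:3]:
        directorate.get(url, now=700)
    stats["origin_fetches_wave2"] = origin.fetches - before
    stats["array_hits_wave2"] = array.hits()
    return stats


if __name__ == "__main__":
    print("active caching at array:", simulate(True))
    print("passive caching only:   ", simulate(False))
```

With active caching the second wave is served entirely from the array (no fetch over the T-1 while a client waits); with passive caching only, every expired URL goes to the Internet on the client's request. The uncacheable large object shows the size rule: it crosses the T-1 once per client.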
A global security policy is set at the central office for the entire organization, and a local security policy can be set for the directorate users. This configuration provides maximum flexibility for the particular Internet access needs of each directorate, yet retains maximum overall network security by providing an overriding policy at the central office gateway. Table 4 shows the recommended hardware specifications for this type of deployment.
Table - 4 Hardware Recommendations (Medium Sized Directorate)
| Processor Speed | Disk Space | RAM |
|---|---|---|
| Pentium Pro 200 | 2 GB to 4 GB | 128 MB |

Over the past few years, the Internet has experienced a major scaling issue as it struggled to provide continued and uninhibited growth. This issue is centered on the eventual exhaustion of the Internet Protocol Version 4 (IPv4) address space. IPv4 defines a 32-bit address space, which means that there are only 2^32 (4,294,967,296) IPv4 addresses available. Although this may seem like a large number of addresses, as more businesses and private individuals establish a presence on the Internet, we will eventually run out. In anticipation, some companies have bought large blocks of IP addresses and are now selling them for premium prices.
Proxy server can help alleviate this problem because you only need one valid IP address in order to allow all of your workstations to access the Internet. The InterNIC has set aside several address ranges that can be used by private networks for their own TCP/IP configuration. These address ranges will never be found on the Internet and therefore will never conflict with any other site on the Internet that is using the same private addresses. The private address ranges are as follows:
| Private address range |
|---|
| Class A subnet: 10.0.0.0 |
| Class B subnet: 172.16.0.0 to 172.31.255.255 |
| Class C subnet: 192.168.0.0 to 192.168.255.255 |
When each workstation on a network has a valid IP address, they have virtually free rein over Internet access. Most operating systems are not designed to monitor or restrict TCP/IP access in valid network topologies. Proxy Server 2.0, on the other hand, is designed to monitor and restrict the activities of clients to the Internet. If an organization needs to connect 300 workstations to the Internet via a dedicated connection, they can purchase a single valid IP address for the Proxy Server, and use one of the reserved address ranges for the 300 workstations.
In order for this magic to work, all of the workstations must be loaded with the Proxy Server client software and all of the IP addresses used on the private network must be entered into the LAT. The Winsock Proxy Service is responsible for removing the local IP address used by the client and replacing it with the Winsock Proxy Server's IP address. This means the contacted server on the Internet will open a backward connection to the Winsock Proxy Server instead of trying to open a connection with the workstation that made the original request. Keep in mind that the local IP addresses used on the private network are not valid, and the Winsock Proxy server must have a valid IP address in order for this to perform properly.
The Internet can be a tremendous productivity resource or it can be a real waste of time. One of the biggest management headaches we face today is how to prevent employees from spending too much time on the Internet. I've seen situations where I've observed workers surf the Internet all day long. This is largely a management problem as opposed to an Internet problem. Microsoft Proxy Server 2.0 now gives managers a way to effectively deal with this problem. With Microsoft Proxy Server, a network manager can exert as much or as little control over Internet and Intranet resources as he/she feels appropriate. This access control can be applied not only to the enterprise as a whole, but also down to user groups, departments, and even to each individual user. For example, a network manager may want to allow FTP, Gopher, and browser-based World Wide Web access for all employees but permit only certain members of management to use the Internet for conferencing or selected other multimedia services.
The user access controls work with each of the Web Proxy, Winsock Proxy, and SOCKS Proxy services included with the product. Because Microsoft Proxy Server 2.0 is tightly integrated with the Windows NT Server directory, the user names and domain information serve as the basis for user access control permissions. Network managers do not have to maintain a separate database or directory of Internet users. This makes managing user access simple.
As more and more organizations go online, security continues to be the number one concern of all organizations. Lost data or information can be worth millions of dollars, and in the military it could mean life or death for service members who are engaged in hostile operations. Microsoft Proxy Server and Windows NT Server Version 4.0 have features designed to prevent or severely reduce most of the common security issues which are introduced by connecting to the Internet. This section focuses on those features and the issues and risks eliminated, severely reduced, or generally mitigated by each of those features.
Issue
Network Penetration - The most widely discussed set of risks relating to a corporate network is outside users accessing internal resources. This includes external users accessing data on the internal network as well as potentially doing damage to the network itself. As more companies connect to external networks, a variety of tools, including Proxy Servers have been developed whose purpose is to mask the internal network from the Internet or other external networks in order to prevent snooping on or hacking of the internal network.
Feature
LAT and Proxy Server - In the network configuration (LAT) dialog box, each address pair in the internal IP addresses list identifies a range of addresses that belongs to the private network. This information is used to create the LAT. When a client computer runs the client Setup program, this table is downloaded from the server to the client. When a WinSock Proxy or Web Proxy client attempts to access a network IP address, the LAT is used to determine whether the address is inside the private network (and can be connected to directly) or is outside on the Internet (and must be connected to through Microsoft Proxy Server).
Issue
IP Spoofing - IP spoofing or masquerading is a technique used in a network or system attack in which the attacking computer assumes the identity of a computer already in the internal network. The attacking computer spoofs or imitates the IP address of the internal computer either to send data as if it were on the internal network or to receive data intended for the machine being spoofed.
Feature
LAT and Web Proxy - The Microsoft Proxy Server is designed to prevent any IP packets with destination addresses not found in the LAT from entering the internal network. This plays a major role in preventing spoofing (IP address masquerading) attacks from the Internet.
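The two LAT rules above (the client's direct-or-proxy decision and the server's refusal to pass inbound packets whose destination is not in the LAT) as an added example, not Proxy Server code; the address pairs are constructed samples, and the planning check at the end reflects the earlier requirement that every private address be entered.

```python
"""Local Address Table (LAT) decisions modelled on the description above.
Added example, not Proxy Server code; the address pairs are constructed samples."""
from ipaddress import IPv4Address

# Constructed LAT: each pair is the first and last address of a range that
# belongs to the private network, as entered in the LAT dialog box.
SAMPLE_LAT = [
    ("10.0.0.1", "10.0.255.254"),
    ("192.168.5.1", "192.168.5.254"),
]


class LocalAddressTable:
    """Internal address ranges and the inside/outside questions asked of them."""

    def __init__(self, pairs):
        self.ranges = []
        for first, last in pairs:
            lo, hi = IPv4Address(first), IPv4Address(last)
            if lo > hi:
                raise ValueError(f"LAT pair {first}-{last} is reversed")
            self.ranges.append((lo, hi))

    def contains(self, address):
        addr = IPv4Address(address)
        return any(lo <= addr <= hi for lo, hi in self.ranges)

    def client_route(self, destination):
        """Client side: LAT addresses are contacted directly; anything else
        is sent through the Proxy Server."""
        return "direct" if self.contains(destination) else "proxy"

    def inbound_allowed(self, destination):
        """Server side: a packet from the outside whose destination is not in
        the LAT is not passed into the internal network."""
        return self.contains(destination)

    def missing_from_lat(self, private_hosts):
        """Planning check: private hosts the LAT omits would be routed via the
        proxy instead of reached directly, so every address must be entered."""
        return [h for h in private_hosts if not self.contains(h)]
```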
Issue
Access to Unauthorized or Undesirable Internet Sites - Internet browser software will allow access to any site on the Internet. Many corporate entities find that certain sites are unacceptable in their content or will want to limit access to only business-related sites. These organizations prefer to restrict access not only by written policy, but also by enforcing an actual restriction on those sites that they deem to be unacceptable. Lack of site access restrictions and of a policy regarding site access may be interpreted to mean that access to all sites is acceptable. Appropriate use and legal liability are risks associated with internal users accessing outside resources. This risk can be mitigated through controls such as filtering for certain sites identified as inappropriate, issuance of a policy regarding site access, and monitoring site access.
Feature
Site / Domain Filtering - Microsoft Proxy Server includes the capability for an administrator to limit which Internet sites can be accessed by the internal client user population. This feature can be configured to grant or deny access to all sites except those listed in the proxy filtering database. Filtering can be assigned by providing specific, individual network addresses, network address ranges and subnet masks, or Internet domain names. This feature is disabled by default and must be enabled before it can be used. Access may be controlled through either a granted list or a denied list: all access is granted except to the sites listed, or all access is denied except to the sites listed. The system administrator may override filtering through the use of the Unlimited protocol of the WinSock Proxy.
Issue
Unauthorized Users - Most corporations desire to control access to the Internet. Authentication of users connecting to this medium will provide some comfort level that the appropriate persons are using the access facility. Poor or no authentication may lead to a loss of accountability in the use of the private and public network.
Feature
User Level Authentication - This feature is implemented and operates differently within the Web Proxy and the WinSock Proxy Servers. Use of an anonymous logon, between Client and Proxy Server, is the most common access method to the Internet. Use of this method assumes that the connection is coming through the internal network and is essentially trusted. There is no security involved with this connection, other than assuring the client is on the internal network. Microsoft Proxy Server offers two kinds of user level authentication.
Basic Authentication - With Basic Authentication enabled, a username and password are passed to the Microsoft Proxy Server in the uuencoded format. UUencoding means that the text is scrambled, but normal ASCII characters are visible, so the username Murray might come out as Nvttbz. To the casual viewer this may seem unusable; however, encoded text is easily unscrambled by certain code breaking programs.
Windows NT Challenge/Response Authentication - Windows NT Challenge/Response (NTCR) authentication is Windows NT's highest level of security. NTCR is typically run in a networked environment that includes Windows NT Servers and Windows NT Workstations. Windows 95 workstations can also use NTCR to provide secure client authentication. Windows for Workgroups and Windows 3.1 cannot utilize this method by default, but may be upgraded to do so.
The WinSock Proxy provides access control similarly to the Web Proxy. When access control is enabled, the WinSock Proxy authenticates all users with the Windows NT Challenge / Response method. When access control is disabled, the WinSock Proxy allows anonymous access.
In the WinSock Proxy, if access control is disabled, then all users have access. This is the equivalent of disabling access control in the Web Proxy. If access control is enabled, only those users granted permission to the specific protocol can access the Proxy Server.
Issue
Visibility of Internal Network Addresses to the Internet - Must provide transparent access from a private network to the Internet while protecting the internal network.
Feature
Proxy Architecture - The Proxy Server provides IP address aggregation. For every client request it receives, the Proxy Server issues that request to the external network using its external IP address, thus concealing the internal network addresses from the outside. When services are proxied by the Microsoft Proxy Server, the source IP address of each service request is re-mapped to that of the Proxy Server external network adapter. This ensures that any unauthorized party cannot determine the internal network addresses of client workstations and later attempt to penetrate those workstations through some other open access point.
Issue
Denial of Service Attacks - The "Denial of Service Attack" uses automated tools to flood the port(s) of the system providing access to the network with requests for connections that will be denied. Flooding the entry ports exploits the fact that a single point of control can also be a single point of failure. These attacks cause a Server to become so occupied with the attack that it either crashes or only responds to the attack scenario preventing any legitimate uses of the Server.
Feature
Many features of the UNIX operating system that could be used in denial of service attacks are functions that are not available in a standard Windows NT Server installation. These features include server services for finger, rexec, rlogin, etc. In addition, attempts to TELNET to an open port produce a successful packet acknowledgment, which prevents the SYN attack.

Caching is the process of storing objects such as graphics, sound bites, and documents on the local hard drive of the Proxy Server. If a client requests information from the Internet that has already been cached by Proxy Server, Proxy Server will pass the cached information to the client rather than going out to the Internet and retrieving the information. Caching increases performance in the following ways:
- Provides the ability to support more clients with less bandwidth.
- Provides much faster response time for clients when cached information is present.
- The ability to service clients with Internet information when the target Internet site is not available.
Proxy Server uses two types of caching. The first is passive caching and the second is active caching.
Passive caching is the basic mode of caching used by Proxy Server. Proxy Server is positioned between the client PC and the Internet and intercepts requests from the client. Before forwarding the request to the Internet, Proxy Server determines if the cache can satisfy the request.
Normally, in passive caching, an object is placed in the cache and a Time-To-Live (TTL) is associated with that object. During this TTL, all requests for the object are serviced from cache without generating any Internet traffic. After the TTL has expired, future client requests for an object will generate Internet traffic to the site where the object was retrieved. The response from the server will be stored in the cache and a new TTL will be calculated. If the data is not in the cache, Proxy Server retrieves the data from the Internet, returns it to the client, and then inserts it into the cache.
Proxy Server uses active caching to improve the client-perceived performance by increasing the likelihood that a requested object will be found in the cache. Active caching works as a superset to passive caching. Active caching allows Proxy Server to update cache objects on its own without having to rely on clients to request the objects. Proxy Server performs active caching according to the following guidelines:
- Popularity of an object: The more times an object has been requested by clients on a LAN, the more likely Proxy Server is to actively make sure that object is current.
- Server load: Proxy Server performs more aggressive active caching during periods of low server load than during high load.
- Object expiration: Proxy Server will verify objects which are closer to passing their TTL more readily than it will objects that have a longer time to live.
When Proxy Server performs active caching, the objects in the cache are more likely to be current. This helps to increase performance for clients because Proxy Server is less likely to have to go out to the Internet to retrieve data when current copies of objects are present in the cache. Non-peak times are used to update each cache object.
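The passive TTL behaviour and the active-caching pass just described, together with the three request outcomes the cache performance figures later distinguish (served from cache, served after checking the site, retrieved from the Internet), as an added illustration rather than Proxy Server's own implementation; the origin server is a constructed in-memory stand-in, and the low-load threshold for the active pass is an assumption.

```python
"""Passive caching with a TTL, plus the active-caching pass and the hit
accounting described above. Added illustration, not Proxy Server's own
implementation; the origin server is a constructed in-memory stand-in and the
low-load threshold is an assumption."""
import time

# Constructed stand-in for the Internet: url -> current content at the site.
ORIGIN_CONTENT = {"http://example.org/a.gif": "gif-v1",
                  "http://example.org/b.htm": "htm-v1"}


class ProxyCache:
    def __init__(self, origin=ORIGIN_CONTENT, ttl=60.0, clock=time.monotonic):
        self.origin, self.ttl, self.clock = origin, ttl, clock
        self.cache = {}   # url -> [body, expires_at, request_count]
        # Counters for the three outcomes the cache performance figures report.
        self.counts = {"cache": 0, "revalidated": 0, "internet": 0}

    def get(self, url):
        """Passive caching: serve from cache while the TTL holds; after it
        expires, contact the site, store the response and set a new TTL."""
        now = self.clock()
        entry = self.cache.get(url)
        if entry and now < entry[1]:
            entry[2] += 1
            self.counts["cache"] += 1
            return entry[0]
        body = self.origin[url]             # Internet round trip
        if entry and entry[0] == body:      # site reports content unchanged
            self.counts["revalidated"] += 1
            entry[1], entry[2] = now + self.ttl, entry[2] + 1
        else:
            self.counts["internet"] += 1
            self.cache[url] = [body, now + self.ttl, (entry[2] + 1) if entry else 1]
        return self.cache[url][0]

    def active_refresh(self, server_load, max_objects=1):
        """Active caching: during low load, refresh the most popular objects
        that are closest to their TTL, without waiting for a client request."""
        if server_load >= 0.5:   # assumption: skip the pass under high load
            return []
        now = self.clock()
        ranked = sorted(self.cache, key=lambda u: (-self.cache[u][2],
                                                   self.cache[u][1] - now))
        refreshed = ranked[:max_objects]
        for url in refreshed:
            self.cache[url][0] = self.origin[url]
            self.cache[url][1] = now + self.ttl
        return refreshed

    def hit_percentages(self):
        """Share of requests per outcome, rounded to whole percentage points."""
        total = sum(self.counts.values()) or 1
        return {k: round(100 * v / total) for k, v in self.counts.items()}
```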
Proxy Server supports both inbound and outbound packet filtering. Proxy Server dynamically determines which packets can be passed through to the internal network's circuit and application layer proxy services. Individual packet filters are configured to prevent packets from being passed through Proxy Server except for the ones specified. Instead of the network administrator having to manually predefine and permanently open a set of ports for different applications, this feature opens ports automatically only as needed, then closes the ports when the communication ends. This approach reduces the number of exposed ports in either direction and provides a high level of security for your network.
You can restrict access to remote Web sites by domain name, IP address, and subnet mask. You can choose to grant access to all Web sites except those listed, or to deny access to all Web sites except those listed. The settings are global and affect all users who access the Internet through the Proxy Server computer.
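The two filtering modes just described, and the site/domain filtering feature from the Issues and Features section (entries as a single address, an address range with subnet mask, or a domain name, with denied attempts logged per user), as an added example that is not Proxy Server's own code; the entries, users, hosts and the wording of the denial message are constructed.

```python
"""Site/domain filtering in the two modes described above: grant all access
except to listed sites, or deny all access except to listed sites.
Added example, not Proxy Server code; entries, users and hosts are constructed."""
from ipaddress import IPv4Address, IPv4Network

# Constructed filter entries, in the three forms the text names: a domain
# name, a single network address, and an address range with a subnet mask.
SAMPLE_ENTRIES = ["www.pointcast.com", "203.0.113.25", "198.51.100.0/255.255.255.0"]
DENY_MESSAGE = "Access to {host} is not authorized; this attempt has been logged."


class SiteFilter:
    def __init__(self, entries, mode="deny_listed"):
        # "deny_listed": all access granted except to listed sites
        # "grant_listed": all access denied except to listed sites
        if mode not in ("deny_listed", "grant_listed"):
            raise ValueError(f"unknown filter mode: {mode}")
        self.mode = mode
        self.networks, self.domains = [], []
        for entry in entries:
            try:   # single addresses and address/mask ranges parse as networks
                self.networks.append(IPv4Network(entry, strict=False))
            except ValueError:   # anything else is treated as a domain name
                self.domains.append(entry.lower().lstrip("."))
        self.denied_log = []   # (user, host) for every blocked attempt

    def is_listed(self, host):
        host = host.lower()
        try:
            addr = IPv4Address(host)
        except ValueError:   # not an address: match the domain or a subdomain
            return any(host == d or host.endswith("." + d) for d in self.domains)
        return any(addr in net for net in self.networks)

    def check(self, user, host):
        """Return True if the request may proceed; log denied attempts."""
        listed = self.is_listed(host)
        allowed = listed if self.mode == "grant_listed" else not listed
        if not allowed:
            self.denied_log.append((user, host))
        return allowed

    def deny_message(self, host):
        """Customized error text returned to the browser instead of the page."""
        return DENY_MESSAGE.format(host=host)

    def denied_by_user(self):
        """Log review: which users tried to reach blocked sites."""
        report = {}
        for user, host in self.denied_log:
            report.setdefault(user, []).append(host)
        return report
```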

The main goal in my preliminary evaluation was to test the capabilities of Proxy Servers caching software and its filtering capabilities. Although Proxy Server also provides firewall like security, it was not tested in this evaluation. A detailed evaluation of the security features will be tested at a later date in cooperation with the Computer Emergency Response Team (CERT). Figure 5 shows the testbed configuration.
Figure - 5 Architecture for a Small Directorate
The evaluation was conducted over a three week time period with the assistance of the Technical Services Branch and several users from throughout the organization. Testing was conducted with two control groups. The first group consisted of users who accessed the net without using Proxy Server. The users in the second group used Proxy Server to access the Internet. Performance measurement and data collection were done through the use of NT Performance Monitor and the software metrics for Proxy Server 2.0. The remainder of this section will highlight specific areas tested and the results of those tests.
Prior to installing Proxy Server 2.0, an additional network adapter was added to the test server. Installation of Proxy Server 2.0 went without a hitch. It took about 30 minutes to load Proxy Server and to reapply NT Service Pack 3. Proxy Server successfully built the LAT with the IP addresses of the test network. Minimal security was configured for this evaluation. Table 5 shows the configuration of the server used during this test.
Table - 5 Testbed Server Configuration
Computer Name | Network Protocol | Operating System and Hardware Configuration
PROXY-1 | TCP/IP |
Installation of the client software worked as advertised. Each client connected to the share that was created during installation of Proxy Server. The client software was configured so that it would automatically configure Internet Explorer to use the Proxy Server as its gateway for Internet access. Table 6 depicts the configuration of the client computers used in this evaluation.
Table - 6 Client Computer Configuration
Computer Name | Network Protocol | Operating System and Hardware Configuration
Client1, Client2, Client3 | TCP/IP |
As more managers become concerned about workers accessing inappropriate sites and sites that take up lots of bandwidth such as pointcast.com, blocking access to such sites becomes a number one priority. Site filtering is a feature that was heavily tested. We selected several sites that were deemed inappropriate to test the filtering mechanism. The filtering worked like a charm. Not only did it prevent the testers from accessing these sites, but we were also able to customize the error message that was returned. With the customized error messages, there is no doubt in the mind of the user that he/she tried to access unauthorized sites. These attempts were also logged. When reviewing the logs, we were able to tell which users had tried to access these sites. This tool now allows management to punish the individual instead of mass punishment for everyone. Both IP filtering and domain filtering were used to block access. The following list contains some of the sites that were blocked during the test:
- www.playboy.com
- www.pointcast.com
- www.penthouse.com
There are several ways to measure the caching performance of Proxy Server. You can measure how fast the proxy server fulfills requests from its cache, or you can measure how fast the proxy server fulfills requests across a network connection. Figure 6 shows the performance numbers we experienced during the evaluation of Proxy Server; the numbers have been rounded to the nearest percentage point.
Figure - 6 Proxy Server Cache Performance
As the chart illustrates, the cache fulfills 45% of the Web requests handled by the Proxy Server computer. This translates directly into a network traffic reduction of that same percentage. Twenty-five percent of the requests are fulfilled solely from the cache, because the cache is aware of each object's expiration date, which is based on the TTL. The remaining 20% that is served from the cache requires that the Proxy Server computer contact the original Web site to determine if the Web content has been modified since it was last cached. These figures were obtained by using NT Performance Monitor and the software metrics for Proxy Server.
In most cases, this translated into response times that were 50-75% faster for the users of Proxy Server over the users who did not go through the Proxy Server. Over an extended period of time, this can result in significant savings in productivity and bandwidth costs.

Although I've been using Proxy Server on my home network for a year and a half, this is my first evaluation of its possible use in an enterprise environment. I use it to provide cheap Internet access for my home network. It allows all four of my computers to surf the Internet on the same phone call.
Proxy Server shows great promise for use in my organization and throughout the theater. Some of the benefits that units stand to gain are:
- Bandwidth savings = cost savings
- Maximum use of available network facilities
- Sharing of the Internet connection resource among many users
- Single, secure gateway to manage and monitor
- Ability to offer Internet access appropriate to the individual or group
- Ability to track usage by user
- Increased Internet performance, especially if caching is enabled
- Cheaper than traditional firewalls
In two weeks I'm scheduled to brief management on my findings up to this point. I think they will be very receptive to what I will have to tell them. Although the extensive security features of Proxy Server were not tested in this evaluation, they will be tested at a later date. The primary reason for possibly deploying Proxy Server at this time is to increase Internet performance. A lot of our business processes have been reengineered, and the solution in just about every case has been to develop some type of web application. Some of these applications include financial and personnel systems which are considered crucial to readiness.
In most cases, technology can be used to solve our business problems. However, in the military, politics is the biggest hurdle you have to get over. Even though it's plain to see that establishing a Proxy Server architecture based on figure 3-4 would be beneficial, it will be an uphill battle trying to get the plan implemented.
This type of deployment would require each directorate to give up a little bit of control which in the past they have been unwilling to do. The one-star general in each directorate likes having someone in their own shop to fix their problems as opposed to having to call a centralized help desk. The Chief of Staff (two-star general) would have to support the plan in order to garner the support needed from each of the directorates.
However, I will recommend that each directorate consider implementing a Proxy Server design based on figure 3-3. This will provide them with the opportunity to increase Internet performance and provide management with the tools needed to monitor and manage Internet use in their respective directorates.
In closing I would like to reiterate the fact that I believe in the upcoming months, we will experience a heavy deployment of Proxy Servers in the European Theater. At this time there are several ongoing projects to address this very situation.
