Security Basics mailing list archives

Re: Should proxy have one interface or two


From: "Gleb Paharenko" <gpaharenko () gmail com>
Date: Tue, 15 Jul 2008 16:06:15 +0300

---------- Forwarded message ----------
From: Rivest, Philippe <PRivest () transforce ca>
Date: 2008/7/14
Subject: RE: Should proxy have one interface or two
To: Gleb Paharenko <gpaharenko () gmail com>


No, that's a very normal and accepted network setup.
I don't remember the name of that setup, but a single firewall setup is
considered basic security. If you want to add security, here's how you could do
it.


Internet
 |
 |
(pub int) (1)
 Router
 |
 |------------- ProxyLan
 |
Internal router (2)
 |
 |
Lan



A dual firewall will help you grant access to public resources/clients and limit
access to private and internal resources. This is done using 2 firewalls that
"share" a single network; that network in your design should be
ProxyLan. Router (1) will face the internet and be more user friendly (usually),
and router (2) will have the goal of protecting/limiting access from and to internal
hosts/servers. Using this you could have a single policy set up differently on
each router.


Firewall (1): grant access to HTTP server in "PROXYLAN" (external web site)
Firewall (1): grant access to MAIL server in "Proxylan" (mail forwarder to
internal mail server)
Firewall (1): grant telnet/ssh/ftp access to servers in Proxylan
Firewall (1): grant access to VPN concentrator (for external connections)
Firewall (1): DENY ALL

Firewall (2): Grant HTTP request & answer only if initiated from LAN
Firewall (2): Grant access from MAIL server within "PROXYLAN" to the prime mail
server within the LAN (to sync them)
Firewall (2): Grant access from VPN concentrator to ALL (example)
Firewall (2): DENY ALL


Basically, we denied all access in firewall 2 that was:
ssh
telnet
ftp
mail - limited to server-to-server communication
http request & answer - only those that an internal host initiated


and the list could go on.


Hope this helped :P :P


Merci / Thanks
Philippe Rivest, CEH
Internal information security auditor
Email: Privest () transforce ca
Phone: (514) 331-4417
www.transforce.ca

You could print this email, but it does take a long time to grow trees.
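As an added illustration that is not part of the thread, the two rule sets above can be modelled as a pair of stateful first-match filters with a DENY ALL default, so you can check which flows have to satisfy Firewall (1), Firewall (2), or both. Zone names, port numbers and the reflexive session table are assumptions of this sketch; the VPN concentrator rule is left out because it needs per-host identity.

```python
from collections import namedtuple

# reply=True marks the answer half of a session (e.g. the HTTP response).
Pkt = namedtuple("Pkt", "src dst port reply", defaults=(False,))

# Zones in order of trust; firewall k sits between ORDER[k] and ORDER[k+1].
ORDER = ["internet", "proxylan", "lan"]


class Firewall:
    """First-match rule list with an implicit DENY ALL.

    A rule is (src_zone, dst_zone, port); '*' matches anything. New sessions
    that are admitted are remembered so that answers can be matched reflexively,
    which is what "grant request & answer only if initiated from LAN" needs.
    """

    def __init__(self, name, rules):
        self.name, self.rules, self.sessions = name, list(rules), set()

    def check(self, pkt):
        if pkt.reply:
            # Only answers to a session this firewall already admitted get through.
            return (pkt.dst, pkt.src, pkt.port) in self.sessions
        for src, dst, port in self.rules:
            if src in (pkt.src, "*") and dst in (pkt.dst, "*") and port in (pkt.port, "*"):
                self.sessions.add((pkt.src, pkt.dst, pkt.port))
                return True
        return False  # DENY ALL


def build_dmz():
    """Philippe's two policies, with constructed port numbers for each service."""
    fw1 = Firewall("Firewall (1)", [("internet", "proxylan", p) for p in (80, 25, 22, 23, 21)])
    fw2 = Firewall("Firewall (2)", [("lan", "proxylan", 80),   # HTTP, LAN-initiated only
                                    ("proxylan", "lan", 25)])  # mail server to mail server
    return [fw1, fw2]


def permitted(pkt, fws):
    """A packet passes only if every firewall between its two zones accepts it."""
    i, j = sorted((ORDER.index(pkt.src), ORDER.index(pkt.dst)))
    return all(fw.check(pkt) for fw in fws[i:j])


if __name__ == "__main__":
    fws = build_dmz()
    for p in (Pkt("internet", "proxylan", 22), Pkt("internet", "lan", 22),
              Pkt("lan", "proxylan", 80), Pkt("proxylan", "lan", 80, reply=True),
              Pkt("proxylan", "lan", 22), Pkt("lan", "internet", 80)):
        print(p, "ALLOW" if permitted(p, fws) else "DENY")
```

Running it shows the point of the split policy: ssh from the internet reaches ProxyLan but never the LAN, an HTTP answer from ProxyLan is admitted only after the LAN opened the session, and the LAN cannot reach the internet except through the proxy.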

-----Original Message-----
From: Gleb Paharenko [mailto:gpaharenko () gmail com]
Sent: 14 July 2008 04:41
To: Rivest, Philippe
Subject: Re: Should proxy have one interface or two

2008/7/11 Rivest, Philippe <PRivest () transforce ca>:
Ok, your question is not very well structured, so I may have misunderstood
it.

A proxy is a device that takes a connection, filters it and sends it to the
third-party device.

Client -----> PROXY ------> Third party

The filter part makes sure that your TCP stack is well formed (for
example).

It also can (and should) be used as a NAT device, hiding the internal IP. Doing
so, it also prevents a direct connection to the third party.


If you use a setup like this:

Client \
         \
          \
           Proxy
           /
          /
Third party

Why can't your client do:


Client
 |
 |
 |         Proxy
 |
 |
Third party


That's why you have 2 interfaces: to prevent bypassing of the proxy, to
enforce the filter option, to hide the internal IP/naming convention and so
on. You can also, with the normal proxy setup, filter web-based URLs, for
example.

Hope this helped :P


My scheme is


Internet
 |
 |
(pub int)
 Router ------- ProxyLan
 |
 |
Lan


The Lan and ProxyLan are separate subnetworks. Antispoofing is enabled on the
router interfaces, and the router has ACLs which allow only Lan to
ProxyLan (reflexive, in Cisco terms).

Does this scheme still have issues?





Merci / Thanks
Philippe Rivest, CEH
Internal information security auditor
Email: Privest () transforce ca
Phone: (514) 331-4417
www.transforce.ca

You could print this email, but it does take a long time to grow trees.


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
behalf of Gleb Paharenko
Sent: 11 July 2008 08:09
To: security-basics () securityfocus com
Subject: Should proxy have one interface or two

Hi, list.

In many network designs the web proxy server has two interfaces. One is
for internal clients, the second is the outgoing interface for the proxy.
Why not use one interface both for incoming requests from users
and for outgoing requests from the proxy? Of course this interface should
be in a separate subnet with firewalled control on it, and it should be
SNATed as well. I hope I clearly described my question of why it is
better to have two interfaces in different subnets for a web proxy.


--
Best regards.
Gleb Pakharenko.
http://gpaharenko.livejournal.com
http://www.linkedin.com/in/gpaharenko




--
Best regards.
Gleb Pakharenko.
http://gpaharenko.livejournal.com
http://www.linkedin.com/in/gpaharenko




