Security Basics mailing list archives
Re: Should proxy have one interface or two
From: "Gleb Paharenko" <gpaharenko () gmail com>
Date: Tue, 15 Jul 2008 16:06:15 +0300
---------- Forwarded message ----------
From: Rivest, Philippe <PRivest () transforce ca>
Date: 2008/7/14
Subject: RE: Should proxy have one interface or two
To: Gleb Paharenko <gpaharenko () gmail com>

No, that's a very normal and accepted network setup. I don't remember the name of that setup, but a single-firewall setup is considered basic security. If you want to add security, here's how you could do it.

    Internet
       |
       | (pub int)
    (1) Router
       |
       |------------- ProxyLan
       |
    Internal router (2)
       |
       |
      Lan

A dual firewall will help you grant access to public resources/clients and limit access to private and internal resources. This is done using 2 firewalls that "share" a single network together; that network in your design should be ProxyLan. Router (1) will face the Internet and be more user friendly (usually), and router (2) will have the goal of protecting/limiting access from and to internal hosts/servers. Using this you could have a single policy set up differently on each router.

Firewall (1): grant access to HTTP server in "PROXYLAN" (external web site)
Firewall (1): grant access to MAIL server in "ProxyLan" (mail forwarder to internal mail server)
Firewall (1): grant telnet/ssh/ftp access to servers in ProxyLan
Firewall (1): grant access to VPN concentrator (for external connections)
Firewall (1): DENY ALL

Firewall (2): grant HTTP request & answer only if initiated from LAN
Firewall (2): grant access from MAIL server within "PROXYLAN" to mail server prime within LAN (to sync them)
Firewall (2): grant access from VPN concentrator to ALL (example)
Firewall (2): DENY ALL

Basically, we denied all access in firewall 2 that was:
ssh, telnet, ftp
mail - limited to server-to-server communication
http request & answer - only those that an internal host initiated
and the list could go on.
Hope this helped :P :P

Merci / Thanks
Philippe Rivest, CEH
Internal information security auditor
Email: Privest () transforce ca
Phone: (514) 331-4417
www.transforce.ca
You could print this email, but it does take a long time to grow trees.

-----Original Message-----
From: Gleb Paharenko [mailto:gpaharenko () gmail com]
Sent: 14 July 2008 04:41
To: Rivest, Philippe
Subject: Re: Should proxy have one interface or two

2008/7/11 Rivest, Philippe <PRivest () transforce ca>:
Ok, your question is not very well structured, so I may have misunderstood it. A proxy is a device that takes a connection, filters it and sends it to the third-party device.

    Client -----> PROXY ------> Third party

The filter part makes sure that your TCP stack is well formed (for example). It also can (and should) be used as a NAT device, hiding the internal IP. Doing so, it also prevents a direct connection to the third party. If you use a setup like this:

    Client
       \
        \
         \
        Proxy
         /
        /
    Third party

why can't your client do:

    Client
      |
      |
      |     Proxy
      |
      |
    Third party

That's why you have 2 interfaces: to prevent the bypassing of the proxy, to enforce the filter option, to hide the internal IP/naming convention and so on. You can also, with the normal proxy setup, filter web-based URLs for example. Hope this helped :P
My scheme is:

    Internet
       |
       | (pub int)
    Router ------- ProxyLan
       |
       |
      Lan

The Lan and ProxyLan are separate subnetworks. Anti-spoofing is enabled on the router interfaces, and the router has ACLs which allow only Lan to ProxyLan (reflexive, in Cisco terms). Does this scheme still have issues?
Merci / Thanks
Philippe Rivest, CEH
Internal information security auditor
Email: Privest () transforce ca
Phone: (514) 331-4417
www.transforce.ca
You could print this email, but it does take a long time to grow trees.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On behalf of Gleb Paharenko
Sent: 11 July 2008 08:09
To: security-basics () securityfocus com
Subject: Should proxy have one interface or two

Hi, list. In many network designs the web proxy server has two interfaces. One is for internal clients, the second is the outgoing interface for the proxy. Why not use one interface both for incoming requests from users and for outgoing requests from the proxy? Of course this interface should be in a separate subnet with firewalled control on it, and it should be SNATed as well. I hope I have clearly described my question of why it is better to have two interfaces in different subnets for a web proxy.

--
Best regards.
Gleb Pakharenko.
http://gpaharenko.livejournal.com
http://www.linkedin.com/in/gpaharenko
--
Best regards.
Gleb Pakharenko.
http://gpaharenko.livejournal.com
http://www.linkedin.com/in/gpaharenko
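As an added illustration, not code from the thread or from either poster, here is a small Python model of the two-firewall layout Philippe describes (firewall 1 between the Internet and ProxyLan, firewall 2 between ProxyLan and the Lan) together with the stateful, "reflexive" behaviour Gleb mentions. Each firewall is a permit list with an implicit DENY ALL and a connection table, so replies to a permitted flow are allowed but a new connection in the reverse direction is not. The addresses, the port numbers, the VPN protocol and the rule letting the proxy itself fetch from the Internet are all assumptions: the thread names the zones and services but gives no numbers, and this is a model, not a Cisco configuration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed topology for the example; the thread names the zones but gives
# no addresses, so these are documentation/private ranges chosen here.
PROXYLAN = ip_network("192.0.2.0/24")
LAN = ip_network("10.0.0.0/24")
INTERNET = ip_network("0.0.0.0/0")      # "anything" as a rule endpoint
WEB, MAILFWD, VPN, PROXY = "192.0.2.10", "192.0.2.25", "192.0.2.50", "192.0.2.80"
MAILPRIME, CLIENT = "10.0.0.25", "10.0.0.100"
INET_HOST = "203.0.113.5"               # some host out on the Internet


def host(ip: str):
    return ip_network(ip + "/32")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    """A permit entry; anything not matched falls through to the implicit DENY ALL."""
    src: object             # ip_network
    dst: object             # ip_network
    dport: Optional[int]    # None = any port
    proto: Optional[str]    # None = any protocol


class StatefulFirewall:
    """Permit list plus connection table ("reflexive ACL" behaviour): return
    traffic for a permitted flow is allowed, a new reverse-direction flow is not."""

    def __init__(self, name: str, rules):
        self.name, self.rules, self.state = name, list(rules), set()

    @staticmethod
    def _matches(rule: Rule, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in rule.src and ip_address(pkt.dst) in rule.dst
                and rule.dport in (None, pkt.dport) and rule.proto in (None, pkt.proto))

    def check(self, pkt: Packet) -> bool:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.state or reverse in self.state:  # established flow or its reply
            return True
        if any(self._matches(r, pkt) for r in self.rules):
            self.state.add(key)                           # remember the permitted flow
            return True
        return False                                      # implicit DENY ALL


FW1 = StatefulFirewall("FW1", [                 # outer: Internet <-> ProxyLan
    Rule(INTERNET, host(WEB), 80, "tcp"),       # external web site
    Rule(INTERNET, host(MAILFWD), 25, "tcp"),   # mail forwarder
    Rule(INTERNET, PROXYLAN, 21, "tcp"),        # ftp / ssh / telnet to ProxyLan servers
    Rule(INTERNET, PROXYLAN, 22, "tcp"),
    Rule(INTERNET, PROXYLAN, 23, "tcp"),
    Rule(INTERNET, host(VPN), 500, "udp"),      # VPN concentrator (IKE assumed)
    Rule(host(PROXY), INTERNET, 80, "tcp"),     # assumption: the proxy itself must fetch
    Rule(host(PROXY), INTERNET, 443, "tcp"),
])
FW2 = StatefulFirewall("FW2", [                 # inner: ProxyLan <-> Lan
    Rule(LAN, host(PROXY), 3128, "tcp"),        # HTTP only via the proxy, only from the LAN
    Rule(host(MAILFWD), host(MAILPRIME), 25, "tcp"),  # forwarder -> prime mail server
    Rule(host(VPN), LAN, None, None),           # VPN concentrator -> all
])

ZONES = ["internet", "proxylan", "lan"]  # FW1 between the first two, FW2 between the last two


def zone(ip: str) -> str:
    a = ip_address(ip)
    return "lan" if a in LAN else "proxylan" if a in PROXYLAN else "internet"


def firewalls_on_path(src: str, dst: str):
    """Firewalls a packet crosses, in the order it meets them (empty if same zone)."""
    i, j = ZONES.index(zone(src)), ZONES.index(zone(dst))
    step = 1 if j > i else -1
    return [FW1 if {k, k + step} == {0, 1} else FW2 for k in range(i, j, step)]


def forward(pkt: Packet):
    """Return (delivered, blocked_by) after running the packet through each firewall on its path."""
    for fw in firewalls_on_path(pkt.src, pkt.dst):
        if not fw.check(pkt):
            return False, fw.name
    return True, None


if __name__ == "__main__":
    for p in [Packet(CLIENT, 40000, PROXY, 3128), Packet(PROXY, 3128, CLIENT, 40000),
              Packet(CLIENT, 40001, INET_HOST, 80), Packet(INET_HOST, 51000, WEB, 80),
              Packet(INET_HOST, 51001, MAILPRIME, 25)]:
        print(p, "->", forward(p))
```

The case to look at is the LAN client talking to the Internet host directly on port 80: it is stopped at FW2 before FW1 ever sees it, which is the "bypassing the proxy" that Philippe's two-interface argument is about, and a later packet from that Internet host pretending to be the reply is dropped at FW1 because no firewall ever recorded the flow.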
Current thread:
- Should proxy have one interface or two Gleb Paharenko (Jul 11)
- Re: Should proxy have one interface or two ॐ aditya mukadam ॐ (Jul 14)
- Message not available
- Re: Should proxy have one interface or two ॐ aditya mukadam ॐ (Jul 14)
- Message not available
- Re: Should proxy have one interface or two ॐ aditya mukadam ॐ (Jul 14)
- RE: Should proxy have one interface or two Сергей Цапок (Jul 15)
- Re: Should proxy have one interface or two Gleb Paharenko (Jul 15)