Re: Should proxy have one interface or two
- From: "Gleb Paharenko" <gpaharenko@xxxxxxxxx>
- Date: Tue, 15 Jul 2008 16:06:15 +0300
---------- Forwarded message ----------
From: Rivest, Philippe <PRivest@xxxxxxxxxxxxx>
Date: 2008/7/14
Subject: RE: Should proxy have one interface or two
To: Gleb Paharenko <gpaharenko@xxxxxxxxx>
No, that's a very normal and accepted network setup.
I don't remember the name of that setup, but a single firewall setup is
considered basic security. If you want to add security, here's how you could do
it.
Internet
|
|
(pub int) (1)
Router
|
|------------- ProxyLan
|
Internal router (2)
|
|
Lan
A dual firewall will help you grant access to public resources/clients and limit
access to private and internal resources. This is done using 2 firewalls that
would "share" a single network together; in your design that network should be
ProxyLan. Router (1) will face the Internet and be more user friendly (usually),
and router (2) will have the goal of protecting/limiting access from and to internal
hosts/servers. Using this you could have a single policy set up differently on
each router.
Firewall (1): grant access to HTTP server in ProxyLan (external web site)
Firewall (1): grant access to MAIL server in ProxyLan (mail forwarder to
internal mail server)
Firewall (1): grant telnet/ssh/ftp access to servers in ProxyLan
Firewall (1): grant access to VPN concentrator (for external connection)
Firewall (1): DENY ALL
Firewall (2): grant HTTP request & answer only if initiated from LAN
Firewall (2): grant access from MAIL server within ProxyLan to mail server
prime within LAN (to sync them)
Firewall (2): grant access from VPN concentrator to ALL (example)
Firewall (2): DENY ALL
Basically, we denied all access in firewall 2 that was:
ssh
telnet
ftp
mail - limited to server-to-server communication
HTTP request & answer - only those that an internal host initiated
and the list could go on.
Hope this helped :P :P
Thanks
Philippe Rivest, CEH
Internal Information Security Auditor
Email: Privest@xxxxxxxxxxxxx
Phone: (514) 331-4417
www.transforce.ca
You could print this email, but it does take a long time to grow trees.
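An added example, not written by any participant in this thread: a small Python model of the two-firewall policy listed above. Each firewall keeps reflexive state, so "HTTP request & answer only if initiated from LAN" behaves like the reflexive ACL Gleb describes for his single-router scheme further down. The addresses, host names and the port numbers attached to each rule are constructed assumptions; the proxy's own outbound traffic through Firewall (1) is not in Philippe's list and is therefore not modelled.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Set, Tuple

# Constructed addressing for the diagram's zones (assumption: the thread gives
# no real addresses). Anything outside these two networks counts as "internet".
ZONES = {"proxylan": ip_network("192.0.2.0/24"), "lan": ip_network("10.0.0.0/8")}
HTTP_SERVER, MAIL_RELAY, VPN_CONC = "192.0.2.10", "192.0.2.25", "192.0.2.30"
MAIL_PRIME = "10.0.0.25"    # the "mail server prime within LAN"
LAN_CLIENT = "10.0.0.50"
OUTSIDE = "203.0.113.7"     # an arbitrary Internet host

def zone_of(addr: str) -> str:
    a = ip_address(addr)
    for name, net in ZONES.items():
        if a in net:
            return name
    return "internet"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = True        # True: new connection attempt; False: reply traffic

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: Optional[str] = None      # None matches any zone / host / port
    dst_zone: Optional[str] = None
    src_host: Optional[str] = None
    dst_host: Optional[str] = None
    dports: FrozenSet[int] = frozenset()

    def matches(self, p: Packet) -> bool:
        return ((self.src_zone is None or zone_of(p.src) == self.src_zone)
                and (self.dst_zone is None or zone_of(p.dst) == self.dst_zone)
                and (self.src_host is None or p.src == self.src_host)
                and (self.dst_host is None or p.dst == self.dst_host)
                and (not self.dports or p.dport in self.dports))

@dataclass
class Firewall:
    name: str
    rules: List[Rule]
    # Reflexive state: (client, server, server port) of connections this firewall
    # permitted, so the answer direction needs no rule of its own.
    state: Set[Tuple[str, str, int]] = field(default_factory=set)

    def check(self, p: Packet) -> Tuple[bool, str]:
        if not p.syn:   # replies pass only for a connection this firewall allowed
            if (p.dst, p.src, p.sport) in self.state:
                return True, f"{self.name}: established"
            return False, f"{self.name}: reply without a permitted connection"
        for r in self.rules:            # first match wins; otherwise DENY ALL
            if r.matches(p):
                self.state.add((p.src, p.dst, p.dport))
                return True, f"{self.name}: {r.name}"
        return False, f"{self.name}: DENY ALL"

FW1 = Firewall("Firewall (1)", [
    Rule("HTTP server in ProxyLan", dst_host=HTTP_SERVER, dports=frozenset({80})),
    Rule("MAIL server in ProxyLan", dst_host=MAIL_RELAY, dports=frozenset({25})),
    Rule("telnet/ssh/ftp to ProxyLan servers", dst_zone="proxylan",
         dports=frozenset({21, 22, 23})),
    Rule("VPN concentrator", dst_host=VPN_CONC),
])
FW2 = Firewall("Firewall (2)", [
    Rule("HTTP only if initiated from LAN", src_zone="lan", dst_zone="proxylan",
         dports=frozenset({80})),
    Rule("MAIL relay to mail prime", src_host=MAIL_RELAY, dst_host=MAIL_PRIME,
         dports=frozenset({25})),
    Rule("VPN concentrator to ALL", src_host=VPN_CONC),
])

def path(p: Packet) -> List[Firewall]:
    """Firewalls a packet crosses, in travel order: (1) sits between the Internet
    and ProxyLan, (2) between ProxyLan and the LAN; Internet<->LAN crosses both."""
    sz, dz = zone_of(p.src), zone_of(p.dst)
    if sz == dz:
        return []
    hops = ([FW1] if "internet" in (sz, dz) else []) + ([FW2] if "lan" in (sz, dz) else [])
    return hops[::-1] if sz == "lan" else hops

def evaluate(p: Packet) -> Tuple[bool, str]:
    reasons = []
    for fw in path(p):
        ok, why = fw.check(p)
        reasons.append(why)
        if not ok:
            return False, "; ".join(reasons)
    return True, "; ".join(reasons) or "same zone"

def run_scenarios() -> dict:
    """Constructed flows; True means the packet reaches its destination."""
    s = {}
    # LAN client opens HTTP into ProxyLan; the answer passes on reflexive state.
    s["lan_http_request"] = evaluate(Packet(LAN_CLIENT, HTTP_SERVER, 40000, 80))[0]
    s["lan_http_answer"] = evaluate(Packet(HTTP_SERVER, LAN_CLIENT, 80, 40000, syn=False))[0]
    # HTTP opened from ProxyLan toward the LAN was not initiated from the LAN.
    s["proxylan_http_into_lan"] = evaluate(Packet(HTTP_SERVER, LAN_CLIENT, 40001, 80))[0]
    # Internet reaches web and ssh on ProxyLan through (1), but never the LAN.
    s["internet_http"] = evaluate(Packet(OUTSIDE, HTTP_SERVER, 50000, 80))[0]
    s["internet_ssh"] = evaluate(Packet(OUTSIDE, HTTP_SERVER, 50001, 22))[0]
    s["internet_ssh_into_lan"] = evaluate(Packet(OUTSIDE, MAIL_PRIME, 50002, 22))[0]
    s["proxylan_ssh_into_lan"] = evaluate(Packet(HTTP_SERVER, MAIL_PRIME, 50003, 22))[0]
    # Mail: only the relay may reach the prime mail server; VPN concentrator to ALL.
    s["relay_to_prime"] = evaluate(Packet(MAIL_RELAY, MAIL_PRIME, 50004, 25))[0]
    s["other_to_prime"] = evaluate(Packet(HTTP_SERVER, MAIL_PRIME, 50005, 25))[0]
    s["vpn_to_lan"] = evaluate(Packet(VPN_CONC, LAN_CLIENT, 50006, 445))[0]
    return s
```

Running `run_scenarios()` shows the point of the second firewall: a host in ProxyLan that is reachable from the Internet (web server, ssh) still cannot open anything into the LAN, and only the answer half of a LAN-initiated HTTP connection is let back through. The same state check is what a Cisco reflexive ACL gives Gleb's single router; the difference in Philippe's design is that a compromise of router (1) does not also remove that check.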
-----Original Message-----
From: Gleb Paharenko [mailto:gpaharenko@xxxxxxxxx]
Sent: 14 July 2008 04:41
To: Rivest, Philippe
Subject: Re: Should proxy have one interface or two
2008/7/11 Rivest, Philippe <PRivest@xxxxxxxxxxxxx>:
Ok, your question is not very well structured, so I may have misunderstood
it.
A proxy is a device that takes a connection, filters it and sends it to the
third-party device.
Client -----> PROXY ------> Third party
The filter part makes sure that your TCP stack is well formed (for
example).
It also can be used (and should be) as a NAT device, hiding the internal IP. Doing
so, it also prevents a direct connection to the third party.
If you use a setup like this:
Client \
\
\
Proxy
/
/
Third party
Why can't your client do:
Client
|
|
| Proxy
|
|
Third party
That's why you have 2 interfaces: to prevent the bypassing of the proxy, to
enforce the filter option, to hide the internal IP/naming convention and so
on. You can also, with the normal proxy setup, filter web-based URLs for
example.
Hope this helped :P
My scheme is
Internet
|
|
(pub int)
Router ------- ProxyLan
|
|
Lan
The Lan and ProxyLan are separate subnetworks. Antispoofing is enabled on the
router interfaces. And the router has ACLs which allow only Lan to
ProxyLan (reflexive in Cisco terms).
Does this scheme still have issues?
Thanks
Philippe Rivest, CEH
Internal Information Security Auditor
Email: Privest@xxxxxxxxxxxxx
Phone: (514) 331-4417
www.transforce.ca
You could print this email, but it does take a long time to grow trees.
-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On
behalf of Gleb Paharenko
Sent: 11 July 2008 08:09
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Should proxy have one interface or two
Hi, list.
In many network designs the web proxy server has two interfaces. One is
for internal clients, the second is the outgoing interface for the proxy.
Why not use one interface both for incoming requests from users
and for outgoing requests from the proxy? Of course this interface should
be in a separate subnet with firewalled control on it and it should be
SNATed as well. I hope I have clearly described my question of why it is
better to
have two interfaces in different subnets for a web proxy.
--
Best regards.
Gleb Pakharenko.
http://gpaharenko.livejournal.com
http://www.linkedin.com/in/gpaharenko