Windows as Proxy Server vs. other firewall approaches.....

[Fred Marshall]

I'm trying to read up on comparing a Windows-based proxy server (such as
WinProxy) with NAT routers with stateful packet inspection (SPI). So, I'm
very much in a learning mode.

My problem is this:

I can't tell to what degree proxy servers are still technologically
advantageous in view of rapid evolution of DSL routers, etc.
Most of my Google searches on "proxy server" find ads from the companies
that sell proxy server software.

I see the words regarding how communications are "stopped" at the proxy
server but somehow I'm not convinced that this makes much difference from a
security point of view. "Stopping" and "translating" in some semantic sense
have to be the same thing don't they? Things can still get through can't
they?

Places to learn more would be appreciated.

Comments regarding the clear advantage of a proxy server would also be
appreciated! I'm trying to decide if a NAT / SPI or just NAT router
cascaded with WinProxy makes sense.

If you could have one or the other and not both, which would you use and
why?

My impression is that a non-transparent proxy server is a pain to
administer. Is it worth it?

Is a transparent proxy server setup any better than a NAT router?

What questions should I be asking and have not?

Thanks,

Fred

 

[Ron Lowe]

I'm trying to read up on comparing a Windows-based proxy server (such as
WinProxy) with NAT routers with stateful packet inspection (SPI). So, I'm
very much in a learning mode.

My problem is this:

I can't tell to what degree proxy servers are still technologically
advantageous in view of rapid evolution of DSL routers, etc.
Most of my Google searches on "proxy server" find ads from the companies
that sell proxy server software.

I see the words regarding how communications are "stopped" at the proxy
server but somehow I'm not convinced that this makes much difference from a
security point of view. "Stopping" and "translating" in some semantic sense
have to be the same thing don't they? Things can still get through can't
they?

Places to learn more would be appreciated.

Comments regarding the clear advantage of a proxy server would also be
appreciated! I'm trying to decide if a NAT / SPI or just NAT router
cascaded with WinProxy makes sense.

If you could have one or the other and not both, which would you use and
why?

My impression is that a non-transparent proxy server is a pain to
administer. Is it worth it?

Is a transparent proxy server setup any better than a NAT router?

What questions should I be asking and have not?

Thanks,

Fred

Slightly simplified answer:

Proxy Servers and NAT are 2 different technologies
designed to achieve roughly the same end result:

Share an internet connection amongst several machines,
which all have private internal IP addresses not visible on the Internet.
Both also provide a degree of inherent firewalling,
even without any explicit firewall in them.

Proxy Servers accept eg HTTP requests from client machines on internal IP
addresses, and then pass on the HTTP request to the destination server using
the external IP address, on behalf of the client. The proxy becomes a
man-in-the-middle, appearing almost as a server to the client side, and as a
client to the external server.

To use a proxy server, you must set up a proxy server *per protocol*.
In otherwords, you need to set up an HTTP proxy, and FTP proxy, and so on
for every type of Internet access. Some protocols may not have a proxy
available for them, and some may require manual tweeking to work.

Also, you must set up the client to be proxy-aware so it sends it's requests
to the proxy rather than trying to send it directly to the site you wish to
connect to.

Examples of Proxy servers include WinGate an WinProxy.

NAT is another way of doing this, but it operates at a lower level.
Again, it sits as a man-in-the-middle, but it does on-the-fly translation of
the internal IP address and port numbers to the external IP address and port
numbers. You do not need to configure individual protocols, or set up the
clients to be aware of the NAT. It works invisibly low down at the IP level.

Although I say it works invisibly, like proxies,some protocols do not work
well with NAT, and may require some manual intervention or may not work at
all.

Windows XP has a built-in NAT program called Internet Connection Sharing.
So you shouldn't need any 3-rd party proxy or NAT programs.

Broadband routers all perform Internet Connection Sharing using NAT built in
to them.

You would only use 1 Internet sharing system on your network.
With XP, that would normally be NAT, either from ISC or a router.

Simplest and most reliable is a router.
Next best choice would be XP ICS.
LAst choice would be a 3-rd party NAT or proxy.

I tend to favour NAT over proxies because of their ease of use.

Do you need a firewall as well as NAT?
Probably.

NAT blocks unsolicited inbound connections naturally.
It permits replies to your outbound connections.
So it's statefull by design.
But it does nothing to block unexpected outbound connections originating
from within your network.
Also, it's a border device and does nothing to inspect traffic between the
machines on your LAN.

So for those reasons, I'd be inclined to run a host firewall on each
internal machine too.
The Windows XP firewall is not easily configurable to permit file and print
sharing from the
LAN, so on a network behind NAT, I'd not use it.

At the moment, I'd use the free version of ZoneAlarm.
XP-SP2 will include a better firewall too.

 

[Fred Marshall]

from


Slightly simplified answer:

Proxy Servers and NAT are 2 different technologies
designed to achieve roughly the same end result:

Share an internet connection amongst several machines,
which all have private internal IP addresses not visible on the Internet.
Both also provide a degree of inherent firewalling,
even without any explicit firewall in them.

Proxy Servers accept eg HTTP requests from client machines on internal IP
addresses, and then pass on the HTTP request to the destination server using
the external IP address, on behalf of the client. The proxy becomes a
man-in-the-middle, appearing almost as a server to the client side, and as a
client to the external server.

To use a proxy server, you must set up a proxy server *per protocol*.
In otherwords, you need to set up an HTTP proxy, and FTP proxy, and so on
for every type of Internet access. Some protocols may not have a proxy
available for them, and some may require manual tweeking to work.

Also, you must set up the client to be proxy-aware so it sends it's requests
to the proxy rather than trying to send it directly to the site you wish to
connect to.

Examples of Proxy servers include WinGate an WinProxy.

NAT is another way of doing this, but it operates at a lower level.
Again, it sits as a man-in-the-middle, but it does on-the-fly translation of
the internal IP address and port numbers to the external IP address and port
numbers. You do not need to configure individual protocols, or set up the
clients to be aware of the NAT. It works invisibly low down at the IP level.

Although I say it works invisibly, like proxies,some protocols do not work
well with NAT, and may require some manual intervention or may not work at
all.

Windows XP has a built-in NAT program called Internet Connection Sharing.
So you shouldn't need any 3-rd party proxy or NAT programs.

Broadband routers all perform Internet Connection Sharing using NAT built in
to them.

You would only use 1 Internet sharing system on your network.
With XP, that would normally be NAT, either from ISC or a router.

Simplest and most reliable is a router.
Next best choice would be XP ICS.
LAst choice would be a 3-rd party NAT or proxy.

I tend to favour NAT over proxies because of their ease of use.

Do you need a firewall as well as NAT?
Probably.

NAT blocks unsolicited inbound connections naturally.
It permits replies to your outbound connections.
So it's statefull by design.
But it does nothing to block unexpected outbound connections originating
from within your network.
Also, it's a border device and does nothing to inspect traffic between the
machines on your LAN.

So for those reasons, I'd be inclined to run a host firewall on each
internal machine too.
The Windows XP firewall is not easily configurable to permit file and print
sharing from the
LAN, so on a network behind NAT, I'd not use it.

At the moment, I'd use the free version of ZoneAlarm.
XP-SP2 will include a better firewall too.

Ron,

Thanks much for the reply! That's very helpful.

It wasn't my understanding that a NAT box would do stateful packet
inspection unless one obtained the ones that specifically do SPI. I see
that there are now inexpensive routers that have SPI added.

Hmmmmm... here are some diabolical (?) thoughts:

- In a simple network with one gateway / proxy server, the proxy server
knows that it is a proxy server. So, why does it need to be specifically
addressed? Any external address is surely directed to it. But OK, that's
how it's implemented I guess.
- In a NAT implementation it is clear that any external address needs to be
dealt with by changing the source IP address and adding a port.

It's not clear to me how these are different in what is presented to the
outside world - either outgoing messages or listening "ports"

I'm dealing with a system that is designed with a cascaded translation
arrrangement as follows:
NAT router is the outer layer between the internet and the mid-layer
connection. It is connected to a WinProxy server which is the inner layer.
All clients are behind the inner layer - connected to the inside of the
WinProxy server.

It's this way because it was perceived to be somehow "better" to have a
"hardware firewall" in combination with the proxy server.

I do understand why cascaded NAT are used - to isolate individual sections
of a network (e.g. 2 connected LANs with *some* isolation between them). I
have not yet figured out how 2 layers of NAT (or proxy server) provide any
advantage otherwise at the inner layer.

So, as I rearchitect this system I have a number of choices:

1) leave it with two layers because that's deemed "acceptable" and live with
the complexity of the proxy server. Or, leave it with two layers because it
is clearly superior in some (as yet undefined) way.

2) get rid of the proxy server altogether because it provides little
improvement and adds a lot of complexity. This would have the perceived
disadvantage that there is no proxy server and, thus, is not as good a
firewall. But, if the NAT router has SPI then I wonder......

3) get rid of the NAT router because somehow the proxy server is "better".
This would have the perceived disadvantage that it's a Windows-based
"software firewall" only.

So far I have not heard why a proxy server is somehow superior.

If one were to start with a proxy server and add a NAT router "hardware
firewall" to augment the proxy server then I could sort of understand the
evolution. However, doing this then begs the question: "why keep the proxy
server?"

I hope the orgin of my questions is clearer now. I do appreciate the help!

Fred

 

[Ron Lowe]

Inline...

It wasn't my understanding that a NAT box would do stateful packet
inspection unless one obtained the ones that specifically do SPI. I see
that there are now inexpensive routers that have SPI added.

NAT is stateful by definition.
Here's how an incoming packet is handled:
Destination port explicitly forwarded (static routing)? -> forward packet.
Destination port exists as entry in dynamic NAT table (stateful
routing )? ->forward packet
Else silently drop packet.

The addition of a stateful firewall doesn't add much *if* NAT is already in
place, but it might let you add some static firewall rues ( blocking
specific source / destination etc ), and of course you could add outbound
firewall rules too. You can use this for example to prevent a virus on
your LAN from bulk-emailling the entire internet, by permitting outbound
connections on SMTP port to only your ISP's mailserver.

Where the SPI firewall becomes criticaly important is when the router is
being used in a no-NAT configuration, as a pure IP forwarding router. This
is the case if you have a routed subnet from your ISP. In this case,
there's no NAT to block un-solicited inbound connections to machines on the
LAN. A static port filter firewall would not be much use, because you need
to allow the firewall to dynamically permit replies to outbound connections,
so the firewall needs to maintain state, ie a record of connections
initiated from the inside, and use this state table to determine whether an
inbound packet is unsolicited, or solicited ( in reply to an outbound
request. )

Hmmmmm... here are some diabolical (?) thoughts:

- In a simple network with one gateway / proxy server, the proxy server
knows that it is a proxy server. So, why does it need to be specifically
addressed? Any external address is surely directed to it. But OK, that's
how it's implemented I guess.

*IT* knows it's a proxy server.
But internal machines onthe LAN don't know about it unless you tell them.
The internal machines on your LAN need to be explicitly told to use it.

Yes, external machines like web servers will see all traffic from your LAN
as coming from the proxy, and these machines do not need to know it's
actually a proxy, not the actual originating machine. They just reply to the
machine they see as the originator, and if that happens to be a proxy, well
and good.

- In a NAT implementation it is clear that any external address needs to be
dealt with by changing the source IP address and adding a port.

Changing a port, not adding a port.

NAT example, browsing to www.google.com:

Internal machine 192.168.0.2
NAT router 192.168.0.1 on Internal side, 81.187.191.65 Public side.
Destination Web site 64.233.167.104

Client machine sends packet to server from random port >1024:

Source IP : Port = 192.168.0.2 : 1025
Destination IP : Port = 64.233.167.104 : 80

This packet is sent to the router's MAC address, because the router
is the defauly gateway, and the destination IP address is outwith the local
subnet.

The NAT function in the router changes the packet as follows:

Source IP : Port = 81.187.191.65 : 5000
Destination IP : Port = 64.233.167.104 : 80

The modified packet is sent on to the web server, and the NAT router
maintains the mapping:
External : 5000 <-> Intenal 192.168.0.2 : 1025
in the NAT table.

The webserver gets the packer, and replies:

Source IP : Port = 64.233.167.104 : 80
Destination IP : Port = 81.187.191.65 : 5000

The router looks at the response, and sees that the destination port
matches a dynamic entry in the NAT table. So the router modifies the
incoming packet with the data fromthe NAT table, and passes the
modifies packet back into the LAN:

Source IP : Port = 64.233.167.104 : 80
Destination IP : Port = 192.168.0.2 : 1025

The original client gets the reply, un-aware of the shenannigans
that went on in between.

It's not clear to me how these are different in what is presented to the
outside world - either outgoing messages or listening "ports"

None, really.
In both cases, all traffic will appear to come from one machine.
Either the NAT box or the proxy box.

Like I say, they are 2 different technologies for doing the same thing.
They operate at different levels in the network layer-cake.

I'm dealing with a system that is designed with a cascaded translation
arrrangement as follows:
NAT router is the outer layer between the internet and the mid-layer
connection. It is connected to a WinProxy server which is the inner layer.
All clients are behind the inner layer - connected to the inside of the
WinProxy server.

It's this way because it was perceived to be somehow "better" to have a
"hardware firewall" in combination with the proxy server.

I do understand why cascaded NAT are used - to isolate individual sections
of a network (e.g. 2 connected LANs with *some* isolation between them). I
have not yet figured out how 2 layers of NAT (or proxy server) provide any
advantage otherwise at the inner layer.

So, as I rearchitect this system I have a number of choices:

1) leave it with two layers because that's deemed "acceptable" and live with
the complexity of the proxy server. Or, leave it with two layers because it
is clearly superior in some (as yet undefined) way.

2) get rid of the proxy server altogether because it provides little
improvement and adds a lot of complexity. This would have the perceived
disadvantage that there is no proxy server and, thus, is not as good a
firewall. But, if the NAT router has SPI then I wonder......

3) get rid of the NAT router because somehow the proxy server is "better".
This would have the perceived disadvantage that it's a Windows-based
"software firewall" only.

So far I have not heard why a proxy server is somehow superior.

It's not, IMHO.

If one were to start with a proxy server and add a NAT router "hardware
firewall" to augment the proxy server then I could sort of understand the
evolution.

However, doing this then begs the question: "why keep the proxy
server?"

It does indeed.

I hope the orgin of my questions is clearer now. I do appreciate the help!

Fred

Personally, I like to reduce complexity.
I would most likely want to loose the proxy.
I don't think the proxy adds much to the security in the situation you have.
But it adds a level of complexity, and it will reduce functionality you may
want in the future.

But then again I don't see the whole picture.
There may be other reasons it's there.
You'd need to get the whole case history.

Is it possibly being used as an Internet Access control system, to permit
certain
users and deny others Internet Access?

Of course there are political as well as technical considerations, and if it
is the case that the management are heavily wedded to this setup, you may
have a hard time persuading them to change it.

Even security aside, there may be reluctance to mess with a
currently-working setup it in case it breaks.

Perhaps if the proxy machine were to suffer an unexpected and catastrophic
failure.... ;-)

 

[Fred Marshall]

Thanks Ron!!