Proxy Server Security - How to Secure Common Proxies

Of necessity we can't cover every possible proxy server you may encounter. We've listed references for the most common ones below; for any others, please consult the vendor's website or technical support team for information.
CISCO ADSL Routers - CBOS OS (678 etc.)

These routers have TELNET enabled on port 23 by default. Due to the lack of security present on these devices this is frequently used to compromise the router and has therefore been included as part of our normal proxy checking routines. If you connect using one of these routers, please follow the steps below to resolve any issues with our proxy monitors.

- If you do not require telnet administration capability AT ALL, disable it. To do this, follow these steps:
  - Log into your router, enter ENABLE mode (you'll need the admin password) then enter the following commands:
    - set telnet disabled
    - write
    - reboot (router will now reboot)
- If you require telnet to remain enabled, change the port it uses to something other than 23. To do this, follow these steps:
  - Log into your router and enter ENABLE mode (you'll need the admin password) then enter the following commands:
    - set telnet port <your port no. here>
    - write
    - reboot (router will now reboot)
CISCO Routers - IOS OS (827 etc.)

These routers have TELNET enabled on port 23 by default. Due to the lack of security present on these devices this is frequently used to compromise the router and has therefore been included as part of our normal proxy checking routines. If you connect using one of these routers, please follow the steps below to resolve any issues with our proxy monitors.

- Enable access control to restrict telnet access to those within your local network. To do this, follow these steps:
  - Log into your router and enter ENABLE mode (you'll need the admin password) then enter the following commands:
    - conf t
    - access-list 1 permit <local IP address> 0.0.0.255
    - line vty 0 4
    - access-class 1 in
    - exit
    - exit
    - copy run start
SOCKS 4/5 Proxies

Socks 4/5 proxies generally depend on Access Control Lists (ACLs) for security. The method of defining ACLs differs from one proxy vendor to another; your best source of information will be the documentation for your proxy software or the vendor's website. Information on securing some of the more common Socks 4/5 proxies is below.

- Microsoft Proxy Server
- WinProxy
- SyGate Proxy Server
- WinGate Proxies (users of versions prior to 2.1 must upgrade)
SQUID Proxies

Squid is a well-known open source proxy, designed mainly for use when proxying HTTP traffic. It will however quite happily proxy almost any TCP traffic unless it is configured to prevent this. Once again, ACLs are the primary method of securing Squid against unauthorised use. See http://www.squid-cache.org/Doc/FAQ/FAQ-10.html#ss10.2 for details of Squid ACLs.
HTTP Proxies

Most HTTP proxies (webcaches) can also act as 'bridge' proxies, allowing other types of TCP data to be transmitted through the cache. This behaviour is usually undesirable in a webcache and should be switched off if possible. Consult your manual for the exact procedure needed to secure your HTTP proxy.
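As an added example that is not part of the original page, the following squid.conf fragment shows the wide-open rule beside a restrictive ACL set that covers both points above: only the LAN may use the cache, and the CONNECT 'bridge' behaviour is limited to port 443. The LAN range 192.168.1.0/24 and the listening port 3128 are assumed; adjust both to your site.

```conf
# Added example, not from the original page. Assumed values: the LAN is
# 192.168.1.0/24 and Squid listens on port 3128.
http_port 3128

# Squid 2.x / 3.0 need "all" defined explicitly; 3.2 and later predefine it.
# acl all src 0.0.0.0/0.0.0.0

# WEAK: the wide-open rule some old installations ran with. Anyone who can
# reach port 3128 gets a working proxy, and CONNECT lets them tunnel any
# TCP service through the cache (the 'bridge' behaviour described above).
# http_access allow all

# RESTRICTIVE: define who may use the proxy and what they may reach.
acl localnet  src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 1025-65535
acl CONNECT   method CONNECT

# The first matching http_access line decides, so order matters.
# Refuse plain requests to unusual destination ports.
http_access deny !Safe_ports
# Allow CONNECT tunnels only to 443, so the cache cannot relay raw TCP.
http_access deny CONNECT !SSL_ports
# Your own LAN may use the cache.
http_access allow localnet
# Everything else, including the internet at large, is refused.
http_access deny all

# Check the file before reloading Squid:
#   squid -k parse -f /etc/squid/squid.conf
```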
General Advice

If your proxy is unsupported, of an unknown type or you're just not sure how to set up ACLs properly, you can achieve much the same result by using a firewall to block external access to your proxy. You should set your firewall to deny all inbound non-authenticated access from outside your LAN to any port used by your proxy. That will ensure that nobody outside your LAN can access the services provided by your proxy server.
DALnet's ACL Requirements

If you're setting up ACLs to restrict access to your proxy, please follow the guidelines below if you intend to connect to DALnet from the same IP address as the proxy server.

- Your proxy MUST NOT allow non-authenticated access from the internet at large.
- It MUST NOT respond to requests on ports 23, 80, 81, 3128 or 8080 from any IP address outside your LAN.
- Your proxy SHOULD run an ident daemon and ideally require user authentication (username & password) for access.