Solved

How much value is an application proxy?

Posted on 2002-05-29
307 Views
Last Modified: 2010-08-05
Greetings

I am at present evaluating whether I want an application proxy as part of my perimeter defences, in addition to packet filtering.  If you had asked me last week, I would have said definitely yes.

The ability to ensure that packets conform to application level protocols ought to ensure that if a server is compromised then the narrow channel of communication via the application protocol ought to compartmentalise the breach.  I have seen this view supported in multiple expert quarters, used as a sales pitch, and have been given the same view by experienced penetration testers who all say that an application proxy always makes it harder to leverage an exploit.

My comfort in this line of thinking, safe behind my proxy firewall, is disturbed by the discovery that netcat comes in a version that will operate as an HTTP server.

My engineers tested a scenario where a buffer overflow exploit in IIS established netcat on port 80, passing all traffic straight through an HTTP proxy.  Ugggh.

Now I know that we need to keep up to date on patches; we are using URLScan, so the exploit would not actually have worked on production servers; we know about shield technologies such as Appshield and Ubizen; we know about Tripwire etc.; we know about hardening ACLs etc.  We may put in strong authentication at the border firewalls in the future.

The question is, if we do all of the above, does an application proxy short of shield technology really add any value?

Additional points for anyone who can tell me anything I don't already know.
Question by:tonimargiotta
8 Comments
 
LVL 51

Assisted Solution

by:ahoffmann
ahoffmann earned 100 total points
As you found out yourself: with an HTTP proxy anyone might tunnel anything from somewhere to everywhere.
This is necessary for people who need the ability to circumvent (political, social) restrictions. And it's a pain for every (firewall) admin.
I won't comment on the boss's view of this problem ;-)

Because several such proxies/forwarders exist, there is a need for more sophisticated firewalls. Simple and/or stateful packet filters are not enough here.
Application level proxies (aka adaptive proxies) might get closer to the problem, but keep the additional amount of configuration and checking (logs etc.) in mind.
You have to decide yourself if they are worth the time and $$$ for your purpose (protecting sensitive data, network traffic).
 
LVL 3

Expert Comment

by:DVB
A validating application proxy can add value to your perimeter. However, this depends on how well the application handles validation, and on whether the protocol itself has parameters that can be validated. An application layer proxy can stop a lot of attacks, but if the protocol itself is vulnerable, then the proxy cannot help you much.
Most of the older protocols have been designed without the requirement of security in mind. A good protocol which can be defended by a proxy is SMTP, where the protocol itself has relatively few holes (the primary one being lack of authentication, leading to lots of open relays). A bad example is HTTP, where almost anything can be tunneled in. If you know the exact format of the data you are expecting, you can write a custom proxy to handle those requests, but otherwise it is tough to defend against an attack that runs over HTTP. Your best solution is to use a proxy to grab attacks like Nimda et al. which have specific signatures, and run a secure HTTP server along with paranoid application writers.
Defense in depth is a good strategy when it comes to security.
 

Expert Comment

by:marky_ny
Here is another point that many miss: Proxies ensure that there are 2 TCP connections and the packet that reaches your internal servers (in the inbound traffic scenario) is built with the IP stack of the _firewall_, not some hacked out Linux box. So, in addition to any protocol interrogation features, even a dumb proxy will protect against fragmentation attacks and other "irregular IP packet" anomalies.

Just my 2 cents.
 
LVL 1

Expert Comment

by:m4rc
I'd agree with DVB, in that it really depends on the application (protocol) you are thinking of proxying.  Of course the IIS attack worked; it would have worked without the proxy, because it is sent via valid HTTP.  But someone who is not using a tunnel and tries to use that port, maybe SSH to port 80, would not go through the proxy.

I guess what I'm trying to say is: sure, there are ways around anything.  Put up a fence, and people can climb over the fence.  But that's not an argument for not putting up a fence.

A problem with proxies, of course, can be the load they have to handle, opening two network connections for each proxied connection.
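The check that DVB and m4rc describe, applied to the scenario in the question, as an added example: this is illustrative code written for this page, not code from the thread or from any of the products named in it. It validates one inbound port-80 request the way a validating application proxy would: request-line syntax, a whitelist of methods, a single expected Host header, Content-Length consistency, and a short signature list for the worm-era IIS traversal requests. The host name www.example.test, the method list, the size limits, the signature list and all of the sample requests are assumptions constructed for the example. The last sample shows the limit the thread is about: netcat output wrapped in a well-formed POST passes every check, while an SSH client or a CONNECT request aimed at the same port does not.

```python
"""Added example: a validating HTTP filter of the kind an application proxy
applies to inbound port-80 traffic.  Not code from the thread; the host name,
method list, size limits and signatures below are assumptions for the demo."""
import re
from urllib.parse import unquote_to_bytes

# Policy for the single site behind the proxy (assumed values).
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}
ALLOWED_HOSTS = {b"www.example.test"}
MAX_TARGET_LEN = 1024
MAX_BODY_LEN = 64 * 1024

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]$")
HEADER_LINE = re.compile(rb"^([A-Za-z0-9!#$%&'*+.^_`|~-]+):[ \t]*(.*)$")

# Substrings seen in the IIS traversal requests Nimda and its relatives sent.
# Checked after one round of percent-decoding so "..%5c.." is caught as "..\..".
ATTACK_SIGNATURES = (b"..", b"cmd.exe", b"root.exe")


def target_is_attack(target: bytes) -> bool:
    """True if the percent-decoded request target matches a known signature."""
    decoded = unquote_to_bytes(target).lower()
    return any(sig in decoded for sig in ATTACK_SIGNATURES)


def validate_request(raw: bytes) -> tuple:
    """Return (accepted, reason) for one raw inbound request."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        # An SSH banner or a bare interactive shell never sends a header block.
        return False, "no HTTP header block"
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return False, "malformed request line"
    method, target = m.group(1), m.group(2)
    if method not in ALLOWED_METHODS:
        return False, "method not allowed: " + method.decode()
    if not target.startswith(b"/") or len(target) > MAX_TARGET_LEN:
        return False, "bad request target"
    if target_is_attack(target):
        return False, "request target matches attack signature"
    headers = {}
    for line in lines[1:]:
        hm = HEADER_LINE.match(line)
        if not hm:
            return False, "malformed header line"
        headers[hm.group(1).lower()] = hm.group(2)
    if headers.get(b"host") not in ALLOWED_HOSTS:
        return False, "host not allowed"
    if b"content-length" in headers:
        length = headers[b"content-length"]
        if not length.isdigit() or int(length) > MAX_BODY_LEN:
            return False, "bad content-length"
        if int(length) != len(body):
            return False, "body does not match content-length"
    elif body:
        return False, "body without content-length"
    return True, "ok"


def framed_post(payload: bytes) -> bytes:
    """Wrap arbitrary bytes in a well-formed POST, as a tunnel would."""
    return (b"POST /upload HTTP/1.1\r\nHost: www.example.test\r\n"
            b"Content-Length: %d\r\n\r\n" % len(payload)) + payload


# Constructed sample traffic, all aimed at port 80 of the proxied server.
SAMPLES = {
    "normal page fetch":
        b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    "ssh client sent to port 80":
        b"SSH-2.0-OpenSSH_3.4\r\n",
    "nimda-style traversal":
        b"GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n"
        b"Host: www.example.test\r\n\r\n",
    "CONNECT to another host":
        b"CONNECT other.example:443 HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    "netcat shell output framed as a POST":
        framed_post(b"C:\\Inetpub\\wwwroot>dir\r\n"),
}


def run_samples() -> dict:
    """Map each sample name to the validator's (accepted, reason)."""
    return {name: validate_request(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, (accepted, reason) in run_samples().items():
        print(f"{'PASS' if accepted else 'DROP'}  {name}: {reason}")
```

A production proxy would apply the same kind of checks with a read timeout for clients that never finish the header block, and would validate the response direction as well. What the last sample makes concrete is that syntax checking cannot close a channel whose payload is legitimately opaque to the proxy, which is why the only leverage against a framed tunnel is the surrounding layers (patching, URLScan-style request filtering on the server, host integrity checking) rather than the proxy alone.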
 
LVL 3

Accepted Solution

by:DVB
DVB earned 100 total points
The hardware problem should not exist currently; most current hardware has more than enough power to handle a small to medium load. The original problems with proxy-based firewalls were:
They had to handle a high load, which made connections slow.
There had to be a proxy for your protocol.

The advances in hardware have made the first point moot.
You can even proxy encrypted stuff by using a self-signed certificate between the client and the proxy, and a PKI between the proxy and the remote machine.

The second point, of course, sucks. And with everything running over port 80, I wouldn't trust a non-validating proxy to do much.
But an application proxy can be useful if placed as a part of a properly designed security perimeter.

Router with ACLs for ingress and egress filtering <--> Packet layer firewall with default deny/drop stance <--> Application proxy <--> DMZ <--> Packet filter <--> Proxy <--> Internal network
 
LVL 51

Expert Comment

by:ahoffmann
hmm, the comments/suggestions end up in my very first comment, nothing new added ...

tonimargiotta, are you still listening?
 
LVL 5

Expert Comment

by:zenlion420
Hey people,

No comment has been added in roughly 1 year, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question
be PAQ'd and pts be awarded to ahoffman.
Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

Zenlion420
EE Page Editor
 
LVL 5

Expert Comment

by:zenlion420
Thanks for closing.

j