Chapter 19. Managing WWW and Gopher Services

There is a wealth of information stored on systems connected to the Internet. Because of this, your users probably argue that they really need access to the World Wide Web to do their jobs. The graphical interfaces of browsers and Web pages make it easy to access this information, but, along with this ease can come problems. Web services allow for the transfer of a wide variety of file types and for running a number of different programs. This complexity means a greater potential for security problems. Web services are essentially generic file transfer mechanisms and require logging and access control consistent with FTP and terminal services.

The HTTP proxy and authenticating HTTP proxy included with the Gauntlet Firewall securely handles requests for information via hypertext, Gopher, and file transfer. The proxy supports hypertext transfer via the HTTP, SHTTP, and SSL protocols; Gopher transfer via Gopher and Gopher+ protocols; and file transfer via FTP.

This chapter discusses the concepts behind the HTTP proxy and authenticating HTTP proxies and explains how they work; how to configure the proxies for Web, Gopher, and file transfer services; and how to configure these services to run through the firewall. In addition, it includes information on running HTTP servers. The chapter consists of the following sections:

Understanding the HTTP and Gopher Proxies

The HTTP proxy is an application-level proxy that provides configurable access control and logging mechanisms. The HTTP proxy, which runs on the firewall, passes HTTP, SHTTP, SSL, and Gopher requests, and FTP URLs and selectors through the firewall, using rules you supply. You can configure the proxy to allow connections based on:

  • source IP address

  • source hostname

  • destination IP address

  • destination hostname

Using these options, you can configure your firewall to allow clients on the inside network to access Web and Gopher sites on the outside network. You can also limit the Web sites your employees can access from systems on the inside network. The proxies log all successful and unsuccessful connection attempts and the amount of data transferred.

The authenticating HTTP proxy works in conjunction with the HTTP proxy to authenticate users. Using the authenticating HTTP proxy, you can configure the proxy to allow connections based on user name. You can require all users to use strong or weak authentication before accessing information on the outside network.

You can configure the HTTP proxy to allow outside hosts to access Web and Gopher servers behind your firewall on inside networks. According to most security policies (including the Gauntlet Firewall default), this access is not a good idea. By design, these services require easy access by people all over the Internet.

How the HTTP, Gopher, and SSL Proxies Work

The firewall runs the HTTP proxy (http-gw) as a daemon listening for requests on TCP port 8080. When the firewall receives requests for services (via HTTP, SHTTP, SSL, Gopher, Gopher+, or FTP) on this port, the proxy looks at the request and places it in one of several categories. The proxy then checks the appropriate configuration information and determines whether the initiating host has permission to use the desired service to the desired destination. If the host does not have permission, the proxy logs the connection and displays an error message.

If the host has permission, the HTTP proxy passes the request on to the desired host using the standard port (or the port specified in the request). As the outside host returns data to the firewall, the firewall translates the data into the form the client expects and returns the data to the client. The proxy remains active until either side terminates the connection.

The default configuration for HTTP requests allows all inside hosts to access any Web sites. In this scenario, the Web browser (configured to know about the HTTP proxy) on the inside host passes a request with a URL for a particular Web page to the firewall on port 8080. The firewall calls the HTTP proxy. The proxy examines the request and determines that it is a basic request for HTTP service. The proxy checks the source and destination ports in its configuration information. It then sends the request on to the Web server specified in the URL. When it receives the requested data, it passes the data back to the requesting Web browser.
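The following Python is an added illustration, not text from the manual or code from Gauntlet's http-gw. It models the decision sequence the chapter describes: sort the request into a service category, match the source and destination (by address or hostname) against rules, fail closed when nothing matches, and write one log record per attempt, successful or not, with the data volume. The rule fields, first-match semantics, sample policy, address ranges and log format are this example's own assumptions.

```python
"""Model of the HTTP proxy's access check and logging (added example; the
rule format, policy and log layout below are assumptions, not Gauntlet's)."""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Service categories the chapter says the proxy sorts requests into.
SERVICES = {"http", "shttp", "ssl", "gopher", "gopher+", "ftp"}


@dataclass
class Rule:
    action: str                                   # "permit" or "deny"
    services: set = field(default_factory=lambda: set(SERVICES))
    src: Optional[str] = None                     # CIDR or hostname glob; None = any
    dst: Optional[str] = None                     # CIDR or hostname glob; None = any


@dataclass
class Request:
    service: str
    src_ip: str
    src_host: Optional[str]
    dst_ip: str
    dst_host: Optional[str]


def _matches(pattern: Optional[str], ip: str, host: Optional[str]) -> bool:
    """A rule field matches either the IP address (CIDR) or the hostname (glob)."""
    if pattern is None:
        return True
    try:
        return ip_address(ip) in ip_network(pattern, strict=False)
    except ValueError:
        # Not a CIDR: treat the pattern as a hostname glob such as "*.edu".
        return host is not None and fnmatch(host.lower(), pattern.lower())


def decide(rules: List[Rule], req: Request) -> Tuple[str, str]:
    """First matching rule wins; an unknown service or no match is a deny."""
    if req.service not in SERVICES:
        return "deny", "unknown service"
    for r in rules:
        if (req.service in r.services
                and _matches(r.src, req.src_ip, req.src_host)
                and _matches(r.dst, req.dst_ip, req.dst_host)):
            return r.action, f"rule {r.action} src={r.src} dst={r.dst}"
    return "deny", "no matching rule"


def log_line(req: Request, action: str, reason: str, bytes_out=0, bytes_in=0) -> str:
    """One record per attempt, including denials, with the bytes moved."""
    return (f"http-gw: {action} {req.service} {req.src_host or req.src_ip}"
            f" -> {req.dst_host or req.dst_ip} ({reason})"
            f" out={bytes_out} in={bytes_in}")


def handle(rules: List[Rule], req: Request, bytes_out=0, bytes_in=0) -> Tuple[str, str]:
    """Apply the policy and return (action, log record)."""
    action, reason = decide(rules, req)
    if action != "permit":
        # Denied: nothing is transferred, but the attempt is still logged.
        return action, log_line(req, action, reason)
    return action, log_line(req, action, reason, bytes_out, bytes_in)


# Constructed policy: inside hosts (assumed 10.0.0.0/8) may reach any site
# except .edu sites; nothing else matches, so outside-to-inside is denied.
POLICY = [
    Rule("deny", dst="*.edu"),
    Rule("permit", {"http", "shttp", "ssl", "gopher", "gopher+", "ftp"}, src="10.0.0.0/8"),
]

if __name__ == "__main__":
    req = Request("http", "10.1.2.3", "pc1.yoyodyne.com", "192.0.2.10", "www.clientsite.com")
    print(handle(POLICY, req, bytes_out=412, bytes_in=8192)[1])
```

The deny-by-default return at the end of `decide` is the part worth keeping in any real rule engine: a request that fits no rule must be refused and logged, never passed through.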

Changing the HTTP Proxy Port

If you have not configured or cannot configure the Web browser to know about the HTTP proxy, you can change your HTTP configuration so that the firewall calls the HTTP proxy for requests on port 80. To do this, you will need to log in to the firewall as root and use your favorite text editor to edit the file /usr/local/etc/mgmt/rc/S110http. Look for the line containing the port number:


PORT = 8080

and change the port number from 8080 to 80. In order for your changes to take effect, you will need to restart the http proxy with the following commands:

/usr/local/etc/mgmt/rc/S110http stop; /usr/local/etc/mgmt/rc/S110http start

Another option is to run a second or even a third HTTP proxy on an alternate port (such as port 80).
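As an added example (not Gauntlet's own tooling), the following Python performs the edit-and-restart procedure above for the single-proxy case. The rc script path, the `PORT = 8080` line and the stop/start commands are the chapter's; the regular expression, the backup copy, the validation and the constructed stand-in script are this example's assumptions. It refuses to run when the PORT line is missing or duplicated, so a silent no-op cannot leave the proxy on the old port while the administrator believes it has moved.

```python
"""Change the HTTP proxy port by editing S110http and restarting the proxy
(added example; the validation and backup behaviour are assumptions)."""
import re
import shutil
import subprocess
import tempfile
from pathlib import Path

# Path and line format are the ones the chapter names.
RC_SCRIPT = Path("/usr/local/etc/mgmt/rc/S110http")
PORT_LINE = re.compile(r"^([ \t]*PORT[ \t]*=[ \t]*)(\d+)([ \t]*)$", re.MULTILINE)

# Constructed stand-in for the rc script so the edit can be tried offline.
SAMPLE_RC = """#!/bin/sh
# constructed stand-in for /usr/local/etc/mgmt/rc/S110http
PORT = 8080
"""


def current_port(text: str):
    """Return the port on the PORT line, or None if there is no such line."""
    m = PORT_LINE.search(text)
    return int(m.group(2)) if m else None


def rewrite_port(text: str, new_port) -> str:
    """Return the rc script text with the PORT value replaced.

    Rejects a missing or duplicated PORT line rather than silently doing
    nothing, and rejects ports outside 1..65535."""
    new_port = int(new_port)
    if not 1 <= new_port <= 65535:
        raise ValueError(f"port out of range: {new_port}")
    found = PORT_LINE.findall(text)
    if len(found) != 1:
        raise ValueError(f"expected exactly one PORT line, found {len(found)}")
    return PORT_LINE.sub(lambda m: f"{m.group(1)}{new_port}{m.group(3)}", text)


def change_http_proxy_port(new_port, rc_script: Path = RC_SCRIPT, restart: bool = True):
    """Edit the rc script in place (keeping a .bak copy) and, unless told
    otherwise, run the same stop/start pair the chapter gives. The real
    file requires root on the firewall."""
    original = rc_script.read_text()
    updated = rewrite_port(original, new_port)
    shutil.copy2(rc_script, rc_script.with_name(rc_script.name + ".bak"))
    rc_script.write_text(updated)
    if restart:
        # "stop" may fail if the proxy is not running; "start" must succeed.
        subprocess.run([str(rc_script), "stop"], check=False)
        subprocess.run([str(rc_script), "start"], check=True)
    return current_port(rc_script.read_text())


def demo_on_temp_copy(new_port=80):
    """Apply the edit to a temporary copy of SAMPLE_RC without restarting."""
    with tempfile.TemporaryDirectory() as d:
        copy = Path(d) / "S110http"
        copy.write_text(SAMPLE_RC)
        return change_http_proxy_port(new_port, rc_script=copy, restart=False)


if __name__ == "__main__":
    print("offline demo, port is now:", demo_on_temp_copy(80))
```

Running `change_http_proxy_port(80)` with the defaults edits the real rc script and restarts the proxy; the demo function works on a throwaway copy so the logic can be checked first. The second-proxy option the chapter mentions is not covered here.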

Authenticated HTTP

If you want to authenticate users before allowing them to access information, the firewall runs the authenticating HTTP proxy (ahttp-gw) as a daemon listening for requests on TCP port 8080. When the firewall receives requests for service on this port, it performs the normal configuration checks to make sure the initiating host has permission to use the desired service to the desired destination.

If the host has permission, the authenticating HTTP proxy prompts the user to authenticate. It verifies the information with the Gauntlet authentication database. If the user provided proper authentication, the authenticating HTTP proxy passes processing over to the HTTP proxy.

The proxy remains active as long as a persistent connection between the source and destination remains. Each time the connection breaks (due to inactivity, pressing the stop button, selecting a link before the initial page finishes loading, or any other reason), the authenticating HTTP proxy reauthenticates you. If you are using reusable passwords, your browser remembers this information and reauthenticates on your behalf. If you are using strong authentication, you must reauthenticate each time the connection breaks.
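The difference between the two behaviours above is easier to see in a small model. The Python below is an added example, not Gauntlet's ahttp-gw code: the user store, the password hashing and the challenge/response (a keyed HMAC over a random challenge) are this example's constructions, not the firewall's real strong-authentication method. What it shows is the part the chapter states: a reusable password can be replayed by the browser after a connection break, while a strong-authentication response answers one challenge only and a fresh prompt must be answered again.

```python
"""Model of reusable-password versus strong authentication at the
authenticating HTTP proxy (added example; mechanisms are constructed)."""
import hashlib
import hmac
import os
import secrets


class AuthDatabase:
    """Constructed stand-in for the Gauntlet authentication database."""

    def __init__(self):
        self._users = {}

    def add_password_user(self, name: str, password: str):
        # Reusable password, stored salted and hashed.
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[name] = ("password", salt, digest)

    def add_token_user(self, name: str, secret: bytes):
        # Strong authentication: a shared secret used in challenge/response.
        self._users[name] = ("token", secret, None)

    def method(self, name: str):
        entry = self._users.get(name)
        return entry[0] if entry else None

    def check_password(self, name: str, password: str) -> bool:
        entry = self._users.get(name)
        if not entry or entry[0] != "password":
            return False
        _, salt, digest = entry
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(candidate, digest)

    def check_response(self, name: str, challenge: str, response: str) -> bool:
        entry = self._users.get(name)
        if not entry or entry[0] != "token":
            return False
        expected = hmac.new(entry[1], challenge.encode(), "sha256").hexdigest()
        return hmac.compare_digest(expected, response)


def token_response(secret: bytes, challenge: str) -> str:
    """What the user's token computes for a challenge (constructed scheme)."""
    return hmac.new(secret, challenge.encode(), "sha256").hexdigest()


class AuthenticatingProxy:
    """Models ahttp-gw: the session is usable only while authenticated."""

    def __init__(self, db: AuthDatabase):
        self.db = db
        self.authenticated = False
        self._pending = None          # (user, challenge) awaiting an answer

    def prompt(self, user: str):
        """First prompt asks only for the user name; the method on file
        decides whether a password or a fresh challenge is asked for next."""
        method = self.db.method(user)
        if method == "token":
            challenge = secrets.token_hex(8)
            self._pending = (user, challenge)
            return ("challenge", challenge)
        if method == "password":
            return ("password", None)
        return ("unknown", None)

    def answer(self, user: str, credential: str) -> bool:
        method = self.db.method(user)
        if method == "password":
            ok = self.db.check_password(user, credential)
        elif method == "token" and self._pending and self._pending[0] == user:
            _, challenge = self._pending
            ok = self.db.check_response(user, challenge, credential)
            self._pending = None      # a challenge can be answered only once
        else:
            ok = False
        self.authenticated = ok
        return ok

    def connection_broke(self):
        """Any break (inactivity, stop button, ...) forces reauthentication."""
        self.authenticated = False
```

With a password user, `prompt` followed by `answer` with the cached password succeeds again after `connection_broke()`, which is what a browser does on the user's behalf. With a token user, replaying the previous response to the new challenge fails, so the user must answer the new challenge.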

Gopher and FTP Services

If the request is for Gopher services (from a Web or Gopher client), the firewall calls a second copy of the HTTP proxy, running as http-gw on TCP port 70.

If the request is for FTP services (from a Web client), the firewall still calls the HTTP proxy and uses the HTTP rules if you have your FTP proxy set to the HTTP proxy. If you have not set an FTP proxy in your Web browser, the FTP proxy (ftp-gw) handles requests for FTP service.

SHTTP and SSL Services

If the request is for some sort of secure HTTP transaction using either the SHTTP protocol (on TCP port 8080) or SSL protocol (on TCP port 443), the proxy performs the appropriate hand-off with the secure server at the other end of the connection.

If you have not configured or cannot configure the Web browser to know about the HTTP proxy as the security proxy, the firewall calls the SSL plug proxy for all requests on port 443.

Accessing HTTP, SSL, and Gopher Proxy Configuration

To access the HTTP proxy configuration:

  1. From within the Gauntlet Firewall Manager, select Services.

  2. Click the HTTP tab.

    The HTTP window displays.

    Figure 19-1. HTTP Window


To access the SSL proxy configuration:

  1. From within the Gauntlet Firewall Manager, select Services.

  2. Click the SSL tab.

    The SSL window displays.

    Figure 19-2. SSL Window


To access the Gopher proxy configuration:

  1. From within the Gauntlet Firewall Manager, select Services.

  2. Click the Gopher tab.

    The Gopher window displays.

    Figure 19-3. Gopher Window


Configuring the Firewall for Web and Gopher Services

Configuring the Gauntlet Firewall involves planning, indicating which daemons the system will run, configuring the proxies to enforce your security policy, turning on the proxies, creating authentication user entries, and rebooting your firewall.

Planning Web and Gopher Service Proxy Settings

When planning proxy settings for Web and Gopher services:

  1. Determine which services you will allow.

  2. Determine your policies for source and destination sites.

  3. Determine whether you wish to require authentication.

Configuring Web and Gopher Service Proxy Settings

Configure the proxies to enforce your security policies.

Configuring HTTP Proxy Settings

To configure HTTP proxy settings:

  1. You do not need to configure any settings to use the HTTP proxy service. If you wish, you can use some of the optional settings, or create configuration sets. Refer to the online help for specific information about the available settings. Some commonly used settings include:

    • Enabling Java, JavaScript, or ActiveX blocking, available in the configuration set screen in the Gauntlet Firewall Manager. Refer to the online help for information on this feature.

    • Content Scanning, available in the configuration set screen in the Gauntlet Firewall Manager. Refer to Chapter 30, “Managing Content Scanning,” for more information.

Configuring Authenticated HTTP Proxy Settings

To configure Authenticated HTTP proxy settings:

  1. On the HTTP configuration tab, click Authenticate. If you are placing the HTTP proxy into a service group that requires authentication, click Inherit from SrvcGrp.

  2. If you wish, you can use some of the optional settings. Refer to the online help for specific information about the available settings.

Configuring SSL Proxy Settings

You do not need to configure any settings to use the SSL proxy service. If you wish, you can use some of the optional settings. Refer to the online help for specific information about the available settings.

Configuring Gopher Proxy Settings

You do not need to configure any settings to use the Gopher proxy service. If you wish, you can use some of the optional settings, or create configuration sets. Refer to the online help for specific information about the available settings.

Enabling Proxy Services

To enable the HTTP, SSL, or Gopher proxy service:

  1. On the HTTP, SSL, or Gopher configuration tab, click Enabled.

  2. Add the HTTP, SSL, or Gopher proxy configuration to each service group that you want to use that proxy.

  3. Before exiting the Gauntlet Firewall Manager, save and apply your changes.

    The firewall enables the HTTP, SSL, or Gopher proxy.

Creating User Authentication Entries

If you are using authenticated HTTP, you must create entries in the user authentication system. Refer to Chapter 6, “Users and User Groups,” for more information.

Verifying Your Setup

Verify your setup by connecting to some of your favorite Web, Gopher, and FTP sites. Connect to secure Web sites as well.

Using Web Services

Depending upon your configuration, your users may need to modify their activities to access sites using their Web browsers or Gopher tools.

Non-Transparent Access

Under the default configuration the HTTP proxy runs on TCP port 8080, not the standard HTTP port (80). In order to handle Web requests, users must configure their browsers to know about the proxies, as explained under “Using Proxy-Aware Browsers”. Once you have configured your Web browser, the firewall and the HTTP and SSL proxy are transparent. When using a browser that does not support proxies with a firewall that is not configured for transparency, users need to modify their activities, as explained under “Using Non-Proxy-Aware Browsers”.

Authenticated HTTP

If you have enabled authentication for the HTTP proxy, users must use a proxy-aware browser. It must support persistent connections if you wish to use strong authentication. Once you have configured their Web browser, they are aware of the proxy because they must authenticate to access outside sites.

Transparent Access

If you wish to configure transparent Web access on your firewall, you will need to change the default HTTP proxy configuration so that the proxy runs on the standard HTTP port (80). Refer to “Changing the HTTP Proxy Port” for instructions on configuring the HTTP proxy to run on port 80. The SSL proxy handles all requests on the standard SSL port (443), so users do not need to modify their activities for secure transactions.

Using Proxy-Aware Browsers

Many Web browsers, such as Netscape Navigator and Microsoft Internet Explorer, are aware of application proxies for different types of Web services. Once you configure these browsers, the browser sends the request to the appropriate proxy.

If you are using the authenticating HTTP proxy, make sure the browser supports proxy authentication and persistent connections.

Configuring Web Browsers

The steps vary depending upon the browser, operating system, and version. Some allow you to indicate the information using a dialog box from a preferences menu, while others require you to edit a configuration file, and others use environment variables.

To configure the browser:

  1. Open the settings window for the Web browser you are using.

    Figure 19-4. Browser Settings Window


  2. Provide information about the various proxies.

    FTP

    Leave the name and port for the FTP proxy blank. This allows the FTP proxy to do the processing.

    Gopher

    Enter the name of the inside interface of the firewall and port 8080.

    HTTP

    Enter the name of the inside interface of the firewall and port 8080.

    Security

    Enter the name of the inside interface of the firewall and port 8080.

    No Proxy For

    In the No Proxy section, enter the names of hosts for which you do not want the browser to use the HTTP proxy. These are generally hosts on your trusted networks. These include:

    – inside IP address of your firewall (if you plan to use the graphical user interface to configure your firewall)

    – hostnames of any internal or corporate HTTP servers

    – localhost (127.0.0.1)



Note: If you use the IP address instead of the hostname in any of these settings, you must use the IP address of the inside interface of the firewall.


Accessing Web Services without Authentication

Once configured, the proxy is transparent to the user. Users can continue to access the Web as they did before. If you have configured the proxies to block certain types of services (for example, no Gopher services) or to block certain destinations (for example, no educational—.edu—sites), users will see your denial messages.

Accessing Web Services with Authentication

Once configured, users are aware of the proxy. In a particular session, the proxy prompts for authentication the first time a user attempts to access a site on the outside network.

To use Web service using weak authentication:

  1. Open a URL.

  2. Authenticate to the proxy.

  3. Continue as before.

If you are using weak authentication, enter your user name and password when your browser prompts you. The proxy remembers this information and reauthenticates you if the connection breaks.

Figure 19-5. Network Password Window


If you are using strong authentication, enter your user name when your browser prompts you. The proxy uses your user name to determine the type of authentication you are using. It prompts you a second time with the appropriate challenge. Enter your user name and your response. Be prepared to reauthenticate each time your connection breaks.

Figure 19-6. User Password Window


Using Non-Proxy-Aware Browsers

Some older Web browsers are not aware of proxies. When using these browsers, you must explicitly send your requests through the firewall.

Configuring Web Browsers

Configuration steps vary depending upon the browser, operating system, and version.

To configure the browser, set up the default home page as the name of the firewall, using the inside address:

http://fire-in.yoyodyne.com:8080

Accessing Web Services

For regular use of a Web browser, if you cannot create a default home page, prefix each URL you enter with the name of the firewall. For example,

http://www.clientsite.com

becomes

http://fire-in:8080/http://www.clientsite.com

where fire-in is the hostname of the inside interface of the firewall (fire-in.yoyodyne.com). You must also prepend all saved URLs in bookmarks and hotlists.

Using Gopher Services

Unless you have configured the HTTP proxy to be transparent for Gopher access, users may need to rewrite each Gopher address. If a user has a set of bookmarks for Gopher servers that were created before you installed the firewall, the user may need to modify the bookmark information to include the name of the firewall. For example:

name    Big University Gopher Server
host    gopher.bigu.edu
port    70
type    1
path

becomes

name    Big University Gopher Server
host    fire-in.yoyodyne.com:8080
port    70
path    gopher://gopher.bigu.edu:70/11/
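The three client-side adjustments described in this chapter (the browser's "No Proxy For" list, prefixing URLs with the firewall name for non-proxy-aware browsers, and rewriting Gopher bookmarks) can be scripted. The Python below is an added example, not part of the manual: the firewall name fire-in.yoyodyne.com and port 8080, the example site and the bookmark fields are the chapter's, while the no-proxy matching rule and the sample no-proxy list are assumptions. The Gopher URL is built as gopher://host:port/<type><selector>, so a type-1 bookmark whose selector is `1/` yields the `/11/` form shown above; the selector is taken from the bookmark's path field.

```python
"""Client-side rewriting for the firewall's HTTP proxy (added example; the
no-proxy matching and sample list are assumptions)."""
from urllib.parse import urlsplit

# From the chapter: inside interface of the firewall and the proxy port.
FIREWALL_INSIDE = "fire-in.yoyodyne.com"
PROXY_PORT = 8080

# Constructed "No Proxy For" list: the firewall's own inside name, an
# internal HTTP server and localhost, as the chapter recommends.
NO_PROXY = ["fire-in.yoyodyne.com", "www-int.yoyodyne.com", "localhost", "127.0.0.1"]


def needs_proxy(url: str, no_proxy=NO_PROXY) -> bool:
    """Hosts on the no-proxy list are reached directly; an entry matches its
    exact host or, for an entry like "yoyodyne.com", any host beneath it."""
    host = (urlsplit(url).hostname or "").lower()
    for entry in no_proxy:
        entry = entry.lower().lstrip(".")
        if host == entry or host.endswith("." + entry):
            return False
    return True


def proxied_url(url: str, no_proxy=NO_PROXY) -> str:
    """Rewrite a URL the way a user of a non-proxy-aware browser must type it:
    the firewall name and port in front of the original URL."""
    scheme = urlsplit(url).scheme
    if scheme not in ("http", "gopher", "ftp"):
        raise ValueError(f"unsupported scheme: {scheme!r}")
    if not needs_proxy(url, no_proxy):
        return url
    return f"http://{FIREWALL_INSIDE}:{PROXY_PORT}/{url}"


def rewrite_gopher_bookmark(bm: dict) -> dict:
    """Rewrite a pre-firewall Gopher bookmark (fields as in the chapter) so
    the client connects to the firewall and names the real server in a
    Gopher URL. Already rewritten bookmarks are returned unchanged."""
    if bm["host"].startswith(FIREWALL_INSIDE):
        return dict(bm)
    port = str(bm.get("port", "70"))
    gtype = str(bm.get("type", "1"))
    selector = bm.get("path", "")
    return {
        "name": bm["name"],
        "host": f"{FIREWALL_INSIDE}:{PROXY_PORT}",
        "port": port,
        "path": f"gopher://{bm['host']}:{port}/{gtype}{selector}",
    }


def rewrite_bookmark_file(bookmarks, no_proxy=NO_PROXY):
    """Apply the rewrite to a whole list of (type, entry) bookmarks, where
    type is "url" for a Web URL string or "gopher" for a bookmark dict."""
    out = []
    for kind, entry in bookmarks:
        if kind == "url":
            out.append(("url", proxied_url(entry, no_proxy)))
        elif kind == "gopher":
            out.append(("gopher", rewrite_gopher_bookmark(entry)))
        else:
            raise ValueError(f"unknown bookmark kind: {kind!r}")
    return out


if __name__ == "__main__":
    print(proxied_url("http://www.clientsite.com"))
```

Keeping internal servers and localhost out of the proxy path matters for more than convenience: a request for an internal server that is sent to the proxy would otherwise be evaluated by the firewall's rules and logged as an outbound attempt.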

Running a Web Server

By its very nature, a Web server requires easy access by the public. If you place the Web server behind the firewall, you are allowing an additional type of access within your security perimeter. If you place the Web server on the firewall itself, you are allowing additional access to your firewall.

The best solution is generally to place your Web server on a system outside the perimeter. Follow good security practices for this system: turn off all other services, create the minimum number of user accounts, use strong authentication, patch your operating system and applications, use checksums to watch for file changes, and back up frequently.

You can also use the Info Server included with the Gauntlet Firewall as a Web server on the firewall itself. Refer to Chapter 29, “Managing Web and Gopher Servers,” for more information.