Many sites rely on applications such as America Online, CompuServe, Lotus Notes, or custom applications written specifically for their company. Each of these services uses a proprietary protocol. To support these services, you would need a multitude of application-specific proxies. Instead, administrators can use the Plug proxy to tunnel these applications through the firewall because the protocols they use are TCP-based. Other common programs, such as whois and webster, run over TCP. You can also tunnel these TCP-based services through the firewall with the Plug proxy.
The Plug proxy does not support UDP-based services. UDP is connectionless: there is no handshake and there are no sequence numbers, so the firewall has no connection state against which to check an incoming datagram. This makes it much easier for someone to create a UDP packet that appears valid but carries forged source and destination information.
This chapter explains the concepts behind the Plug proxy and how it works, how to configure the proxy for other services, and how to configure these services to run through the firewall. The chapter consists of the following sections:
The Plug proxy is a TCP gateway that provides configurable access control and logging mechanisms. The Plug proxy, which runs on the firewall, passes application requests through the firewall, using rules you supply. It essentially tunnels information from a port on the firewall to a specific port on another system.
The firewall includes instances of the Plug proxy for:
The Plug proxy is protocol neutral, so you can tunnel a variety of other applications. Weigh the risks carefully for each application. For each version of the Plug proxy, you can configure the proxy to allow connections based on:
source IP address
source hostname
source port
destination IP address
destination hostname
destination port
Using these options, you can configure your firewall to allow your travel department to use their custom reservations system through the firewall. Clients on the inside network can communicate with servers on the outside network.
The proxies log all successful and unsuccessful connection attempts and the amount of data transferred.
These access controls allow you to have more control over the connections to and from your system than you have without a firewall. The logging capabilities are also more extensive. However, you may be allowing proprietary protocols into your network, which can be dangerous.
The firewall runs different instances of the Plug proxy (plug-gw) as daemons on different ports for different applications, based on information you supply. This information indicates which services the firewall should run on which ports. For example, you can configure the firewall to run an instance of the Plug proxy on TCP port 5190 to handle America Online requests.
When the Plug proxy receives a request on one of these ports, it checks its configuration information and determines whether the initiating host has permission to initiate this type of request. If the host has permission, the Plug proxy passes the connection on to the specified port on the specified system. This instance of the Plug proxy remains active until either side terminates the connection.
Hosts on both the inside and outside see only the firewall as the other end of the connection: the inside client connects to the firewall, and the outside server sees a connection arriving from the firewall. The firewall is simply acting as the tunnel, via the Plug proxy.
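As an added illustration, not part of the Gauntlet documentation or of plug-gw itself, the following Python models what one Plug proxy instance does: it listens on a port, decides from a source-address rule list whether the connecting host may use the service, relays the bytes unchanged to one fixed destination host and port, and logs every attempt together with the amount of data moved in each direction. It assumes only source-IP (CIDR) rules; the hostname and port rules the text lists are left out, and a constructed echo server on the loopback interface stands in for the application server beyond the firewall. All names here (`PlugServer`, `relay`, `run_through_plug`) are this example's own.

```python
import ipaddress
import socket
import socketserver
import threading

def relay(src, dst, rec, key, lock):
    # Copy bytes one way, unchanged: the plug never looks at the payload.
    while True:
        try:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
        except OSError:
            break
        with lock:
            rec[key] += len(chunk)
    try:
        dst.shutdown(socket.SHUT_WR)  # pass the half-close along
    except OSError:
        pass

def stop(server):
    server.shutdown()
    server.server_close()

class PlugHandler(socketserver.BaseRequestHandler):
    # Runs once per accepted connection: check the rules, then tunnel.
    def handle(self):
        plug, client, src = self.server, self.request, self.client_address
        rec = {"src": src, "permitted": plug.permitted(src[0]), "to_server": 0, "to_client": 0}
        with plug.lock:
            plug.records.append(rec)  # every attempt is logged, allowed or not
        try:
            if not rec["permitted"]:
                return  # socketserver closes the refused socket on return
            server = socket.create_connection(plug.dest, timeout=5)
            client.settimeout(5)
            inbound = threading.Thread(target=relay, args=(client, server, rec, "to_server", plug.lock))
            inbound.start()
            relay(server, client, rec, "to_client", plug.lock)  # this thread does the other direction
            inbound.join()
            server.close()
        except OSError:
            pass  # destination unreachable: the client is simply closed
        finally:
            plug.handled.set()

class PlugServer(socketserver.ThreadingTCPServer):
    # One Plug instance: listening port, source-address rules, one fixed destination, a log.
    daemon_threads = True

    def __init__(self, listen_port, dest_host, dest_port, allow_from):
        super().__init__(("127.0.0.1", listen_port), PlugHandler)
        self.dest = (dest_host, dest_port)
        self.allow_from = [ipaddress.ip_network(n) for n in allow_from]  # CIDR rules (assumed form)
        self.records, self.lock = [], threading.Lock()
        self.handled = threading.Event()  # set when a handler finishes (one-connection demo)
        threading.Thread(target=self.serve_forever, args=(0.05,), daemon=True).start()

    def permitted(self, src_ip):
        # Access-control decision, taken before any byte is relayed.
        return any(ipaddress.ip_address(src_ip) in net for net in self.allow_from)

class EchoHandler(socketserver.BaseRequestHandler):
    # Constructed stand-in for the application server beyond the firewall.
    def handle(self):
        while True:
            data = self.request.recv(4096)
            if not data:
                break
            self.request.sendall(data)

def run_through_plug(allow_from, message=b"hello through the plug\n"):
    # Send one constructed message through a plug with the given rules; return (echoed bytes, log).
    echo = socketserver.ThreadingTCPServer(("127.0.0.1", 0), EchoHandler)
    echo.daemon_threads = True
    threading.Thread(target=echo.serve_forever, args=(0.05,), daemon=True).start()
    plug = PlugServer(0, "127.0.0.1", echo.server_address[1], allow_from)
    got = b""
    try:
        c = socket.create_connection(plug.server_address, timeout=5)
        try:
            c.sendall(message)
            while len(got) < len(message):
                chunk = c.recv(4096)
                if not chunk:
                    break
                got += chunk
        except OSError:
            pass  # refused connection: reset or closed on us
        c.close()
        plug.handled.wait(5)  # let the handler finish its log entry
    finally:
        stop(plug)
        stop(echo)
    return got, plug.records
```

Calling `run_through_plug(["127.0.0.0/8"])` returns the message echoed back and a log entry showing the connection was permitted with 23 bytes relayed in each direction; `run_through_plug(["10.0.0.0/8"])` returns no data and an entry showing the attempt was refused before anything was relayed. Note what the relay function does not do: it never parses the application protocol, which is exactly why a plugged service must be judged on the safety of the application at each end rather than on anything the firewall can check.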
To access the Plug proxy configuration:
Configuring the Gauntlet Firewall involves planning, indicating which daemons the system will run, configuring the proxies to enforce your security policy, and enabling your proxy.
This section uses the Quote of the Day (qotd) service as an example. Of course, you must carefully determine if the benefits of something like a quote of the day service outweigh the risks of allowing that type of service within your defense perimeter.
Caution: Allowing proprietary protocols through your firewall can potentially have serious consequences. Because the protocols are proprietary, the firewall and the proxy have no information on the data or requests the applications are sending. It is also unknown how safe the application itself is. Always perform a risk assessment before using the Plug proxy for proprietary protocols.
When planning plug proxy settings:
Determine which protocols and which applications you wish to proxy through your firewall.
Determine what port these services use. Verify that the service carries all of its traffic over that single TCP connection; the Plug proxy cannot follow a protocol that opens additional connections on other ports, as FTP does.
Determine which external hosts can use these services.
Determine which internal hosts can use these services.
As you configure Plug proxy settings, you are actually creating configuration sets. You create a separate configuration set for each Plug proxy instance, that is, for each service and port you tunnel.
To configure a Plug proxy:
On the Plug window, click Add.
The Add Plug Services window displays.
Provide information about your service.
To enable the Plug proxy service:
On the Plug window, click Enabled.
Add the appropriate configuration set to the service groups that you want to use this configuration set of the Plug proxy.
Before exiting the Gauntlet Firewall Manager, save and apply your changes.
The firewall enables the Plug proxy.