J.T.O. (Phase I) : INTERNET, Module – 8, Chapter 3.6 Proxy Servers

CHAPTER 3.6
Proxy Servers
A Proxy Server is a software application that acts on behalf of client
applications, making requests to servers across a network, such as the Internet,
for resources such as Web pages.

Requests "By Proxy"

At the very least, all proxy servers, by definition, make requests to remote
servers on behalf of client applications. A client such as Netscape Navigator,
once it has been configured to use a proxy server, no longer "talks" directly to
any of the Web servers from which the user requests information. Every request
goes to the proxy server; the proxy server makes the request to the origin server,
the response is delivered back to the proxy server, and the proxy server then
delivers it to the client application.

This may initially seem like a less efficient process, and in some cases it
is, but in return the system administrator gains a great deal of control over
network traffic and far more information about it. And if the proxy server is a
caching server, as almost all are today, the proxy model can dramatically
increase efficiency on the network by reducing the number of requests that must
be sent out of the LAN or WAN.

Caching
The caching function of a proxy server is very similar to that of the Web
browser's cache: to decrease requests across the network. Almost every current
proxy server gives the administrator complete control over the size of the
cache, how long objects are kept in it, what types of content are cached, and a
number of other cache settings. Caching proxy servers have proven to reduce the
number of external requests significantly, which makes better use of the "pipe"
that connects a school's or district's network to the Internet. Caching proxies
can also make better use of a WAN if several of them are placed at critical
routing points throughout it.

Regional Telecom Training Centre.Mysore

Monitoring Network Traffic

Most proxy servers provide extensive logging and reporting, either as a
native feature of the software or through a third-party plug-in. In either case,
another significant feature of the proxy server is its ability to report on
network traffic and on who is doing what. If all Internet applications in a
school are configured to pass their requests through a proxy server, the proxy
server has the best and most natural vantage point for reporting on network
traffic and on where people are going on the Internet.

Routers and firewalls can provide similar logging and reporting. Consider
which component, if any, you want to log and report this type of information.
Logging and reporting can usually be turned on or off, or configured to cover
only certain things. They also tax CPU and RAM as well as disk space, so if
logging and reporting are not required for a certain component, don't enable
them there. Bear in mind that a log of who visited which sites is itself
sensitive information and needs the same access controls as the rest of the
security infrastructure.

Filtering
The lines between firewalls and proxy servers can be blurred in some of
today's products. In fact, Microsoft touts their proxy server as a proxy/firewall
combination. The reason the lines have blurred is that proxy servers have taken
on some of the duties of the firewall–to control network traffic.

Proxy servers can control network traffic in several ways. One method
Netscape Proxy 2.5 provides is filtering certain types of file, using the
identifiers known as MIME types. For example, if the "application/octet-stream"
type, the type normally given to files with a bin or exe extension, is filtered
out, any request made for such a file by any client using the proxy is denied.
Note that the MIME type of a response is whatever the origin server declares in
its Content-Type header (or whatever the proxy infers from the file extension),
so a server that labels an executable as plain text is not caught by a type
filter alone.

An extremely powerful tool available in Netscape Proxy 2.5 is the ability to
filter out specific beginning and ending HTML tags from Web pages before
passing the rest of the file along to the client. As the administrator you are
offered a few obvious tag sets that you may wish to have stripped out of every
page before the page reaches the Web browser.


For example, administrators may consider Java Applets a security risk and
therefore configure the proxy server to strip out the applet tags, as well as
everything between them, so that no Java Applets are delivered to client
computers. Through HTML tag filtering, administrators can even remove all images
or any other HTML tags they choose by specifying those tags manually in the
proxy configuration. Tag filtering applies only to pages the proxy can read;
traffic it merely tunnels, such as SSL connections to secure Web sites, passes
through untouched.
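The tag stripping described above, as an added worked example (not Netscape Proxy's own code): a filter that removes a configured set of HTML elements, everything between their opening and closing tags included, and stand-alone tags such as images, before a page is passed on to the browser. The policy sets, the sample page and the names used here are constructed for illustration.

```python
"""Proxy-side HTML element filter: remove configured tags and their contents."""
from html.parser import HTMLParser

# Constructed policy (assumption, not Netscape Proxy's configuration format):
# elements removed together with everything between their opening and
# closing tags, and stand-alone tags removed by themselves.
STRIP_ELEMENTS = frozenset({"applet", "object", "script"})
STRIP_TAGS = frozenset({"img", "embed"})


class TagFilter(HTMLParser):
    """Re-emit a page while dropping the configured elements.

    HTMLParser lowercases tag names, so <APPLET> and <applet> are treated
    alike. Kept start tags are re-emitted from their original text.
    """

    def __init__(self, strip_elements, strip_tags):
        # convert_charrefs=False so &amp; and &#160; pass through unchanged
        super().__init__(convert_charrefs=False)
        self.strip_elements = strip_elements
        self.strip_tags = strip_tags
        self.depth = 0        # nesting depth inside stripped elements
        self.out = []
        self.removed = []     # what was removed, for the proxy log

    def _emit(self, text):
        if self.depth == 0:
            self.out.append(text)

    def handle_starttag(self, tag, attrs):
        if tag in self.strip_elements:
            self.depth += 1
            self.removed.append(tag)
        elif tag in self.strip_tags:
            if self.depth == 0:
                self.removed.append(tag)
        else:
            self._emit(self.get_starttag_text())

    def handle_endtag(self, tag):
        if tag in self.strip_elements:
            # clamp at zero: a stray </applet> must not unbalance the filter
            self.depth = max(0, self.depth - 1)
        elif tag not in self.strip_tags:
            self._emit(f"</{tag}>")

    def handle_startendtag(self, tag, attrs):
        # <img .../> style: nothing can be nested inside, so no depth change
        if tag in self.strip_elements or tag in self.strip_tags:
            if self.depth == 0:
                self.removed.append(tag)
        else:
            self._emit(self.get_starttag_text())

    def handle_data(self, data):
        self._emit(data)

    def handle_entityref(self, name):
        self._emit(f"&{name};")

    def handle_charref(self, name):
        self._emit(f"&#{name};")

    def handle_comment(self, data):
        self._emit(f"<!--{data}-->")

    def handle_decl(self, decl):
        self._emit(f"<!{decl}>")


def filter_page(html, strip_elements=STRIP_ELEMENTS, strip_tags=STRIP_TAGS):
    """Return (filtered_html, removed_tag_names). An element that is opened
    but never closed swallows the rest of the page: the filter fails closed."""
    f = TagFilter(strip_elements, strip_tags)
    f.feed(html)
    f.close()
    return "".join(f.out), f.removed


# Constructed sample page with an applet, an image and a script.
SAMPLE_PAGE = (
    '<html><body><h1>Welcome &amp; hello</h1>'
    '<APPLET code="Game.class" width=100>'
    '<param name="x" value="1">Your browser lacks Java</APPLET>'
    '<p>Text<img src="a.gif"> more <br/>end</p>'
    '<script>alert(1)</script></body></html>'
)

if __name__ == "__main__":
    page, removed = filter_page(SAMPLE_PAGE)
    print(page)
    print("removed:", removed)
```

The filter fails closed: an applet tag that is never closed removes everything after it rather than letting the applet through, and a stray closing tag cannot re-enable output early. The removed-tag list is what the proxy would write to its log.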

Each filtering method mentioned above comes standard in Netscape Proxy
Server 2.5 and many other current proxy servers. Another filtering feature
standard in most proxy servers is the ability to define a "deny" or "allow" list
of URLs. The administrator can configure the server to check a list of URLs
stored on the system before fulfilling a user's request. A text file lists
either the URLs that the proxy will allow, or the URLs that are to be explicitly
denied. This feature gives the administrator some control over which sites
people can visit on the Internet, but it is in no way practical to expect each
administrator of a proxy server to build a complete list of sites to deny.
Proxies such as Netscape Proxy Server and Microsoft Proxy Server provide the
ability to build "allow lists" or "deny lists" manually, but do not come
standard with comprehensive content filtering capabilities.
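The two list-driven controls above, the MIME-type filter and the "allow"/"deny" URL list, as one added example (not Netscape or Microsoft Proxy Server code). The deny list is a small constructed text file in the form the chapter describes; the URL normalization and the decision to refuse IP-literal URLs are choices made for this example; and the response-side check looks at the file extension as well as the declared type, for the reason given in the code.

```python
"""Proxy access policy: URL deny list plus MIME-type and extension filter."""
import ipaddress
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed deny list in the plain-text form the chapter describes
# (assumption: one entry per line, '#' comments; an entry is a host, which
# also matches its subdomains, optionally followed by a path prefix).
DENY_LIST_TEXT = """
# blocked sites
games.example
www.badsite.example/downloads
"""

# MIME types the proxy refuses to return, and the extensions a Web server
# would normally map to them.
BLOCKED_MIME_TYPES = frozenset({"application/octet-stream"})
BLOCKED_EXTENSIONS = frozenset({".bin", ".exe"})


def parse_deny_list(text):
    """Return a list of (host, path_prefix) rules with lowercase hosts."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, path = line.partition("/")
        rules.append((host.lower().rstrip("."), "/" + path if path else "/"))
    return rules


def normalize(url):
    """Canonical (host, path) so that trivial rewrites do not evade the list:
    upper-case letters, a trailing dot, an explicit port and %-encoding."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")   # .hostname is already lowercased
    path = unquote(parts.path) or "/"
    return host, path


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def deny_request(url, rules):
    """Return the rule that blocks the URL, or None if it may be fetched.

    URLs that name the server by IP address are refused outright (a policy
    choice made in this example): a deny list keyed on host names is
    otherwise bypassed simply by looking the address up and requesting it.
    """
    host, path = normalize(url)
    if is_ip_literal(host):
        return ("ip-literal", "/")
    for rule_host, prefix in rules:
        if (host == rule_host or host.endswith("." + rule_host)) \
                and path.startswith(prefix):
            return (rule_host, prefix)
    return None


def deny_response(url, content_type):
    """Return a reason to withhold the response, or None to pass it on.

    The Content-Type header is whatever the origin server chose to send, so
    a server that labels an .exe as text/plain slips past a header-only
    check; the extension of the requested path is therefore checked too.
    """
    mime = content_type.split(";", 1)[0].strip().lower()
    if mime in BLOCKED_MIME_TYPES:
        return "blocked MIME type " + mime
    _, path = normalize(url)
    ext = posixpath.splitext(path)[1].lower()
    if ext in BLOCKED_EXTENSIONS:
        return "blocked extension " + ext
    return None


if __name__ == "__main__":
    rules = parse_deny_list(DENY_LIST_TEXT)
    for u in ("http://GAMES.EXAMPLE./index.html",
              "http://www.badsite.example/%64ownloads/tool.exe",
              "http://www.badsite.example/about",
              "http://192.0.2.10/"):
        print(u, "->", deny_request(u, rules))
    print(deny_response("http://files.example/setup.EXE", "text/plain"))
```

The request-side check runs before the proxy fetches anything; the response-side check runs on what comes back, because the type of a file is not known with certainty until the origin server answers.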

Some proxy servers, such as N2H2's BESS Server, are marketed as
content filtering proxy servers. When such a proxy server is purchased, a
subscription is also purchased to continually update an extensive list of "deny"
sites. With Netscape and Microsoft Proxy Server, a third-party application and
service must be implemented instead; many are available that plug directly in to
either proxy server. Another filtering capability that comes standard in some
proxy servers, or as a third-party plug-in for others, is virus checking.
Netscape Proxy 2.5, for example, partners with Trend Micro to provide InterScan
VirusWall. VirusWall is built in, but it is still separately licensed, and the
service that supplies virus updates is sold separately. It works by scanning
incoming HTTP and FTP traffic for viruses while the proxy server is requesting,
caching, filtering, and logging. If a virus is detected, the proxy prevents the
download, alerts the user, and logs an entry in the virus scanning log for the
administrator.


Testing your Security Plan

Return for a moment to the three-step continual process involved in
having a successful security model in place for an organization. The three steps
include :

• Planning

• Implementing

• Verifying

The final step in this process, which generally leads you directly back to
the planning step, is verification. Verification can be viewed as a test of the
first two steps, planning and implementing. Two determinations therefore come
out of the verification process.

• How well you planned; in other words, how well you were able to
determine your assets and threats in order to plan an appropriate
security model.

• How well you implemented; in other words, how well you were able
to deploy the planned security model to protect the defined assets.
Was your security plan complete?

Finding the "holes" in your system is a part of the planning process, but
once you have completed planning and implementing, it's time to re-test your
system for vulnerabilities. This is often referred to as security scanning or
vulnerability analysis.


A proxy server can also be used to restrict access to information on the
Internet. If, for example, you do not want your users to have access to
pornographic materials, a proxy server can be configured to refuse to pass the
request along to the intended Internet server.

A proxy server operates on a list of rules given to it by a System
Administrator. Some proxy software uses a list of specific forbidden sites,
while other proxy software examines the content of a page before it is served
to the requester; if certain keywords are found in the requested page, access
to it is denied by the proxy server. Technologically, there is no substantial
difference between a caching server and a proxy server; the difference lies in
the desired outcome of the server's use. If you wish to reduce the overall
amount of traffic exchanged between your network and the Internet, a caching
server may be your best bet. On the other hand, if you wish to restrict or
prohibit the flow of certain types of information to your network, a proxy
server will allow you to do that.

There are several different packages that allow a System Administrator to
set up a caching or proxy server. Additionally, you can buy any of a number of
turn-key solutions to provide these services.
Nameserver Concepts
Zone
A zone is a part of the name space (such as ee.usm.maine.edu or bbn.com)
that has been delegated as a unit to a server (the primary, together with any
secondaries). If a nameserver is listed at the InterNIC (or at a higher-level
nameserver) as authoritative for a part of the name space, and it holds full
data for that part of the name space, then it is authoritative for that zone.


Domain
A domain is also part of the name space, but it may cover several zones
(maine.edu is a domain that covers both the usm.maine.edu and the
caps.maine.edu zones).
Zone Example

(Figure: the .edu domain, shown containing .edu, .mit.edu, .maine.edu and
.usm.maine.edu. Three zones are marked within it: the .edu zone, the
.maine.edu zone and the .usm.maine.edu zone.)


Domain Delegation
• Top two levels delegated from the NIC.
• Third level and lower delegated by the site controlling the next
higher domain.
For example,
.edu - controlled by the NIC.
.maine.edu - delegated by the NIC to named.caps.maine.edu.
.usmacs.maine.edu - delegated by named.caps.maine.edu to
csir1.usmacs.maine.edu
Resolvers
• The DNS client
• Generates the queries, for domain name information, that are sent
to a name server.
• Completely separate from the name server function.
• Configured via /etc/resolv.conf, for example:
;
; Bind Data
;
; "domain" is used to fully qualify non-canonical (unqualified) DNS requests.
domain ee.usm.maine.edu
; "nameserver" lines say where my nameservers are and in what order I query
; them. Note, these are IP addresses only (a host name here would itself
; need resolving). Most resolvers consult at most the first three entries.
nameserver 130.111.130.7
nameserver 130.111.32.11
nameserver 130.111.128.213
nameserver 128.89.2.34


Name Servers
• The DNS Server
- Answers DNS Queries sent by resolvers
- Listens at UDP and TCP port 53.
• UDP for routine queries.
• TCP used for zone transfers, and for a query whose answer is too large
for one UDP datagram (the server sets the TC, truncated, bit and the
client repeats the query over TCP).
• Configurations
- Caching-only : relies on other name servers for authoritative
answers.
- Primary : contains the writeable authoritative copy for the
zones that it is primary for
- Secondary : contains mirror copy of the data from a primary
nameserver. No updates take place here, used to provide
redundancy.
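The port and transport rules above in code, as an added example that is not from the chapter: it encodes a standard query and parses a response in the RFC 1035 wire format (no EDNS), including name compression, and decides when a client must move to TCP: always for a zone transfer, and for a routine query only when the server set the TC (truncated) bit because the answer did not fit in one UDP datagram. The response bytes are constructed inside the example; nothing is sent on the network.

```python
"""DNS header/question encoding and the truncation -> TCP decision (RFC 1035)."""
import struct

QTYPE_A, QTYPE_AXFR = 1, 252
QCLASS_IN = 1
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080


def encode_name(name):
    """cyber.bbn.com -> b'\\x05cyber\\x03bbn\\x03com\\x00' (length-prefixed labels, root)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError("label length must be 1..63")
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return bytes(out) + b"\x00"


def decode_name(msg, offset):
    """Read a name at offset, following compression pointers; return (name, next_offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                 # 11xxxxxx: pointer into the message
            if end is None:
                end = offset + 2                  # the pointer is the last thing read here
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:                         # a pointer loop would never terminate
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def build_query(name, qtype, txid):
    """Standard recursive query: 12-byte header, QDCOUNT=1, one question."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def build_a_response(query, addr, truncated=False):
    """Constructed server reply: echo the question, then one A record whose
    owner name is a compression pointer (0xC00C) back to the question name.
    With truncated=True the server sets TC and sends no answer section."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_TC if truncated else 0)
    answers = b""
    if not truncated:
        answers = (b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 3600, 4)
                   + bytes(int(o) for o in addr.split(".")))
    header = struct.pack("!HHHHHH", txid, flags, 1, 0 if truncated else 1, 0, 0)
    return header + query[12:] + answers


def first_a_answer(response):
    """Return (owner, dotted_address) of the first answer RR, or None."""
    if parse_header(response)["ancount"] == 0:
        return None
    _, off = decode_name(response, 12)            # skip the question name ...
    off += 4                                      # ... and QTYPE, QCLASS
    owner, off = decode_name(response, off)
    rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
    rdata = response[off + 10:off + 10 + rdlen]
    if rtype != QTYPE_A or rdlen != 4:
        return None
    return owner, ".".join(str(b) for b in rdata)


def needs_tcp(qtype, response):
    """Zone transfers always go over TCP; a routine UDP query is repeated over
    TCP only when the server flagged its reply as truncated."""
    return qtype == QTYPE_AXFR or parse_header(response)["tc"]


def tcp_frame(msg):
    """On TCP every DNS message is preceded by its length as a 2-byte big-endian field."""
    return struct.pack("!H", len(msg)) + msg


if __name__ == "__main__":
    q = build_query("cyber.bbn.com", QTYPE_A, 0x1234)
    print(q.hex())
    print(first_a_answer(build_a_response(q, "192.1.100.48")))
    print(needs_tcp(QTYPE_A, build_a_response(q, "192.1.100.48", truncated=True)))
```

The pointer-hop limit in decode_name matters on a port-53 listener: a crafted message whose compression pointer refers to itself would otherwise keep the parser spinning.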


How Does it Work ?

The host EEUNIX.EE.USM.MAINE.EDU wants the address of cyber.bbn.com. Its
resolver talks only to the USM nameserver, which does the rest of the work:

1. Query from EEUNIX.EE.USM.MAINE.EDU to its configured (USM) nameserver :
"What's the address for cyber.bbn.com?"
2. Query from the USM nameserver to a root nameserver : "What's the address
for cyber.bbn.com?"
3. Response from the root server : "Ask these servers, they know", together
with their names and IP addresses (a referral).
4. Query from the USM nameserver to the BBN nameserver : "What's the address
for cyber.bbn.com?"
5. Response from the BBN nameserver : "cyber.bbn.com's address is
192.1.100.48"
6. Response from the USM nameserver to EEUNIX.EE.USM.MAINE.EDU :
"cyber.bbn.com's address is 192.1.100.48"

(In a real lookup the root server refers the USM nameserver to the .com
servers, which in turn refer it to the BBN nameserver; the figure collapses
that intermediate step.)
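The exchange in the figure, as an added offline simulation (not from the chapter): three constructed authoritative servers stand in for the root, the .com servers and the BBN nameserver, and a small caching resolver plays the USM nameserver's part. The root and .com server addresses are placeholders from the 192.0.2.0/24 documentation range; cyber.bbn.com's address is the one the figure quotes. Unlike the figure, the walk includes the .com referral step, and it bounds the number of referrals it will follow.

```python
"""Iterative DNS resolution, simulated offline with constructed servers."""

# Constructed data (assumption): three authoritative servers keyed by the
# address the referring server hands out as glue. The root and TLD server
# addresses are documentation-range placeholders; only cyber.bbn.com's
# address is the one quoted in the chapter.
ROOT_HINT = "192.0.2.53"
SERVERS = {
    "192.0.2.53": {"zone": "", "records": {},
                   "delegations": {"com": ("a.gtld.example", "192.0.2.1")}},
    "192.0.2.1": {"zone": "com", "records": {},
                  "delegations": {"bbn.com": ("ns.bbn.com", "192.0.2.2")}},
    "192.0.2.2": {"zone": "bbn.com", "records": {"cyber.bbn.com": "192.1.100.48"},
                  "delegations": {}},
}


def in_zone(name, zone):
    """Is name at or below zone? The root zone ("") contains everything."""
    return zone == "" or name == zone or name.endswith("." + zone)


def authoritative_answer(server_addr, qname):
    """One server's reply to "What's the address for qname?".

    Returns ("ANSWER", addr), ("REFERRAL", (ns_name, ns_addr)),
    ("NXDOMAIN", None) or ("REFUSED", None). An authoritative-only server
    never asks anyone else; for a name outside its zone it refuses.
    """
    srv = SERVERS[server_addr]
    if not in_zone(qname, srv["zone"]):
        return ("REFUSED", None)
    if qname in srv["records"]:
        return ("ANSWER", srv["records"][qname])
    # longest delegated child zone that contains the name -> referral + glue
    for child in sorted(srv["delegations"], key=len, reverse=True):
        if in_zone(qname, child):
            return ("REFERRAL", srv["delegations"][child])
    return ("NXDOMAIN", None)


def resolve(qname, root_hint=ROOT_HINT, max_hops=8):
    """Walk the referral chain from the root, as the USM nameserver does on
    behalf of eeunix; return (address or None, transcript of the exchange).
    max_hops bounds the walk so two servers referring to each other cannot
    keep the resolver busy forever."""
    transcript, server = [], root_hint
    for _ in range(max_hops):
        transcript.append(f"query -> {server}: What's the address for {qname}?")
        kind, payload = authoritative_answer(server, qname)
        if kind == "ANSWER":
            transcript.append(f"response <- {server}: {qname}'s address is {payload}")
            return payload, transcript
        if kind == "REFERRAL":
            ns_name, ns_addr = payload
            transcript.append(f"response <- {server}: ask {ns_name} at {ns_addr}, it knows")
            server = ns_addr
            continue
        transcript.append(f"response <- {server}: {kind}")
        return None, transcript
    transcript.append("gave up: too many referrals")
    return None, transcript


class CachingResolver:
    """The client-facing (USM) nameserver: recursive, with a simple cache.
    Real caches expire entries after the record's TTL; omitted here."""

    def __init__(self):
        self.cache = {}

    def lookup(self, qname):
        if qname in self.cache:
            return self.cache[qname], ["answered from cache"]
        addr, transcript = resolve(qname)
        if addr is not None:
            self.cache[qname] = addr
        return addr, transcript


if __name__ == "__main__":
    usm = CachingResolver()
    for line in usm.lookup("cyber.bbn.com")[1]:
        print(line)
```

Running the block prints the six messages of the walk (three queries and three responses); a second lookup of the same name is answered from the cache without any query leaving the USM nameserver, which is the caching-only behaviour described under Configurations above.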


Named Configuration Files

• Boot file (named.boot) : general named configuration parameters.
• Root cache (named.ca) : cache containing root domain name
server names and addresses.
• Loopback entry (named.local) : Used to locally resolve loopback
address.
• Forward mappings (hosts.db) : File mapping host names to IP
address.
• Reverse mappings (hosts.rev) : File mapping IP addresses to
names.
• The names and locations of all these files except named.boot itself are
specified in named.boot and can be chosen locally.
Primary Vs Secondary Servers
• Primary
- Data loaded from a file.
- One primary server per zone.
• Secondary
- Data transferred from a primary server.
- Data may be stored in a file.
- Checks every refresh period with the primary, looking for
changes.
- Might have many secondaries per zone.
