
Building Internet Firewalls

Chapter 7: Proxy Systems

7.7 Using the TIS Internet Firewall Toolkit for Proxying

The free TIS FWTK, from Trusted Information Systems, includes a number of proxy servers of various types. The TIS FWTK also provides a number of other tools for authentication and other purposes, which are discussed where appropriate in other chapters of this book. Appendix B provides information on how to get the TIS FWTK.

Whereas SOCKS attempts to provide a single, general proxy, the TIS FWTK provides individual proxies for the most common Internet services (as shown in Figure 7.4). The idea is that by using small separate programs with a common configuration file, it can provide intelligent proxies that are provably safe, while still allowing central control. The result is an extremely flexible toolkit and a rather large configuration file.

Figure 7.4: Using the TIS FWTK for proxying

7.7.1 FTP Proxying with TIS FWTK

The TIS FWTK provides FTP proxying either with modified client programs or modified user procedures (ftp-gw). If you wish to use the same machine to support proxied FTP and straight FTP (for example, allowing people on the Internet to pick up files from the same machine that does outbound proxying for your users), the toolkit will support that, but you will have to use modified user procedures.

Using modified user procedures is the most common configuration for the TIS FWTK. The support for modified client programs is somewhat half-hearted (for example, no modified clients or libraries are provided). Because it's a dedicated FTP proxy, it provides logging, denial, and extra user authentication of particular FTP commands.

7.7.2 Telnet and rlogin Proxying with TIS FWTK

The TIS FWTK Telnet (telnet-gw) and rlogin (rlogin-gw) proxies support modified user procedures only. Users connect via Telnet or rlogin to the proxy host, and instead of getting a "login" prompt for the proxy host, they are presented with a prompt from the proxy program, allowing them to specify what host to connect to (and whether to make an X connection if the x-gw software is installed, as we describe in "Other TIS FWTK Proxies" below).

7.7.3 Generic Proxying with TIS FWTK

The TIS FWTK provides a purely generic proxy, plug-gw, which requires no modifications to clients, but supports a limited range of protocols and uses. It examines the address it received a connection from and the port the connection came in on, and it creates a connection to another host on an appropriate port. You can't specify which host it should connect to while making that connection; it's determined by the incoming host. This makes plug-gw inappropriate for services that are employed by users, who rarely want to connect to the same host every time. It provides logging but no other security enhancements, and therefore needs to be used with caution even in situations where it's appropriate (e.g., for NNTP connections).
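The following Python sketch is an added illustration of what plug-gw does, not code from the TIS FWTK and not its netperm-table syntax: a rule table keyed on the client's network and the port the connection arrived on fixes the destination (the client never names a host), and the relay then copies bytes blindly, logging only endpoints and byte counts. The networks and host names are constructed placeholders.

```python
import ipaddress
import logging
import selectors
import socket
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

log = logging.getLogger("plug")

@dataclass(frozen=True)
class PlugRule:
    source_net: ipaddress.IPv4Network  # client network allowed to connect
    listen_port: int                   # proxy port the connection arrived on
    dest_host: str                     # where the proxy connects on their behalf
    dest_port: int

# Constructed rule table (placeholder hosts): the (client network, listening
# port) pair alone decides the destination, exactly as the text describes.
RULES: List[PlugRule] = [
    PlugRule(ipaddress.ip_network("192.0.2.0/24"), 119, "news.internal.example", 119),
    PlugRule(ipaddress.ip_network("198.51.100.0/24"), 119, "news.partner.example", 119),
]

def choose_destination(source_ip: str, listen_port: int,
                       rules: List[PlugRule] = RULES) -> Optional[Tuple[str, int]]:
    """Return (host, port) to plug into, or None when no rule matches (refuse)."""
    addr = ipaddress.ip_address(source_ip)
    for rule in rules:
        if addr in rule.source_net and listen_port == rule.listen_port:
            log.info("plug %s:%d -> %s:%d", source_ip, listen_port, rule.dest_host, rule.dest_port)
            return rule.dest_host, rule.dest_port
    log.warning("refused %s on port %d: no matching rule", source_ip, listen_port)
    return None

def relay(client: socket.socket, server: socket.socket) -> Dict[str, int]:
    """Copy bytes in both directions until either side closes. Nothing is
    parsed or filtered, only counted: logging is the only security gain."""
    peer = {client: server, server: client}
    counts = {"from_client": 0, "from_server": 0}
    with selectors.DefaultSelector() as sel:
        for s in peer:
            sel.register(s, selectors.EVENT_READ)
        while True:
            for key, _ in sel.select():
                data = key.fileobj.recv(4096)
                if not data:  # one side hung up: tear down both sides
                    log.info("closed, bytes relayed: %s", counts)
                    for s in peer:
                        s.close()
                    return counts
                peer[key.fileobj].sendall(data)
                counts["from_client" if key.fileobj is client else "from_server"] += len(data)
```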

7.7.4 Other TIS FWTK Proxies

TIS FWTK proxies HTTP and Gopher via the http-gw program. This program supports either modified clients or modified procedures. Most HTTP clients support proxying; you just need to tell them where the proxy server is. To use http-gw with an HTTP client that's not proxy-aware, you add http://firewall/ in front of the URL. Using it with a Gopher client that is not proxy-aware is slightly more complex, since all the host and port information has to be moved into the path specification.

x-gw is an X gateway. It provides some minimal security by requiring confirmation from the user before allowing a remote X client to connect. The X gateway is started up by connecting to the Telnet or rlogin proxy and typing "x", which puts up a control window.
