

Building Internet Firewalls

Chapter 7. Proxy Systems
 

7.8 What If You Can't Proxy?

You might find yourself unable to proxy a service for one of three reasons:

  • There's no proxy server available.

  • Proxying doesn't secure the service sufficiently.

  • You can't modify the client, and the protocol doesn't allow you to use modified procedures.

We describe each of these situations in the following sections.

7.8.1 No Proxy Server Is Available

If the service is proxyable, but you can't find a modified-procedure server or modified clients for your platform, you can always do the work yourself. Modifying a normal TCP client program to use SOCKS is relatively trivial. As long as the SOCKS libraries are available for the platform you're interested in, it's usually a matter of changing a few library calls and recompiling. You do have to have the source for the client.
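What those "few library calls" do once swapped in is worth seeing concretely. The following is an added example, not code from the book or from any SOCKS library: the client side of a SOCKS5 CONNECT handshake (no-authentication method only), plus a stand-in for the SOCKS server so the exchange can be run offline over a socketpair. The host names, ports and the server's port allow-list are constructed for the demonstration; a real SOCKS library wraps `socks5_connect` behind a replacement for `connect()` so the application code does not change at all.

```python
"""Added example (not from the book): the exchange a SOCKS-modified client
performs. A SOCKS library replaces the application's connect() with a call
that first asks the SOCKS server to open the real connection and only then
hands the socket back. socks5_connect() is the client side; fake_socks_server()
stands in for the proxy so the example runs offline over a socketpair.
Only the "no authentication" method is implemented."""
import socket
import struct
import threading

SOCKS_VERSION = 0x05
NO_AUTH = 0x00
NO_ACCEPTABLE = 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03

REPLY_TEXT = {
    0x00: "succeeded",
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",
}


def _recv_exact(sock, n):
    """Read exactly n bytes; trusting a single short recv() is a classic client bug."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("SOCKS server closed the connection")
        buf += chunk
    return buf


def socks5_connect(sock, dest_host, dest_port):
    """Client side. `sock` is already connected to the SOCKS server; returns the
    server's reply code (0x00 means the real connection is open)."""
    # 1. Method negotiation: we offer only "no authentication".
    sock.sendall(bytes([SOCKS_VERSION, 1, NO_AUTH]))
    ver, method = _recv_exact(sock, 2)
    if ver != SOCKS_VERSION or method != NO_AUTH:
        raise ConnectionError("SOCKS server rejected our authentication methods")
    # 2. CONNECT request with the destination as a domain name (ATYP 0x03),
    #    so name resolution happens on the proxy, not on the inside client.
    host = dest_host.encode("idna")
    if len(host) > 255:
        raise ValueError("host name too long for a SOCKS5 domain address")
    req = struct.pack("!BBBBB", SOCKS_VERSION, CMD_CONNECT, 0, ATYP_DOMAIN, len(host))
    sock.sendall(req + host + struct.pack("!H", dest_port))
    # 3. Reply: VER REP RSV ATYP BND.ADDR BND.PORT; consume the bound address.
    ver, rep, _rsv, atyp = _recv_exact(sock, 4)
    if atyp == ATYP_IPV4:
        _recv_exact(sock, 4 + 2)
    elif atyp == ATYP_DOMAIN:
        (n,) = _recv_exact(sock, 1)
        _recv_exact(sock, n + 2)
    else:  # IPv6
        _recv_exact(sock, 16 + 2)
    if ver != SOCKS_VERSION:
        raise ConnectionError("bad SOCKS version in reply")
    return rep


def fake_socks_server(sock, allowed_ports=(80, 443)):
    """Stand-in proxy (constructed for the example). It refuses destination ports
    outside its allow-list, which is the policy decision a real SOCKS server makes.
    Returns the (host, port) the client asked for."""
    _ver, nmethods = _recv_exact(sock, 2)
    methods = _recv_exact(sock, nmethods)
    sock.sendall(bytes([SOCKS_VERSION, NO_AUTH if NO_AUTH in methods else NO_ACCEPTABLE]))
    _ver, _cmd, _rsv, atyp = _recv_exact(sock, 4)
    if atyp != ATYP_DOMAIN:  # our client only ever sends domain addresses
        raise ConnectionError("stand-in server handles ATYP 0x03 only")
    (n,) = _recv_exact(sock, 1)
    host = _recv_exact(sock, n).decode("idna")
    (port,) = struct.unpack("!H", _recv_exact(sock, 2))
    rep = 0x00 if port in allowed_ports else 0x02
    # Bound address 0.0.0.0:0 is what many servers return when it is not meaningful.
    sock.sendall(struct.pack("!BBBB4sH", SOCKS_VERSION, rep, 0, ATYP_IPV4, b"\0\0\0\0", 0))
    return host, port


def proxied_connect_demo(dest_host, dest_port):
    """Run client and stand-in server over a socketpair; return (reply code,
    what the server saw). In a real program only socks5_connect() would exist."""
    client, server = socket.socketpair()
    seen = {}
    t = threading.Thread(target=lambda: seen.update(req=fake_socks_server(server)))
    t.start()
    rep = socks5_connect(client, dest_host, dest_port)
    t.join()
    client.close()
    server.close()
    return rep, seen["req"]


if __name__ == "__main__":
    for port in (80, 23):
        rep, req = proxied_connect_demo("www.example.com", port)
        print(req, "->", REPLY_TEXT.get(rep, hex(rep)))
```

Note that the client hands the destination to the proxy as a name, not an address: the inside host never needs to resolve Internet names, which is one of the reasons SOCKS fits a dual-homed firewall where the client has no direct route outside.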

Writing your own modified-procedure server is considerably more difficult, because it means writing the server from scratch.

7.8.2 Proxying Won't Secure the Service

If you need to use a service that's inherently insecure, proxying can't do much for you. You're going to need to set up a victim machine, as described in Chapter 5, and let people run the service there. This may be difficult if you're using a dual-homed nonrouting host to make a firewall where all connections must be proxied; the victim machine is going to need to be on the Internet side of the dual-homed host.

Using an intelligent application-level server that filters out insecure commands may help, but requires extreme caution in implementing the server and may make important parts of the service nonfunctional.

7.8.3 Can't Modify Client or Procedures

There are some services that just don't have room for modifying user procedures (for example, ping and traceroute). Fortunately, services that don't allow the user to pass any data to the server tend to be small, stupid, and safe. You may be able to safely provide them on the bastion host, letting users log in to the bastion host but giving them a shell that only allows them to run the un-proxyable services you want to support.
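The "shell that only allows them to run the un-proxyable services" can be very small. The following is an added example, not from the book: a restricted login shell that accepts exactly two commands, each with a fixed option set and a single host argument, and refuses everything else. The command paths, the option sets and the hostname rule are assumptions for the demonstration; the script's own path (set as the user's login shell) is hypothetical.

```python
"""Added example (not from the book): a restricted login shell for a bastion
host. Installed as the user's shell, it runs only the commands in ALLOWED,
never invokes /bin/sh, and accepts one host argument and nothing else, so the
user cannot reach options of ping/traceroute that read or write files."""
import re
import shlex
import subprocess
import sys

# Command name -> argv prefix. Paths and options are assumptions; verify them
# on your own bastion host (the -c 4 keeps ping from running forever).
ALLOWED = {
    "ping": ["/bin/ping", "-c", "4"],
    "traceroute": ["/usr/bin/traceroute"],
}

# One DNS name or dotted-quad literal: labels of letters, digits and hyphens,
# never starting with "-", so the argument can never be parsed as an option.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def build_command(line):
    """Return the argv to execute for one input line, or None if it is refused."""
    try:
        words = shlex.split(line, comments=True)
    except ValueError:  # unbalanced quotes
        return None
    if len(words) != 2:  # exactly: <command> <host>; no options, no extra words
        return None
    name, host = words
    if name not in ALLOWED or not HOST_RE.match(host):
        return None
    return ALLOWED[name] + [host]


def repl(lines, run=subprocess.call, reply=print):
    """Read-eval loop over an iterable of input lines. Executes argv lists
    directly (no shell=True), so nothing typed is ever re-parsed by /bin/sh."""
    usage = "commands: " + " | ".join(f"{c} <host>" for c in sorted(ALLOWED))
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line in ("exit", "logout"):
            break
        argv = build_command(line)
        if argv is None:
            reply(usage)
            continue
        run(argv)
    return 0


if __name__ == "__main__":
    sys.exit(repl(sys.stdin))
```

The important property is that the user's input is never handed to an interpreter: it is split, matched against a short allow-list, and then executed as an argv list. Anything that fails the match gets the usage line and nothing else.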

