9.8. What If You Can't Proxy?

You might find yourself unable to proxy a service for one of three reasons:
9.8.1. No Proxy Server Is Available

If the service is proxyable, but you can't find a proxy server or proxy-aware clients for your platform, you can always do the work yourself. In many cases, you can simply use the dynamic libraries to wrap existing binaries.

If you can't use dynamic libraries, modifying a normal TCP client program to use SOCKS is relatively trivial. As long as the SOCKS libraries are available for the platform you're interested in, it's usually a matter of changing a few library calls and recompiling. You do have to have the source for the client. Writing your own proxy server is considerably more difficult because it means writing the server from scratch.
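To show what "changing a few library calls" amounts to, here is an added example (not from the book and not any particular SOCKS library's code) of the client side of a SOCKS5 CONNECT exchange as defined in RFC 1928, with no authentication. The only call a normal TCP client has to swap is its connect: socks_connect() connects to the proxy instead of the destination and runs the handshake before handing back the socket. The ScriptedProxy class is a constructed, in-memory stand-in for the proxy's half of the conversation so the exchange can be exercised without a network; the hostnames, the bound address 192.0.2.10:4321 and the ruleset are constructed values.

```python
import socket
import struct

# Wire constants from RFC 1928 (SOCKS Protocol Version 5).
SOCKS5 = 0x05
METHOD_NO_AUTH = 0x00
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
    0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
    0x07: "command not supported", 0x08: "address type not supported",
}


class SocksError(OSError):
    """The proxy refused the handshake or the CONNECT request."""


def _recv_exact(sock, n):
    """Read exactly n bytes; a short read means the proxy hung up mid-handshake."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise SocksError("proxy closed the connection during the handshake")
        buf += chunk
    return buf


def build_connect_request(dest_host, dest_port):
    """CONNECT request using the domain-name address type, so the proxy
    (not the inside client) does the DNS lookup."""
    name = dest_host.encode("idna")
    if not 0 < len(name) < 256:
        raise ValueError("destination name must be 1..255 bytes")
    if not 0 <= dest_port <= 0xFFFF:
        raise ValueError("port out of range")
    return (bytes([SOCKS5, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
            + name + struct.pack("!H", dest_port))


def socks5_handshake(sock, dest_host, dest_port):
    """Client side of the SOCKS5 exchange on an already-connected socket.
    Returns the (address, port) the proxy bound for the relay."""
    sock.sendall(bytes([SOCKS5, 0x01, METHOD_NO_AUTH]))   # greeting: one method offered
    ver, method = _recv_exact(sock, 2)                      # proxy's method selection
    if ver != SOCKS5 or method != METHOD_NO_AUTH:
        raise SocksError("proxy did not accept no-auth (ver=%d, method=%#04x)" % (ver, method))
    sock.sendall(build_connect_request(dest_host, dest_port))
    ver, rep, _rsv, atyp = _recv_exact(sock, 4)             # reply header
    if ver != SOCKS5:
        raise SocksError("unexpected reply version %d" % ver)
    if atyp == ATYP_IPV4:
        bound = socket.inet_ntoa(_recv_exact(sock, 4))
    elif atyp == ATYP_DOMAIN:
        bound = _recv_exact(sock, _recv_exact(sock, 1)[0]).decode("idna")
    elif atyp == ATYP_IPV6:
        bound = socket.inet_ntop(socket.AF_INET6, _recv_exact(sock, 16))
    else:
        raise SocksError("unknown address type %#04x in reply" % atyp)
    bound_port = struct.unpack("!H", _recv_exact(sock, 2))[0]
    if rep != 0x00:
        reason = REPLY_TEXT.get(rep, "code %#04x" % rep)
        raise SocksError("CONNECT %s:%d refused: %s" % (dest_host, dest_port, reason))
    return bound, bound_port


def socks_connect(proxy_addr, dest_host, dest_port, timeout=10.0):
    """Drop-in for socket.create_connection(): the one call a client swaps."""
    sock = socket.create_connection(proxy_addr, timeout=timeout)
    try:
        socks5_handshake(sock, dest_host, dest_port)
    except Exception:
        sock.close()
        raise
    return sock


class ScriptedProxy:
    """Constructed in-memory stand-in for the proxy's side of the exchange
    (no real network). Accepts no-auth; allows CONNECT only to allow-listed names."""

    def __init__(self, allowed_names):
        self.allowed = set(allowed_names)
        self.pending = b""          # bytes queued for the client's recv()

    def sendall(self, data):
        if len(data) == 3 and data[0] == SOCKS5:              # greeting
            self.pending += bytes([SOCKS5, METHOD_NO_AUTH])
            return
        cmd, atyp, n = data[1], data[3], data[4]              # CONNECT request
        name = data[5:5 + n].decode("idna")
        rep = 0x00 if (cmd == CMD_CONNECT and atyp == ATYP_DOMAIN
                       and name in self.allowed) else 0x02
        # Constructed bound address (TEST-NET) 192.0.2.10:4321 in the reply.
        self.pending += (bytes([SOCKS5, rep, 0x00, ATYP_IPV4])
                         + socket.inet_aton("192.0.2.10") + struct.pack("!H", 4321))

    def recv(self, n):
        out, self.pending = self.pending[:n], self.pending[n:]
        return out


def attempt(allowed_names, dest_host, dest_port):
    """Run the handshake against a ScriptedProxy: ("ok", bound) or ("refused", reason)."""
    try:
        return "ok", socks5_handshake(ScriptedProxy(allowed_names), dest_host, dest_port)
    except SocksError as exc:
        return "refused", str(exc)
```

Because the request carries the destination as a domain name, the inside client never needs working DNS for the outside; the proxy resolves the name and enforces its ruleset, and a refusal comes back as a SOCKS reply code rather than as a bare TCP failure, which is what the client should log.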
9.8.2. Proxying Won't Secure the Service

If you need to use a service that's inherently insecure, proxying can't do much for you. You're going to need to set up a victim machine, as described in Chapter 10, "Bastion Hosts", and let people run the service there. This may be difficult if you're using a dual-homed nonrouting host to make a firewall where all connections must be proxied; the victim machine is going to need to be on the Internet side of the dual-homed host.

Using an intelligent application-level server that filters out insecure commands may help but requires extreme caution in implementing the server and may make important parts of the service nonfunctional.
9.8.3. Can't Modify Client or Procedures

There are some services that just don't have room for modifying user procedures (for example, ping and traceroute). Fortunately, services that don't allow the user to pass any data to the server tend to be small, stupid, and safe. You may be able to safely provide them on a bastion host, letting users log in to a bastion host but giving them a shell that allows them to run only the unproxyable services you want to support. If you have a web server on a bastion host, a web frontend for these services may be easier and more controllable than allowing users to log in.
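An added example (not from the book) of the restricted-shell idea: a login shell for the bastion host that accepts only an allow-listed command with a single hostname argument, pins the flags itself, and execs the program directly rather than through a shell. The command table, flag values and the hostnames used for illustration are constructed assumptions; check() is the part a practitioner would want to test, since it is the policy that decides what reaches the operating system.

```python
import re
import subprocess

# Allow-list: command name -> fixed argv prefix. Users cannot add or alter flags.
# The flag values are constructed examples, not the book's recommendations.
ALLOWED = {
    "ping": ["ping", "-c", "4"],
    "traceroute": ["traceroute", "-m", "30"],
}

# A single target: hostname labels or a dotted quad. Nothing that starts with
# "-" can match, so the target can never be read as an option by the program.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def check(line):
    """Policy decision for one input line.
    Returns ("ok", argv) or ("rejected", reason); never raises on user input."""
    words = line.split()
    if len(words) != 2:
        return "rejected", "usage: <%s> <host>" % "|".join(sorted(ALLOWED))
    cmd, target = words
    if cmd not in ALLOWED:
        return "rejected", "command not permitted: %s" % cmd
    if not HOST_RE.match(target):
        return "rejected", "target must be a hostname or IPv4 address"
    return "ok", ALLOWED[cmd] + [target]     # argv list: no shell ever parses it


def run_line(line, timeout=60):
    """Execute one checked line with a hard timeout; returns the program's output."""
    status, result = check(line)
    if status != "ok":
        return "error: %s\n" % result
    try:
        proc = subprocess.run(result, capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "error: command timed out\n"
    except FileNotFoundError:
        return "error: %s is not installed on this host\n" % result[0]
    return proc.stdout + proc.stderr


def main():
    """Minimal read-eval loop suitable as a user's login shell on the bastion."""
    while True:
        try:
            line = input("bastion> ")
        except EOFError:
            break
        if line.strip() in ("exit", "quit"):
            break
        print(run_line(line), end="")


if __name__ == "__main__":
    main()
```

The two properties worth keeping when adapting this are that the user supplies one validated token and nothing else, and that the program is started from an argv list with fixed flags, so there is no shell between the user's text and the binary.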