Yes, it will restrict everything except that traffic. It was meant as an
example only to illustrate the point. I used 8080 as a commonly used port for
proxy servers. I'm also assuming that the proxy server is sitting in a DMZ. So
hosts will only be able to get to it. You would need an additional ACL on the
DMZ interface to allow the proxy out to the web.
Your ACL seems to imply that the proxy is sitting on the same network as the
inside hosts. The proxy is allowed out to port 80 and 8080. Everything else on
the inside can't get to port 80 or 8080 but is allowed to do anything else.
The issue I see with this is that they're still free to access the web via any
other port. Meaning they could easily use proxy software like UltraSurf (just
as an example) which runs on port 9666.
Because of things like this I would not want all my inside hosts to have this
access to the internet. That's why I recommended locking down *ALL* access from
the inside->out. If there are specific hosts that need that access to perform
their job duties I could allow them. After their boss requests approval, my
boss and I discuss/approve and change management is notified/scheduled. Some
places have even more draconian hoops to jump through. This is stuff that they
don't test on the CCIE lab thus making it OT but still good practice in the
field. :D
Steve Means
Security Instructor/Consultant
smeans_at_ccbootcamp.com
CCBOOTCAMP - A Cisco Learning Partner
877.654.2243 Toll Free
+1.702.968.5100 Direct Outside the USA
+1.702.446.0357 Fax
YES! We take Cisco Learning Credits
________________________________
From: omar maiah [mailto:omar.maiah_at_gmail.com]
Sent: Tue 6/23/2009 12:25 PM
To: Steve Means
Cc: Dale Shaw; Ali El Moussaoui; ccielab_at_groupstudy.com
Subject: Re: Proxy server
nice and simple, but this will restrict everything else like telnet, ICMP,
isn't it?
and shall we only allow tcp port 8080?
because I'm using a proxy with 80 port
so I do 2 statements
access-list 101 permit tcp host proxy_IP any eq www
access-list 101 permit tcp host proxy_IP any eq 8080
access-list 101 deny tcp any any eq www
access-list 101 deny tcp any any eq 8080
access-list 101 permit ip any any
what do you think ?
On Tue, Jun 23, 2009 at 6:03 PM, Steve Means <smeans_at_ccbootcamp.com> wrote:
I've got a firewall config for you:
access-list INSIDE permit tcp any host x.x.x.x eq 8080 (where x.x.x.x is the
IP of your proxy and 8080 is the port)
access-list INSIDE deny ip any any log
!
access-group INSIDE in interface inside
Meaning do not allow internal users to go to the web AT ALL, only to the
proxy. It always amazes me when people have restrictive outside->in policy but
not the other way around. Least access principle. Poke holes if you have to
for job functions, but at least start by locking down access. Of course the
use of this depends on your existing access policy, hopefully you have a
written one. :D
WCCP and PBR are other solutions, but then they still have access out for
things other than HTTP. This leaves you with the possibility of private
proxy/reverse proxy and any number of other workarounds.
________________________________
From: nobody_at_groupstudy.com on behalf of Dale Shaw
Sent: Tue 6/23/2009 5:10 AM
To: Ali El Moussaoui
Cc: omar maiah; ccielab_at_groupstudy.com
Subject: Re: Proxy server
Hi Ali,
On Tue, Jun 23, 2009 at 10:03 PM, Ali El Moussaoui <mousawi.ali_at_gmail.com> wrote:
> Oh Really! Man I tried it on 3750 (Metro) and 2960 and couldn't find it. Ya
> true this feature is not really well documented. One big problem I faced
> with WCCP is that Router ID can not be hard coded, it's automatically
> computed and I don't like it!!!
> Ali
Yeah. On the 3750 you need to use the 'routing' SDM template to make
it work (like PBR), but it does work. You need to use L2 redirect and
mask assign, you can't use 'redirect out' and you need to be careful
what your ACL does if you use a redirect-list (traffic can be punted
to the CPU for processing, which kills performance) -- those are just
the restrictions that come to mind. It's a similar story on the 6500.
On Tue, Jun 23, 2009 at 10:06 PM, omar maiah <omar.maiah_at_gmail.com> wrote:
> another question, maybe it's silly, but I don't have a clue about proxy
> servers,
> when a user sends an http request using a proxy, does the proxy change the
> source or the destination IP address?
When using a proxy in non-transparent mode (i.e. the client is
explicitly configured with the proxy's IP and port), the client makes
a TCP connection with the proxy, issues the request (e.g. HTTP GET),
then the proxy server establishes a second connection to the
destination server. There are two (or more, depending on HTTP)
separate TCP connections involved. The destination server sees the
request coming from the proxy server, not the original client,
although it is possible through HTTP headers for the destination
server to know the connection was proxied.
cheers,
Dale
Blogs and organic groups at http://www.ccie.net
--
Eng. Omar Ma'ayah

Received on Tue Jun 23 2009 - 13:29:58 ART
This archive was generated by hypermail 2.2.0 : Wed Jul 01 2009 - 20:02:37 ART