
Web Security

The fourth article in my series on web security concentrates on Custom Proxies.
A custom proxy uses simpler, easily available software to provide a gateway to the Web for all users.
Custom Proxies
This is both the simplest and the most difficult of all the solutions to put into production. It’s the simplest as the solution is only as complex as you wish, and the most difficult as it requires the most specialised knowledge.
The list of available software is not huge, and by a long way the most common are Squid and ISA.
These two also cover both the commercial and open source communities, with their respective pros and cons.

Microsoft ISA
Not an expert here, so I will leave this to those that are, mostly. ISA is Microsoft’s Internet Security and Acceleration server. It has recently been incorporated into a new product, Microsoft Forefront TMG.
The main advantage and the main disadvantage are that it is a Microsoft product.
Commercial software can turn into a significant cost overhead. This product will set you back (including the OS) $2500[1] or more.
The brand also means that it is easy to obtain specialist skills, though they can be costly.
Anything labelled “Microsoft” is a malware/hacker magnet and ISA is no exception. There have been several[2] incidents in recent years. This is partly the pull of the brand causing more stress testing of the product. Also take into account that the number of vulnerabilities is diminishing: 1 in 2009 and 1 in 2010. But you need to remember the new name, and MS Forefront has a couple more associated with it, as does of course the underlying OS, Microsoft Windows Server 2008, for which there are over 200 vulnerability advisories.
No system is entirely without flaws but Microsoft systems are more actively assaulted, due to popularity.
Also, Microsoft have a reasonable record of getting patches out there – thus no outstanding alerts at the time of writing.
The feature we’re interested in is the Caching Proxy system, though it has others.
The Caching Proxy speeds up web access for users by keeping a localised copy of recent or popular requests.
MS ISA allows rules to be created to allow or deny access to specific websites by specific users.
One big advantage, if you have an Active Directory installation, is almost automatic integration into your named user base. This is extremely useful when trying to identify users, either for new rules or from the logs.
Microsoft systems aren’t the easiest to work with as far as logs are concerned, but they do exist and can be used to track/prove accesses.
Custom rules can be created based on users’ IP addresses. The GUI does significantly aid simple configuration and is easy for those used to other Microsoft configuration interfaces to pick up.
And there my knowledge ends – for now. I have seen a few installations but primarily as accelerators rather than Caching Proxies.

Squid
I have far more experience with Squid, a search on this blog will show that. In the interests of evenhandedness I will restrict my comments to match those I made for MS ISA.
Squid is primarily a Caching Proxy with the emphasis on improving web browsing performance[3].
The software is released under the GNU GPL and is therefore Open Source. Installation can be made onto many platforms including Linux and Microsoft Windows.
Support for Squid is community-led, but commercial support is available[4] if a more formal approach is required. Community support does have the advantage that many different configurations of the product will already have been tested, and so your question is likely to get an authoritative answer in a reasonable timescale. A potential problem can be confusing or occasionally incorrect advice.
Another issue with Open Source software is that it is harder, generally speaking, to obtain specialist skills. Squid bucks this trend by being itself a common installation, and many Linux engineers will already have the necessary experience to administer such a system.
Security is less of an issue in general with Squid, but it still has flaws[5]: 13 at last count, one of which was unpatched and dates back to 2009[6]. However, this flaw is rated “less critical”.
The advantage of Squid comes in the flexibility of its configuration options and access control mechanisms. Custom rules for almost every eventuality can be created.
Another advantage is that the system is very light and does not require a large physical system in order to serve several hundred clients.
The disadvantages include the complexity apparent when viewing the configuration options. A very well worked Squid configuration may very well require a skilled practitioner even to understand. This makes knowledge transfer more tricky but not impossible. There is no built-in GUI. However, this can be an advantage as configuration file formats are more flexible, both in construct and size.
Another disadvantage is trying to get Squid hooked into your Active Directory or LDAP environment. Several previous posts here and elsewhere will show you quite how awkward this can get.
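To make the last two points concrete, here is an added squid.conf fragment (example configuration written for this post, not taken from the original article or from any of the installations mentioned) showing the ACL and http_access constructs that give Squid its flexibility, together with the basic LDAP/AD authentication and group lookup that is the awkward part. The LAN range, domain names, LDAP host, service account, group names and helper paths are constructed assumptions; the helper paths in particular vary by distribution.

```conf
# Added example squid.conf fragment, not taken from the original post.
# The LAN range, domain names, LDAP server, service account and helper
# paths are constructed assumptions; adjust them to your own environment.

# Authenticate users against AD/LDAP (helper path is the Debian/Ubuntu one).
auth_param basic program /usr/lib/squid/basic_ldap_auth -R \
    -b "dc=example,dc=local" -D "cn=squid,ou=service,dc=example,dc=local" \
    -W /etc/squid/ldap_pass -f "sAMAccountName=%s" -h ldap.example.local
auth_param basic children 5
auth_param basic realm Web Proxy
auth_param basic credentialsttl 1 hour

# Group membership lookup: %v is the login name, %a the group named in the acl.
external_acl_type ad_group %LOGIN /usr/lib/squid/ext_ldap_group_acl -R \
    -b "dc=example,dc=local" -D "cn=squid,ou=service,dc=example,dc=local" \
    -W /etc/squid/ldap_pass -h ldap.example.local \
    -f "(&(sAMAccountName=%v)(memberOf=cn=%a,ou=groups,dc=example,dc=local))"

# Source network: only the internal LAN may use the proxy at all.
acl lan src 192.168.10.0/24

# Identity: a valid login, then two AD groups with different entitlements.
acl authenticated proxy_auth REQUIRED
acl staff external ad_group ProxyStaff
acl unrestricted external ad_group ProxyUnrestricted

# Destinations and a time window (one domain per line in the file).
acl blocked_sites dstdomain "/etc/squid/blocked_sites.txt"
acl work_hours time MTWHF 08:00-18:00

# Only ordinary web ports, and CONNECT tunnels only to 443.
acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT

# http_access is evaluated top to bottom and the first match wins, so
# broad denials come first and the closing "deny all" catches the rest.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny !lan
http_access deny !authenticated
http_access allow unrestricted
http_access deny blocked_sites
http_access allow staff work_hours
http_access deny all
```

Run `squid -k parse` after editing to catch syntax errors before reloading, and test the LDAP helpers on the command line first, since a mis-typed bind DN or filter simply denies everyone.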

Other solutions
OK, nothing to say here at the moment. I am aware of several other options but they are significantly less popular and more difficult to support. Indeed, many appliance-based systems are also available as software packages, giving you greater control over the installed OS and other services on the same system.


Next time I’ll look at some of the SaaS options that are available.


References
[1] Microsoft.com, 24/01/2011
[2] Secunia.com (MS ISA 2006), 24/01/2011
[3] Squid Cache, 24/01/2011
[4] Squid-Cache.com (Support Vendors List), 24/01/2011
[5] Secunia.com (Squid 3), 24/01/2011
[6] Secunia.com (Advisory 34019), 24/01/2011



About harlekwinblog

"Thoughts of an idle mind." Information Security professional.
