Proxy Servers for Beginners pt4

Filed By: Robert Moir

VI. Best practices when setting up a proxy server for your LAN.

As always with any server-based software, the best time to eliminate problems with setting up a proxy server is in the planning stage. This is also the worst time to make a mistake, as any problems with your plan for implementing a proxy server can compromise what you are trying to achieve by installing one, as opposed to a simple mistake made during the actual installation phase which can easily be corrected.

Before you begin to install a proxy server, you should draw up a list of objectives: what do you expect a proxy server to do for you and your network? If you wish to use NAT to reduce the number of public IP addresses you need, you must choose a proxy server that supports it. If you want to improve performance by using caching, then be sure the proxy server you are buying supports this; often, the cheaper ones don't. You get what you pay for in this world, after all. Yet it is the small to medium organisations, whose budgets are limited and who will find the cheaper solutions tempting, that are most likely to need to make a small Internet connection "stretch further" by using caching.

Do your users need special applications to connect to the Internet, for example IRC clients, NNTP, ICQ, FTP clients, etc.? Check that these will work behind a proxy, possibly via a SOCKS proxy. If not, you'll need to either provide an alternate route to the Internet for the people using these things, or find other versions of the software that will work behind a proxy.

Assess how many people on your network are likely to be trying to connect to the Internet at any one time and ensure that the proxy server you buy, and the operating system and server hardware you choose to run it on, are able to support this number of users. Proxy servers need a good, fast internal network connection, and depending on what else you require beyond the basics they may need other things too. For example, a proxy server that is doing a lot of packet filtering will require more processor power than one that does not, to allow it to keep up with the network traffic it is inspecting. If you make heavy use of caching, then you will need to specify plenty of hard drive space on your proxy server to hold the cache, and to help performance these should be fast hard drives (striped disk arrays are ideal).

If you are planning to use the NAT functions of your proxy server, then you need to plan the IP address scheme for your internal network with this in mind. It is recommended that you use one of the three private IP address ranges (shown in Table 1) for the internal network, and a public IP address for your proxy server's external connection to the Internet.
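The private ranges referred to above are the three RFC 1918 blocks (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16); Table 1 itself is not reproduced on this page. As an added example, not code from the original article, the following POSIX shell script checks a proposed NAT address plan against that rule: the LAN side must be inside a private range and the proxy's external address must not be, since a private address will not route on the Internet. The function names and the sample addresses (203.0.113.5 is a documentation-range placeholder standing in for an ISP-assigned public address) are my own.

```shell
#!/bin/sh
# Added example, not from the original article: sanity-check an address plan
# for a NAT proxy. LAN side must be in an RFC 1918 private range
# (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16); external side must not be.

# Convert a dotted-quad IPv4 address to a 32-bit integer on stdout.
# Runs in a subshell so the IFS change stays local. Returns 1 (printing
# nothing) for anything that is not a well-formed address.
ip_to_int() (
    addr=$1
    IFS=.
    set -- $addr
    [ $# -eq 4 ] || return 1
    for octet in "$1" "$2" "$3" "$4"; do
        case $octet in
            ''|*[!0-9]*|0[0-9]*) return 1 ;;   # empty, non-digit, or leading zero
        esac
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Exit 0 if the address is inside an RFC 1918 range, 1 if it is a
# well-formed public address, 2 if it is malformed.
is_private_ip() {
    n=$(ip_to_int "$1") || return 2
    [ $(( n >> 24 )) -eq 10 ] && return 0                       # 10.0.0.0/8
    [ $(( n >> 20 )) -eq $(( (172 << 4) | 1 )) ] && return 0    # 172.16.0.0/12
    [ $(( n >> 16 )) -eq $(( (192 << 8) | 168 )) ] && return 0  # 192.168.0.0/16
    return 1
}

# Validate a NAT plan: LAN address private, proxy external address public.
# Prints one verdict per side and exits non-zero if either is wrong.
check_nat_plan() {
    lan_ip=$1; ext_ip=$2; rc=0
    for a in "$lan_ip" "$ext_ip"; do
        ip_to_int "$a" >/dev/null || { echo "$a: not a valid IPv4 address"; return 1; }
    done
    if is_private_ip "$lan_ip"; then
        echo "LAN side $lan_ip: private range, OK"
    else
        echo "LAN side $lan_ip: NOT in a private range, NAT plan is wrong"; rc=1
    fi
    if is_private_ip "$ext_ip"; then
        echo "External side $ext_ip: private address, will not route on the Internet"; rc=1
    else
        echo "External side $ext_ip: public address, OK"
    fi
    return $rc
}

# Usage: sh nat_plan.sh <lan-side-address> <external-address>
# e.g.   sh nat_plan.sh 192.168.1.10 203.0.113.5   (constructed sample values)
if [ "$#" -eq 2 ]; then
    check_nat_plan "$1" "$2"
fi
```

The 172.16.0.0/12 test is the one people most often get wrong by hand (172.32.x.x is public); shifting the address right by 20 bits and comparing the top 12 bits avoids that mistake.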

General practice is to use two network cards: configure one with an IP address from your internal address scheme to connect to your LAN, and the other with a public IP address (usually assigned by your ISP or upstream Internet connection provider) to talk to the Internet. A common mistake when adding a proxy server is to just place it on the network rather than between the network and the Internet (see fig. 2). This will allow the proxy to work, but will not enforce security properly, in contrast to fig. 1b, where traffic must pass through the proxy. Placing the proxy between the LAN and the Internet ensures that all traffic between them has to pass through the proxy server, which prevents people on either your internal network or the Internet from bypassing whatever filters and settings you have set up on it. For those of you with modest Internet connection needs, the external network card can actually be a modem or ISDN terminal adapter, so that you can use a dial-up Internet connection.

When setting up your proxy server software and the operating system it uses, pay special attention to security issues. Your proxy server will be the point of contact between your LAN and the Internet. I don't want to drum up paranoia by claiming the whole world will be out to "get" you, but if they do go after you they'll only be able to see your proxy server, so that's what they'll go after.

Install your base operating system, paying particular attention to the vendor's hints and tips regarding "hardening" the installation. Be sure to apply all security-related patches; on NT, for example, this means installing the most recent service pack and the post-service-pack hotfixes that apply to your installation.

Users of other server operating systems should check with their vendor to see what's required for their systems. NO operating system is secure out of the box, and anyone who tells you otherwise is dangerous; do not allow them near your servers!

Consider separating the proxy server and other 'external' servers from your normal network servers. That means using servers devoted to web and/or proxy server duties that do not handle your normal LAN duties. If you are using NT, take advantage of the domain security model by putting such servers in separate domains from your main network. Only expose the services you need to have exposed on the external network adapter. For example, with NT this means blocking things like the NetBIOS ports and preventing unneeded services from starting, or at least from binding to the external network adapter.

For other operating systems such as Linux, don't leave ports open to the outside world that you don't need (if you don't need to let people telnet into your proxy server from the Internet, then make sure they can't!) and don't leave unneeded services running, e.g. sendmail.
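To turn the "only expose what you need" advice of the last two paragraphs into a repeatable check, here is an added example (not code from the article) for a Unix proxy host. It reads a `netstat -tuln`-style listing of listening sockets, works out which of them are reachable through the external adapter (bound to the wildcard address 0.0.0.0 or to the external IP itself, as opposed to the LAN-side address or loopback), and reports any that are not on your short list of intended services. The listing embedded below is constructed sample data, and 203.0.113.5 is a placeholder for the proxy's public address.

```shell
#!/bin/sh
# Added example, not from the original article: audit which listening services
# are reachable from the Internet side of a dual-homed proxy host.

# Constructed sample in the shape of `netstat -tuln` output (not real data).
# 192.168.1.1 is the LAN-side adapter, 203.0.113.5 the external adapter.
SAMPLE_LISTENERS='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:3128        0.0.0.0:*               LISTEN
tcp        0      0 203.0.113.5:8080        0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:137             0.0.0.0:*'

# Read a listing on stdin; print "proto port" for every socket that the
# outside world can reach: bound to 0.0.0.0 or to the external address.
# Sockets bound only to the LAN adapter or to loopback are not reported.
exposed_listeners() {
    ext_ip=$1
    awk -v ext="$ext_ip" '
        $1 == "tcp" || $1 == "udp" {
            n = split($4, a, ":")          # "addr:port" -> addr, port
            ip = a[1]; port = a[n]
            if (ip == "0.0.0.0" || ip == ext) print $1, port
        }'
}

# Compare the exposed set against the services you intend to expose, given as
# a space-separated list of proto/port entries (e.g. "tcp/8080 tcp/443").
# Prints each unexpected proto/port; these are candidates to disable or to
# rebind to the internal adapter only.
unexpected_exposure() {
    ext_ip=$1; allowed=$2
    exposed_listeners "$ext_ip" | while read -r proto port; do
        case " $allowed " in
            *" $proto/$port "*) ;;          # intended, say nothing
            *) echo "$proto/$port" ;;
        esac
    done
}

# Usage on a real host (not run here):
#   netstat -tuln | sh audit.sh 203.0.113.5 "tcp/8080"
# With no arguments the functions are merely defined so the file can be sourced.
if [ "$#" -eq 2 ]; then
    unexpected_exposure "$1" "$2"
fi
```

On the constructed listing, with only tcp/8080 intended, the audit flags telnet (tcp/23), the mail transfer agent (tcp/25) and NetBIOS name service (udp/137), which is exactly the kind of thing the text says to shut down or bind to the internal adapter; the proxy listener on 192.168.1.1:3128 is correctly left alone. The same script works for `ss -tuln` output once the column holding the local address is adjusted (it is column 5 there rather than column 4).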

VIII. Links to products and more information.

For those of you who want to know more, and maybe look at a few different proxy server products, see the links below. Please email bofh@mvps.org if you know a link that should be on here.

Microsoft's Proxy Server homepage. Includes a free, downloadable 90-day evaluation copy. www.microsoft.com/proxy

Since I originally wrote this, Proxy Server 2.0 has been replaced by ISA server, which is a big improvement on the old product. http://www.microsoft.com/isaserver/

Surrogate sockets. Provides functionality similar to the Winsock proxy client for non-Microsoft operating systems that are behind a proxy server. http://www.edu-tec.com/surrogatesocket/

Sambar proxy server. www.sambar.com 

Wingate proxy server. www.wingate.com

Sybergen network's Sygate. www.sygate.com

Novell's Border Manager homepage. www.novell.com/bordermanager/ 

Squid, proxy server for Unix-based servers. Squid will run on most variants of Unix including Linux, FreeBSD, NetBSD, Solaris, SCO UNIX and AIX, and can even be run on Windows NT and OS/2. squid.nlanr.net

Netscape Proxy Server. This is available for both NT and Unix. www.netscape.com/proxy/v3.5