Thread: Is proxy really safe?

  1. #1
    Member
    Join Date
    Apr 2003
    Posts
    37

    Is proxy really safe?

    Hello,
    I am playing around with my home LAN, and installed a Linux PC to act as a firewall.

    Now I am getting interested in firewall security issues in general, and starting to wonder how safe a network that has ports open to the Internet really is.

    I was planning to install Skype at home, and read this web page:
    http://www.skype.com/help/guides/firewall.html
    "Ideally, outgoing TCP connections to all ports (1..65535) should be opened."
    Wow, what kind of a stupid firewall is that? Opening all ports to any host, even if "only" from the LAN side?

    Now having any port open from LAN to Internet seems to me a security risk. Any virus or other user-installed "bad program" could then send data to any host on the net, if it finds the open port?

    But one cannot restrict hosts for HTTP, that would be impossible.

    OK, so if I open port 80 on the firewall from LAN to Internet?
    Now any program can use that port. Not only my web browser. A virus could "call home" and upload my C: drive or whatever it wants to do...

    So my next thought is to use a proxy server, right?
    We have a proxy server at work, that has to be the right way to get foolproof security, right?

    So I installed a proxy server, and only allow the proxy server IP to contact the outside world.
    My workstation has no direct access to the Internet from any port.

    Then I install Skype and BANG, it authenticates me and is up and running. What?!?

    I double-check my firewall settings, nope, no holes there.
    Then I get it: the proxy server. Skype has detected the IP of my proxy server and is using that!
    OK, so I stop the proxy server, and confirm that Skype is now unable to connect.

    So software, Skype or a virus, can be programmed to detect my proxy server and use that for 2-way communication from my LAN to the Internet. That's no good?

    Now I'm really confused, so I installed Skype at work, to test if it will connect there, and yes it did.

    The person who is in charge of the Proxy server at work, told me that he has turned off proxy authentication, because of strange problems, and that is why Skype now can use the proxy server.

    So I asked him to turn on authentication for my IP and he did.
    Yes! Skype was unable to connect to the Internet.

    Only IE should be able to use the proxy, without me (the user) knowing it is accessing Internet, right?

    Wrong again. Doh.

    I installed Firefox and it was also able to authenticate to the proxy without prompting me for a password! And so did MSN Messenger...

    If Firefox can do that, then I suppose any program could be programmed to authenticate transparently also!

    The only way to control what program uses the Internet, that I can think of, is to have a personal firewall on all PCs on the LAN, that can allow only certain exe files to access certain ports?
    That should prohibit a virus from using the proxy / 80 port.

    But that would not help if a user would disable the local firewall and install own p2p type of programs, or even bring his personal laptop to work.

    So my question is:
    "Is there really no secure way to enable www (http, https) for users behind a firewall?"
    I did not do it.

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Authentication on the proxy at work is probably done using "Integrated Authentication". This means your browser will authenticate you 'automagically' using NTLM authentication. Both IE and FF support this. None of the malware I've encountered is able to do this.

    For added protection you'll need to use a proxy that can do content scanning. It will proxy requests based on a rule set. It's also able to filter out any malware or 'bad' traffic.

    As for the proxy protocol, don't use SOCKS. A lot of programs are able to use a SOCKS proxy. With SOCKS you can proxy a huge amount of different things. It's better to use an HTTP proxy. This will allow ONLY HTTP traffic. But even then some programs are able to use this. MSN is one example. Filtering this on your content scanner is a way to block it and everything else you don't want.

    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    Member
    Join Date
    Apr 2003
    Posts
    37
    Yes, IE and FF support "automagical authentication", but why would they be the only programs that know how to code this? Is it not just a question of time before p2p and virus programs start to use the same system?

    I'm no programmer, but somehow I would imagine that if someone finds security holes and can spread viruses that way, it would not be a big surprise that they would be able to program an "automagically" authenticating virus.

    The proxy at work is an HTTP proxy, still Skype was able to use it :/

    At home I have DansGuardian (http://dansguardian.org/), which is a content filtering system.
    I will try to run Skype through it when I get home.

    Do you have any links / info about other content scanning systems?

    I would imagine it would be pretty easy for a virus or p2p program to make the data look like HTML? So I don't know if content scanning really can solve the problem?
    I did not do it.

  4. #4
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    Authentication on the proxy at work is probably done using "Integrated Authentication". This means your browser will authenticate you 'automagically' using NTLM authentication. Both IE and FF support this. None of the malware I've encountered is able to do this.
    An HTTP tunneling "tool" called httpport can do it too. And also mimic a browser of your choice. It's not rocket science. It's more a matter of research.
    BTW, I disagree about integrated authentication. I'd rather every connection pop up a logon screen. I want to be sure that every HTTP connection will pass through authentication.
    Someone can write a worm (it is not already there) that uses the IE engine and connects to its "master".
    My site

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  5. #5
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Originally posted here by cacosapo
    BTW, I disagree about integrated authentication. I'd rather every connection pop up a logon screen. I want to be sure that every HTTP connection will pass through authentication.
    Me too, but my users don't. Even a single sign-on system seems to be too much "trouble" for them.
    Why do I need to log on? Why can't I just click on this? Why doesn't <insert some program> work?... etc... You know the drill.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  6. #6
    Member
    Join Date
    Apr 2003
    Posts
    37
    I agree that users whine a lot, and if they got the prompt, they'd be just like that.

    But is there a way to force the authentication as "cacosapo" writes? How do you turn off the integrated authentication?

    I tried to log on to a different domain, then I get the logon prompt. But I also get the option to save the password.

    I saved the password, and tested a small exe program I found that lists all IE saved passwords.
    There it was in plain text: server name (or IP rather) / username / my password.

    I guess there just is no safe way to have Internet for the users...
    I did not do it.

  7. #7
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Turning Integrated Authentication on/off happens on the proxy server. You could use Basic Authentication, then you would get a popup. BUT IE (FF probably too) is kind enough to cache it so it's only asked once per session. If it didn't you would have to enter a username/password for EVERY request (every single html page, every picture, etc).

    However, Basic authentication will send your username/password cleartext across the network. In that respect Integrated (NTLM) is better.

    IIR there's a registry setting that you can change to prevent Windows from storing these cached credentials. Can't remember which one though...
    Oliver's Law:
    Experience is something you don't get until just after you need it.
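
Added example (not part of the thread and not any poster's code): a small Python sketch of the Basic versus NTLM point made in post #7, showing what is readable from a `Proxy-Authorization` header in each scheme. The sample headers, user name and password are constructed for illustration.

```python
import base64
import struct

# Constructed sample headers (not captured traffic); the credentials are made up.
SAMPLE_BASIC = "Proxy-Authorization: Basic " + base64.b64encode(b"alice:s3cret").decode()
# Minimal NTLM Type 1 message: signature, type, flags, two empty security buffers.
_TYPE1 = b"NTLMSSP\x00" + struct.pack("<II", 1, 0x00000207) + b"\x00" * 16
SAMPLE_NTLM = "Proxy-Authorization: NTLM " + base64.b64encode(_TYPE1).decode()

NTLM_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}


def inspect_proxy_auth(header_line):
    """Report what is readable from one Proxy-Authorization header on the wire."""
    name, _, value = header_line.partition(":")
    if name.strip().lower() != "proxy-authorization":
        raise ValueError("not a Proxy-Authorization header")
    scheme, _, blob = value.strip().partition(" ")
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("credential blob is not valid base64") from exc

    if scheme.lower() == "basic":
        # Basic is only base64("user:password"); the first colon is the separator.
        user, sep, password = raw.decode("utf-8", "replace").partition(":")
        if not sep:
            raise ValueError("malformed Basic credentials")
        return {"scheme": "Basic", "password_exposed": True,
                "username": user, "password": password}

    if scheme.lower() == "ntlm":
        if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
            raise ValueError("not an NTLMSSP message")
        (msg_type,) = struct.unpack_from("<I", raw, 8)
        # NTLM messages carry negotiation data and a challenge response,
        # never the password itself.
        return {"scheme": "NTLM", "password_exposed": False,
                "ntlm_message": NTLM_TYPES.get(msg_type, "unknown")}

    return {"scheme": scheme, "password_exposed": None}


if __name__ == "__main__":
    for line in (SAMPLE_BASIC, SAMPLE_NTLM):
        print(inspect_proxy_auth(line))
```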

  8. #8
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    Many varieties of malware install themselves as IE plug-ins. If your FW allows IE it also allows the plugins that are a part of IE.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  9. #9
    I hate to sound negative, but I would seriously consider not using software based firewalls unless you are not too worried about your system being compromised.

    The bottom line is the software based firewall is only as secure as the OS it is running on. Period.

    If you want to get serious about firewalls you may want to consider something hardware. It will probably cost the same or less than the Linux box you proxy through now. The security benefits of a basic SPI firewall running NAT will outperform (especially for speed) your basic software firewall.

    To answer your question. No, you cannot possibly secure http completely. Any connection you have can eventually be exploited for a weakness. The best thing you can do is keep your data protected/encrypted, backed up, and "treat every day like a good day to lose your data."
    "Experience is the hardest teacher, it gives the test first and the lesson after." Anonymous
