Proxy Server Security - How to Secure Common Proxies/Routers
Of necessity, we can't cover every possible proxy server you may encounter. We've listed references for the most common ones below; for any others, please consult the vendor's website or technical support team for information.

CISCO ADSL Routers - CBOS OS (678 etc.)
These routers have TELNET enabled on port 23 by default. Due to the lack of security present on these devices, this is frequently used to compromise the router and has therefore been included as part of our normal proxy checking routines. If you connect using one of these routers, please follow the steps below to resolve any issues with our proxy monitors.

If you do not require telnet administration capability AT ALL, disable it. To do this, follow these steps:
- Log into your router, enter ENABLE mode (you'll need the admin password) then enter the following commands:
- set telnet disabled
- write
- reboot (router will now reboot)

If you require telnet to remain enabled, change the port it uses to something other than 23. To do this, follow these steps:
- Log into your router and enter ENABLE mode (you'll need the admin password) then enter the following commands:
- set telnet port <your port no. here>
- write
- reboot (router will now reboot)

CISCO Routers - IOS OS (827 etc.)
These routers have TELNET enabled on port 23 by default. Due to the lack of security present on these devices, this is frequently used to compromise the router and has therefore been included as part of our normal proxy checking routines. If you connect using one of these routers, please follow the steps below to resolve any issues with our proxy monitors.

Enable access control to restrict telnet access to those within your local network. To do this, follow these steps:
- Log into your router and enter ENABLE mode (you'll need the admin password) then enter the following commands:
- conf t
- access-list 1 permit <local IP address> 0.0.0.255
- line vty 0 4
- access-class 1 in
- exit
- exit
- copy run start

SOCKS 4/5 Proxies
Socks 4/5 proxies generally depend on Access Control Lists (ACLs) for security. The method of defining ACLs differs from one proxy vendor to another; your best source of information will be the documentation for your proxy software or the vendor's website. Information on securing some of the more common Socks 4/5 proxies is below.

Microsoft Proxy Server
WinProxy
SyGate Proxy Server
WinGate Proxies (users of versions prior to 2.1 must upgrade)

SQUID Proxies
Squid is a well-known open source proxy, designed mainly for proxying HTTP traffic. It will, however, quite happily proxy almost any TCP traffic unless it is configured to prevent this. Once again, ACLs are the primary method of securing Squid against unauthorised use. See http://www.squid-cache.org/Doc/FAQ/FAQ-10.html#ss10.2 for details of Squid ACLs.

HTTP Proxies
Most HTTP proxies (webcaches) can also act as 'bridge' proxies, allowing other types of TCP data to be transmitted through the cache. This behaviour is usually undesirable in a webcache and should be switched off if possible. Consult your manual for the exact procedure needed to secure your HTTP proxy.

General Advice
If your proxy is unsupported, of an unknown type, or you're just not sure how to set up ACLs properly, you can achieve much the same result by using a firewall to block external access to your proxy. You should set your firewall to deny all inbound non-authenticated access from outside your LAN to any port used by your proxy. That will ensure that nobody outside your LAN can access the services provided by your proxy server.

DALnet's ACL Requirements
If you're setting up ACLs to restrict access to your proxy, please follow the guidelines below if you intend to connect to DALnet from the same IP address as the proxy server.

- Your proxy MUST NOT allow non-authenticated access from the internet at large.
- It MUST NOT respond to requests on ports 23, 80, 81, 3128 or 8080 from any IP address outside your LAN.
- Your proxy SHOULD run an ident daemon and ideally require user authentication (username & password) for access.