Microsoft's New, Improved Proxy Server

Proxy Server 2.0 offers fast, secure Internet access for your corporate network. New security and performance features make Proxy Server 2.0 more compelling than its predecessor.

John Henry Moore

November 30, 1997


Proxy Server 2.0 is a firewall, a Web cache server, and more

For many corporations, the Internet is becoming an important business tool, but with that tool comes the concern of security. To meet that concern, a networking industry sector has grown up around firewalls, proxy gateways, and related security products.

Microsoft is active in this market. In November 1996, Microsoft introduced Proxy Server 1.0 as a cost-effective Internet gateway. Proxy Server lets you control traffic between your corporate network and the Internet by acting as an intermediary between them. Through application and circuit layer gateways that are tightly integrated with ordinary Windows NT Server access control, the product lets users on a local network access Internet resources efficiently and transparently while keeping out traffic from the Internet. In addition, Proxy Server includes caching capabilities, improving performance for frequently accessed Web sites.

When Proxy Server 1.0 (then called the Internet Access Server, or Catapult) was in beta, Mark Joseph Edwards wrote a two-part overview of the product. Check out "Microsoft's Internet Access Server," September 1996, and "Configuring Microsoft's Internet Access Server," October 1996, for an excellent overview of Proxy Server 1.0.

Proxy Server 1.0 had two major shortcomings. First, although it provided application and circuit layer security, it lacked the packet filtering functions that would put it in the same class as firewall products. Second, Proxy Server 1.0 lacked the scalability to let multiple proxy servers work together to provide intelligent caching and access services to the end user.

In designing Proxy Server 2.0, Microsoft has addressed these problems and is positioning Proxy Server 2.0 as a combination firewall and cache server: one product that gives you secure and fast Internet access from your corporate network. I'll examine the new features that make Proxy Server 2.0 a more compelling product than its predecessor.

More Administration Choices
Proxy Server 2.0 gives the net manager a flexible set of administrative tools. As in the previous version, you can use the Internet Service Manager (ISM) to manage proxy services. ISM is the most complete method available; it gives you access to all administrative functions. The ISM main screen lists each of the installed Proxy services (Web Proxy, WinSock Proxy, and SOCKS Proxy) and any Internet Information Server (IIS) services you have installed.

Each proxy service has its own set of property sheets. Microsoft has reformatted the Web Proxy Service sheet, shown in Screen 1, to list functions that all three services share (with some exceptions for the SOCKS Proxy). Other property sheets are more specific to each service. New in the administrative toolbox is a command-line interface for querying and configuring Proxy Server. One great application of this tool is to use scripts to simultaneously configure multiple proxy servers. The two command-line utilities for configuring multiple servers are RemotMsp and WspProto. Table 1 lists the capabilities of each utility. The initial release doesn't support an HTML administrative tool, but Microsoft has promised that you'll be able to download the tool from the Microsoft Web site.

Configuration Backup and Restore
The new configuration backup function creates a text file (similar to an .ini file) that contains a complete list of all parameters defined for all installed proxy services. Click Server Backup on the Service property sheet of any of the proxy services, choose a directory, and away you go. This function is an easy way to get a manual dump of the configuration on the local machine, but you can't use it for remote machines. You can use the command-line utility RemotMsp for either local or remote backup.

Restoring a Proxy Server configuration is likewise a manual process, and just as simple. A neat feature is the ability to choose Partial Restore; you reach this option by clicking Server Restore on the Web Proxy Service Properties sheet, then choosing Restore Configuration. With Partial Restore, you can restore only noncomputer-specific parameters, such as user permissions. This capability is useful for setting up multiple proxy servers without having to code scripts. Just configure user permissions on one proxy server the way you want it, back up the configuration, and do a partial restore for each of the other servers.

Packet Filtering
Microsoft refers to Proxy Server 2.0 as a firewall primarily because of its new packet-filtering capability. This feature lets an administrator reject specific packet types at the IP level before they reach any of the higher-layer services (Web, WinSock or SOCKS). Enabling packet filtering causes Proxy Server to drop all packets sent to the external interface, except for those that match a default list of predefined packet filters. Note that you create a filter for the packet types you want the proxy server to accept. Screen 2 shows the Packet Filters tab.

By default, selecting packet filtering also enables dynamic packet filtering. This feature is an intelligent component that enables and disables filters based on the current state of a protocol sequence. For example, a Telnet client can request the proxy server to open a connection to a server on the Internet. The proxy chooses a source port, say 1500, creates a filter allowing Telnet traffic to and from port 1500, and then establishes a TCP connection to the server. When the Telnet session is complete, the proxy disables the filter and denies further access to port 1500 from the external interface.

You can disable dynamic filtering and rely on your ability to define the correct static filters for your needs. However, static filters can be difficult to code correctly. Thinking that you have adequate protection when you really don't is not a good security practice. If you must use static filtering, make sure that you check your configuration by scanning the ports on your external interface. Use a TCP port scanning tool (e.g., AGNet Tools from the AG Group) to check that only the ports you intended to expose are visible.

When you enable packet filtering, you also select IP fragment filtering, which you can use to prevent a FRAG denial-of-service attack. Fragmentation is a function of the IP protocol that routers perform to accommodate networks of varying maximum frame sizes. For instance, a router fragments a 1400-byte datagram received from an Ethernet segment if it is bound for an X.25 network, which has a maximum frame size of 576 bytes. Receiving hosts must reassemble these fragments. Sending multiple bogus fragments to a host will keep it busy tracking lots of fragments that never get reassembled back into a datagram, eventually causing a severe depletion of resources.

Intruders can exploit this aspect of the protocol to get through a packet filter. Because only the first fragment contains the port information (in the TCP header), the proxy server has no information to base a filtering decision on for subsequent fragments. The Enable filtering of IP fragments checkbox in Screen 2 lets Proxy Server filter out all fragmented IP datagrams. This action also filters out normal fragmented traffic. Leave this box checked for better security protection, but if you have problems communicating with a specific host or server through the Proxy Server, keep in mind that this filtering is occurring.
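To make the fragment problem concrete, here is an added example (not code from the article or from Proxy Server) that parses constructed IPv4 packets and applies a static TCP port filter with and without the "drop all IP fragments" rule. The packet layout, addresses and port numbers are constructed for the example, and the decision labels are my own names, not Proxy Server's.

```python
import struct

def build_ipv4(payload: bytes, proto: int = 6, more_fragments: bool = False,
               frag_offset: int = 0) -> bytes:
    # Minimal IPv4 header (no options) in front of payload. Constructed test data,
    # not captured traffic; the header checksum is left at 0.
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, flags_frag,
                      64, proto, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    return hdr + payload

def parse_ipv4(pkt: bytes) -> dict:
    # The header fields a packet filter needs. The fragment offset is carried in 8-byte units.
    ver_ihl, _, total_len, _, flags_frag, _, proto, _, _, _ = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"proto": proto, "more_fragments": bool(flags_frag & 0x2000),
            "frag_offset": (flags_frag & 0x1FFF) * 8, "payload": pkt[ihl:total_len]}

def is_fragment(hdr: dict) -> bool:
    # Any piece of a fragmented datagram has MF set, a non-zero offset, or both.
    return hdr["more_fragments"] or hdr["frag_offset"] > 0

def filter_decision(pkt: bytes, allowed_tcp_ports: set, drop_fragments: bool) -> str:
    # A static TCP port filter with the optional "drop all IP fragments" rule in front of it.
    # Returns "accept", "drop-fragment", "drop-port" or "drop-unknown".
    hdr = parse_ipv4(pkt)
    if drop_fragments and is_fragment(hdr):
        return "drop-fragment"
    if hdr["frag_offset"] > 0:
        # Non-first fragment: the TCP header travelled in the first fragment, so there
        # is no port here to check. A port filter on its own cannot classify this packet.
        return "drop-unknown"
    if hdr["proto"] == 6 and len(hdr["payload"]) >= 4:
        _, dst_port = struct.unpack("!HH", hdr["payload"][:4])
        return "accept" if dst_port in allowed_tcp_ports else "drop-port"
    return "drop-unknown"

# Constructed samples: one TCP segment to port 80, whole and then split the way a
# router would (the first fragment holds the TCP header, the second holds only data).
TCP_HDR = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
WHOLE = build_ipv4(TCP_HDR + b"GET / HTTP/1.1\r\n")
FIRST_FRAG = build_ipv4(TCP_HDR + b"GET / HTTP/1", more_fragments=True)  # 32 bytes of payload
SECOND_FRAG = build_ipv4(b".1\r\n", frag_offset=4)                         # 4 * 8 = 32 bytes in
```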

Microsoft has defined a set of default packet filters (shown in Screen 2), which at first glance look as though they are letting Internet Control Message Protocol (ICMP) and Domain Name System (DNS) traffic onto the internal network. However, proper operation of the proxy services requires these filters. Normal ICMP traffic between a host (in this case, the proxy service) and other hosts or routers includes protocol exchanges necessary for proper TCP/IP operation. Microsoft chose to open static holes in the wall to accommodate this traffic. Proxy Server doesn't send these packets to the internal network unless you explicitly configure the proxy service to let them pass. For example, the ping program uses ICMP packets. If I want to ping an external host from the internal network, I have to configure a WinSock Proxy service protocol definition for outbound echo and inbound echo reply in addition to the default ICMP packet filter. Similarly, Microsoft intends the DNS filter definition to let the proxy services talk to an external DNS.

Packet Alerts and Logging
In addition to filtering packets, Proxy Server 2.0 lets you keep a log of packet-level events. You can log to a text file or to an Open Database Connectivity (ODBC)-compliant database. By default, Proxy Server initiates logging only for packets that are dropped.

Useful packet-layer information kept in the logs in regular logging mode includes source and destination address, source and destination port, the protocol, and a time stamp. You can turn on verbose logging, which increases the size of the logged event to include the IP header and a portion of the data field from the packet, saved in hex notation. In the Registry, you can adjust the size of the captured data field. I don't know about you, but I get a headache from looking at hex packet dumps. I wish you could convert the hex dump portion of these logs to a Network Monitor format for easy decoding and viewing.

Logging is great for analysis, but what about situations that require your immediate attention? In conjunction with the logging function, Proxy Server 2.0 can alert you to suspicious activity at the packet level. If packet logging is enabled, you can choose for Proxy Server to alert you via email or the NT Event Log if the event frequency exceeds a threshold that you set. For instance, if the proxy server rejects more than 20 packets in 1 second (the default), your network might be under attack. An example is someone attempting a denial-of-service attack via SYN flooding. This feature helps an administrator head off security threats.
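The threshold alert described above, as an added example that is not part of the article or of Proxy Server: it runs a sliding one-second window over constructed packet-filter log lines and raises one alert per burst once the dropped-packet count exceeds 20. The log layout and addresses are constructed for the example; Proxy Server's own text-log format is not reproduced.

```python
from collections import Counter, deque
from datetime import datetime

# Constructed log layout for this example (Proxy Server's real text-log format is not
# reproduced here): "<date> <time> <action> <proto> <src>:<port> <dst>:<port>"
def make_sample_log() -> list:
    lines = ["1997-11-30 10:15:00.000 DROP UDP 203.0.113.5:53 192.0.2.1:53",
             "1997-11-30 10:15:00.500 ACCEPT TCP 198.51.100.7:1100 192.0.2.1:80"]
    for i in range(25):   # 25 dropped connection attempts from one host within 0.8 seconds
        lines.append(f"1997-11-30 10:15:01.{i * 32:03d} DROP TCP 203.0.113.9:{40000 + i} 192.0.2.1:80")
    lines.append("1997-11-30 10:15:05.000 DROP TCP 198.51.100.7:1234 192.0.2.1:23")
    return lines

def parse_line(line: str):
    # Return the fields the alert logic needs, or None for a malformed line.
    parts = line.split()
    if len(parts) != 6:
        return None
    try:
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S.%f")
    except ValueError:
        return None
    return {"ts": ts, "action": parts[2], "proto": parts[3], "src": parts[4].rsplit(":", 1)[0]}

def detect_bursts(lines, threshold: int = 20, window_s: float = 1.0) -> list:
    # Alert when more than `threshold` drops fall inside any `window_s` interval.
    # The defaults mirror the article's "more than 20 packets in 1 second".
    window = deque()     # (timestamp, source address) of recent dropped packets
    alerts, alerted = [], False
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["action"] != "DROP":
            continue
        window.append((ev["ts"], ev["src"]))
        while (ev["ts"] - window[0][0]).total_seconds() > window_s:
            window.popleft()   # age out drops older than the window
        if len(window) > threshold and not alerted:
            top_src, from_top = Counter(s for _, s in window).most_common(1)[0]
            alerts.append({"at": ev["ts"], "drops": len(window),
                           "top_src": top_src, "from_top": from_top})
            alerted = True     # one alert per burst, not one per packet
        elif len(window) <= threshold:
            alerted = False    # burst has subsided; a later burst may alert again
    return alerts
```

Reporting the dominant source address alongside the count is what lets an administrator tell a single flooding host from a broad scan when the alert arrives.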

FTP Caching
The Web Proxy Service lets you cache objects retrieved via FTP. Note that Proxy Server doesn't cache all FTP traffic, only objects retrieved via FTP that your browser can display. For example, Proxy Server won't cache a downloaded executable or other file that your browser won't display, or files you download with a WinSock program for FTP (either the command-line FTP or a third-party GUI version).

Reverse Proxy and Reverse Hosting
If you want to share information on your local Web servers with Internet users, you'll be interested in reverse proxy and reverse hosting. Proxy Server 1.0 lets you publish to the Internet, but only if the Web server resides on the same machine as the Proxy Server. With reverse proxy, you can configure the Proxy Server 2.0 machine to listen for URL requests and forward them to a Web server on your local network, in effect impersonating the local Web server. An external client uses the URL of the external interface of the proxy server, but a different Web server on the local network returns the pages to the client. You can represent only one local server in this manner.

Reverse hosting (also called virtual hosting) offers a slightly different twist on this concept. With reverse hosting, you can specify multiple virtual paths from the main proxy server URL, much as you would for virtual servers on IIS. Then, you set up mapping between the virtual paths and actual URLs on the local network. When an external client tries to hit the virtual path, the proxy server forwards the pages from the real local URL.

Both these services take advantage of caching, which can deflect some external traffic from reaching your local network. If the proxy server has the requested URL in its cache, it won't request the URL from the local Web server. Of course, you have to make a good estimate of the expected traffic at your site to provide enough cache space. You also have to make sure that the proxy server hardware you're using can handle requests for multiple Web servers.

SOCKS 4.0 Support
As Microsoft gets deeper into the role of providing enterprisewide solutions, it is learning to deal with client platforms that don't come from Redmond. SOCKS is a proxy gateway with strong roots in the UNIX community. The SOCKS proxy service can provide access to a "socksified" client, whose TCP/IP stack can attach to a SOCKS server. Most UNIX platforms and Macintosh and Windows offer client support for SOCKS.

Microsoft describes the SOCKS Proxy Service as a cross-platform version of the WinSock proxy service. But it's closer to a plain vanilla proxy that supports only TCP (not User Datagram Protocol--UDP) and requires you to manually add permissions (by default, the SOCKS proxy denies all access). The SOCKS Proxy bases permissions on source address (individual IP address or Internet domain). Because the intended platforms are non-Windows, the SOCKS proxy performs no NT user authentication.

Incidentally, the Internet Engineering Task Force (IETF) has adopted as an Internet standard a later version of SOCKS (SOCKS 5) that adds several features, including authentication. If you plan to use the SOCKS proxy, make sure that the clients you are using are compatible with SOCKS 4.0, the version that Microsoft supports.

HTTP 1.1 Support
The most recent version of HTTP improves performance significantly over previous versions by supporting persistent connections. In the widely implemented HTTP 1.0, retrieving multiple objects on a Web page (e.g., text, graphics, audio clips) requires a separate TCP connection for each object. HTTP 1.1 improves on this activity through the use of persistent connections, in which you can retrieve multiple objects with one TCP connection. This reduced overhead can improve end-to-end performance dramatically (assuming that HTTP was a bottleneck). A proxy has two connections, one from the Web client to the proxy and another from the proxy to the Web server. Because the proxy is an active participant in mapping between the two connections, Proxy Server must support the new version of the protocol to reap the benefits.

Multiserver Configurations
Caching improves the performance the client sees, primarily by cutting down on the number of requests the client needs to generate to servers on the external network. Proxy Server 1.0 lets you run multiple proxies in an enterprise, but it has no mechanism for coordinating the caching between them. With multiple proxies, you often end up, over time, with multiple versions of the same cached objects on different proxies. Also, Proxy Server offers no way to intelligently share loading between the proxies. One proxy can be scrambling to keep up with client requests while others stand idle.

Microsoft has responded to these problems with the Cache Array Routing Protocol (CARP). CARP uses two types of intelligent routing--distributed and hierarchical--between proxy servers. Distributed routing occurs between members of a proxy server array; hierarchical routing occurs between proxy servers configured in a chain.

An array is a group of proxy servers that you administer as one logical entity. All members of the array keep an array membership list. Each proxy server updates the list regularly to account for proxies coming online or going down. Array members are peers and communicate with one another to cooperatively service requests from clients. Proxy Server uses a hash, a common algorithm in searching and sorting, to determine which member of the array services the request. (For a discussion of hash functions, see Mark Minasi, "Windows NT Logons," June 1997.)

Array members feed each combination of proxy server name and URL name into the hash algorithm to generate a score. The highest score determines which proxy server will service requests for that specific URL. Each proxy server runs the algorithm and keeps scores in a hash table. The algorithm is deterministic--the hash table entries are the same in all proxy servers, without their communicating with one another. This scheme addresses a drawback of an earlier cache routing scheme called the Internet Cache Protocol (ICP), which used a query protocol between proxies to find a specific URL. Besides minimizing protocol chatter between proxies, the hash scheme is good for load-balancing because it has positive scalability. The more members in the array list, the more evenly distributed the load.

A chain is a hierarchical grouping of proxies. A proxy server that is a member of a chain forwards client requests that it can't service to the next higher-level proxy in the chain. The downstream proxy in the chain is closest to the client; the furthest upstream proxy is closest to the Internet. Requests flow only upstream or among members of an array.

You can combine chains and arrays. In a chain, the upstream entity can be one proxy server or an array. Downstream proxies can obtain a copy of the upstream array list by polling. With the array list, downstream proxies can create a hash table for an array to determine which member of the array needs to respond to a request for a URL.

Figure 1 shows an example of proxies distributed between a branch office and a corporate site. Clients in the branch access the Internet through Proxy Server Z, over a leased line to the corporate net, then through the Proxy Array, following these steps:

  1. The client requests a URL from Proxy Z.

  2. Proxy Z does not find the URL in its cache, so it uses the hash function to forward the request to Proxy A in the array CORP.

  3. Proxy A receives the URL request from Proxy Z. Proxy A checks its cache and does not find the URL.

  4. Proxy A runs the hash function and determines that Proxy C is the proper location for the URL. Proxy A then forwards the request to Proxy C.

  5. Proxy C finds the URL cached and returns a response to Proxy Z.

  6. Proxy Z returns the response to the client and caches the URL locally for future use.

I have two observations about this example. First, in step 4, if Proxy C does not have the URL cached, Proxy C looks for the URL on the Internet. Second, because Proxy Z caches the URL, two copies are cached. You gain a performance advantage because users in the branch now have a local copy cached, and they don't have to chew up any more leased-line bandwidth to retrieve it from the corporate net. If you implement chains properly, they can put the cache close to the users who need it.
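The scoring scheme from the array discussion and the Figure 1 walk-through, as an added example that is not code from the article or from Microsoft's CARP implementation: each array member scores (proxy name, URL) pairs and the highest score owns the URL, a downstream proxy forwards its misses into the array, and a second copy ends up cached at the branch. SHA-256 stands in for CARP's own hash functions, and the proxy names, URLs and origin fetch are constructed for the example.

```python
import hashlib

def score(member: str, url: str) -> int:
    # Illustrative score for one (proxy name, URL) pair; Microsoft's CARP uses its own
    # hash functions, SHA-256 stands in for them here.
    return int.from_bytes(hashlib.sha256(f"{member}|{url}".encode()).digest()[:8], "big")

def choose_member(members, url: str) -> str:
    # Highest score wins; every proxy holding the same array list picks the same owner.
    return max(members, key=lambda m: score(m, url))

def distribution(members, urls) -> dict:
    # How many of the URLs each array member owns (load balance).
    counts = {m: 0 for m in members}
    for u in urls:
        counts[choose_member(members, u)] += 1
    return counts

def moved_fraction(old_members, new_members, urls) -> float:
    # Share of URLs whose owner changes when a member joins or leaves.
    return sum(choose_member(old_members, u) != choose_member(new_members, u) for u in urls) / len(urls)

class ArrayProxy:
    # An array member: if it is not the owner of the URL it forwards to the owner.
    def __init__(self, name, origin):
        self.name, self.origin, self.cache = name, origin, {}
    def handle(self, url, peers, trace):
        owner = choose_member(sorted(peers), url)
        if owner != self.name:
            trace.append(f"{self.name}: forwarding to {owner}")
            return peers[owner].handle(url, peers, trace)
        if url in self.cache:
            trace.append(f"{self.name}: cache hit")
        else:
            trace.append(f"{self.name}: cache miss, fetching from origin")
            self.cache[url] = self.origin(url)
        return self.cache[url]

class ChainProxy:
    # A downstream (branch) proxy whose upstream route is the array.
    def __init__(self, name, array):
        self.name, self.array, self.cache = name, array, {}
    def handle(self, url, trace):
        if url in self.cache:
            trace.append(f"{self.name}: cache hit")
            return self.cache[url]
        trace.append(f"{self.name}: cache miss, forwarding upstream")
        entry = self.array[sorted(self.array)[0]]          # first member as entry point, as in Figure 1
        self.cache[url] = entry.handle(url, self.array, trace)   # second copy, close to branch users
        return self.cache[url]

def run_walkthrough(url="http://www.example.com/index.html"):
    # Replays the branch-to-array walk-through; returns the trace and the origin fetch count.
    calls = []
    def origin(u):                       # stands in for the Internet
        calls.append(u)
        return f"<html>{u}</html>"
    members = {n: ArrayProxy(n, origin) for n in ("A", "B", "C")}
    trace, z = [], ChainProxy("Z", members)
    z.handle(url, trace)                 # miss everywhere: one fetch from origin
    z.handle(url, trace)                 # Z now holds a local copy
    ChainProxy("Y", members).handle(url, trace)   # another branch: served by the array owner
    return trace, len(calls)
```

The `moved_fraction` check goes one step beyond the article: with this highest-score rule, adding a fourth member reassigns only about a quarter of the URLs, so the remaining caches stay useful as the array grows.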

Multiserver Administration
You can add or remove array members via the Array property screen. Screen 3 shows two members of the CORP array, MSCPDC and WEBSTER. Although this example uses NetBIOS names, you also can use fully qualified domain names and the DNS. The system will propagate changes made here to other array members to keep them in sync.

To configure chains, use the Routing tab on the Web Proxy Service Properties screen, as shown in Screen 4. In the Upstream Routing section, the last upstream Proxy Server selects Use direct connection. Downstream proxies choose Use Web Proxy or array. Select Modify to get to Advanced routing options (shown in Screen 5), where you can add the name of the next upstream proxy. Note that an upstream proxy can be running Proxy Server 1.0 or a third-party proxy gateway, because the downstream proxy is acting as a client with respect to the upstream proxy. If the upstream proxy is an array, you can automatically poll for the array configuration. From this dialog box, you can also select proxy-to-proxy authentication for the chain; this choice requires an account with Administrator privileges on the upstream machine.

You can configure a backup route from the Enable backup route section of Screen 4. The fault-tolerance process is dynamic. The system uses the backup if the primary route is down, but the system periodically polls the primary and uses it again when it comes back up.

And That's Not All...
Proxy Server 2.0 has many improvements over the previous release. In addition to the features I've discussed, Proxy Server 2.0 includes client configuration scripts, server proxying, and domain filtering. You can also extend the product via third-party applications that use the Internet Server API (ISAPI). Some third-party enhancements already available are Trend Micro InterScan Web Protect for virus scanning, Cyber Patrol Proxy for content filtering, and Market Wave Hit List and TELEMATE.Net for reporting. Depending on your situation, Proxy Server could fulfill a significant part of your needs for secure Internet access.
