Chapter 6. Security

This chapter describes how to make and keep your proxy server secure. It describes SSL and HTTPS. It also discusses how to use the Proxy Manager to implement security features in your server.

Why Do I Need Security?

Without thorough security, information transmitted over the Internet is susceptible to fraud and other misuse. Information traveling between your computer and a server uses a routing process that can extend over many computer systems. Any one of these computer systems represents an intermediary with the potential to access the flow of information between your computer and a trusted server. You need security to make sure that the intermediaries don't deceive you, eavesdrop on you, copy from you, or damage your communications.

The SSL protocol delivers server authentication, data encryption, and message integrity. SSL is layered beneath application protocols such as HTTP, SMTP, Telnet, FTP, Gopher, and NNTP, and layered above the connection protocol TCP/IP. This strategy lets SSL operate independently of the Internet application protocols.

There are two types of security: application level and network level. Application security ensures that data passed over the network can't be stolen by a third party. Network security ensures that third parties can't intrude on your network and gain access to the network files and resources. This chapter deals with application-level security.

What is SSL?

The Secure Sockets Layer (SSL) protocol for Internet security (developed by Netscape Communications to ensure private and authenticated communications) is an open platform put into the public domain for the Internet community.

SSL provides data encryption, server authentication, message integrity, and optional client authentication for a TCP/IP connection. SSL uses technology licensed from RSA Data Security Inc.


Note: SSL has been submitted for consideration as a standard security approach for World Wide Web browsers and servers on the Internet.


How Does SSL Work?

SSL uses a security handshake to initiate the TCP/IP connection. This handshake results in the client and server agreeing on the level of security they will use. After the handshake, SSL encrypts and decrypts the byte stream of the application protocol being used (for example, HTTP, NNTP, or Telnet). This means that all information in both the HTTP request and response is fully encrypted, including

  • The URL the client requests

  • All submitted form contents (for example, credit card numbers)

  • Any HTTP access authorization information (for example, user names and passwords)

  • All data sent from the server to the client.

For more detailed information, see the SSL Protocol specification at http://home.mcom.com/ssl.html.

What About SSL and the Proxy Server?

When a client requests an SSL connection to a secure server through a proxy server, the proxy opens a connection to the secure server and then simply copies data in both directions without intervening in the secure transaction.

Figure 6-1. SSL Connection and Data Transfer


To use SSL proxying with HTTPS URLs, the client must support both SSL and HTTPS (such as the Netscape Navigator). HTTPS is implemented using SSL with normal HTTP. Clients without HTTPS support can still access HTTPS documents using Netscape Proxy's HTTPS proxying capability (see “What is HTTPS?” for more information).

SSL proxying is a lower-level activity that doesn't affect the application level (HTTPS). SSL proxying is just as secure as SSL without proxying; the existence of the proxy in between does not in any way compromise security or reduce the functionality of SSL.

With SSL, the data stream is encrypted, so the proxy has no access to the actual transaction. Consequently, the access log cannot list the status code or the header length received from the remote server. This also prevents the proxy, or any other third party, from eavesdropping on the transactions.

Because the proxy never sees the data, it can't verify that the protocol spoken between the client and the remote server is SSL. This means the proxy also can't prevent other protocols from being passed through. You should restrict SSL connections to only well-known HTTPS ports, namely port number 443 as assigned by the Internet Assigned Numbers Authority (IANA). If there are sites that run the secure server on some other port, you can make explicit exceptions (via the Resource Manager) to allow connections to other ports on certain hosts. You would do this using the connect://* resource. At a later date, when more protocols are enhanced with SSL, you can use the standard port numbers for those protocols.

The Netscape Proxy SSL proxying capability is actually a general, SOCKS-like capability that is protocol-independent, so you can use this feature for other services, too. The Netscape Proxy handles SSL proxying for any application that has SSL support, not only the HTTPS protocol.

Configuring SSL proxying

To configure SSL proxying

  1. Jump to the Resource Manager from the Proxy Manager page.

  2. Select the connect://*:443 resource from the list of existing resources (the default HTTPS port number is 443). If you don't already have this resource, type connect://*:443 in the wildcard pattern text box. (“connect://…” is an internal proxy notation and doesn't exist outside of the proxy.)

    If you want to allow connections to other ports, you can use similar URL patterns.

  3. Click the Submit this form button, and then restart the proxy.


Caution: If the proxy is misconfigured, it is possible to abuse the SSL proxy to achieve "telnet-hopping." Someone can use the proxy to make it appear that a telnet connection is coming from the proxy host, rather than the actual connecting host. This is why you have to pay extra attention to allow no more ports than absolutely necessary and to use access control on your proxy (restricting the client hosts).


SSL Proxy Protocol: Technical Details

Internally, SSL proxying uses the CONNECT method with the destination hostname and port number as a parameter followed by an empty line:

CONNECT energy.sgi.com:443 HTTP/1.0

A successful response from the proxy server is

HTTP/1.0 200 Connection established
Proxy-agent: Netscape-Proxy/1.1

followed by an empty line. Then the connection is set up between the client and the remote server, and they can transfer data in both directions until either closes the connection.

Internally, to benefit from the normal Netscape configuration mechanism based on URL patterns, the hostname and port number (energy.sgi.com:443) are automatically mapped into a URL like this:

connect://energy.sgi.com:443

This is only an internal notation used by the Netscape Proxy to make configuration easier and uniform with other URL patterns. Outside of the proxy server, connect URLs do not exist and if the Netscape Proxy receives such a URL from the network, it marks it as invalid and refuses to service the request.
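The following is an added example, not code from the Netscape Proxy itself. It models the CONNECT handling described above: parsing the request line, mapping the host and port into the internal connect:// notation, refusing a connect:// URL that arrives from the network, and applying the port policy the chapter recommends (only the IANA-assigned HTTPS port 443 by default, with explicit exceptions for particular hosts). The allow-list values, the hypothetical host secure.example.com, and the 400 and 403 responses for rejected requests are assumptions; only the 200 status line is from the manual.

```python
import re

# Constructed policy values (not from the manual): the manual's advice is to
# allow tunnels only to the IANA-assigned HTTPS port, 443, and to add explicit
# per-host exceptions for sites that run a secure server on another port.
DEFAULT_ALLOWED_PORTS = frozenset({443})
HOST_PORT_EXCEPTIONS = {"secure.example.com": frozenset({8443})}  # hypothetical host

# Request line per the manual: "CONNECT host:port HTTP/1.0" (HTTP/1.1 tolerated).
CONNECT_RE = re.compile(
    r"^CONNECT[ \t]+([A-Za-z0-9.-]+):([0-9]{1,5})[ \t]+HTTP/1\.[01]$"
)


def parse_connect(request_line):
    """Return (host, port) from a CONNECT request line, or None if malformed."""
    match = CONNECT_RE.match(request_line.strip())
    if match is None:
        return None
    host, port = match.group(1).lower(), int(match.group(2))
    if not 0 < port < 65536:
        return None
    return host, port


def to_connect_url(host, port):
    """Build the proxy-internal connect:// notation used for resource matching."""
    return "connect://%s:%d" % (host, port)


def is_external_connect_url(request_line):
    """True if a client sent a connect:// URL over the network; the proxy must
    treat that as invalid because the notation is internal only."""
    parts = request_line.strip().split()
    return len(parts) >= 2 and parts[1].lower().startswith("connect://")


def tunnel_allowed(host, port, allowed_ports=DEFAULT_ALLOWED_PORTS,
                   exceptions=HOST_PORT_EXCEPTIONS):
    """Port policy: the well-known HTTPS port for every host, plus listed ports
    for specific hosts. Anything else (telnet on port 23, for example) is
    refused so the tunnel cannot be used for telnet-hopping."""
    return port in allowed_ports or port in exceptions.get(host, frozenset())


def handle_connect(request_line):
    """Return the status line the proxy would answer with. The 200 line is the
    manual's; 400 and 403 are assumed here for rejected requests."""
    if is_external_connect_url(request_line):
        return "HTTP/1.0 400 Bad Request"
    parsed = parse_connect(request_line)
    if parsed is None:
        return "HTTP/1.0 400 Bad Request"
    host, port = parsed
    if not tunnel_allowed(host, port):
        return "HTTP/1.0 403 Forbidden"
    return "HTTP/1.0 200 Connection established"


if __name__ == "__main__":
    for line in ("CONNECT energy.sgi.com:443 HTTP/1.0",
                 "CONNECT energy.sgi.com:23 HTTP/1.0",
                 "CONNECT secure.example.com:8443 HTTP/1.0",
                 "GET connect://energy.sgi.com:443 HTTP/1.0"):
        print("%-45s -> %s" % (line, handle_connect(line)))
```

The port check runs before any connection is opened to the destination, which is the point of the chapter's caution: once the tunnel is established the proxy cannot see what protocol flows through it, so the only place to enforce "HTTPS ports only" is at the CONNECT request.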

What is HTTPS?

HTTPS is normal HTTP wrapped in a secure SSL layer. If you use the Netscape Navigator (or other SSL-enabled browser) when accessing the proxy server, HTTPS URLs are proxied by using the SSL proxy feature, not by using the HTTPS proxy feature.


Note: Netscape Navigator doesn't use this proxy HTTPS option because it fully supports HTTPS and SSL proxying.

Clients without native HTTPS support or without SSL proxy support can use Netscape Proxy's direct HTTPS proxying feature. HTTPS proxying is similar to proxying other protocols, such as HTTP or FTP. In the HTTPS case, the protocol spoken between the client and the proxy is always HTTP, but only the proxy establishes the secure connection to the remote server. That is, transactions between the proxy and the server are encrypted, while the transactions between the client and the proxy are sent in the clear.

Figure 6-2. Proxy Establishes Connection


This means that in order to achieve maximum security, the network between the client and the proxy must be secure (or trusted) because documents are passed from the proxy to the client unencrypted. For example, a corporation's network behind a firewall could be considered secure, so secure documents cannot be disclosed to an outsider—the outsider has no access to the internal network, and outside of the network, the document is transferred encrypted.

Configuring HTTPS Proxying

To configure HTTPS proxying

  1. Jump to the Resource Manager from the Proxy Manager page.

  2. Select the https://* resource from the list of existing resources. If you don't already have this resource, type https://* in the wildcard pattern text box.

  3. Click the Submit this form button, and then restart the proxy.

Restricting Allowed Hosts

To restrict the hosts that can use the Proxy Manager

  1. Click the Admin Manager link on the Proxy Manager page. The Administrative password form appears.

  2. Scroll down the page to the text boxes. Type wildcard patterns for the hostnames and IP addresses that are allowed into the proxy server. See Table 6-1 for examples of restrictions.

  3. Change the administrative user name or password if you need to (see “Changing the Administrative User Name and Password” for information).

  4. Click the Submit this form button. The Proxy Manager updates the information. Be sure to restart the server.

    Table 6-1. Example Host Restrictions

    Restriction                    Allows access to ...

    *.sgi.com                      Anyone whose host name ends with .sgi.com.

    host1.sgi.com, host2.sgi.com   Allows only two hosts, the ones with host
                                   names of host1.sgi.com or host2.sgi.com.

    host*.sgi.com                  Anyone whose host name starts with the text
                                   “host” and ends with the domain .sgi.com.

    (host1|host2).sgi.com          Either host1.sgi.com or host2.sgi.com, but
                                   doesn't allow any other hosts.

    198.93.92.*                    Anyone whose IP address begins with the
                                   numbers 198.93.92. For example, 198.93.92.23
                                   is allowed, but 198.93.921.78 is not (note
                                   the placement of the last dot).
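The following is an added example, not the Proxy Manager's own matching code. It implements the pattern rules that Table 6-1 illustrates (“*” matches any run of characters, “(a|b)” is an alternation, a comma-separated list means any of its entries, and every other character including the dot is literal) and checks each row of the table against constructed client names and addresses. Case-insensitive matching and the exact treatment of the comma list are assumptions drawn from the table, not documented behaviour.

```python
import re


def pattern_to_regex(pattern):
    """Translate a Proxy Manager-style host restriction into an anchored regex.

    Rules assumed from Table 6-1: '*' matches any run of characters, '(a|b)'
    is an alternation, a comma-separated list means any of its entries, and
    every other character (including '.') is literal.
    """
    alternatives = []
    for entry in pattern.split(","):
        entry = entry.strip()
        if not entry:
            continue
        regex = ""
        for ch in entry:
            if ch == "*":
                regex += ".*"
            elif ch in "(|)":
                regex += ch
            else:
                regex += re.escape(ch)
        alternatives.append(regex)
    if not alternatives:
        raise ValueError("empty restriction pattern")
    try:
        return re.compile(r"^(?:" + "|".join(alternatives) + r")$", re.IGNORECASE)
    except re.error as exc:
        raise ValueError("bad restriction pattern %r: %s" % (pattern, exc))


def is_allowed(pattern, client):
    """True if the client's host name or IP address matches the restriction."""
    return pattern_to_regex(pattern).match(client) is not None


# Constructed clients exercised against the patterns listed in Table 6-1.
TABLE_6_1_CHECKS = [
    ("*.sgi.com", "host9.sgi.com", True),
    ("*.sgi.com", "sgi.com.example.net", False),      # must END with .sgi.com
    ("host1.sgi.com, host2.sgi.com", "host2.sgi.com", True),
    ("host1.sgi.com, host2.sgi.com", "host3.sgi.com", False),
    ("host*.sgi.com", "hostess.sgi.com", True),
    ("(host1|host2).sgi.com", "host1.sgi.com", True),
    ("(host1|host2).sgi.com", "host3.sgi.com", False),
    ("198.93.92.*", "198.93.92.23", True),
    ("198.93.92.*", "198.93.921.78", False),           # the manual's counter-example
]


def check_table():
    """Return the rows whose outcome differs from expectation (empty means all agree)."""
    return [(p, c, e) for p, c, e in TABLE_6_1_CHECKS if is_allowed(p, c) != e]


if __name__ == "__main__":
    for pattern, client, expected in TABLE_6_1_CHECKS:
        print("%-30s %-22s allowed=%s" % (pattern, client, is_allowed(pattern, client)))
    print("mismatches:", check_table())
```

Because the regex is anchored at both ends, “*.sgi.com” cannot be satisfied by a name that merely contains “.sgi.com” somewhere in the middle. A host name pattern can only be applied to whatever name the proxy resolves for the connecting address, so it is worth pairing host name patterns with IP address patterns rather than relying on names alone.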


Changing the Administrative User Name and Password

To change the administrative user name and password

  1. Click the Admin Manager link on the Proxy Manager page. The Administrative password form appears.

  2. Scroll down the page to the user name and password text boxes.

  3. Type a new user name. You can use “admin” for the user name for convenience. You can skip this step if you want to change only the password.

  4. Type the current password for the administration account.

  5. Type the new password. Make sure you retype the password to ensure accuracy.

  6. Click the Submit this form button. The Proxy Manager updates the proxy server with the new user name and password. Be sure to restart the proxy server for this change to take effect.