Lesson 3: Design Decisions for a Proxy Server Solution
Objective: Explain the factors that determine the appropriateness of a Proxy Server solution
Design Decisions for Proxy Server Solution
When using Proxy Server, your design decisions for an internet-connectivity solution must be based on the security requirements, the network configuration, the number of Internet-exposed resources, and the number of geographically distributed locations for the organization.
Proxy Server is an appropriate solution for Internet connectivity if:
- Internet and private network access is restricted on a user-by-user basis or on a resource-by-resource basis
Restricting Access
Using the Web Proxy Service, you can restrict access by configuring limitations on the network services to which users can connect.
The Web Proxy Service lets you control which users or groups can access resources over the following protocols:
- HTTP (Hypertext Transfer Protocol): used to communicate with web servers and transfer the content of web pages to a web client, such as Microsoft® Internet Explorer.
- HTTPS (Secure Hypertext Transfer Protocol): used to protect the data moving to and from a secure web server.
- FTP (File Transfer Protocol): a member of the TCP/IP suite of protocols, used to copy files between two computers on the Internet. Both computers must support their respective FTP roles: one must be an FTP client and the other an FTP server.
- Gopher: a network service used in the past to allow users to search the contents of a site. Gopher has lost favor in most environments, but may still be encountered at some university sites.
Similar access controls can be placed over a much wider variety of services using the WinSock Proxy Service.
Question:
I manage a small network on a residential site, which is looking to restrict staff use of the internet (especially out of hours) to 30-minute sessions per user. The network is a Windows 2000 domain, but the internet area could be on its own subnet linked directly to the router.
At the moment we are looking at cheap solutions like Internet Caffe from Antamedia, but I wondered if there was something that could be done through Linux. Perhaps some form of LDAP terminal server using a MySQL database?
The transport layer security protocol project (TLSP) makes me think that someone else must have asked this question at least once, but the web discussions all seem to head back towards MS servers, which seems a pity. The machines are all low-spec P400/800s, with 128-256 RAM, which could possibly be increased. Access to a common shared drive (via CIFS or NFS) and a shared printer (networked Brother) would also be useful. Obviously, all the programmes that you might want are there
- MPlayer,
- RealPlayer,
- Firefox,
- Thunderbird,
- Xpdf,
- OpenOffice.org,
- Gaim/Kopete etc.
Any suggestions would be greatly appreciated, as the Windows options seem to require fairly careful running.
Answer:
Proxy software such as Squid would be ideal for this, as you can configure it to require authentication and time out after a given duration.
You will know exactly who is accessing sites and what they are doing. You can find Squid at www.squid-cache.org, and there are plenty of example configurations in the documentation. The hardware you are using sounds more than adequate, and nearly all current Linux distributions provide the tools and programs you list. Mandriva, Ubuntu, Fedora or even SUSE are great options for desktop systems as an alternative to Microsoft Windows.
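As an added example of the auditing the answer describes (not code from the lesson, the Squid project or the poster), here is a Python reader for Squid's native access.log that reports, per authenticated user, the protocols used and any requests made outside an assumed permitted window; the log lines, user names and the 08:00 to 18:00 UTC window are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timezone, time
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log layout:
# timestamp elapsed_ms client result/status bytes method url user hierarchy/peer type
SAMPLE_LOG = """\
1161832856.234    117 192.168.1.10 TCP_MISS/200 3846 GET http://www.example.com/index.html alice DIRECT/93.184.216.34 text/html
1161832901.002     45 192.168.1.10 TCP_DENIED/407 1720 GET http://www.example.com/ - NONE/- text/html
1161871200.500   2201 192.168.1.11 TCP_TUNNEL/200 51200 CONNECT mail.example.com:443 bob HIER_DIRECT/93.184.216.35 -
1161871260.010    330 192.168.1.12 TCP_MISS/226 8192 GET ftp://ftp.example.org/pub/readme.txt carol DIRECT/198.51.100.7 text/plain
"""

# Permitted window (assumed site policy); timestamps are interpreted in UTC.
ALLOWED_HOURS = (time(8, 0), time(18, 0))

def parse_line(line):
    """Split one native-format line into a dict; returns None for short or blank lines."""
    parts = line.split()
    if len(parts) < 10:
        return None
    return {
        "when": datetime.fromtimestamp(float(parts[0]), tz=timezone.utc),
        "bytes": int(parts[4]),
        "method": parts[5],
        "url": parts[6],
        "user": parts[7],
    }

def protocol_of(method, url):
    """Map a logged request to the protocol family an access rule would filter on."""
    if method == "CONNECT":
        return "HTTPS"            # TLS to the site is tunnelled through CONNECT
    scheme = urlsplit(url).scheme.lower()
    return {"http": "HTTP", "https": "HTTPS", "ftp": "FTP", "gopher": "GOPHER"}.get(scheme, "OTHER")

def audit(log_text, allowed_hours=ALLOWED_HOURS):
    """Per authenticated user: bytes moved, protocols used, URLs fetched outside permitted hours."""
    start, end = allowed_hours
    report = defaultdict(lambda: {"bytes": 0, "protocols": set(), "out_of_hours": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["user"] == "-":   # '-' = no authenticated user (e.g. a 407 challenge)
            continue
        entry = report[rec["user"]]
        entry["bytes"] += rec["bytes"]
        entry["protocols"].add(protocol_of(rec["method"], rec["url"]))
        if not (start <= rec["when"].time() < end):
            entry["out_of_hours"].append(rec["url"])
    return dict(report)
```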
- The private network is in a routed or non-routed environment (See below)
- A number of private network resources need to be shared with Internet-based users
- The private network encompasses multiple geographic locations
Routed or non-routed
The only requirement for Proxy Server is that all internal network clients are able to access the internal interface of the Proxy Server computer.
In a routed environment, you must ensure that internal network clients that are remote from the Proxy Server internal interface have the routes they need to reach the proxy server.

A proxy server acts as an intermediary between your computer and the Internet. It is most frequently used when there is a corporate intranet and users are connected to a LAN. It can also work with a firewall to provide a security barrier between your internal network and the Internet. In addition, corporate administrators can balance proxy loads and block undesirable sites. Proxy servers are becoming more advanced in their ability to reduce network traffic by caching content that is frequently requested by the browsers they serve.
Proxy Server Characteristics
A proxy server has the following characteristics.
- A proxy server can freely modify application layer data
- It usually receives a TCP session from the origin
- It usually forms a TCP session to the target
- It may read application layer data to determine the target
- It is the target of the IP packet when using the IP protocol
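An added example, not code from the lesson, that shows the listed characteristics in working Python: the request-handling core of a forward proxy (the sockets around it are omitted) reads the application-layer data sent by the origin to decide which target to open a TCP session to, and modifies that data before it is forwarded. The proxy name, the supported schemes and their default ports are assumptions.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "ftp": 21, "gopher": 70}   # schemes this proxy speaks (assumed)
PROXY_NAME = "1.1 example-proxy"                         # assumed name for the Via header

def parse_request(raw):
    """Return (method, target, version, headers) from the bytes received from the origin."""
    head = raw.partition(b"\r\n\r\n")[0].decode("latin-1")
    lines = head.split("\r\n")
    try:
        method, target, version = lines[0].split(" ")
    except ValueError:
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: " + line)
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers

def select_target(method, target, headers):
    """Decide (host, port, tunnel) for the TCP session the proxy forms to the target:
    CONNECT carries host:port; other methods carry an absolute URL or a path plus Host."""
    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        return host, int(port), True
    parts = urlsplit(target)
    if parts.scheme:
        if parts.scheme not in DEFAULT_PORTS:
            raise ValueError("unsupported scheme: " + parts.scheme)
        return parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme], False
    if "host" not in headers:
        raise ValueError("origin-form request without Host header")
    host, _, port = headers["host"].partition(":")
    return host, int(port or 80), False

def rewrite_for_target(method, target, version, headers):
    """Modify the application-layer data before forwarding: reduce the absolute URL to
    a path, drop headers meant only for the proxy, and add a Via header."""
    parts = urlsplit(target)
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    out = dict(headers)
    out.pop("proxy-connection", None)       # hop-by-hop: meaningful only between client and proxy
    out.pop("proxy-authorization", None)    # the user's proxy credentials must not reach the site
    out["via"] = PROXY_NAME
    return method, path, version, out
```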
Application Server Routing SOAP Requests
The following list contains the characteristics of an application server delivering SOAP requests.
- Conforms to well-defined routing protocols
- Usually receives a TCP session from the origin
- Usually forms a TCP session to the target
- May read application layer data to determine the target
- Is the target of the IP packet when using the IP protocol
Dynamic Host Configuration Protocol
All Windows Server operating systems support Dynamic Host Configuration Protocol (DHCP), which businesses can use to assign IP addresses to computers on the company network automatically. DHCP lets network administrators add systems to the network quickly, without having to configure IP address and gateway information manually. In addition to assigning IP addresses, you can also configure DHCP to provide proxy connection details to computers on the network if your company uses a proxy server to filter and serve web traffic between the local network and the Internet. By creating predefined options and values in the DHCP settings, browsers on network computers connect to the Internet using the proxy server settings specified by the administrator on the Windows Server machine.
Question: Proxy Server is an appropriate solution only if the private network is in a routed environment (True or False?).
Answer: False. The private network may be in either a routed or non-routed environment.
Proxy Server Design Requirements and Constraints
Before you create your Proxy Server design, you must gather the requirements and constraints, both business and technical, of the organization.
As you create your design, you make design decisions based on the requirements and constraints that you collect. The list of the design requirements and constraints that you collect includes:
- Characteristics of the data transmitted through the proxy server, including
  - The amount of data transmitted through the proxy server
  - The confidentiality of the data transmitted through the proxy server
- Resources in the private network that must be accessed by Internet-based users
- Plans for future network growth
- Characteristics of the existing proxy server, including
  - Protocols in use in the private network
  - Proxy server placement
  - Wide area network (WAN) connections in use
- Response times for applications that access resources through the proxy server(s)
- Acceptable percentage of time that users require access through the proxy server(s)
Proxy Server Design Decisions
After you determine the business and technical requirements and constraints, apply the information you gathered to make Proxy Server design decisions. To create your Proxy Server design, you must choose the
- Types of connections, persistent or nonpersistent, that each proxy server must support
- Types of Proxy Server clients that must be supported by each proxy server
- Connection technologies, including T1, Public Switched Telephone Network (PSTN), Integrated Services Digital Network (ISDN), Digital Subscriber Line (DSL), or X.25, that each proxy server must support
- Dynamic routing protocols or manual routing table entries that each router must support
- Multiple connections and multiple proxy servers to improve availability and performance
- Criteria that you will adopt to filter traffic
The lessons that follow in this chapter provide the information required for you to make specific Proxy Server design recommendations.
Internet Connectivity Designs
The most common solution that you will provide in your designs is found in Internet connectivity designs. In Internet connectivity designs, you connect private networks to the Internet. Your primary concern in Internet connectivity designs is to provide Internet access for private network users and to give private network resources access to Internet users. Typically, in Internet connectivity designs, the proxy server takes the place of a firewall. As a result, security is one of your primary concerns in Internet connectivity designs.
In the next lesson, you will learn the benefits of integrating Proxy Server with other networking services.