Understanding Web Proxy placement and network basics help

Kdes
Good Day

I need help, please, to understand the basics of a network and the placement of where the web proxy would go for web content filtering. Would it go between the router and firewall, or perhaps between the LAN and firewall, or even just simply on the LAN and then use firewall rules?

Network_Basic.gif
 
Usually your web proxy is also your firewall, or at least most decent firewalls have an option to enable a web proxy on them. What firewall do you currently use?
 
It would normally be on your LAN behind your firewall, but as per your diagram it could literally be between the LAN and firewall or between the firewall and modem/router.

But, like irBosOtter says, in many cases the firewall and proxy are one and the same.

However if you are asking how a basic network works...maybe you aren't the right person to be asking these questions.
 
Thanks for the quick replies.
Not really using anything at the moment; I was just wondering how it would be with straight/plain router, firewall and switch devices, so I could understand the basic setup before going into VLANs and all-in-one devices.

SauRoNZA mentioned that it would normally be between the LAN and firewall or between the firewall and router.

If it is between the LAN and firewall, would that mean you would physically connect the 1st NIC to the firewall and the 2nd NIC to the switch? Or would you just connect the proxy straight to the switch and not the firewall?

So is the below correct?

Network_Basic_3.gif
 
If you don't want any traffic to be able to bypass the proxy server then yes, one port to the firewall and the other port to the switch. Not sure if one can still set up proxy servers in a "one NIC scenario"; the last setup like that I had to do was with an ISA 2006 server, but then it could only be used purely for caching purposes. (Well, also outbound rules, but no publishing.)
 
You can pretty much place it where you feel like. Although, as said, behind the firewall is a better idea than in front of it.

You might also need to consider how you are redirecting to your proxy: via WCCP, PAC files, etc.

Also, as suggested, UTM is pretty much the standard for most companies and can be done pretty inexpensively.
Most decent firewalls can offer caching solutions as well.
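Since this post mentions PAC files as one way of pointing clients at the proxy, here is an added example of one. It is not code from the thread or from any poster. The proxy name proxy.corp.example:3128 and the internal domain corp.example are assumptions; the isInNet/dnsDomainIs/isPlainHostName stand-ins exist only so the file can be run under Node, because a browser supplies the real ones itself.

```javascript
// Added example, not from the thread: a PAC (proxy auto-config) file.
// Assumed names: filtering proxy proxy.corp.example on port 3128, internal
// DNS suffix corp.example. Browsers provide isInNet/dnsDomainIs/
// isPlainHostName; the stand-ins below are only here so Node can run it.

function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => acc * 256 + Number(octet), 0);
}

// Stand-in for the browser's isInNet(). Unlike the real one it does not resolve
// names, so callers must pass a dotted-quad IP literal (see the guard below).
function isInNet(ipLiteral, network, mask) {
  const m = ipToInt(mask);
  return ((ipToInt(ipLiteral) & m) >>> 0) === ((ipToInt(network) & m) >>> 0);
}

function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.endsWith(domain);
}

function isPlainHostName(host) {
  return !host.includes(".");
}

const IPV4_LITERAL = /^\d{1,3}(\.\d{1,3}){3}$/;

// RFC 1918 and loopback ranges that are reachable without the proxy.
const DIRECT_NETS = [
  ["10.0.0.0", "255.0.0.0"],
  ["172.16.0.0", "255.240.0.0"],
  ["192.168.0.0", "255.255.0.0"],
  ["127.0.0.0", "255.0.0.0"],
];

function FindProxyForURL(url, host) {
  // Unqualified names and the internal domain are local: no proxy.
  if (isPlainHostName(host) || host === "localhost" || dnsDomainIs(host, ".corp.example")) {
    return "DIRECT";
  }
  // Only test IP literals against the private ranges. Calling isInNet() with a
  // hostname makes the browser resolve it first, which is slow and leaks lookups.
  if (IPV4_LITERAL.test(host)) {
    for (const [net, mask] of DIRECT_NETS) {
      if (isInNet(host, net, mask)) return "DIRECT";
    }
  }
  // Everything else goes via the filtering proxy. Deliberately no "; DIRECT"
  // fallback: if the proxy is down the browser fails closed instead of trying
  // to bypass the filter (the firewall should drop that attempt anyway).
  return "PROXY proxy.corp.example:3128";
}
```

Serve it as wpad.dat or push its URL by group policy, and pair it with the firewall rule discussed later in the thread: a PAC file only tells a cooperating browser where to go, so the firewall still has to drop direct connections from anything that ignores it.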
 
Typically, the proxy would be on your local network, same as your workstations (or on a separate server network, depending on the size of your company). The firewall would be configured to drop/reject any outbound traffic from any IP other than the proxy, such that the proxy is the only computer on the internal network that is able to reach the internet.

The proxy then is configured to allow or deny traffic selectively according to whatever rules you desire, such as authentication, malware detection, site "rating" or categorisation, etc, etc.
 
> Typically, the proxy would be on your local network, same as your workstations (or on a separate server network, depending on the size of your company). The firewall would be configured to drop/reject any outbound traffic from any IP other than the proxy, such that the proxy is the only computer on the internal network that is able to reach the internet.
>
> The proxy then is configured to allow or deny traffic selectively according to whatever rules you desire, such as authentication, malware detection, site "rating" or categorisation, etc, etc.

Hi RoganDawes
Thank you for your reply.
If I understand correctly, you are saying this would be a one-NIC proxy setup? Pretty much connect straight to your LAN switch?
 
> Hi RoganDawes
> Thank you for your reply.
> If I understand correctly, you are saying this would be a one-NIC proxy setup? Pretty much connect straight to your LAN switch?

No, that would not be a one-NIC setup. Two NICs, one going to your internal network and the other one to the firewall, so all traffic has to pass through the proxy to get out through the firewall.

But in the scenario he described NATting is also happening on the proxy; not too many companies would do that, unless they place the firewall behind it in transparent mode so that double NATting does not happen.

Edit: I also suspect you are only talking about outgoing web traffic and other client programs that need to communicate out over the internet. I think that's where I misunderstood a bit: if you have any internal servers that need publishing to the internet then you will still need to configure that on the firewall. I just took "such that the proxy is the only computer on the internal network that is able to reach the internet" to mean that, if that's the case, one obviously has no internal servers that need publishing.
 
> No, that would not be a one-NIC setup. Two NICs, one going to your internal network and the other one to the firewall, so all traffic has to pass through the proxy to get out through the firewall.
>
> But in the scenario he described NATting is also happening on the proxy; not too many companies would do that, unless they place the firewall behind it in transparent mode so that double NATting does not happen.

Actually, YES, that WOULD be a one-NIC setup. No need to do fancy routing or dual-hosting; simply allow or deny traffic on HTTP ports at the firewall, based on the IP address that it is coming from. If it is coming from the proxy, allow; otherwise deny. The proxy wouldn't do any NAT; it would simply make another request from the IP address of the proxy (duh!) that the firewall would then NAT.
 
Ok, so like anything in IT, there are many ways of doing things. Looks like either way will work fine. I was just wondering what the typical company setup would be.

I have been doing some other reading and it seems these days transparent proxies are becoming very popular. Because there is no way to tell the browsers to use a transparent proxy, I would think in a transparent proxy setup one would want to force the traffic through. Which means the only way would be between the LAN and firewall. Is that correct?
 
> Actually, YES, that WOULD be a one-NIC setup. No need to do fancy routing or dual-hosting; simply allow or deny traffic on HTTP ports at the firewall, based on the IP address that it is coming from. If it is coming from the proxy, allow; otherwise deny. The proxy wouldn't do any NAT; it would simply make another request from the IP address of the proxy (duh!) that the firewall would then NAT.

No, it would not be, necessarily. A proxy with only one NIC can be bypassed, obviously....

You can still block it at the firewall, but the proxy can be bypassed; I suppose for smaller setups it's fine?
The only way it cannot be bypassed is with one NIC to the network and another NIC to the firewall, so that ALL network traffic has to pass through the proxy to get out over the firewall...
Do people still set it up in the way you describe? I had a setup like that years ago at my house, actually, for caching purposes.
 
> Ok, so like anything in IT, there are many ways of doing things. Looks like either way will work fine. I was just wondering what the typical company setup would be.
>
> I have been doing some other reading and it seems these days transparent proxies are becoming very popular. Because there is no way to tell the browsers to use a transparent proxy, I would think in a transparent proxy setup one would want to force the traffic through. Which means the only way would be between the LAN and firewall. Is that correct?

Yes, it would be between the LAN and firewall mostly, or even between routers on your network; it all depends on what you want to use it for. Like you see and said, many ways to do things; it all comes down to what you want to accomplish.
 
> No, it would not be, necessarily. A proxy with only one NIC can be bypassed, obviously....

You claim this, and then go on to say exactly what I detailed.

> You can still block it at the firewall, but the proxy can be bypassed; I suppose for smaller setups it's fine?
> The only way it cannot be bypassed is with one NIC to the network and another NIC to the firewall, so that ALL network traffic has to pass through the proxy to get out over the firewall...
> Do people still set it up in the way you describe? I had a setup like that years ago at my house, actually, for caching purposes.

If the firewall is blocking all http traffic, except for traffic from the proxy, how exactly would you bypass it? Assuming no "collusion" using a website/server outside the firewall, that is. Obviously there are millions of ways of getting around the firewall if there is a cooperating endpoint outside. E.g. tunneling over DNS.

Even then, with a suitably configured firewall, and appropriately paranoid proxy, you can block most ways of getting around the firewall.

Disclaimer: I wrote WebScarab and OWASP Proxy
 
> Ok, so like anything in IT, there are many ways of doing things. Looks like either way will work fine. I was just wondering what the typical company setup would be.
>
> I have been doing some other reading and it seems these days transparent proxies are becoming very popular. Because there is no way to tell the browsers to use a transparent proxy, I would think in a transparent proxy setup one would want to force the traffic through. Which means the only way would be between the LAN and firewall. Is that correct?

Again, it depends. You can implement transparent proxies using e.g. Linux's TPROXY iptables target. Yes, that Linux server would need to be on the path that the packets take to get from the client to the internet. A suitable program on the firewall can repackage those connections using the SOCKS protocol and pass them on to the proxy server, which would then fulfil the request on behalf of the client.

An alternative would be to use policy-based routing to direct only HTTP traffic to the proxy, and route all other traffic to the firewall.
 
In all corporate implementations I've managed, the proxy is on the internal network with one NIC (excluding the admin interface). For users to connect to the internet they need to surf via the proxy server. The firewall has rules set up so that only the proxy server can connect out, and by default blocks all other connections out.

There is no way to bypass this.
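The policy described in RoganDawes's earlier post ("drop/reject any outbound traffic from any IP other than the proxy") and in the post just above ("only the proxy server can connect out") is small enough to model. The block below is an added example, not from the thread or any poster: it evaluates constructed sample flows against a first-match rule table and renders the same table as iptables commands. The addresses (LAN 10.0.0.0/24, proxy 10.0.0.10, internal resolver 10.0.0.53) and the WAN interface name eth0 are assumptions. It also carries the DNS restriction that the earlier "tunnelling over DNS" remark points at: if every client may reach outside DNS servers, the HTTP rule alone is not enough.

```javascript
// Added example, not from the thread: a first-match model of the egress policy
// (only the proxy may go out on 80/443, everything else from the LAN is dropped)
// plus the iptables commands the same table turns into. Assumed addresses:
// LAN 10.0.0.0/24, proxy 10.0.0.10, internal resolver 10.0.0.53, WAN on eth0.

function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => acc * 256 + Number(octet), 0);
}

function inCidr(ip, cidr) {
  const [net, bits = "32"] = cidr.split("/");
  const n = Number(bits);
  const mask = n === 0 ? 0 : (0xffffffff << (32 - n)) >>> 0; // n=0 would shift by 0 in JS
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
}

// FORWARD-chain rules for LAN -> internet, evaluated top to bottom; the first
// match wins. A field left out matches anything.
const EGRESS_RULES = [
  // Only the proxy may speak HTTP/HTTPS to the outside world.
  { src: "10.0.0.10/32", proto: "tcp", dport: 80,  action: "ACCEPT" },
  { src: "10.0.0.10/32", proto: "tcp", dport: 443, action: "ACCEPT" },
  // Only the internal resolver may talk to outside DNS. Leaving DNS open for
  // every client is what makes a tunnel over DNS possible.
  { src: "10.0.0.53/32", proto: "udp", dport: 53,  action: "ACCEPT" },
  { src: "10.0.0.53/32", proto: "tcp", dport: 53,  action: "ACCEPT" },
  // Everything else from the LAN is dropped (the chain policy is DROP as well).
  { src: "10.0.0.0/24", action: "DROP" },
];

function verdict(rules, flow) {
  for (const r of rules) {
    if (r.src && !inCidr(flow.src, r.src)) continue;
    if (r.proto && r.proto !== flow.proto) continue;
    if (r.dport && r.dport !== flow.dport) continue;
    return r.action;
  }
  return "DROP"; // chain policy when nothing matched
}

// Render the table as iptables commands. The conntrack line comes first so that
// replies to the proxy's own connections are let back in.
function toIptables(rules, wanIf = "eth0") {
  const lines = [
    "iptables -P FORWARD DROP",
    "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
  ];
  for (const r of rules) {
    let cmd = `iptables -A FORWARD -o ${wanIf} -s ${r.src}`;
    if (r.proto) cmd += ` -p ${r.proto}`;
    if (r.dport) cmd += ` --dport ${r.dport}`;
    lines.push(`${cmd} -j ${r.action}`);
  }
  return lines;
}

// Constructed sample flows: what a client whose proxy settings were removed
// can and cannot do once the policy is loaded.
const SAMPLE_FLOWS = [
  { who: "proxy -> web server",            src: "10.0.0.10", proto: "tcp", dport: 443 },
  { who: "client direct to web server",    src: "10.0.0.25", proto: "tcp", dport: 443 },
  { who: "client to outside DNS",          src: "10.0.0.25", proto: "udp", dport: 53 },
  { who: "client to outside proxy :8080",  src: "10.0.0.25", proto: "tcp", dport: 8080 },
  { who: "resolver -> outside DNS",        src: "10.0.0.53", proto: "udp", dport: 53 },
];

function evaluateAll(rules = EGRESS_RULES, flows = SAMPLE_FLOWS) {
  return flows.map((f) => ({ who: f.who, verdict: verdict(rules, f) }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of evaluateAll()) console.log(r.verdict.padEnd(7), r.who);
  console.log(toIptables(EGRESS_RULES).join("\n"));
}
```

Run it with node to see each flow's verdict followed by the rule lines. Rule order is the point: the default-deny line has to come last and the conntrack line first, and the DNS lines are what close the gap that a web-only rule leaves open.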
 
> You claim this, and then go on to say exactly what I detailed.
>
> If the firewall is blocking all http traffic, except for traffic from the proxy, how exactly would you bypass it? Assuming no "collusion" using a website/server outside the firewall, that is. Obviously there are millions of ways of getting around the firewall if there is a cooperating endpoint outside. E.g. tunneling over DNS.
>
> Even then, with a suitably configured firewall, and appropriately paranoid proxy, you can block most ways of getting around the firewall.
>
> Disclaimer: I wrote WebScarab and OWASP Proxy

Then re-phrase this in your first reply please, because it's confusing (or it's wrong):

"The firewall would be configured to drop/reject any outbound traffic from any IP other than the proxy, such that the proxy is the only computer on the internal network that is able to reach the internet."

That statement sounds like the proxy is the firewall as well, seeing as it has to handle ALL outgoing traffic and is the only one able to access the internet.

But now suddenly it's only HTTP/HTTPS traffic... but you said ALL outbound traffic?
If it was ALL traffic like you said, it would have to be a proxy with two NICs.... and the proxy would then also probably be your firewall and will probably NAT as well, lol, unless you meant a transparent proxy server and not just a proxy server...

And what I mean by bypassing is that a one-NIC proxy can be bypassed; it does not mean you will have internet access if it's blocked at the firewall, but it can still be bypassed if you remove the proxy settings from a client. A two-NIC transparent proxy cannot be bypassed....
 