Microsoft is about to launch another powerful tool into the BackOffice Suite.
The product, a proxy server code named Catapult, makes connecting your intranet
to the Internet much safer than ever before. The tentative release name for this
little gem is the Microsoft Internet Access Server (IAS), and it is in beta 3
testing as I write this article. Slated for release sometime before the end of
this year, this product will let you sleep a little better at night, knowing
your network is now a safer environment.
What Is a Proxy?
First, the definition of proxy in a
general sense is the "authority or power to act for another." In a
network environment, a proxy server has the authority to act on behalf of other
computers on the network. The IAS serves as proxy by providing access to the
TCP/IP networks such as the Internet while keeping the workstation address
anonymous. Workstation anonymity makes intruder attacks on your machine almost
impossible. I say almost because a trojan horse or virus can still
infiltrate your workstation through a file you download from the Internet, so to
be completely safe at the workstation level, you need more than a proxy server.
But when the workstation is anonymous, a potential intruder has no way of
knowing what client address to attack.
How a Proxy Works
Proxies keep workstations anonymous by
servicing TCP/IP protocol requests for the client. First, the client workstation
makes a TCP/IP-based protocol request, such as entering a universal resource
locator (URL) into a Web browser to pull up a Web page. The client sends the
request to the proxy server and waits for the reply. Then, the proxy server
receives the request and sends it to the destination address, substituting its
server address for the client address. This substitution maintains the anonymity
of the client address. Next, the destination processes the request and sends the
results back to the proxy server. Finally, the proxy returns the results to the
client.
Eliminate Alternative Routes
Simple enough, right? Actually, it
is. The secret to establishing a proxy server is to make sure it is the only
route to your workstations and servers. The proxy server needs at least one
valid, routable IP address. If a real route to the rest of your network doesn't
exist, traffic can't reach your machines.
You can eliminate alternative routes in two ways. The first is to choose an
arbitrary Class C network pool to use internally. For instance, pick something
such as 206.136.112.0 out of the air for one of your Class Cs. This choice gives
you 206.136.112.1 through 206.136.112.254 as internal addresses. This Class C
network pool is probably assigned to someone already, and the routes on the
Internet point to that network, not yours, so you're safe using arbitrary
addresses this way. (For more on IP addressing, see Mark Minasi, "How to
Set Up IP," Windows NT Magazine, February 1996; "NT
Workstations Using an IP Router," May 1996; and "Unlock Your Gateway
to the Internet," June 1996.)
The second way is to use what I'll call test address pools. Several
non-routable test address pools are available from InterNIC, the US organization
that manages domains on the Internet. What you need to understand about these
test addresses is that lots of people all over the Internet use them. None of
the backbone Internet Service Providers (ISPs) include routes to these
addresses, so they are useless for routable traffic but perfect for internal use
behind a proxy server.
You're safe using Class C addresses out of the Class A network address pool
of 10.0.0.0. This pool provides more than enough IP addresses for an average
intranet. If you need fewer than 254 addresses, use a Class C network from this
pool. For example, you can have a Class C network, ranging from 10.0.0.1 through
10.0.0.254, that uses a subnet mask of 255.255.255.0. If you need more than one
Class C for internal addresses, simply subnet the 10.0.0.0 again (break the pool
into more manageable pieces for routing in different directions), creating
additional address pools. Subnetting can get rather complex, so seek
administrative help if necessary.
IAS Features
IAS consists of the Remote Windows Socket (RWS)
service and the proxy service. Either of these services or both provide secure
access for your intranet.
The proxy service operates with TCP/IP only and is CERN-Proxy compatible,
which broadens the scope of available client software. The proxy server supports
Web, gopher, and ftp and has a caching feature that can store frequently
requested documents for a given period. Caching reduces bandwidth utilization
and speeds information delivery to the client. The proxy lets you configure what
to cache, what not to, and the size of the cache. You can implement user-level
security, controlling who can and cannot access any particular service. You can
also implement IP address filtering, so you can determine overall access to the
proxy by granting and denying access according to a workstation's address. The
RWS service allows other types of TCP/IP protocols through the IAS and supports
most popular Internet tools.
RWS works with an Internet Packet eXchange (IPX)/Sequenced Packet eXchange
(SPX) protocol on your network. This combination can provide an additional level
of security in the form of a protocol barrier. TCP/IP can't talk to IPX/SPX, so
you get the picture. RWS is compatible with most existing Windows Sockets
1.1-compatible applications and lets you control inbound and outbound access by
port number, protocol, and user or group. You can establish restrictions via
filters that control access to Internet sites by domain name, IP address, and
subnet mask.
The IAS integrates seamlessly into an existing Microsoft Internet suite. If
you're already running Microsoft's Internet Information Server (IIS), IAS fits
like a glove, letting you control the services through the Internet Service
Manager, which comes with both IIS and IAS.