DESIGN & DEVELOPMENT OF APPLICA THE PROXIES FOR SECURE INTERNET ACCEI

Abstract

Secure Internet access for the organization can be provided through stateful packet filtering firewall and Application (proxy) firewall. Stateful packet filtering firewall cannot detect application level attacks. High-end application firewalls are expensive and are not available because of export restrictions. The existing application firewall, such as squid-cache, uses a large set of access control lists (acl), which increases its complexity. Further, these firewalls don't have (a) any mechanism for detecting tunneling & (b) proper backing up of information flowing through proxy. A need was felt to develop indigenous Application level firewall based on tiny secure proxy servers to meet the custom needs and features. This dissertation presents an approach & implementation of proxies for secure Internet access, to meet the above requirements. These proxies along with doing authentication, command filtration, & URL filtration, can prevent tunneling by analyzing the frequency & content-length of POST operations or by performing content filtration on POST message contents. They take backup of information flowing through them so that administrator can get proper feedback. The proxies work in conjunction with standard packet filtering firewall like ip-filter. They become the HTTP/FTP application servers for all Internet host client requests. The proxy servers will serve the connection requests originating from the internal hosts on behalf of the real servers. They will receive TCP/IP packets for above services and re-assemble the packets belonging to a given application session. The proxy servers will subject the assembled data to Header/URL/RE filtering rules. If these messages pass through those filtering rules, enable them to pass to the real server. In case of a failure, drop the messages & make their entry in the logfile. The approach presented in this dissertation can prevent approximately 90'° of the tunneled data to pass through proxy firewall during interactive tunneled sessions. The proposed proxy firewall contains two proxy servers: HTTP & FTP. These proxies are implemented in C++ for linux platform. These servers uses dual homed host architecture forfrewall configuration.