Subject: Proxy Server 2.0 features & market positioning by Microsoft Program Manager
Date: Wed, 03 Sep 1997 19:57:14 -0700
From: Kerry
Organization: Microsoft
Newsgroups: microsoft.public.proxybeta
This message is in response to a posting by Itai Dor-on on this newsgroup about Proxy Server version 2.0 Beta. Itai had several questions about Proxy Server 2.0 features, security, and market positioning.

I am a Program Manager for Microsoft Proxy Server. I would like to clarify the feature-set and market positioning of Proxy Server v2.0, and respond to some specific comments in Itai's posting.
Proxy Server version 2.0 is currently in 'Beta' status, with the final retail release scheduled for later this calendar year. I would like to apologize for the lack of complete product documentation & marketing information at this time. We are working on improved documentation on the product, to be available before or at product final release. In order to give many people access to our beta versions for evaluation and feedback purposes, we made the decision to put these pre-release versions on the web. We did this knowing that the final complete set of documentation and marketing information was under development, and ask beta customers to be patient while we finish this up and make it available as soon as possible.
First, a bit of history: Microsoft Proxy Server version 1.0, released last October, was positioned as an extensible (via ISAPI) security & performance product for connecting private networks to the Internet. The product includes an application-layer proxy service (Web Proxy) for http, ftp & gopher, and a circuit-layer (Windows Sockets API layer) proxy service (WinSock Proxy) for support of all Internet protocols by transparently remoting client TCP/UDP requests. The version 1.0 product offers the following features:
- Performance & Management
  - Passive Caching
  - Active Caching
  - Tight Integration with Windows NT & IIS
  - Easy GUI setup & admin tools
  - Dial-on-Demand
  - Support for IPX/SPX or TCP/IP on private network
- Security
  - Runs on dual-homed machine with IP routing disabled
  - Built on top of the Windows NT secure networking O/S
  - IP address aggregation (hides internal addresses)
  - Uses a Local Address Table (LAT) to identify internal/external addresses & block external requests
  - Access control by user, protocol, domain (both proxy services)
  - Transaction logging to file or database
We do not refer to Proxy version 1.0 as a firewall, because it does not have the complete set of security features and functionality we consider necessary to position the product as a firewall. However, we do say that Proxy version 1.0 has 'firewall class security' because all of our testing indicates that when configured properly, the Windows NT 4.0 and Proxy Server 1.0 combination offer a very high level of security. In fact, in an independent security evaluation of Proxy Server v1.0 by Coopers & Lybrand, they did not find any security risks associated with the product (please download the Coopers & Lybrand whitepaper from http://www.microsoft.com/proxy/).
Proxy v2.0: Microsoft Proxy Server version 2.0 Final Beta was made available on the web this week. Proxy Server version 2.0 is "An extensible firewall and content cache server, providing Internet security while improving network response-time and efficiency". The most significant features added to the version 2.0 product are:
- Performance & Management
  - Hierarchical Caching
  - Distributed Caching
  - Administration of multiple proxies
  - Product-wide performance improvements
- Security
  - Dynamic Packet Filtering
  - Logging of dropped packets
  - Real-time alerting
  - Reverse Proxy/Virtual Hosting
  - Server Proxy (support for internal servers)

In addition, we've added a SOCKS version 4.3 service to improve our support of non-Windows clients. We also continue to support extensibility via the ISAPI Filter APIs for compatibility with Proxy Server add-ons developed by independent software vendors for Proxy Server versions 1.0 and 2.0.
Proxy Server version 2.0 offers security at three layers. We offer application-layer proxies for http, ftp, gopher (Web Proxy) and circuit/API-layer proxies (WinSock Proxy & SOCKS Proxy). We also add security at the IP packet layer with our dynamic packet filtering feature.

The kernel-mode packet filtering is integrated with the proxy services: ports are 'opened' as necessary, resulting in packets being allowed up the stack for the minimum duration necessary and only on ports being used. We only filter external interfaces, and the default state of received packets for all TCP/IP protocols and TCP/UDP ports is 'drop'. Packets are dropped for the following reasons:
- TCP/IP protocol or port number unexpected
- IP Spoof attempt
- Badly formed fragment
- Fragments not supported (config. option)
- Log disk full

In addition, our packet filtering supports:
- Configuration of static filters for services running on the Proxy Server machine
- Internal servers (email, WWW, etc.) communicating with external servers/clients
- DMZ networks containing IPs routable on the Internet
- Logging of all dropped packets
- Real-time alerting based on thresholds via NT event log and/or email
The added security features and functionality in Proxy Server version 2.0 do make this product an excellent firewall solution, and our positioning statement (above, in quotes) indeed refers to the product as a firewall. Some customers will use Proxy Server v2.0 as their only Internet security device, while other customers will want the combined feature-set of multiple products or desire multiple layers of security and will therefore use our product in conjunction with other security products. It is much more likely that a site would have multiple kinds/layers of security devices than that they would have multiple kinds/layers of mail servers. This is why we differentiate between sites that currently have firewall products and those that do not.
Comments on some of the other issues Itai raises in the posting:

>You don't understand our Reverse Proxy feature<

Reverse Proxy allows the Proxy Server to forward external client requests to internal web servers in a controlled, secure way. The proxy appears to the clients as a single or multiple web servers (client requests are NOT proxy requests), and the routing of requests by the proxy is transparent to the clients. The proxy administrator creates a mapping table associating Internet domain names (with or without paths) to internal domain names (with or without paths). Internal machines not listed in the mapping table will never receive requests from the proxy. By using DNS names (via the http HOST header) and/or URI paths, the proxy can impersonate multiple web servers simultaneously with the advantage of offering security, logging, & caching for these web sites.
>You believe that Proxy Server is for outbound access only<

Microsoft Proxy Server version 1.0 supports internal clients accessing external servers. In Proxy Server version 2.0, we have added support for internal servers and inbound access. Again, these features are configurable by the administrator to avoid unnecessary security risks. The new features to support internal servers are:
- Reverse Proxy (This supports internal Web servers - see above for more information)
- Server Proxy (This supports any TCP/UDP server running on an internal Windows/Windows NT machine)
  This is a new feature of the WinSock Proxy. It is set up by installing the WinSock Proxy client on the internal server machine, and the WinSock Proxy will remote the internal server's Winsock listen() and other APIs. For security, the WinSock Proxy will authenticate a user account on the internal server machine.
- DMZ networks (This supports any TCP/IP-based internal server on a machine with an IP address that can be routed on the Internet)
  This is a feature of our packet filtering and can be used for internal non-Windows server machines such as UNIX mail servers. Security is done by IP address.
>You mention that firewalls are either "Application Gateways" or "Filtering Gateways"<

With three layers of security, Proxy Server v2.0 is both.
- Application-layer security via the Web Proxy.
- Circuit/API-layer security via the WinSock Proxy and SOCKS Proxy.
- IP-layer security with dynamic packet filtering.
>You ask about our support for SMTP<

We do not include an application-layer proxy for SMTP. Our product supports SMTP clients and servers via circuit-layer proxies and packet filtering; however, we do not verify the integrity of the structure of SMTP packets. Most concerns about the structure of SMTP packets are due to serious security bugs that have been found in UNIX-based SENDMAIL servers. Microsoft Exchange Server does not have any known SENDMAIL-like security bugs. In addition, if a mail server is placed on a DMZ network, our packet filtering can be used to protect other internal machines and other machines on the DMZ network.
>You seem to be confused about what's included in Proxy Server vs. what ISVs add with ISAPI extensions<

Everything described in this message is built into the Proxy Server product (version 1.0 or 2.0, as specified). ISVs have written Proxy Server extensions using the ISAPI Filter interface for such functionality as virus-scanning, content-filtering, and application/script blocking. For a list of add-on products to Proxy Server version 1.0, click on the 'Partners Showcase' button at http://www.microsoft.com/proxy/.
I hope this clarifies the feature-set and positioning of Microsoft Proxy
Server. We will continuously update the information on our web site,
develop more detailed marketing literature, and improve product
documentation for the final retail release.
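The default-drop dynamic packet filter described in the post (external interface only, ports opened by the proxy services for a limited time, LAT used to recognise spoofed sources, and the five listed drop reasons) can be modelled as follows. This is an added illustration, not Proxy Server code; the LAT networks, time values and packet fields are constructed for the example.

```python
import ipaddress

# Constructed LAT (Local Address Table): address ranges that are internal.
# A packet arriving on the external interface with one of these as its
# source address cannot be genuine, so it is treated as a spoof attempt.
LAT = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

class DynamicFilter:
    def __init__(self, allow_fragments=True, log_disk_full=False):
        self.static = set()          # (proto, port) for services on the proxy box
        self.dynamic = {}            # (proto, port) -> expiry time, opened on demand
        self.allow_fragments = allow_fragments
        self.log_disk_full = log_disk_full

    def open_port(self, proto, port, ttl, now):
        """A proxy service opens a port only for the time it needs it."""
        self.dynamic[(proto, port)] = now + ttl

    def decide(self, pkt, now):
        """Return (verdict, reason) for one received packet (a plain dict)."""
        if pkt["iface"] != "external":
            return ("allow", "internal interface not filtered")
        if self.log_disk_full:
            return ("drop", "log disk full")      # cannot log, so do not pass
        if any(ipaddress.ip_address(pkt["src"]) in net for net in LAT):
            return ("drop", "IP spoof attempt")
        if pkt.get("frag_offset", 0) or pkt.get("more_frags"):
            if not self.allow_fragments:
                return ("drop", "fragments not supported")
            # offset is in 8-byte units; reassembled datagram must fit in 64 KiB
            if pkt["frag_offset"] * 8 + pkt.get("length", 0) > 65535:
                return ("drop", "badly formed fragment")
        key = (pkt["proto"], pkt["dport"])
        if key in self.static:
            return ("allow", "static filter")
        expiry = self.dynamic.get(key)
        if expiry is not None and expiry > now:
            return ("allow", "port opened by proxy service")
        self.dynamic.pop(key, None)              # expired entry is closed again
        return ("drop", "TCP/IP protocol or port number unexpected")
```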
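The Reverse Proxy mapping table described in the post (external domain name plus optional path mapped to an internal name plus optional path, selected via the HTTP Host header, with unlisted internal machines never reached) can be modelled as follows. This is an added illustration, not Proxy Server code; the host names and mapping entries are constructed, and the rejection of ".." path segments is an added check that the post does not mention.

```python
# Constructed mapping table: (external host, external path prefix) -> internal base URL.
# Only targets listed here can ever receive a request from the proxy.
MAPPING = {
    ("www.example.com", "/"):       "http://web1.corp.internal/",
    ("www.example.com", "/docs/"):  "http://docs.corp.internal/pub/",
    ("shop.example.com", "/"):      "http://web2.corp.internal:8080/store/",
}

def route(host, path):
    """Return the internal URL for an external request, or None to reject it."""
    host = host.lower().split(":")[0]            # Host header may carry a port
    if ".." in path.split("/"):
        return None                              # added check: no escaping the mapped path
    candidates = [(ext_path, target)
                  for (ext_host, ext_path), target in MAPPING.items()
                  if ext_host == host]
    # The most specific (longest) external path prefix wins.
    for ext_path, target in sorted(candidates, key=lambda c: -len(c[0])):
        if path.startswith(ext_path):
            return target.rstrip("/") + "/" + path[len(ext_path):]
    return None                                  # unknown host or path: never forwarded

def dispatch(raw):
    """Parse a minimal HTTP/1.x request head (constructed input) and route it."""
    lines = raw.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {k.strip().lower(): v.strip()
               for k, v in (l.split(":", 1) for l in lines[1:] if ":" in l)}
    host = headers.get("host")
    if host is None:
        return None                              # no Host header: no site can be chosen
    path, _, query = target.partition("?")
    internal = route(host, path)
    if internal is not None and query:
        internal += "?" + query
    return internal
```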