Previous Page: Using Custom Cache Control Headers  Next Page: Automatic Configuration Mechanisms

Managing Appliance Security Features

This section contains the following topics:

  Using the Console Lock Feature
  Using HTTP CONNECT
  Configuring Your CONNECT Method Settings

Using the Console Lock Feature

The iChain Proxy Services console is locked by default to prevent unauthorized access. The password to unlock the console is the Config user password you specified during the initial configuration.

To use the command line interface, you must first unlock the console by entering the following command, where config_user_password is the Config user password:

unlock config_user_password

NOTE:  If no Config user password has been set, the password is null (empty), so anyone with access to the console can unlock it. Set the Config user password during initial configuration so that the console lock actually protects the appliance.

Once the console is unlocked, it remains unlocked until you lock it using the lock command.


Using HTTP CONNECT

The HTTP protocol supports a number of different request methods, such as GET, POST, and CONNECT.

The CONNECT method is normally used to establish a tunneled connection through which encrypted SSL traffic can be sent.

When a proxy server receives a CONNECT request, it is expected to establish a tunneled connection to the DNS host or IP address and port named in the request, and then relay bytes in both directions without interpreting them. Nothing in the method itself restricts the destination: a tunneled connection can be requested to any address and any port.


Security Risks with the CONNECT Method

It is not safe to assume that all CONNECT requests received by proxy servers are actually for SSL traffic. Outsiders frequently scan the Internet for proxies on port 8080 and other commonly used proxy ports to discover proxy servers that are accessible to them.


Proxy Attacks through the Firewall

If a proxy server that supports the CONNECT method is inside a firewall, and the proxy server is accessible from outside the firewall, outsiders can request a tunneled connection to any address and port inside the firewall.

The proxy will set up the connection, allowing the outsider to have access to machines inside the firewall which would normally be inaccessible.

To the machines inside the firewall, it appears that the connection is originating from the proxy server address inside the firewall rather than from outside the firewall.


Anonymous Proxy Attacks

Attackers can use the CONNECT method to request that a publicly accessible proxy server set up a tunneled connection which passes through the proxy. This hides the real address of the attacker.

Attackers can then chain through several proxies by having the first proxy connect to the second, the second connect to the third, and so on, making it very difficult for law enforcement to discover where the attack is actually originating.


iChain Proxy Services Protects Your Network

By default, iChain Proxy Services enables the CONNECT method for forward proxy services and disables it for transparent proxy services.

For proxy services that require CONNECT method support, iChain Proxy Services monitors the data flowing through the tunneled connection. If the data is not SSL-related, the proxy server immediately tears down the tunneled connection and does not forward the data. This prevents outsiders from gaining access through the firewall and prevents attackers from establishing proxy chains to hide their identity.
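The following Python script is an added example, not iChain code and not a description of how iChain implements its check. It illustrates the two points made above: what a CONNECT request line looks like (the Using HTTP CONNECT section) and the policy of opening the tunnel, then inspecting the first bytes the client sends and tearing the tunnel down when they are not an SSL/TLS handshake. The port allowlist and the refusal to tunnel to literal private addresses are added hardening assumed by this example, not behaviour the page attributes to iChain. The sample CONNECT lines and payloads are constructed, not captured traffic.

```python
import ipaddress
import re
import struct

# Request line of an HTTP CONNECT in authority form: "CONNECT host:port HTTP/1.x".
# IPv6 literals are bracketed, e.g. "CONNECT [2001:db8::1]:443 HTTP/1.1".
CONNECT_RE = re.compile(
    r"^CONNECT\s+(?P<host>\[[^\]]+\]|[^:\s]+):(?P<port>\d{1,5})\s+HTTP/1\.[01]$"
)


def parse_connect(request_line: str):
    """Return (host, port) for a well-formed CONNECT request line, else None."""
    m = CONNECT_RE.match(request_line.strip())
    if m is None:
        return None
    port = int(m.group("port"))
    if not 1 <= port <= 65535:
        return None
    return m.group("host").strip("[]"), port


def is_internal(host: str) -> bool:
    """True if host is a literal private, loopback or link-local address.
    Hostnames are deliberately not resolved so the example runs offline;
    a real proxy would resolve the name and check every resulting address."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local


def looks_like_tls_client_hello(data: bytes) -> bool:
    """Heuristic 'is this SSL/TLS?' check on the first bytes the client sends
    after the tunnel opens. A TLS client starts with a Handshake record
    (content type 0x16, legacy version 0x03 0x0X, 2-byte length) whose first
    handshake message is a ClientHello (type 0x01, 3-byte length)."""
    if len(data) < 9:
        return False
    content_type, major, minor, record_len = struct.unpack("!BBBH", data[:5])
    if content_type != 0x16 or major != 0x03 or minor > 0x04:
        return False
    handshake_type = data[5]
    handshake_len = int.from_bytes(data[6:9], "big")
    # A ClientHello may be fragmented over several records, so one record can
    # be shorter than the handshake message but never longer than it.
    return handshake_type == 0x01 and 0 < record_len <= handshake_len + 4


def decide_tunnel(request_line: str, first_client_bytes: bytes,
                  allowed_ports=(443,), block_internal=True):
    """Policy for one CONNECT request. Returns (allowed, reason).
    The TLS check mirrors the behaviour described on the page; the port
    allowlist and the internal-address block are assumptions of this example."""
    target = parse_connect(request_line)
    if target is None:
        return False, "malformed CONNECT request line"
    host, port = target
    if port not in allowed_ports:
        return False, f"port {port} is not an allowed CONNECT port"
    if block_internal and is_internal(host):
        return False, f"{host} is an internal address; refusing to tunnel"
    if not looks_like_tls_client_hello(first_client_bytes):
        return False, "tunnel data is not a TLS handshake; tearing down"
    return True, f"TLS tunnel to {host}:{port} permitted"


# Constructed sample data (not captured from a real client).
# TLS 1.2 record header (0x16, 3.3, length 0xa5) + ClientHello header
# (0x01, length 0xa1) + a 161-byte body beginning with client_version 3.3.
TLS_CLIENT_HELLO = bytes.fromhex("16 03 03 00 a5 01 00 00 a1 03 03") + b"\x00" * 159
# What an attacker sends when abusing the tunnel for plain HTTP to an intranet host.
PLAINTEXT_HTTP = b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"

if __name__ == "__main__":
    for line, payload in [
        ("CONNECT www.example.com:443 HTTP/1.1", TLS_CLIENT_HELLO),
        ("CONNECT www.example.com:443 HTTP/1.1", PLAINTEXT_HTTP),
        ("CONNECT 10.0.0.5:443 HTTP/1.1", TLS_CLIENT_HELLO),
        ("CONNECT 10.0.0.5:25 HTTP/1.1", b"EHLO attacker\r\n"),
    ]:
        allowed, reason = decide_tunnel(line, payload)
        print(f"{line!r}: {'tunnel kept open' if allowed else 'tunnel closed'} ({reason})")
```

The ClientHello test is a heuristic on record framing, not a full TLS parser: it stops the plaintext HTTP, SMTP and similar abuse described in this section, but a determined attacker can prefix a tunnel with a fake handshake record, which is why the destination checks (ports, and whether the target is inside the firewall) matter as much as the content check.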


Configuring Your CONNECT Method Settings

As explained in iChain Proxy Services Protects Your Network, the proxy server is configured by default to use the CONNECT method only when necessary and to verify CONNECT method requests to protect your network against security risks.

We recommend you use the default CONNECT method settings whenever possible.

If you have special configuration requirements and are considering a non-default CONNECT method configuration, consider the following points:


