Corporate networks always have proxy servers, while on home networks they're often an overlooked form of defence. But maybe they shouldn't be.
A local proxy server can help to improve the throughput of your broadband connection, restore order to a troubled network and add another line of defence against malware infections.
What are proxies?
'Proxy' means substitute. To the computers on the local network, a proxy server is a substitute for connecting directly to the web. There are several different types of proxy server. For example, a web proxy server keeps copies of recently accessed web pages on your hard disk.
When you access a page, the proxy serves the cached version if it's up to date. This is faster than downloading static files from the site. All internal computers must use the local web proxy server for it to be effective.
In the settings for your web browser, there's a page to point it at a proxy server rather than the network's default gateway. This gateway is usually a router or the computer attached to your broadband modem. Some proxy servers also block content, especially on corporate networks.
You may be tempted to disable the proxy settings in your browser to view sites your boss would rather you didn't during work hours. However, to ensure that everyone on the network uses the proxy to access the internet, system administrators block all access to the internet at their firewall, except traffic coming from or going to the proxy. So to access anything outside the local network, you must use the proxy.
Forcing everyone to use the proxy gives system administrators great control over what their users can access. The same principle can be used at home by parents and those simply keen to bolster security.
If you find unexpected access attempts in a firewall's log file from inside a proxy-protected network, they're probably coming from malware that doesn't know how to test for a local proxy and has tried to go directly online.
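The check described above, as an added example that is not part of the original article: Python that scans a firewall log for outbound connection attempts from LAN hosts other than the proxy and groups them by source machine. The log layout (a #Fields header followed by space-separated rows), the 192.168.0.0/24 subnet and the sample lines are assumptions constructed for illustration; 192.168.0.2 is the proxy address this article assigns further down.

```python
import ipaddress
from collections import defaultdict

LAN = ipaddress.ip_network("192.168.0.0/24")   # assumed home subnet
PROXY = ipaddress.ip_address("192.168.0.2")    # proxy address used in this article

# Constructed sample log: a #Fields header names the columns of each row.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size
2011-03-01 20:14:02 ALLOW TCP 192.168.0.2 203.0.113.10 49210 80 0
2011-03-01 20:14:05 DROP TCP 192.168.0.7 198.51.100.23 49811 80 0
2011-03-01 20:14:06 DROP TCP 192.168.0.7 198.51.100.23 49812 443 0
2011-03-01 20:14:09 ALLOW UDP 192.168.0.5 192.168.0.1 53011 53 0
2011-03-01 20:15:30 DROP TCP 192.168.0.5 203.0.113.77 50122 6667 0
2011-03-01 20:16:00 DROP TCP 203.0.113.99 192.168.0.2 40000 8080 0
"""

def parse_log(text):
    """Yield one dict per record, using the #Fields header for column names."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):   # skip truncated or malformed rows
                yield dict(zip(fields, values))

def direct_attempts(records, lan=LAN, proxy=PROXY):
    """Group outbound attempts that did not come from the proxy, by source host."""
    hits = defaultdict(set)
    for rec in records:
        try:
            src = ipaddress.ip_address(rec["src-ip"])
            dst = ipaddress.ip_address(rec["dst-ip"])
            port = int(rec["dst-port"])
        except (KeyError, ValueError):       # e.g. ICMP rows with '-' as the port
            continue
        if src in lan and src != proxy and dst not in lan:
            hits[str(src)].add((str(dst), port, rec.get("action", "?")))
    return {host: sorted(dests) for host, dests in hits.items()}

if __name__ == "__main__":
    for host, dests in direct_attempts(parse_log(SAMPLE_LOG)).items():
        print(host, "tried to reach the internet without the proxy:")
        for dst, port, action in dests:
            print(f"  {action} {dst}:{port}")
```

The proxy's own traffic, LAN-internal lookups to the gateway and inbound connections are ignored, so every host listed is a machine worth checking for misconfigured software or malware.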
Installing FreeProxy
FreeProxy (or FreeProxy Internet Suite) is a free Windows-based proxy server that can provide web caching for faster access and is able to block banned web domains. It works on Windows 7 and should ideally run on its own computer. The app is available for free from here.
Once downloaded, unzip the file and double-click on the setup application. When the installation wizard appears, click 'Next' to accept the licence agreement, the default destination folder and Start menu folder, then click 'Install'. When the release notes pop up, click 'Next', then 'Finish'. Click Start and select 'FreeProxy Control Centre'.
Let's begin by configuring and testing FreeProxy for basic use. Open a command line and enter ipconfig. Press [Enter] and one or more blocks of information will appear.
Find the one about the server's Ethernet connection (usually the first one that appears) and note the IP addresses of the default gateway and DNS server. First, we need to stop relying on DHCP to provide IP addresses on demand and use a fixed address instead. This is so other computers on the network can find the proxy server via its address.
In Windows 7 or Vista, open the Control Panel and click 'Network and Internet | Network and Sharing Centre'. In Windows 7, click 'Change Adaptor Settings' in the left-hand pane and double-click the 'Local Area Connection'.
In Vista, click on 'Manage network connections' and double-click on the 'Local Area Connection'.
In XP's Control Panel, double-click 'Network Connections' and then double-click the 'Local Area Connection'. Click 'Properties' and a window will appear showing the underlying configuration. Double-click the entry in the protocol list called 'Internet Protocol Version 4 (TCP/IPv4)'. In XP this is just called 'Internet Protocol (TCP/IP)'.
Another subwindow will appear, giving details on how the computer gets its IP address. Click the radio button marked 'Use the following IP address'. Your default internet gateway (your router) will usually have the address 192.168.0.1, so enter a different number in the fourth position (192.168.0.2, for example).
If you're not sure if this address is already in use, open a command line and enter ping 192.168.0.2. If the command hangs and then returns a set of timeouts, the address isn't in use. Next, enter a subnet mask of 255.255.255.0 and the IP address of your default gateway in the appropriate input boxes.
Select the 'Use the following DNS server addresses' radio button and enter the IP address of the DNS server you noted down earlier. This is probably the same device as the default gateway. Click 'OK' and dismiss the parent windows.
Now we need to make a web browser use the proxy server to access the internet. On a different networked machine, open Internet Explorer 8 and click 'Tools | Internet Options'. Click 'LAN settings' in the Connections tab.
In the subwindow, select the tickbox labelled 'Use a proxy server for your LAN'. Enter the address 192.168.0.2 and change the port number to 8080. Now click 'OK' and dismiss the parent window, then try to surf to a page. The proxy isn't running, so the browser will eventually time out.
In the FreeProxy Control Centre, click the 'Start/Stop' button and a window will appear. To start the proxy server, click the 'Start' button in the Console Mode pane at the bottom.
Windows Firewall may pop up to tell you that it's blocked the program. Ensure that the option to allow FreeProxy to communicate on your home network is selected and click 'Allow Access'. Refresh the page in the browser by pressing [F5]. It should now load properly.
Blocking websites
Proxy servers are often used to block content, and FreeProxy does this admirably via ban lists. Click 'Ban Lists' on the FreeProxy Control Centre and the Ban List Manager will appear. Click 'New'.
Ban lists are split into several categories. Click 'Add' to add a category and a window will appear. Enter a name like Do Not Access. You can define an action the proxy must take when a user tries to access one of the URLs in the category, such as redirecting the user to an external URL or showing a custom error page. Select the 'Standard Response' option and click 'Done'.
To add a URL or IP address to the category, click 'Manage Category Details'. Click 'Add URL/IP' and enter the destination in the input box. If you're entering a URL, omit the 'http://www' prefix.
When you've finished, press 'Done'. Confirm that you want to save your changes and enter a filename for the ban list. So that FreeProxy understands the type of traffic to ban (in this case HTTP), double-click the default Proxy entry on the main pane of the user interface. Select your LAN card in the dropdown Local Binding list and then press 'Permissions'. A subwindow will appear.
Click 'Add Resource', change the type to 'Ban List URL of IP address' and press 'Done' on each subwindow to dismiss it.
On the main interface, click 'Options', then click the 'Activate the Ban List?' tickbox and select the ban list using the file browser below it. Restart the proxy server and try surfing to a banned site. The browser should load nothing, but allow you to surf elsewhere.
Creating error pages
To link an error page you've made to a category in your ban list, open the list again, click the relevant category and change the redirect response to 'Error Page'.
Click the folder icon and select the error page. Click 'Open' to select it and 'Done' to finish. Click 'Done' in the Ban List window and agree to save the list if required. Click 'Done' and restart the proxy.
Now try to access the banned web page. Your custom error page should appear.
To log the domains and IP addresses that any person or program tries to access from your network, click 'Options'. Click 'Log access data' and the relevant options will become active. Enter a path and filename for the log file and leave the report content on 'Forbidden'. This means you'll only record attempts to access banned content.
Select 'Show full URL' to record the full path to the banned page. Click 'Done', try surfing to a banned URL and inspect the content of the log file.