global security disclosure

proxy.doc

Posted Aug 17, 1999
Authored by rhino9

Understanding Proxy Server and Firewall Strategies - NeonSurge

MD5 | 19c06d02897c11cf3693860bfda1bd1b

Understanding Microsoft Proxy Server 2.0
By NeonSurge
Rhino9 Publications

Preface-
This document was not made for people who have been working with Microsoft Proxy Server since its beta (Catapult) days. It is made for individuals who are curious about the product and security professionals who are curious as to what Microsoft Proxy Server has to offer. This document is also written for individuals who have a general idea of what a Proxy Server does but want to know more. This paper discusses Proxy Server Features and Architecture, Access Control, Encryption, and Firewall Strategies (which I have been getting a lot of requests for).

The second part of the documentation goes into Firewall types and strategies, so if that's the reason you downloaded the documentation, go straight to page 8, I believe.

What is Microsoft Proxy Server?

Microsoft Proxy Server is a "firewall" and cache server. It provides additional Internet security and can improve network response, depending on its configuration. The reason I put the word firewall in quotes is that Proxy Server should not be considered a stand-alone solution to a firewall need. When you are done reading this document, you will have an advanced understanding of the Proxy Server product and also understand firewall techniques and topologies.

Proxy Server can be used as an inexpensive means to connect an entire business through only one valid IP address. It can also be used to allow more secure inbound connections to your internal network from the Internet. By using Proxy Server, you are able to better secure your network against intrusion. It can be configured to allow your entire internal private network to access resources on the Internet while blocking any inbound access.

Proxy Server can also be used to enhance the performance of your network by using advanced caching techniques. It can be configured to save local copies of requested items from the Internet. The next time that item is requested, it can be retrieved from the cache without having to connect to the original source. This can save an enormous amount of time and network bandwidth.

Unlike Proxy Server 1.0, Proxy Server 2.0 includes packet filtering and many other features that we will be discussing.

Proxy Server provides its functionality by using three services:

• Web Proxy: The Web Proxy service supports HTTP, FTP, and Gopher for TCP/IP clients.
• WinSock Proxy: The WinSock Proxy supports Windows Sockets client applications. It provides support for clients running either TCP/IP or IPX/SPX. This allows networks that run more of a Novell environment to still take advantage of Proxy Server.
• SOCKS Proxy: The SOCKS Proxy is a cross-platform service that allows for secure communication in a client/server capacity. This service supports SOCKS version 4.3a and allows users access to the Internet by means of Proxy Server. SOCKS extends the functionality provided by the WinSock service to non-Windows platforms such as Unix or Macintosh.

Proxy Server's Security Features

In conjunction with other products, Proxy Server can provide firewall-level security to prevent access to your internal network.

• Single Contact Point: A Proxy Server will have two network interfaces. One of these network interfaces will be connected to the external (or "untrusted") network; the other will be connected to your internal (or "trusted") network. This will better secure your LAN from potential intruders.
• Protection of internal IP infrastructure: When IP forwarding is disabled on the Proxy Server, the only IP address that will be visible to the external environment will be the IP address of the Proxy Server. This helps prevent intruders from finding other potential targets on your network.
• Packet Layer Filtering: Proxy Server adds dynamic packet filtering to its list of features. With this feature, you can block or enable reception of certain packet types. This gives you a tremendous amount of control over your network security.

Beneficial Features of Proxy

• IIS and NT Integration: Proxy Server integrates with Windows NT and Internet Information Server more tightly than any other package available on the market. Proxy Server actually uses the same administrative interface used by Internet Information Server.
• Bandwidth Utilization: Proxy Server allows all clients in your network to share the same link to the external network. In conjunction with Internet Information Server, you can set aside a certain portion of your bandwidth for use by your web server services.
• Caching Mechanisms: Proxy Server supports both active and passive caching. These concepts will be explained in more detail further into the document.
• Support for Web Publishing: Proxy Server uses a process known as reverse proxy to provide security while simultaneously allowing your company to publish on the Internet. Using another method known as reverse hosting, you can also support virtual servers through Proxy.

Hardware and Software Requirements

Microsoft suggests the following minimum hardware requirements.

• Intel 486 or higher. RISC support is also available.
• 24 MB RAM for Intel chips; 32 MB RAM for RISC.
• 10 MB of disk space for installation; 100 MB + 0.5 MB per client for cache space.
• 2 network interfaces (adapters, dial-up, etc.)

The following are the suggested minimum software requirements.

• Windows NT Server 4.0
• Internet Information Server 2.0
• Service Pack 3
• TCP/IP

It is highly recommended that Proxy Server be installed on an NTFS partition. If an NTFS partition is not used, not only are you losing NTFS's advanced security features, but the caching mechanisms of Proxy Server will also not work.

It is also recommended that your two network interfaces be configured prior to installation: one interface configured for the external network and one configured for the internal network. (Note: When configuring your TCP/IP settings, DO NOT configure a default gateway entry for your internal network interface.)

• Be sure that "Enable IP Forwarding" is not checked in your TCP/IP settings. Enabling it could seriously compromise your internal security.

What is the LAT?

This is probably one of the most common questions I am asked as a security professional. The LAT, or Local Address Table, is a series of IP address pairs that define your internal network. Each pair defines a range of IP addresses or a single address.

The LAT is generated upon installation of Proxy Server. It defines the internal IP addresses. Proxy Server uses the Windows NT Routing Table to auto-generate the LAT. When the LAT is auto-generated, it may contain errors. You should always manually comb through the LAT and check for errors. It is not uncommon to find external IP addresses in the LAT, or to find that entire subnets of your internal IP addresses do not appear in it. It is generally a good idea to have all of your internal IP addresses in the LAT.

• NO EXTERNAL IP ADDRESSES SHOULD APPEAR IN YOUR LAT.

Upon installing the Proxy Server client software, it adds a file named msplat.txt into the \Mspclnt directory. The msplat.txt file contains the LAT. This file is regularly updated from the server to ensure that the LAT the client is using is current.

What is the LAT used for?

Every time a client attempts to use a Winsock application to establish a connection, the LAT is referenced to determine if the IP address the client is attempting to reach is internal or external. If the IP address is internal, Proxy Server is bypassed and the connection is made directly. If the IP address the client is attempting to connect to DOES NOT appear in the LAT, it is determined that the IP address is remote and the connection is made through Proxy Server. By knowing this information, someone on your internal network could easily edit his or her LAT table to bypass Proxy Server.

Some Administrators may not see this as a problem because the LAT is regularly updated from the server, so any changes the user made to his or her LAT will be overwritten. However, if the user saves their LAT with the filename Locallat.txt, the client machine will reference both the msplat.txt and the locallat.txt to determine if an IP address is local or remote. So, by using the locallat.txt method, a user can, in theory, permanently bypass Proxy Server. The locallat.txt file is never overwritten unless the user does so manually.

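The manual LAT review and the locallat.txt problem described in the two sections above can both be checked mechanically. The following is an added example, not code from the original document or from Microsoft. It assumes a LAT file holds one whitespace-separated start/end address pair per line and that you supply the list of networks you consider internal; all addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data (private and documentation ranges), not from a real site.
INTERNAL_NETS = [ipaddress.IPv4Network("10.1.0.0/16"),
                 ipaddress.IPv4Network("192.168.5.0/24")]
SERVER_LAT = """\
10.1.0.0      10.1.255.255
192.168.5.0   192.168.5.127
198.51.100.0  198.51.100.255
"""
CLIENT_LOCALLAT = "203.0.113.10 203.0.113.10\n"


def parse_lat(text):
    """Parse LAT text into (first, last) IPv4Address pairs.

    Assumed layout: one whitespace-separated start/end pair per line.
    """
    ranges = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts:
            continue
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected two addresses: {raw!r}")
        first = ipaddress.IPv4Address(parts[0])
        last = ipaddress.IPv4Address(parts[1])
        if first > last:
            raise ValueError(f"line {lineno}: start address is above end address")
        ranges.append((first, last))
    return ranges


def covered_by(first, last, ranges):
    """True if [first, last] lies wholly inside one of the given ranges."""
    return any(lo <= first and last <= hi for lo, hi in ranges)


def external_entries(lat, internal_nets):
    """LAT ranges that reach outside every declared internal network."""
    bounds = [(n.network_address, n.broadcast_address) for n in internal_nets]
    return [(a, b) for a, b in lat if not covered_by(a, b, bounds)]


def uncovered_networks(lat, internal_nets):
    """Declared internal networks that the LAT does not fully cover."""
    merged = []  # coalesce adjacent or overlapping ranges first
    for first, last in sorted(lat):
        if merged and int(first) <= int(merged[-1][1]) + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], last))
        else:
            merged.append((first, last))
    return [n for n in internal_nets
            if not covered_by(n.network_address, n.broadcast_address, merged)]


def client_route(addr, msplat, locallat=()):
    """Client-side decision as the text describes it: an address found in
    msplat.txt or locallat.txt is treated as local and skips the proxy."""
    ip = ipaddress.IPv4Address(addr)
    table = list(msplat) + list(locallat)
    return "direct" if covered_by(ip, ip, table) else "proxy"


def locallat_additions(msplat, locallat):
    """locallat.txt ranges that the server-issued LAT does not contain."""
    return [(a, b) for a, b in locallat if not covered_by(a, b, msplat)]


if __name__ == "__main__":
    lat = parse_lat(SERVER_LAT)
    local = parse_lat(CLIENT_LOCALLAT)
    for a, b in external_entries(lat, INTERNAL_NETS):
        print(f"external range in LAT: {a} - {b}")
    for n in uncovered_networks(lat, INTERNAL_NETS):
        print(f"internal network missing from LAT: {n}")
    for a, b in locallat_additions(lat, local):
        print(f"locallat.txt adds {a} - {b}; "
              f"route becomes {client_route(str(a), lat, local)}")
```

Run the first two checks against the server LAT after installation and the third against any locallat.txt found on client machines; empty results from all three are the expected state.
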
What changes are made when Proxy Server is installed?

Server side changes:

• The Web Proxy, Winsock Proxy, and SOCKS Proxy services are installed and management items are added into the Internet Service Manager.
• An HTML version of the documentation is added into the %systemroot%\help\proxy\ directory.
• A cache area is created on an NTFS volume.
• The LAT table is constructed.
• Proxy Server Performance Monitor counters are added.
• Client installation and config files are added to the Msp\Clients folder. This folder is shared as Mspclnt and by default has the permissions set to Read for Everyone.

Client side changes:

• The LAT (msplat.txt) file is copied to the client's local hard drive.
• A WSP Client icon is added to Control Panel on Win3.X, Win95 and WinNT clients.
• A Microsoft Proxy Client Program Group is added.
• The winsock.dll file is replaced with Remote WinSock for Proxy. The old winsock file is renamed winsock.dlx.
• The Mspclnt.ini file is copied to the client machine.

Proxy Server Architecture

To understand the architecture of Microsoft Proxy Server, you must first have a basic grasp of how Proxy works for outbound client requests. Here is a simple example:

Joe opens his browser to visit his favorite news site on the net. He types in the site's IP address, which he has memorized because he visits often instead of doing his job. The client compares the IP address Joe entered to the LAT table. Because the IP address is not found on the LAT, it is considered external. Since the client has determined that the IP address is external, it knows it must process the request through Proxy Server. The client hands Joe's request to Proxy Server. Proxy Server then checks the IP address against the access control applied by the Administrator. The Administrator has the ability to stop internal employees from visiting certain sites. Since Joe's request is not on the forbidden list applied by the Administrator, Proxy Server executes the request. Proxy contacts the website and requests the document Joe wanted. After Proxy Server has received the information it requested, it stores a copy in its cache for later use and hands the requested document to the client machine. The website pops up on Joe's browser.

Proxy Server Services: An Introduction

• WebProxy: Web Proxy normally functions with both clients and servers. As a server, it receives HTTP requests from internal network clients. As a client, it responds to internal network clients' requests by issuing their requests to a server on the Internet. The interface between the client and server components of the Web Proxy service provides chances to add value to the connections it services. By performing advanced security checks, the Web Proxy does more than relay requests between an internal client and a server on the Internet. The WebProxy service is an extension of Internet Information Server 3.0. It consists of the following two components: the Proxy Server ISAPI Filter and the Proxy Server ISAPI Application. The Web Proxy service is implemented as a DLL (dynamic link library) that uses ISAPI (Internet Server Application Programming Interface) and therefore runs within the IIS WWW process. The WWW Service must be installed and running in order for proxy requests to be processed.
• WinSock Proxy: WinSock Proxy provides proxy services for Windows Sockets applications. WinSock Proxy allows a Winsock application to function on a LAN and to operate as if it were directly connected to the Internet. The client app uses Windows Sockets APIs to communicate with another application running on an Internet computer. WinSock Proxy intercepts the Windows Sockets call and establishes a communication path from the internal application to the Internet application through the proxy server. The process is totally transparent to the client. The WinSock Proxy consists of a service running on Proxy Server and a DLL installed on each client. The DLL it relies on is the Remote Winsock DLL that replaced the normal winsock.dll. WinSock Proxy uses a control channel between the client and the server to manage the ability of Windows Sockets messages to be used remotely. The control channel is set up when the WinSock Proxy client DLL is first loaded, and it uses the connectionless UDP protocol. The WinSock Proxy client and the WinSock Proxy service use a simple ack protocol to add reliability to the control channel. The control channel uses UDP port 1745 on the proxy server and client computers.
• SOCKS Proxy: Proxy Server supports SOCKS Version 4.3a. Almost all SOCKS V4.0 client applications can run remotely through SOCKS Proxy. SOCKS is a protocol that functions as a proxy. It enables hosts on one side of a SOCKS server to gain full access to hosts on the other side of a SOCKS server, without requiring direct IP access. (To learn more about SOCKS, visit http://www.socks.nec.com/index.html).

Understanding components

This section attempts to better define the components of the architecture that we have mentioned but may not have defined.

ISAPI Filter

The ISAPI Filter interface is one of the components of the Web Proxy service. The interface provides an extension that the Web server calls whenever it receives an HTTP request.

An ISAPI Filter is called for every request, regardless of the identity of the resource requested in the URL. An ISAPI filter can monitor, log, modify, redirect and authenticate all requests that are received by the Web server. The Web service can call an ISAPI filter DLL's entry point at various times in the processing of a request or response. The Proxy Server ISAPI filter is contained in the w3proxy.dll file. This filter examines each request to determine if the request is a standard HTTP request or not.

ISAPI Application

The ISAPI Application is the second of the two Web Proxy components. ISAPI applications can create dynamic HTML and integrate the web with other service applications like databases.

Unlike ISAPI Filters, an ISAPI Application is invoked for a request only if the request references that specific application. An ISAPI Application does not initiate a new process for every request. The ISAPI Application is also contained in the w3proxy.dll file.

Proxy Server's Caching Mechanism

Microsoft Proxy Server handles caching in two different ways: passive and active caching.

• Passive Caching: Passive caching is the basic mode of caching. Proxy Server interposes itself between a client and an internal or external Web site and then intercepts client requests. Before forwarding the request on to the Web server, Proxy Server checks to see if it can satisfy the request from its cache. Normally, in passive caching, Proxy Server places a copy of retrieved objects in the cache and associates a TTL (time-to-live) with that object. During this TTL, all requests for that object are satisfied from the cache. When the TTL has expired, the next client request for that object will prompt Proxy Server to retrieve a fresh copy from the web. If the disk space for the cache is too full to hold new data, Proxy Server removes older objects from the cache using a formula based on age, popularity, and size.
• Active Caching: Active caching works with passive caching to optimize client performance by increasing the likelihood that a popular object will be available in the cache and up to date. Active caching changes the passive caching mechanism by having the Proxy Server automatically generate requests for a set of objects. The objects are chosen based on popularity, TTL, and server load.

Windows Sockets

Windows Sockets is the mechanism for communication between applications running on the same computer or those running on different computers which are connected to a LAN or WAN. Windows Sockets defines a set of standard APIs that an application uses to communicate with one or more other applications, usually across a network. Windows Sockets supports initiating an outbound connection, accepting inbound connections, sending and receiving data on those connections, and terminating a session.

Windows Sockets is a port of the Berkeley Sockets API that existed on Unix, with extensions for integration into the Win16 and Win32 application environments. Windows Sockets also includes support for other transports such as IPX/SPX and NetBEUI.

Windows Sockets supports point-to-point connection-oriented communications and point-to-point or multipoint connectionless communications when using TCP/IP. Windows Sockets communication channels are represented by data structures called sockets. A socket is identified by an address and a port, for example:

131.107.2.200:80

\par }{\b\f1\fs24\cgrid0 Access Control Using Proxy Server
\par }{\f1\cgrid0
\par }{\b\f1\cgrid0 Controlling Access by Internet Service
\par }{\f1\cgrid0
\par Proxy Server can be configured to provide or restrict access based on Service type. FTP, HTTP, Gopher, and Secure (SSL) are all individually configurable.
\par
\par }{\b\f1\cgrid0 Controlling Access by IP, Subnet, or Domain
\par
\par }{\f1\cgrid0 Proxy allows an administrator to control access based on IP Address, Subnet or Domain. This is done by enabling filtering and specifying the appropriate parameters. When configuring this security, you need to decide i
f you want to grant or deny access to an IP address, subnet, or domain. By configuring Proxy Server correctly, you can also set it up to use the internet as your corporate WAN.
\par
\par }{\b\f1\cgrid0 Controlling Access by Port
\par
\par }{\f1\cgrid0 If you are using the WinSock Proxy service, you can control access to the internet by specifying which port is used by TCP and UDP. You can also grant or deny, activate or disable certain ports based on your needs.
\par
\par }{\b\f1\cgrid0 Controlling Access by Packet Type
\par
\par }{\f1\cgrid0 Proxy Server can control access of external packets in
to the internal network by enabling packet filtering on the external interface. Packet filtering intercepts and evaluates packets from the Internet before they reach the proxy server. You can configure packet filtering to accept or deny specific packet ty
pes, datagrams, or packet fragments that can pass through Proxy Server. In addition, you can block packets originating from a specific Internet host.
\par
\par The packet filtering provided by Proxy Server is available in two forms, Dynamic and Static.
\par
\par Dynamic pack
et filtering allows for designed ports to automatically open for transmission, receive, or both. Ports are then closed immediately after connection has been terminated, thereby minimizing the number of open ports and the duration of time that a port is op
en.
\par
\par Static packet filtering allows manual configuration of which packets are and are not allowed.
\par
\par By default, the following Packet settings are enabled on Proxy Server (by default, ALL packet types are blocked except the ones listed below, known as Exceptions):
\par
\par Inbound\tab \tab ICMP ECHO (Ping)
\par Inbound \tab ICMP RESPONSE (Ping)
\par Inbound \tab ICMP SOURCE QUENCH
\par Inbound \tab ICMP TIMEOUT
\par Inbound \tab ICMP UNREACHABLE
\par Outbound \tab ICMP ANY
\par Inbound \tab TCP HTTP
\par In/Outbound \tab UDP ANY (dns)
\par
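\par The following is an added example, not part of the original document and not Proxy Server code. It models the default-deny rule with the exceptions listed above, plus dynamic filtering that opens a port only for the life of a connection. The rule layout, the service names and the reading of the UDP row as DNS traffic are assumptions.

```python
# Added illustration (not Proxy Server code): default-deny packet filtering
# with static exceptions plus dynamic, per-connection openings.
# Field layout and the protocol/service names are assumptions for this sketch.
ANY = "*"

# Static exceptions from the default list above: (direction, protocol, type).
# Assumption: the "UDP ANY (dns)" row is read as DNS traffic in both directions.
STATIC_EXCEPTIONS = [
    ("in", "icmp", "echo"),
    ("in", "icmp", "response"),
    ("in", "icmp", "source-quench"),
    ("in", "icmp", "timeout"),
    ("in", "icmp", "unreachable"),
    ("out", "icmp", ANY),
    ("in", "tcp", "http"),
    ("in", "udp", "dns"),
    ("out", "udp", "dns"),
]


class PacketFilter:
    def __init__(self, exceptions):
        self.static = list(exceptions)
        self.dynamic = set()   # openings that exist only while a connection lives
        self.rejected = []     # dropped packets, the input to a "Rejected Packets" alert

    def open_connection(self, protocol, service):
        # Dynamic filtering: open the port in both directions for this connection.
        self.dynamic.update([("in", protocol, service), ("out", protocol, service)])

    def close_connection(self, protocol, service):
        # Close immediately on termination so the port is not left open.
        self.dynamic.difference_update([("in", protocol, service), ("out", protocol, service)])

    def evaluate(self, direction, protocol, service):
        packet = (direction, protocol, service)
        if packet in self.dynamic:
            return "accept-dynamic"
        for rule in self.static:
            if all(r == ANY or r == p for r, p in zip(rule, packet)):
                return "accept-static"
        self.rejected.append(packet)   # default: anything not listed is blocked
        return "drop"


def demo():
    # Constructed sample traffic, not taken from a real log.
    pf = PacketFilter(STATIC_EXCEPTIONS)
    results = [pf.evaluate("in", "icmp", "echo"), pf.evaluate("in", "tcp", "telnet")]
    results.append(pf.evaluate("out", "tcp", "ftp"))   # closed before any connection
    pf.open_connection("tcp", "ftp")
    results.append(pf.evaluate("out", "tcp", "ftp"))   # open while the connection lives
    pf.close_connection("tcp", "ftp")
    results.append(pf.evaluate("out", "tcp", "ftp"))   # closed again afterwards
    return results, pf.rejected
```

The rejected list is what a "Rejected Packets" style alert would be driven from: every packet that matched neither a static exception nor a live dynamic opening.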
\par }{\b\f1\cgrid0 Logging and Event Alerts}{\f1\cgrid0
\par
\par Events that could affect your system may be monitored, and, if they occur, alerts can be generated. The items listed below are events that will generate alerts:
\par
\par Rejected Packets: Watches external adapter for dropped IP packets.
\par Protocol Violations: Watches for packets that do not follow the allowed protocol structure.
\par Disk Full: Watches for failures caused by a full disk.
\par
\par When any of the events above occurs, an alert is sent to the system log in the NT Event Viewer; Proxy Server can also be configured to e-mail a pre-defined person.
\par
\par When the system logs information concerning Access Control, it does so to a log file stored in the %systemroot%/system32/msplogs/ directory. The log file itself is named Pfyymmdd.log (Where yy=Current year / mm= Current Month / dd= Current day).
\par
\par The Packet log records information related to the following areas:
\par
\par Service Information (Time of Service, Date and Time)
\par Remote Information (The Source IP Address of a possible Intruder, along with port and protocol used)
\par Local Information (Destination IP Address and port)
\par Filter Information (Action taken and what interface (network adapter) issued the action)
\par Packet Information (Raw IP Header in Hex and Raw IP Packet in Hex)
\par }{\b\f1\cgrid0
\par Encryption Issues
\par }{\f1\cgrid0
\par Proxy Server can take full advantage of the authentication and security features of Internet Information Server and SSL tunneling.
\par
\par SSL supports data encryption and server authentication. All data sent to and from the client using SSL is encrypted. If HTTP basic authentication is used in conjunction with SSL, the user name and password are transmitted after the client's SSL support encrypts them.
\par
\par If you want to take advantage of PPTP to provide additional flexibility and security for your clients, you can configure Proxy Server to allow these packets (GRE) to pass through.
\par
\par }{\b\f1\fs24\cgrid0 Other Benefits of Proxy Server
\par
\par }{\b\f1\cgrid0 RAS
\par }{\f1\cgrid0
\par Proxy Server can take full advantage of Windows NT Remote Access Service (RAS). Proxy can be configured to dial on demand when an internal client makes a request that must be satisfied from the external network. The RAS feature can be configured to only allow connectivity during certain hours. The Dial-Up Network Scripting tool can also be used to automate certain processes using Proxy Server and RAS. For companies that have a standard constant connection (ISDN, T1, T3) to the Internet, the RAS ability provided by Proxy Server can be used as a back-up should your constant connection fail.
\par
\par }{\b\f1\cgrid0 IPX/SPX
\par
\par }{\f1\cgrid0 Microsoft Proxy Server was developed with support for Internet Packet Exchange/Sequenced Packet Exchange or IPX/SPX. IPX/SPX is a transport protocol group somewhat similar to TCP/IP.
\par
\par There are many situations when a client computer may have both IPX/SPX and TCP/IP protocols installed although the company's internal network may only use IPX/SPX. Simply disabling TCP/IP while on the LAN will not get the IPX/SPX component of the Proxy client software working. You will need to go into Control Panel, open the Wsp Client icon and check the box that reads "Force IPX/SPX protocol". This must be done because even though the TCP/IP protocol was disabled, the WinSock Proxy Client still detects its presence and will attempt to create a standard IP socket. By enabling the "Force IPX/SPX Protocol" option, this problem should disappear.
\par
\par }{\b\f1\fs24\cgrid0 Firewall Strategies
\par
\par }{\f1\cgrid0 A firewall is a system that enforces access control policies. The enforcement is done between an internal, or \ldblquote trusted\rdblquote network and an external, or \ldblquote untrusted\rdblquote
network. The firewall can be as advanced as your standards require. Firewalls are commonly used to shield internal networks from unauthorized access via the Internet or other external network.
\par
\par }\pard\plain \s1\keepn\nowidctlpar\outlinelevel0\adjustright \b\f1\fs20 Logical Construction
\par \pard\plain \nowidctlpar\adjustright \fs20\cgrid {\f1\cgrid0
\par The single basic function of a firewall is to block unauthorized traffic between a trusted system and an untrusted system. This process is normally referred to as Filtering. Filtering can be viewed as either permitting or denying traffic access to a network.
\par
\par Firewalls know what traffic to block because they are configured with the proper information. This information is known as an Access Control Policy. The proper approach to an access control policy will depend on the goals of the network security policy and the network administrator.
\par
\par }\pard\plain \s2\keepn\nowidctlpar\outlinelevel1\adjustright \b\f1\fs22 Exploring Firewall Types
\par \pard\plain \nowidctlpar\adjustright \fs20\cgrid {\b\f1\fs22\cgrid0
\par }{\f1\cgrid0 Originally, there were two types of firewalls. These two types have now grown and overlapped each other to the point where distinction is hard. We will explore the differences between these two types and discuss Firewall building topologies.
\par
\par }\pard\plain \s1\keepn\nowidctlpar\outlinelevel0\adjustright \b\f1\fs20 Network Level Firewalls
\par \pard\plain \nowidctlpar\adjustright \fs20\cgrid {\b\f1\cgrid0
\par }{\f1\cgrid0 Network level firewalls operate at the IP packet level. Most of these have a network interface to the trusted network and an interface to the untrusted network. They filter by examining and comparing packets to their access control policies or ACLs.
\par
\par Network level firewalls filter traffic based on any combination of Source and Destination IP, TCP Port assignment and Packet Type. Network Level firewalls are normally specialized IP routers. They are fast and efficient and are transparent to network operations. Today\rquote s network level firewalls have become more and more complex. They can hold internal information about the packets passing through them, including the contents of some of the data. We will be discussing the following types of network level firewalls:
\par
\par {\pntext\pard\plain\f3\fs20 \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \fi-360\li360\nowidctlpar\jclisttab\tx360{\*\pn \pnlvlblt\ilvl0\ls2\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}}\ls2\adjustright {\f1\cgrid0 Bastion Host
\par {\pntext\pard\plain\f3\fs20 \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \fi-360\li360\nowidctlpar\jclisttab\tx360{\*\pn \pnlvlblt\ilvl0\ls2\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}}\ls2\adjustright {\f1\cgrid0 Screened Host
\par {\pntext\pard\plain\f3\fs20 \loch\af3\dbch\af0\hich\f3 \'b7\tab}}\pard \fi-360\li360\nowidctlpar\jclisttab\tx360{\*\pn \pnlvlblt\ilvl0\ls2\pnrnot0\pnf3\pnstart1\pnindent360\pnhang{\pntxtb \'b7}}\ls2\adjustright {\f1\cgrid0 Screened Subnet
\par }\pard \nowidctlpar\adjustright {\f1\cgrid0
\par }\pard\plain \s1\keepn\nowidctlpar\outlinelevel0\adjustright \b\f1\fs20 Bastion Host Firewall
\par \pard\plain \nowidctlpar\widctlpar\adjustright \fs20\cgrid {\f1
\par Bastion hosts are probably one of the most common types of firewalls. The term bastion refers to the old castle structures used in Europe, mainly for drawbridges.
\par
\par The Bastion host is a computer with at least one interface to the trusted network and one to the untrusted network. When access is granted to a host from the untrusted network by the bastion host, all traffic from that host is allowed to pass unbothered.

\par In a physical layout, bastion hosts normally stand directly between the inside and outside networks, with no other intervention. They are normally used as part of a larger more sophisticated firewall.
\par
\par The disadvantages to a bastion host are:
\par
\par {\pntext\pard\plain\fs20\cgrid \hich\af0\dbch\af0\loch\f0 -\tab}}\pard \fi-360\li360\nowidctlpar\widctlpar\jclisttab\tx360{\*\pn \pnlvlblt\ilvl0\ls3\pnrnot0\pnindent360\pnhang{\pntxtb -}}\ls3\adjustright {\f1
After an Intruder has gained access, he has direct access to the entire network.
\par {\pntext\pard\plain\fs20\cgrid \hich\af0\dbch\af0\loch\f0 -\tab}}\pard \fi-360\li360\nowidctlpar\widctlpar\jclisttab\tx360{\*\pn \pnlvlblt\ilvl0\ls3\pnrnot0\pnindent360\pnhang{\pntxtb -}}\ls3\adjustright {\f1 Protection is not advanced enough for most network applications.
\par }\pard \nowidctlpar\widctlpar{\*\pn \pnlvlcont\ilvl0\ls0\pnrnot0\pndec }\adjustright {\f1
\par }\pard\plain \s1\keepn\nowidctlpar\widctlpar{\*\pn \pnlvlcont\ilvl0\ls0\pnrnot0\pndec }\outlinelevel0\adjustright \b\f1\fs20 {\cgrid Screened Host Firewall
\par }\pard\plain \nowidctlpar\widctlpar{\*\pn \pnlvlcont\ilvl0\ls0\pnrnot0\pndec }\adjustright \fs20\cgrid {\b\f1
\par }{\f1 A more sophisticated network level firewall is the screened host firewall. This firewall uses a router with at least one connection to the trusted network and one connection to a bastion host. The router serves as a preliminary screen for the bastion host. The screening router sends all IP traffic to the bastion host after it filters the packets. The router is set up with filter rules. These rules dictate which IP addresses are allowed to connect, and which ones are denied access. All other packet scrutiny is done by the bastion host. The router decreases the amount of traffic sent to the bastion host and simplifies the bastion\rquote s filtering algorithms.
\par
\par The physical layout of a Screened Host is a router with one connection to the outside network, and the other connection with a bastion host. The bastion host has one connection with the router and one connection with the inside network.
\par
\par Disadvantages to the Screened Host are:
\par
\par {\pntext\pard\plain\fs20\cgrid \hich\af0\dbch\af0\loch\f0 -\tab}}\pard \fi-360\li360\nowidctlpar\widctlpar\jclisttab\tx360{\*\pn \pnlvlblt\ilvl0\ls3\pnrnot0\pnindent360\pnhang{\pntxtb -}}\ls3\adjustright {\f1 The single screened host can become a traffic bottleneck
\par {\pntext\pard\plain\fs20\cgrid \hich\af0\dbch\af0\loch\f0 -\tab}}\pard \fi-360\li360\nowidctlpar\widctlpar\jclisttab\tx360{\*\pn \pnlvlblt\ilvl0\ls3\pnrnot0\pnindent360\pnhang{\pntxtb -}}\ls3\adjustright {\f1
If the host system goes down, the entire gateway is down.
\par }\pard \nowidctlpar\widctlpar{\*\pn \pnlvlcont\ilvl0\ls0\pnrnot0\pndec }\adjustright {\f1
\par }\pard\plain \s1\keepn\nowidctlpar\widctlpar{\*\pn \pnlvlcont\ilvl0\ls0\pnrnot0\pndec }\outlinelevel0\adjustright \b\f1\fs20 {\cgrid Screened Subnet Firewalls
\par }\pard\plain \nowidctlpar\widctlpar{\*\pn \pnlvlcont\ilvl0\ls0\pnrnot0\pndec }\adjustright \fs20\cgrid {\b\f1
\par }{\f1 A screened subnet uses one or more additional routers and one or more additional bastion hosts. In a screened subnet, access to and from the inside network is secured by using a group of screened bastion host computers. Each of the bastion hosts acts as a drawbridge to the network.
\par
\par The physical layout of a Screened subnet is somewhat more difficult, but the result is a more secure, robust environment. Normally, there is a router with one connection to the outside network and the other connection to a bastion host. The bastion host has one connection to the outermost router and one connection to another bastion host, with an addressable network in the middle. The innermost bastion host has one connection to the outermost bastion and another connection to an inside router. The inside router has one connection to the inner bastion host and the other connection to the inside network. The result of this configuration is the security components are normally never bogged down with traffic and all internal IP addresses are hidden from the outside, preventing someone from \ldblquote mapping\rdblquote your internal network.
\par
\par Disadvantages to using this type of firewall are:
\par
\par {\pntext\pard\plain\fs20\cgrid \hich\af0\dbch\af0\loch\f0 -\tab}}\pard \fi-360\li360\nowidctlpar\widctlpar\jclisttab\tx360{\*\pn \pnlvlblt\ilvl0\ls3\pnrnot0\pnindent360\pnhang{\pntxtb -}}\ls3\adjustright {\f1 They can be two or three times more expensive than other types of firewalls
\par {\pntext\pard\plain\fs20\cgrid \hich\af0\dbch\af0\loch\f0 -\tab}}\pard \fi-360\li360\nowidctlpar\widctlpar\jclisttab\tx360{\*\pn \pnlvlblt\ilvl0\ls3\pnrnot0\pnindent360\pnhang{\pntxtb -}}\ls3\adjustright {\f1
Implementation must be done by some type of security professional, as these types of firewalls are not for the un-initiated.
\par }\pard \nowidctlpar\widctlpar\adjustright {\f1
\par }\pard\plain \s1\keepn\nowidctlpar\widctlpar\outlinelevel0\adjustright \b\f1\fs20 {\cgrid Application Level Firewalls
\par }\pard\plain \nowidctlpar\widctlpar\adjustright \fs20\cgrid {\b\f1
\par }{\f1 Application level firewalls are hosts running proxy server software located between the protected network and the outside network. Keep in mind that even though Microsoft\rquote s product is called Proxy Server 2.0, it is actually a stand-alone Bastion Host type of system. Microsoft Proxy Server can also, single-handedly, disguise your internal network to prevent mapping. Microsoft Proxy Server 1.0 did not have many of the advanced features presented in version 2.0. The 1.0 version can definitely be called a true proxy server, while the 2.0 version is more of a firewall.
\par
\par Viewed from the client side, a proxy server is an application that services network resource requests by pretending to be the target source. Viewed from the network resource side, the proxy server is accessing network resources by pretending to be the client. Application level firewalls also do not allow traffic to pass directly between the two networks. They are also able to use elaborate logging and auditing features. They tend to provide more detailed audit reports, but generally, as stand-alone security units, do not perform that well. Remember that an Application level firewall is software running on a machine, and if that machine can be attacked effectively and crashed, you are, in effect, crashing the firewall.
\par
\par You may wish to use an application level firewall in conjunction with network level firewalls, as they provide the best all around security.
\par }\pard \nowidctlpar\widctlpar\brdrb\brdrs\brdrw15\brsp20 \adjustright {\f1
\par }\pard \nowidctlpar\widctlpar\adjustright {\f1 That\rquote s it for now.
\par
\par NeonSurge
\par The Rhino9 Team.
\par http://rhino9.abyss.com
\par }{
\par
\par }\pard \nowidctlpar\adjustright {\b\f1\cgrid0
\par }{\f1\cgrid0
\par
\par
\par
\par
\par }{\b\f1\cgrid0
\par
\par
\par }{\f1\cgrid0
\par
\par }}
