topic How firewall work with proxy in Network Security

How firewall work with proxy

suryakant.chavan — Tue, 12 Mar 2019 01:37:53 GMT

Hi Experts,

We have cisco ASA to filter traffic for internet. We are using websense as proxy server.

Pl's suggest which ip ( Internal user Ip's or only Websense proxy ip ) I should allow on fireall for internet access.

Thanks in advance

Regards,

Surya

How firewall work with proxy

mvsheik123 — Fri, 03 May 2013 16:36:04 GMT

Hi Surya,

You can integrate the websense with ASA. Check the below link from websense.

http://www.websense.com/support/article/t-kbarticle/Configure-PIX-Firewall-ASA-for-Websense-Integration

hth

How firewall work with proxy

sokakkar — Fri, 03 May 2013 19:42:32 GMT

Hi Suryakant,

If Websense is acting as proxy so all connections would be proxied from its IP. So, ASA interface acl should allow traffic from proxy server IP and not the clients IP. Because if you allow clients IP to go out through ASA and if client finds a way to disable proxy in its browser that would defeat the purpose of having a proxy as client can go directly to internet w/o proxy.

With only proxy IP in ASA acl would ensure that client gets denied on ASA even if it finds a way to disable proxy in browser.

Hope this answers your question.

Sourav

Re: How firewall work with proxy

mahesh18 — Sun, 05 May 2013 06:59:22 GMT

Hi Sourav,

Can you please explain me below line in more detail by giving an example ---

If Websense is acting as proxy so all connections would be proxied from its IP. So, ASA interface acl should allow traffic from proxy server IP and not the clients IP.

Also when you say ASA interface ACL what does this ACL mean which interface in ASA we apply this ACL?

Thanks

Mahesh

Message was edited by: mahesh parmar

Re: How firewall work with proxy

suryakant.chavan — Mon, 06 May 2013 09:31:18 GMT

Hi Mahesh,

We should apply acl on inside interface.

If traffic is udp base then we need to allow the traffic from both inside and outside interface, as there is no entry in state table for upd traffic.

Thanks

Surya.

Re: How firewall work with proxy

sokakkar — Mon, 06 May 2013 12:12:25 GMT

Hi Mahesh,

Sure. Now, generally there would be a proxy server which will be used by clients to get to internet. Whenever a client sends a request to internet, it actually gets to the proxy server which in turn uses its IP to get to internet and get the requested site and then it delivers that to inside client, thus, essentially not allowing the client to be in direct contact with internet.

Since all data flows through proxy now, wherein you can apply additional checks on data before delivering it to client.

With all that said, proxy server attemps connection to internet on client system's behalf so it makes sense to allow traffic from proxy server IP. Consider this simple diagram:

Inside users-->Proxy Server-->(ASA inside/internal subnet facing interface)ASA(outside/internet facing interface)-->Internet

Now, you can apply an access-list on inside interface of ASA to allow only specific traffic out from inside subnet. So, in this access-list you only need to allow proxy server IP to get to internet and deny the rest. If you allow the clients to access internet directly as well, it defeats the purpose of having a proxy coz clients will download content from internet which could be malicious.

In addition to that, proxy servers can also make your Internet access work more efficiently. If you access a page on a Web site, it is cached (stored) on the proxy server. This means that the next time you go back to that page, it normally doesn't have to load again from the Web site. Instead it loads instantaneously from the proxy server.

Let me know if that answers your question.

Sourav

Re: How firewall work with proxy

sokakkar — Mon, 06 May 2013 12:13:43 GMT

Also, we don't need to add access-list on outside even if traffic is UDP, ASA preserves state information for UDP as well so it allows replies by default. You need an access-list on outside only if you wish to allow some inbound service like you are hosting a web server or a terminal server etc.

Sourav

Re: How firewall work with proxy

mahesh18 — Wed, 08 May 2013 03:03:48 GMT

Hi Sourav,

Thanks for confirming that ASA is Statefull FW as its remember both tcp/udp traffic.

When on our internet browser we have specfied the location of PAC file.

also if we have websense in the environmnet.

Then if user opens the internet site then how does traffic flow?

If user go to goole.com then browser points to the location of PAC file first or ASA?

i remember when my pc browser has no pc file location specficied i was unable to access certain websites when i put

the pac file location it allow me access.

So do we have config some websites under pac file do those websites bypass the websense? or ASA?

Thanks

Mahesh

How firewall work with proxy

kcnajaf — Wed, 08 May 2013 05:28:20 GMT

Hi Mahesh,

PAC file define how your browser traffic is routed. There may be many entries in the pac file and you should be able to view your pac file by simply opening the path configured on you browser Internet setting using any browser.

A typical out of a PAC file will be as below.

if (shExpMatch(url, "http://group.cisco.com*"))

{ return "DIRECT"; }

else if(shExpMatch(url, "https://abc.org*"))

{ return "PROXY 192.168.10.10:8080"; }

else if(shExpMatch(url, "http://xyz.com/*"))

{ return "PROXY 192.168.100.100:80"; }

When some on tries to browse the url "http://group.cisco.com" the pac file shows this should be routed directly (by pass proxy which is refered as DIRECT on the pac file configuration)..

Likewise when user access "https://abc.org" the traffic would be send to proxy server 192.168.10.10 on port 8080. Please be aware that there may be multiple proxy servers in some organizations. Likewise when user access url "

http://xyz.com/" the traffic will be directed towards 192.168.100.100 on port 80.

To answer your question when user browse google.com (not only google any browser traffic) the traffic always goes to the PAC files. PAC file then determine where to forward this traffic depending on PAC file configuration. The PAC file determine where the traffic should be routed when a http or https request comes and that is the reason why few web sites will are not working with out the proxy pac.

Hope this helps.

Regards

Najaf

Please rate when applicable or helpful !!!

How firewall work with proxy

mahesh18 — Thu, 09 May 2013 03:33:26 GMT

Hi Najaf,

So How is PAC file linked to websense?

When traffic goes to PAC file does it also have configuration to redirect traffic to Websense or ASA?

Regards

Mahesh

How firewall work with proxy

kcnajaf — Thu, 09 May 2013 03:38:32 GMT

Hi Mahesh,

The PAC file will have the information of the proxy server. It looks like in your case your are using the websense as you proxy server. On the sample configuration which i have shared you can see "return "PROXY x.x.x.x " where x.x.x.x is the proxy server ip address.

You will have much understanding once you view your PAC file and co-relate with your proxy ip address.

Hope that helps.

Regards

Najaf

Please rate when applicable or helpful !!!

How firewall work with proxy

mahesh18 — Thu, 09 May 2013 03:47:14 GMT

Hi Najaf,

Many thanks for explanation and replying to all the questions.

Seems i can not give any rating as this question is already answered.

Regards

Mahesh

How firewall work with proxy

kcnajaf — Thu, 09 May 2013 03:54:36 GMT

No problem mate..

Regards

Najaf

Re: How firewall work with proxy

UgithaJayamanna3953 — Thu, 18 Jul 2019 11:24:24 GMT

How to make rule in Asa for Direct connection.if pac is not used, users can browse internet at ease.