Many organisations use proxy servers to improve performance (through caching Web pages and graphics), to filter requests to certain sites, to make sure that only certain users can get to the Internet, or as a way of accounting for Web use (logging sites that users visit). Most proxy servers can perform all of these tasks. One of the popular examples would be Microsoft ISA Server, the new replacement for Microsoft Proxy Server 2.0. Cisco Systems recently added the ability for its IOS to run a proxy server. This feature is now built into the IOS and is dubbed "IOS HTTP Authentication Proxy" or "HTTP auth-proxy." The feature is available in the 12.0.5.T Firewall releases (and above) of the IOS software. The HTTP auth-proxy is an interesting idea, but it does have certain limitations that may affect its suitability for your network. How the IOS proxy server works
The IOS HTTP auth-proxy feature performs the typical tasks a proxy server is expected to do:
- Caching
- Authentication/authorisation
- Accounting
- Filtering
An additional feature, which isn't typically expected in a proxy server, is that auth-proxy is designed so that it works with a RADIUS or a TACACS+ authentication/authorisation/accounting (AAA) server to download your profile and allow you access only to the networks, sites, protocols, or ports listed in that profile. In the case of the Cisco IOS proxy server, this list is really a Cisco IOS access list. IOS access lists are designed to be very granular. Typically, "very granular" translates into "hard to configure," and that is the case here. If you're already familiar with access lists, this won't be a problem for you. If not, I'd suggest that you read a couple of good articles on the subject, such as "Understanding the basics of Cisco IP access control lists" and "Get secure with Cisco extended IP access control lists." The access list created for the user while he or she uses the proxy server is dynamic and stays in place on the router only while the user continues to utilise the opened connections. If the user stops using the proxy server, the access list will be removed after the "auth-cache-time" parameter expires on the router. Another important stipulation is that auth-proxy works with only a limited number of RADIUS and TACACS+ servers:
- CiscoSecure Access Control Server (ACS)
- Ascend RADIUS server
- Livingston RADIUS server
The limitation exists because the server isn't just authorising the username and password to allow or prevent access to a Web request -- it's actually providing the router with the IOS access list that is applied for the given username. That means that each user could have an access list of servers, ports, and/or protocols that he or she is allowed to access. If you want to evaluate an AAA server or use one for testing purposes, Cisco offers a free 90-day trial version of its Cisco Secure ACS server for Windows and UNIX. (This link requires a Cisco CCO login.) Also, it's important to note that the connection out of the firewall is created first by the end-user workstation making an HTTP request. After that, other ports can be opened based on the profile stored on the AAA server. Thus, since the initial request must be made by a Web browser, this solution is not a complete one-to-one substitute for the typical Microsoft ISA Server (or Proxy Server 2.0) solution, where you run a proxy/firewall client and can go through the proxy server to make the initial request with any application that needs to access the Internet. In other words, the Cisco HTTP proxy is primarily just that -- a proxy server for handling Web requests. As a result, using Cisco's authentication proxy is probably not for the small office or someone who is looking for a quick and easy proxy server, and it isn't the ideal replacement for Microsoft ISA or Proxy Server. The IOS authentication proxy fulfills a certain niche: managing and controlling Web browsing with security and precision. Of course, if you don't want your client machines to have other multiple applications (running multiple protocols) accessing the Internet, this is an excellent solution. While authentication proxy is compatible with Cisco's IOS Firewall, network address translation (NAT), content based access control (CBAC), and VPN features, the more of these features you combine on one router, the more complex the configuration and troubleshooting become. So for the purposes of this article, we'll stick to a basic configuration as an example. I'll base my Cisco IOS proxy server example on Cisco's article "Authentication Proxy Authentication Outbound -- no CBAC or NAT configuration."
