Proxy Server Security Guidelines-Computing Services ISO - Carnegie Mellon University

Proxy Server Security Guidelines

This document contains the following sections:


Overview

Proxy servers configured to allow CONNECT command can be used as a port forwarder. This can be used to launch attacks, hidden by the proxy server, or to compromise the server itself depending on how the proxy server is configured.

Applies to

Any campus affiliate who runs or intends to run a Proxy Server.

Purpose of the Guideline

The Carnegie Mellon Computing Policy establishes a general policy for the use of computing, telephone and information resources. The purpose of this guideline is to establish acceptable practices that support the policy as it applies to Proxy Servers.

This guideline was established to ensure that the Carnegie Mellon community has a clear understanding of proper procedure and usage. Computing Services reserves the right to modify this guideline as necessary. Any changes to this guideline will be posted to official.computing-news and will be reflected on this web page.

Definition/Clarification

Proxy Server - Proxy servers are systems which provide a method for storing Internet objects (web pages, ftp download programs and zip files, etc.) on a machine which is on a given subnet, and thus, closer to the client. By using a proxy server, users enjoy faster access to large files and the original distribution site sees less "heavy traffic", so everyone (potentially) wins.

Guideline Statement

Proxy servers should be configured to either completely disallow the CONNECT command or to only allow CONNECTs to specific ports as needed. Alternately, do not run a proxy server.

User Responsibilities and Procedures

Users should adhere to one of the following:

  • Disallow the CONNECT command (see your proxy server documentation for specific instructions).
  • Configure to only allow CONNECTs to specific ports as needed (e.g., a proxy server supporting SSL connections can allow connections to ports 443 and 563, with all other ports disabled for the CONNECT command).
  • Alternately, do not run a proxy server.

Revision History

Status:  Published 
Published:  10/28/2005 
Last Reviewed:  03/13/2014
Last Updated:  11/03/2005 

Support Contact

Help Center
412-268-HELP (4357)
it-help@cmu.edu