
Symantec™ Security Gateways Reference Guide - Sawmill

Understanding access proxies

The NTP proxy

The network time protocol (NTP) synchronizes the time of a computer client or server to another server or reference time source. The NTP proxy provides client accuracies typically within a millisecond on LANs and up to tens of milliseconds on WANs relative to a primary server synchronized to coordinated universal time (UTC) by means of a Global Positioning System (GPS) receiver, or some similar mechanism.

The ping proxy

By default, ICMP packets hitting the security gateway are dropped, as the security stance of an unmodified system is to appear invisible on the network. However, it is often advantageous to have the security gateway respond to ICMP requests, especially when testing or troubleshooting. The ping proxy provides a mechanism for the security gateway to respond to ICMP requests.

The ping proxy does not pass the actual ICMP packets through the security gateway; like all other proxies, the security gateway pings the ultimate destination itself. The security gateway does not include the original client data payload in the echo request to the real destination. Instead, the ping proxy constructs a new echo request with a new sequence number, a new time-to-live (which affects traceroute), and new optional data, so that other protocols cannot be tunneled on top of the ICMP echo. If the security gateway receives an ICMP echo request through a tunnel, and that tunnel is not forcing traffic through the proxies, the packets are permitted to pass unmodified. If the security gateway itself is the target of the ICMP echo request, the ping proxy responds to the client normally.

Some ping clients (traceroute, for example) have an option to specify a source route or to record the route taken. By default, the ping proxy has these features turned off for security reasons, since they could disclose information about your inside networks. A ping request using one of these features is dropped and logged. Support for this is re-enabled by adding the variable ping.preserve.ttl on the Advanced Services tab.

The RCMD proxy

RCMD provides a greater level of security for the rsh, rlogin, and rexec protocols than is obtained by using a GSP. Proxying these connections through RCMD, as opposed to a GSP, offers tighter port usage control and facilitates interactive strong authentication, which would not otherwise be available. For example, by using the proxy, you can configure S/Key authentication for the connection.

RCMD supports three services commonly used by UNIX users:

rexec    Use in a rule when you want to let a user execute commands on a UNIX system. The commands are entered from a remote machine, but executed on the UNIX system.

rlogin   Used to let a user remotely log on to another UNIX system. The logon credentials reside on, and should be applicable to, the remote machine, not the machine from which the user is executing the command.

rsh      Lets a user open a remote shell on another machine from their host system, and interact with that remote machine. All commands entered in the remote shell are executed on the remote machine.

The RTSP proxy

The Real-Time Streaming Protocol (RTSP) proxy handles real-time data such as the audio and video produced by RealPlayer and QuickTime. Sources of data can include both live data feeds and stored clips. The RTSP specification (RFC 2326) establishes and controls either single or several time-synchronized streams of continuous media such as audio and video. It does not typically deliver the continuous streams itself. Rather, RTSP acts as a network remote control for multimedia servers.

There is no notion of an RTSP connection; instead, a server maintains a session labeled by an identifier. An RTSP session is in no way tied to a transport-level connection such as a TCP connection. During an RTSP session, an RTSP client may open and close many reliable transport connections to the server to issue RTSP requests. Alternatively, it may use a connectionless transport protocol such as UDP.
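The ping proxy section above describes the gateway rebuilding an echo request instead of forwarding the client's packet, and dropping requests that carry source-route or record-route options. The following is an added example, not code from the Symantec guide or the product, that shows that logic over constructed IPv4/ICMP packets: the gateway address, its TTL of 64, the option handling and the counting-pattern payload are all assumptions made for the example. The reader can compare the client packet (TTL 3, payload "TUNNELED-DATA-SECRET") with what leaves the gateway.

```python
import struct

# Added example: rebuild an ICMP echo request the way the ping proxy described
# above does, rather than forwarding the client's packet. Every packet here is
# constructed in this file; nothing is sent on the wire.

DANGEROUS_IP_OPTIONS = {7: "record route", 131: "loose source route",
                        137: "strict source route"}
GATEWAY_ADDR = b"\xc0\xa8\x01\xfe"   # assumed outside address of the gateway
GATEWAY_TTL = 64                     # the gateway's own TTL, never the client's


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum; returns 0 for a message that verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_option_types(pkt: bytes) -> list:
    """Option type numbers present in an IPv4 header; ValueError if malformed."""
    ihl = (pkt[0] & 0x0F) * 4
    opts, types, i = pkt[20:ihl], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # end of option list
            break
        if kind == 1:            # no-operation, a single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            raise ValueError("malformed IP option")
        types.append(kind)
        i += opts[i + 1]         # length byte covers type, length and data
    return types


def build_ipv4(payload, ttl, src, dst, options=b"", proto=1):
    """Minimal IPv4 header (protocol ICMP by default) with a valid checksum."""
    assert len(options) % 4 == 0, "options must be padded to 32 bits"
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(payload),
                      0x4242, 0, ttl, proto, 0, src, dst) + options
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_echo_request(ident, seq, payload):
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = inet_checksum(hdr + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def proxy_echo_request(pkt, new_ident, new_seq):
    """Decide what the ping proxy does with a client echo request.

    Returns ("drop", reason, None) or ("forward", reason, new_packet). The
    forwarded packet has the gateway's source address and TTL, a fresh ICMP
    id/sequence and a fresh payload, so no client bytes reach the destination.
    """
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return ("drop", "not IPv4", None)
    if pkt[9] != 1:
        return ("drop", "not ICMP", None)
    try:
        present = set(ip_option_types(pkt)) & set(DANGEROUS_IP_OPTIONS)
    except ValueError as exc:
        return ("drop", str(exc), None)
    if present:                  # dropped and logged, as the guide describes
        names = ", ".join(DANGEROUS_IP_OPTIONS[t] for t in sorted(present))
        return ("drop", "IP option not allowed: " + names, None)
    icmp = pkt[(pkt[0] & 0x0F) * 4:]
    if len(icmp) < 8:
        return ("drop", "truncated ICMP", None)
    if icmp[0] != 8 or icmp[1] != 0:
        return ("drop", "not an echo request", None)
    if inet_checksum(icmp) != 0:
        return ("drop", "bad ICMP checksum", None)
    # Same length as the client payload, but a counting pattern, never its bytes.
    fresh = bytes(i & 0xFF for i in range(len(icmp) - 8))
    new_icmp = build_echo_request(new_ident, new_seq, fresh)
    return ("forward", "rebuilt",
            build_ipv4(new_icmp, GATEWAY_TTL, GATEWAY_ADDR, pkt[16:20]))


def sample_client_request(options=b""):
    """Constructed client packet: TTL 3 (as traceroute would send) and a payload
    that pretends to carry tunneled data. Options are appended if given."""
    icmp = build_echo_request(0x0BAD, 7, b"TUNNELED-DATA-SECRET")
    return build_ipv4(icmp, 3, b"\x0a\x00\x00\x05", b"\x5d\xb8\xd8\x22", options)
```

Feeding sample_client_request() to proxy_echo_request() yields a packet with the gateway's TTL and a payload that contains none of the client data; adding a record-route option (b"\x07\x03\x04\x00") or a loose-source-route option (b"\x83\x03\x04\x00") makes the function drop the request with a reason suitable for the log line.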
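The RTSP section above makes the point that a session is identified by the Session header, not by the connection that carries a request, so a proxy has to correlate SETUP, PLAY and TEARDOWN messages by session id across connections. The following is an added example, not code from the guide or the product, of a session table that does that correlation and records the client_port/server_port pairs from the Transport header (which a proxy would use to open the UDP paths for the media). The message exchange, host name, ports and session id are constructed for the example.

```python
import re

# Added example: correlate RTSP messages by Session id rather than by the
# transport connection that carried them (RFC 2326 sections 1.2 and 12.37).
# The exchange in run_demo() is constructed for this example.


def parse_rtsp(msg: str):
    """Split an RTSP message into its start line and a lower-cased header dict."""
    head = msg.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def transport_ports(transport: str):
    """client_port and server_port pairs from a Transport header (None if absent)."""
    ports = {}
    for side in ("client_port", "server_port"):
        m = re.search(side + r"=(\d+)-(\d+)", transport or "")
        ports[side] = (int(m.group(1)), int(m.group(2))) if m else None
    return ports


class RtspSessionTable:
    """Tracks RTSP sessions across any number of transport connections.
    A connection is known only by an opaque id chosen by the caller."""

    def __init__(self):
        self.sessions = {}   # session id -> transport port details
        self.pending = {}    # (connection id, CSeq) -> Transport offered by SETUP

    def feed(self, conn_id, msg):
        start, hdr = parse_rtsp(msg)
        cseq = hdr.get("cseq")
        if start.startswith("RTSP/"):
            return self._response(conn_id, start, hdr, cseq)
        method = start.split()[0]
        if method == "SETUP":
            self.pending[(conn_id, cseq)] = hdr.get("transport", "")
            return ("allow", "SETUP pending CSeq %s" % cseq)
        if method in ("PLAY", "PAUSE", "TEARDOWN"):
            # "Session: id;timeout=60" -> "id"; the connection id is irrelevant
            sid = hdr.get("session", "").split(";")[0]
            if sid not in self.sessions:
                return ("reject", "unknown session %r" % sid)
            if method == "TEARDOWN":
                del self.sessions[sid]
                return ("allow", "session %s closed" % sid)
            return ("allow", "%s in session %s" % (method, sid))
        return ("allow", method)

    def _response(self, conn_id, start, hdr, cseq):
        """A response is matched to its request by connection id and CSeq; only a
        200 reply to SETUP that carries a Session header creates a session."""
        status = int(start.split()[1])
        offered = self.pending.pop((conn_id, cseq), None)
        if offered is None:
            return ("allow", "response to non-SETUP request")
        if status != 200 or "session" not in hdr:
            return ("allow", "SETUP failed with status %d" % status)
        sid = hdr["session"].split(";")[0]
        self.sessions[sid] = transport_ports(hdr.get("transport", offered))
        return ("session", sid)


def run_demo():
    """Constructed exchange: SETUP on connection A, PLAY on a second connection
    B, a PLAY naming an unknown session on connection C, then TEARDOWN on B."""
    table = RtspSessionTable()
    script = [
        ("A", "SETUP rtsp://media.example.com/clip/track1 RTSP/1.0\r\nCSeq: 2\r\n"
              "Transport: RTP/AVP;unicast;client_port=4588-4589\r\n\r\n"),
        ("A", "RTSP/1.0 200 OK\r\nCSeq: 2\r\nSession: 47112344;timeout=60\r\n"
              "Transport: RTP/AVP;unicast;client_port=4588-4589;"
              "server_port=6256-6257\r\n\r\n"),
        ("B", "PLAY rtsp://media.example.com/clip RTSP/1.0\r\nCSeq: 3\r\n"
              "Session: 47112344\r\nRange: npt=0-\r\n\r\n"),
        ("C", "PLAY rtsp://media.example.com/clip RTSP/1.0\r\nCSeq: 1\r\n"
              "Session: 99999999\r\n\r\n"),
        ("B", "TEARDOWN rtsp://media.example.com/clip RTSP/1.0\r\nCSeq: 4\r\n"
              "Session: 47112344\r\n\r\n"),
    ]
    return table, [table.feed(conn, msg) for conn, msg in script]
```

In run_demo() the PLAY arriving on connection B is accepted because the session was created by the SETUP reply seen on connection A, while the PLAY on connection C is rejected because no such session exists; after TEARDOWN the table is empty again. A real proxy would key the pending map on something more robust than a caller-supplied connection id and would expire sessions using the timeout parameter, both of which are left out here.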