Example Network
The majority of networks connected to the Internet use the layout shown below. These are small, single-subnet networks connected to the Internet at a single point called a gateway.
The gateway may have different physical forms (a dedicated computer, a router, a DSL modem, etc.). The feature common to all gateways is that they have at least two interfaces. One interface is connected to the internal network (we will call it the inside interface), while the other (the outside interface) is connected to the Internet, typically through an Internet Service Provider (ISP). The Trilent Mail Proxy is usually installed on the gateway computer.
Network Addresses
The IP (Internet Protocol) is the "language" of the Internet. Every computer (interface) on an IP network is identified by a unique IP address, which facilitates the routing of information. An IP address looks like this: 172.16.94.97. Each of the dot-separated numbers can range from 0 to 255, for a total of over 4 billion possible addresses. In our example network, each of the four computers on the inside network has an IP address. The gateway host has two addresses, one for each interface.

The growth of the Internet has created an IP address shortage, because there are only so many unique addresses. This is a big problem. The solution to this problem is found in the common use of RFC1918 addresses. These are three ranges of private IP addresses originally set aside for testing purposes, namely 10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, and 192.168.0.0 to 192.168.255.255. The routers on the Internet are prohibited from forwarding information to any of these addresses, making them unreachable and therefore "invisible."
How does the use of the private IP addresses help relieve the address shortage? Consider our example network. All computers on the internal network, including the inside interface of the gateway host, have been assigned the private addresses. Only the outside interface of the gateway, connected to the outside world, has a "real" (i.e. publicly known and globally unique) IP address. The whole network now uses only a single "real", or public, IP address. The private IP addresses of the internal computers are invisible from the Internet. They can be reused in another network without causing problems, such as addressing ambiguity.
The inside computers can still communicate with the Internet through the gateway, provided that it can translate between private and public IP addresses. For each connection (exchange of information) the gateway must transparently substitute internal private IP addresses with its own public address. To the outside world it appears that all connections originate from the gateway host. The two technologies used to perform this substitution are Network Address Translation (NAT) and the use of Application Proxies. Both will be described in this document.
Firewalls
The isolation of the inside network resulting from the use of private addresses gives it a measure of security. In the real world this security proved inadequate. Non-compliant routers can forward to private addresses, and the address "spoofing" technique (substituting false addresses for correct ones) can be used to confuse computers. For example, a malicious outside connection can masquerade as an innocent one originating from the inside network, and therefore be trusted.

Enter the use of firewalls. A firewall is a program installed on the gateway host. It analyzes and filters the information traffic flowing between the inside network and the outside world. The function of the firewall is to block all traffic deemed harmful from entering the inside network. The "block/no block" decision is based on a set of criteria, or rules, for what constitutes harmful traffic.
A simple rule for our example network would be to block all connections from private IP addresses (e.g. 168.0.0.7) arriving on the outside interface (i.e. from the Internet). In an ideal world, this would never happen. Remember: routers are prohibited from forwarding to/from such addresses. However, non-compliant routers and address spoofing make it possible.
Creating firewall filtering rules is a whole science, but obviously the more the firewall knows about the nature of the connection the better filtering job it can do. More about that later.
Network Address Translation (NAT)
As its name implies, Network Address Translation (NAT) is a technology in which the gateway substitutes internal private IP addresses with its own public address. This substitution is performed on every connection to and from the Internet. The great advantages of NAT are its transparency to users and its ease of configuration, which are the primary reasons for its widespread popularity. For example, Microsoft ICS (Internet Connection Sharing) for Windows is based on NAT technology.

The generic nature of NAT makes building truly secure firewalls difficult. Since all types of connections are indiscriminately translated, their variety makes it difficult to develop effective filtering rules that detect and block all harmful traffic.
Another drawback of NAT is that it does not scale well. While it is not immediately obvious, the address translator (also known as a circuit-level proxy) must keep track of all its connections so it can return information from a server to the specific client that requested it. As the network size grows, this database of connections quickly becomes unwieldy.
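The two gateway behaviours described above, the anti-spoofing firewall rule (drop private source addresses arriving on the outside interface) and the NAT connection table that maps each inside flow to a port on the single public address, as an added illustration that is not part of this document or of the Trilent software. The addresses, ports and the Packet/Gateway names are constructed for the example.

```python
import ipaddress
from collections import namedtuple

# The three RFC 1918 ranges listed in the text, as CIDR networks.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(ip):
    """True if ip falls in one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)

# A simplified packet: which gateway interface it arrived on, plus the 4-tuple.
Packet = namedtuple("Packet", "iface src sport dst dport")

class Gateway:
    """Gateway with one public address: NATs inside->outside flows,
    returns replies to the right inside client, drops spoofed inbound packets."""
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_table = {}   # (src, sport, dst, dport) -> public port
        self.in_table = {}    # public port -> (inside src, sport)

    def handle(self, pkt):
        if pkt.iface == "outside":
            # Firewall rule from the text: a private source address can only
            # reach the outside interface through a non-compliant router or spoofing.
            if is_private(pkt.src):
                return ("DROP", "private source address on outside interface")
            entry = self.in_table.get(pkt.dport)
            if entry is None or pkt.dst != self.public_ip:
                return ("DROP", "no inside connection matches this reply")
            src, sport = entry   # un-translate: public port -> original client
            return ("FORWARD", Packet("inside", pkt.src, pkt.sport, src, sport))
        # Inside -> outside: reuse the mapping for a known flow, else allocate one.
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.out_table.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.out_table[key] = port
            self.in_table[port] = (pkt.src, pkt.sport)
        return ("FORWARD", Packet("outside", self.public_ip, port, pkt.dst, pkt.dport))

    def connections(self):
        """Size of the state the translator must keep (the scaling drawback above)."""
        return len(self.out_table)
```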
Application Proxies
In this model, the firewall blocks all traffic with the exception of a few well-defined holes in its wall. Each hole allows a single application to access the Internet. The gateway must still translate private IP addresses to/from its public address. This is done separately for each application by an application-specific program called a proxy.

The most popular Internet application is the World Wide Web (the Web). The firewall is configured to specifically pass Web traffic, while the application proxy, in this case the Web proxy, is responsible for address translation for Web connections. The Apache Server is an example of a popular Web proxy for Windows.
Electronic mail is another very popular application. Another hole in the firewall accepts e-mail traffic, and an e-mail proxy translates addresses. The Trilent Mail Proxy was developed for this purpose.
Application proxies contribute to the security of firewalls. Application-level proxies "understand" the nature of the connections their respective applications require. For example, the Trilent Mail Proxy uses mail transfer protocols to pass mail. During its operation, this proxy enforces the mail protocol rules on the traffic sequence. This has the effect of blocking unwanted non-mail traffic, which is unlikely to follow these rules, from reaching the protected network.
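An added illustration of the protocol enforcement just described, not code from this document or from the Trilent Mail Proxy: a small state machine that passes only SMTP commands that are legal in the current phase of a mail session and rejects anything else, so non-mail traffic pushed through the mail hole is stopped. The state names, the MailProxyFilter class and the sample sessions are constructed for the example.

```python
import re

# Commands an SMTP client may legally send in each phase of a session.
ALLOWED = {
    "start":   {"HELO", "EHLO", "QUIT", "NOOP"},
    "greeted": {"MAIL", "RSET", "QUIT", "NOOP", "HELO", "EHLO"},
    "mail":    {"RCPT", "RSET", "QUIT", "NOOP"},
    "rcpt":    {"RCPT", "DATA", "RSET", "QUIT", "NOOP"},
}
# Phase reached after a command is accepted (commands absent here keep the phase).
NEXT = {"HELO": "greeted", "EHLO": "greeted", "MAIL": "mail",
        "RCPT": "rcpt", "RSET": "greeted"}
# An SMTP command is a four-letter ASCII verb, optionally followed by a space and arguments.
COMMAND_RE = re.compile(r"^([A-Za-z]{4})(?: .*)?$")

class MailProxyFilter:
    """Tracks one client session and decides, line by line, whether to forward."""
    def __init__(self):
        self.state = "start"
        self.in_data = False   # True while the message body is being transferred

    def feed(self, line):
        """Return 'PASS' or 'REJECT' for one line sent by the client."""
        if self.in_data:
            if line == ".":          # end of message body, back to the greeted phase
                self.in_data = False
                self.state = "greeted"
            return "PASS"
        m = COMMAND_RE.match(line)
        if not m:                     # not shaped like an SMTP command at all
            return "REJECT"
        verb = m.group(1).upper()
        if verb not in ALLOWED[self.state]:   # legal verb, wrong place in the sequence
            return "REJECT"
        if verb == "DATA":
            self.in_data = True
        elif verb == "QUIT":
            self.state = "start"
        else:
            self.state = NEXT.get(verb, self.state)
        return "PASS"

def filter_session(lines):
    """Run a whole session through a fresh filter; returns one verdict per line."""
    f = MailProxyFilter()
    return [f.feed(line) for line in lines]

# Constructed sample input: a normal mail exchange and a non-mail client.
MAIL_SESSION = ["EHLO client.example", "MAIL FROM:<a@example.test>",
                "RCPT TO:<b@example.test>", "DATA", "Subject: hi", "", "hello", ".", "QUIT"]
WEB_SESSION = ["GET / HTTP/1.1", "Host: example.test"]
```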
Some proxy servers support proxying at the transport layer. They are called circuit-level proxies or transparent proxies, as they do not require configuration. These proxies operate on the same principle as NAT, described in the previous section, and share its strengths and weaknesses.
There are also intelligent circuit-level proxies, based on the SOCKS protocol. These proxies are transparent to the user, but require SOCKS support to be built into client applications for proxying to work. SOCKS proxies are beyond the scope of this document.
Internet Mail
There are two ways of distributing Internet mail in a small network. One is to use its own dedicated mail server; the other is to use the ISP’s mail server. The latter (shown below) is by far the more popular.
A dedicated mail server is typically installed on the gateway host, where it does not require a separate mail proxy. However, the mail server setup is quite complex, and its configuration is not trivial. A mail server usually requires a host running 24 hours a day and a permanent connection to the Internet. These requirements are not practical for many small networks (e.g. those with dial-up access to the ISP). That is why a dedicated mail server is rarely seen in very small networks of two to ten computers. However, as the network grows, the performance and utility of a dedicated mail server begin to outweigh its disadvantages.
Utilizing the ISP’s mail server to distribute Internet mail to/from a small network is convenient and simple, making it a very common solution. In order for a mail client on an internal computer to connect to the ISP’s mail server, a mail proxy must be installed on the gateway.