How can I tell if my Muse Proxy is secure?
This FAQ has been created for partners to check the Muse Proxy configuration
($MUSE_HOME/proxy/hosts.xml file) to make sure they are not open proxies, and therefore prone to illegal usage.
RULES TO MODIFY:
1.) In the hosts.xml under the default user, there should be no <ALLOW>*</ALLOW> rule:
The default user allows the ICE Servers to access Muse Proxy. If the <ALLOW>*</ALLOW> rule is entered, the wildcard character, or *, will allow any IP to access the proxy via the default user. This could cause abuse of the proxy from remote IPs. It is recommended that the IPs, or IP ranges, that will access the proxy via ICE are put in.
2.) In the hosts.xml under the administrator user, there should be no <ALLOW>*</ALLOW> rule:
Like the default user above, if the <ALLOW>*</ALLOW> statement is put in under this <USER_RULE>, it could potentially allow remote users to abuse muse proxy via the administrator user. It is recommended to only allow the IP (or IP ranges) of computers that you expect to use to administrate the proxy.
RULES TO KEEP IN PLACE:
1.) For Muse Proxies above the 188.8.131.52 version, there is the following rule for the default.mnm user:
This must be kept in place, so that end users will able to navigate to links rewritten via Muse Navigation Manager.
2.)Under the <REMOTE_PORTS> section for every user, there is a <ALLOW>*</ALLOW> rule:
This must be kept in place. The REMOTE_PORTS section specifies the outgoing access port rules of the Muse proxy, i.e. to what remote ports the Muse Proxy is allowed to connect to. By default, we block access to the following remote ports:
20,21: File Transfer Protocol (FTP)
22: Secure Shell (SSH)
25: Simple Mail Transfer Protocol (SMTP)
and allow access to the rest of the ports. Meaning that the Muse Proxy can connect to data services on any other ports except the ones listed above.
The <ALLOW>*</ALLOW> was set to cover all possible ports used by service providers such as 80, 8080, 443, 210,etc.
3.) It is also recommended that if an <ALLOW> rule is entered for Muse Global support (secure.museglobal.com or secure.museglobal.ro) that these are not taken out. These are in so that Muse support can properly troubleshoot the proxy.?