Behavior of requests to the Localhost Address in Explicit and Transparent environments.

Article ID: 170087

Products

Advanced Secure Gateway Software - ASG

ProxySG Software - SGOS

Issue/Introduction

The localhost address is often used by clients to access a specific service via the browser. These services come in the form of applications installed on the client machines and run on a specific port.

Some malware uses the localhost address to access a specific resource or to open a new listening port that can later be used to gain unauthorized access to the system.

Depending on the deployment of the ProxySG, some measures can be implemented to prevent this from happening.

Resolution

Explicit deployments:

In this deployment, clients are forced to go through the proxy via the browser settings. This includes requests to the localhost address. These requests should be bypassed in the browser settings as exceptions; otherwise, they will result in a network error.

When a localhost destination address is seen in the Access Logs or a Policy trace, it is strongly encouraged to verify that the applications that are making those requests are safe to use.

If clients use a local IP address instead, the proxy will see that request and process it with respect to the client's local IP. In this scenario, the content is then served to the same client.

Note: It is important to check the application performing the request in question because it's possible the request will not fail unless blocked properly by policy.
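One way to carry out the Access Log check described above, as an added example that is not part of the original article or Broadcom's own tooling. It assumes an ELFF-style log whose `#Fields:` header includes `c-ip`, `cs-host`, `cs-uri-port` and `cs(User-Agent)`; the sample lines are constructed.

```python
import ipaddress
import shlex
from collections import Counter

# Constructed sample log (not real traffic); field names are assumed to be
# present in the access log format configured on the proxy.
SAMPLE_LOG = '''\
#Fields: date time c-ip cs-host cs-uri-port cs(User-Agent)
2024-01-01 10:00:00 10.1.1.20 www.example.com 443 "Mozilla/5.0"
2024-01-01 10:00:05 10.1.1.20 localhost 8080 "UpdaterSvc/1.2"
2024-01-01 10:00:09 10.1.1.31 127.0.0.1 5000 "python-requests/2.31"
2024-01-01 10:00:12 10.1.1.31 10.1.1.31 9000 "python-requests/2.31"
2024-01-01 10:00:15 10.1.1.44 [::1] 3000 "-"
'''

def classify(host, client_ip):
    """Return why a destination is local to the client, or None."""
    name = host.strip("[]").lower().rstrip(".")
    if name == "localhost" or name.endswith(".localhost"):
        return "localhost-name"
    try:
        addr = ipaddress.ip_address(name)
    except ValueError:
        return None  # ordinary hostname
    if addr.is_loopback:  # 127.0.0.0/8 and ::1
        return "loopback-ip"
    try:
        if addr == ipaddress.ip_address(client_ip):
            return "client-own-ip"  # client addressed itself via its local IP
    except ValueError:
        pass  # client IP missing or not parseable
    return None

def find_local_requests(log_text):
    """Count flagged requests per (client, host, port, user agent, reason)."""
    fields, hits = [], Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#") and fields:
            row = dict(zip(fields, shlex.split(line)))
            reason = classify(row.get("cs-host", ""), row.get("c-ip", ""))
            if reason:
                hits[(row.get("c-ip"), row.get("cs-host"), row.get("cs-uri-port"),
                      row.get("cs(User-Agent)"), reason)] += 1
    return hits

if __name__ == "__main__":
    for key, count in find_local_requests(SAMPLE_LOG).most_common():
        print(count, *key)
```

Grouping by client, port and user agent gives the list of applications to verify on each machine.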

Transparent deployments:

As no browser settings are required for transparent deployments, the client handles the request internally instead of sending it through the proxy. For this reason, there is no control over these requests: by design, localhost requests never reach the proxy.

This applies to the following addresses:
  • localhost,
  • 127.0.0.1, and
  • the local IP addresses that the client has.