What If You Can't Proxy?
You might find yourself unable to proxy a service for one of three reasons:
- No proxy server is available.
- Proxying doesn't secure the service sufficiently.
- You can't modify the client, and the protocol doesn't allow you to use proxy-aware procedures.
No Proxy Server Is Available
If the service is proxyable, but you can't find a proxy-aware-procedure server or proxy-aware clients for your platform, you can always do the work yourself. In many cases, you can simply use the dynamic libraries to wrap existing binaries.
If you can't use dynamic libraries, modifying a normal TCP client program to use SOCKS is relatively trivial. As long as the SOCKS libraries are available for the platform you're interested in, it's usually a matter of changing a few library calls and recompiling. You do have to have the source for the client.
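To show what the replaced connect call has to do on the wire, here is an added example (not from the original text and not the SOCKS library's own code) of the step a client performs after connecting to the SOCKS server instead of the destination. It assumes SOCKS version 4; the function names and the sample address and user ID in the comments are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>

#define SOCKS4_VERSION 4
#define SOCKS4_CONNECT 1   /* command code: CONNECT */
#define SOCKS4_GRANTED 90  /* reply code: request granted */

/* Build a SOCKS4 CONNECT request for ip:port (host byte order), e.g. the
 * constructed target 192.0.2.5:80 with user ID "alice".
 * Returns the request length, or 0 if buf is too small. */
size_t socks4_build_connect(uint8_t *buf, size_t cap, uint32_t ip,
                            uint16_t port, const char *userid)
{
    size_t ulen = strlen(userid);
    if (cap < 8 + ulen + 1)
        return 0;
    buf[0] = SOCKS4_VERSION;
    buf[1] = SOCKS4_CONNECT;
    buf[2] = (uint8_t)(port >> 8);      /* port, network byte order */
    buf[3] = (uint8_t)(port & 0xff);
    buf[4] = (uint8_t)(ip >> 24);       /* address, network byte order */
    buf[5] = (uint8_t)(ip >> 16);
    buf[6] = (uint8_t)(ip >> 8);
    buf[7] = (uint8_t)ip;
    memcpy(buf + 8, userid, ulen + 1);  /* user ID plus terminating NUL */
    return 8 + ulen + 1;
}

/* Returns 0 if granted, the refusal code (91-93), or -1 if malformed. */
int socks4_parse_reply(const uint8_t *reply, size_t len)
{
    if (len != 8 || reply[0] != 0)
        return -1;
    if (reply[1] == SOCKS4_GRANTED)
        return 0;
    return (reply[1] >= 91 && reply[1] <= 93) ? reply[1] : -1;
}

/* Call on fd once it is connected to the SOCKS server; on a 0 return the
 * client uses fd exactly as if it had connected to ip:port directly. */
int socks4_handshake(int fd, uint32_t ip, uint16_t port, const char *userid)
{
    uint8_t req[264], rep[8];
    size_t got = 0, n = socks4_build_connect(req, sizeof req, ip, port, userid);
    if (n == 0 || write(fd, req, n) != (ssize_t)n)
        return -1;
    while (got < sizeof rep) {          /* the reply is always 8 bytes */
        ssize_t r = read(fd, rep + got, sizeof rep - got);
        if (r <= 0)
            return -1;
        got += (size_t)r;
    }
    return socks4_parse_reply(rep, got);
}
```

A client that fails closed on any nonzero return never falls back to a direct connection that bypasses the proxy.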
Writing your own proxy-aware-procedure server is considerably more difficult because it means writing the server from scratch.
Proxying Won't Secure the Service
If you need to use a service that's inherently insecure, proxying can't do much for you. You're going to need to set up a victim machine, as described in "Bastion Hosts", and let people run the service there. This may be difficult if you're using a dual-homed nonrouting host to make a firewall where all connections must be proxied; the victim machine is going to need to be on the Internet side of the dual-homed host.
Using an intelligent application-level server that filters out insecure commands may help but requires extreme caution in implementing the server and may make important parts of the service nonfunctional.