Isolating Proxy Concept
To my knowledge, using a physically isolated Isolating Proxy is currently the safest ^2^ Tor setup...
An Isolating Proxy is much different from a Transparent Proxy. A pure Transparent Proxy suffers from Transparent Proxy Leaks. While a Transparent Proxy routes all ^1^ traffic through Tor and blocks the rest ^1^, an Isolating Proxy solves the Transparent Proxy Leaks problem and relies on security by isolation.
An Isolating Proxy requires at least two machines. Those machines can be either virtual machines or two physically isolated machines. Both machines are connected through an isolated LAN. One machine is called Gateway. The other one is called Workstation.
The Gateway is solely used to run Tor and has two network interfaces. The Gateway's first network interface (for example, eth0) must have access to the clearnet. The Gateway's second network interface (for example, eth1) is connected only to the Workstation by a LAN cable, and IP forwarding must be disabled on the Gateway. The LAN cable can be either a virtual internal network or a hardware LAN cable.
Tor on the Gateway must be configured to open one or more SocksPorts on the second network interface (for example, eth1). Tor is also allowed to use the first network interface (for example, eth0) to connect to the Tor network.
The Workstation is used to run all client applications (such as Tor Browser, XChat, etc.). Because the Workstation is on an isolated network without clearnet access, it is unaware of the clearnet IP, which is a big security gain. Client applications must be configured to use (the) SocksPort(s), otherwise they will be unable to connect.
DNS leaks to the clearnet are impossible, because the Workstation does not have a working system DNS resolver. The Workstation could install a system DNS resolver, but it too would have to be configured to use Tor's SocksPort.
IP leaks are also impossible. Client applications which suffer from proxy bypass bugs will be unable to connect; they can only connect through Tor's SocksPort. Client applications also cannot leak the clearnet IP inside the protocol itself (as BitTorrent does, where the protocol transmits the clearnet IP somewhere), because the Workstation does not know it.
IP/DNS leaks would require an adversary to break into the Gateway (when using physical isolation) or to break the Virtual Machine (when using Virtual Machines). The Whonix project, which is very close to an Isolating Proxy (see below), documented how much effort is required and which attacks can break such a setup, see Attacks on Whonix.
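The following script is an added example, not configuration from the wiki page, from Whonix or from the Tor project. It renders the Gateway-side torrc and sysctl fragments the description above calls for (SocksPorts bound only to the isolated interface, IP forwarding off), a torsocks.conf for socksified clients on the Workstation, and two offline checks a practitioner can run against a saved resolv.conf and `ip route` listing to confirm the Workstation has no system resolver and no clearnet route. The interface names eth0/eth1 come from the page; the 192.168.0.0/24 addresses, the ports 9050/9150, the SocksPolicy restriction and the no-default-route check are assumptions and added hardening.

```shell
#!/bin/sh
# Added example (not from the wiki page): Gateway/Workstation fragments and
# offline checks for an Isolating Proxy. Addresses, ports and paths are assumed.

GW_CLEARNET_IF="${GW_CLEARNET_IF:-eth0}"          # page: Gateway's clearnet side
GW_INTERNAL_IF="${GW_INTERNAL_IF:-eth1}"          # page: Gateway's isolated LAN side
GW_INTERNAL_IP="${GW_INTERNAL_IP:-192.168.0.10}"  # assumed Gateway address on the LAN
WS_INTERNAL_IP="${WS_INTERNAL_IP:-192.168.0.11}"  # assumed Workstation address

# --- Gateway ---------------------------------------------------------------

# torrc lines for the Gateway. Every SocksPort is bound to the internal
# address only, so nothing listens on localhost or on the clearnet interface,
# and SocksPolicy limits SOCKS clients to the Workstation. Tor still reaches
# the Tor network through the clearnet interface via the normal routing table.
render_gateway_torrc() {
    gw_ip="$1"
    ws_ip="$2"
    cat <<EOF
# Plain SocksPort for ordinary applications.
SocksPort ${gw_ip}:9050
# Second SocksPort with per-destination stream isolation, e.g. for a browser.
SocksPort ${gw_ip}:9150 IsolateDestAddr IsolateDestPort
# Only the Workstation may use these ports.
SocksPolicy accept ${ws_ip}
SocksPolicy reject *
EOF
}

# sysctl settings for the Gateway: the page requires IP forwarding to be
# disabled so the Gateway never routes packets between eth1 and eth0.
render_gateway_sysctl() {
    cat <<EOF
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
EOF
}

# --- Workstation -----------------------------------------------------------

# torsocks.conf for the Workstation: socksified clients are pointed at the
# Gateway's SocksPort instead of the (non-existent) local Tor.
render_torsocks_conf() {
    gw_ip="$1"
    cat <<EOF
TorAddress ${gw_ip}
TorPort 9050
EOF
}

# Succeeds when the given resolv.conf contains no nameserver line, i.e. the
# Workstation has no working system DNS resolver, so DNS cannot leak.
resolver_is_disabled() {
    ! grep -q '^[[:space:]]*nameserver' "$1"
}

# Succeeds when a saved `ip route` listing has no default route: even a
# misconfigured Gateway then offers the Workstation no clearnet path
# (added hardening beyond the page's requirements).
no_default_route() {
    ! grep -q '^default' "$1"
}

# Demo when run directly: print the Gateway fragments and check this host.
render_gateway_torrc "$GW_INTERNAL_IP" "$WS_INTERNAL_IP"
render_gateway_sysctl
render_torsocks_conf "$GW_INTERNAL_IP"
if resolver_is_disabled /etc/resolv.conf; then
    echo "OK: no system resolver configured"
else
    echo "WARNING: /etc/resolv.conf has a nameserver; this is not an isolated Workstation"
fi
```

Clients that are not socksified need their own SOCKS setting, and the hostname must be resolved by Tor rather than locally (for example `curl --socks5-hostname 192.168.0.10:9050 https://check.torproject.org/`); a client that tries to resolve locally simply fails on the Workstation, which is the intended fail-closed behaviour.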
Isolating Proxy is a newly coined term by adrelanos.
,,^1^ Depending on type and implementation.,,
,,^2^ Safe from clearnet IP discovery.,,
What is the benefit of an Isolating Proxy over a Transparent Proxy?
- The user has more control over which traffic gets routed over Tor. While a Transparent Proxy Anonymizing Middlebox routes all traffic over Tor, an Isolating Proxy only routes traffic from applications that use SOCKS proxy settings or a socksifier. Various "misc" traffic is blocked.
- Software not classified as malware, but still phoning home without the user being aware of it and without the user knowing the exact contents of the phone-home message, will be unable to connect.
  - Examples: popularity-contest, copyright protection software, anti-cheat software...
  - This is important. Crash reporting software sometimes sends contents of RAM over unencrypted connections.
  - For more examples, please see TransparentProxyLeaks.
- Off-the-shelf malware (adding the user to a botnet) will be unable to connect. Manual action is required to configure the malware to use the SocksPort, and malware authors have not yet adapted to using the SocksPort. This is of course no help against targeted attacks.
- Windows users profit more from an Isolating Proxy than users of other operating systems, because Windows produces more "misc" traffic.
Isolating Proxy Example Implementation
To my knowledge, other than the description above, there are currently no pure Isolating Proxies available as instructions, source code or download.
Whonix is the closest example implementation available as source code and download. It uses an Isolating Proxy with an additional Transparent Proxy, which can be optionally disabled.
The Qubes OS + Tor blog post gives instructions for a Transparent Proxy, but it could with some effort be transformed into an Isolating Proxy.
Isolating Proxy Graphical Illustrations
Illustration using Physical Isolation
None available yet.
Illustration using Virtual Machines
Whonix
Qubes OS
The Qubes OS + Tor blog post actually describes a Transparent Proxy, but it could be turned into an Isolating Proxy. The illustration is the same.