Does Your Network Need a Proxy Server?
By Gerry Blackwell
To network administrators for large networks, the need for proxy servers--intermediaries that stand sentinel between an internal network and the open Internet--is so basic, it goes almost without saying. But in smaller organizations that lack dedicated IT resources, the need may not be quite so self-evident.
How they work
Proxies intercept requests for Internet pages from users within a company's network and perform a number of chores related to protecting the network, improving performance and enforcing company Web use policies. This is sometimes referred to as a forward proxy server. It's the kind that virtually all organizations need.
If your company also hosts its own Web servers on its premises, you additionally need a reverse proxy to perform a complementary, but somewhat different, set of security- and performance-related tasks around requests coming from the Internet into your servers.
We're going to focus in this article on the first kind of proxy--and a service-based variant of interest to consumers and mobile business users.
Proxy that forward
When an internal user requests a Web page, the request goes through the proxy server so that it appears to the Internet to be coming from the server - from its IP address (or one of them) - and not the user's device. This anonymity provides an important measure of security by reducing the amount of information about a network and its users easily accessible to hackers on the Internet.
The proxy server may, in addition, perform caching.
If your users frequently need to access certain pages on the Internet, the server can download copies and store them in a cache on its hard drive. It can also continuously monitor those pages for changes and download them when they appear, so the cached page is always up to date.
Consultant James Quin, a lead analyst at research and consulting firm Info-Tech Research Inc., says caching speeds things up for everybody:
"So now when someone requests that page or resource, the proxy server says, 'Wait, I've got it right here,' and furnishes it back to the end user without having to go out to the Internet," Quin explains.
This speeds display of cached pages for users, and cuts traffic going out over the company's Internet gateway, thus potentially reducing bandwidth requirements and congestion that can degrade overall performance.
Controlling Web surfing
A third important set of proxy server chores relates to enforcement of company policies and restrictions around Web use.
In organizations that allow employees unrestricted access to the Internet but publish policies limiting personal use--no gambling, porn or hate literature sites, for example, or only during lunch and breaks--network administrators can monitor proxy server logs to spot users habitually breaching policies.
But monitoring proxy logs can be a tricky business, cautions consultant Steve Armstrong, technical security director at UK-based consultancy LogicallySecure.
Some companies make the mistake of installing a proxy and then never looking at it again, thus wasting much of its potential utility, Armstrong says. But others spend too much time poring over logs. "It can be almost like stalking or harassment of users by proxy."
If employees are allowed to use the Web for personal surfing, too-close monitoring could result in privacy and labor law infringements by the company--if an employee is researching a medical problem on his lunch hour, for example.
In addition, if administrators closely monitor the activity of an employee for no very good reason--especially in the absence of clearly stated policies--and later try to bring disciplinary action for violations, unions or lawyers may be able to claim the company was victimizing the employee.
But if policy restrictions and monitoring practices are clearly stated and signed off on by employees, these kinds of problems shouldn't arise, Armstrong says.
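One way to review logs for habitual breaches without poring over everything a user visits, as an added example that is not from the original article: it counts the distinct days on which each user reached a restricted category and never records unrestricted hosts. The log format, the domain names and the three-day threshold are assumptions made for illustration.

```python
from collections import defaultdict

# Hypothetical category list; a real one would come from the written policy.
RESTRICTED = {
    "casino.example": "gambling",
    "bets.example": "gambling",
    "freeproxy.example": "public-proxy",
}

# Constructed sample log: "<date>T<time> <user> <requested host>"
SAMPLE_LOG = """\
2024-03-04T09:15:02 alice www.casino.example
2024-03-04T12:31:40 bob health-info.example
2024-03-05T10:02:11 alice bets.example
2024-03-05T10:05:00 alice news.example
2024-03-06T16:45:09 alice m.casino.example
2024-03-06T12:10:30 carol www.casino.example
2024-03-07T11:00:00 dave freeproxy.example
not a log line
"""

def category_for(host, restricted=RESTRICTED):
    """Return the policy category for host (domain or any subdomain), else None."""
    host = host.lower().rstrip(".")
    for domain, category in restricted.items():
        if host == domain or host.endswith("." + domain):
            return category
    return None

def habitual_breaches(log_text, min_days=3):
    """Map user -> {category: distinct days}, keeping only counts >= min_days."""
    days = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or "T" not in parts[0]:
            continue  # skip malformed lines rather than guessing at them
        stamp, user, host = parts
        category = category_for(host)
        if category:  # visits to unrestricted hosts are never stored
            days[user][category].add(stamp.split("T")[0])
    report = {}
    for user, cats in days.items():
        hits = {c: len(d) for c, d in cats.items() if len(d) >= min_days}
        if hits:
            report[user] = hits
    return report

if __name__ == "__main__":
    print(habitual_breaches(SAMPLE_LOG))
```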
The alternative is to use the basic filtering capabilities of proxy server software to block users going to certain sites. It works similarly to parental filtering on home networks.
At the simplest level, if a restricted site is added to a list in the server software, when a user tries to surf to that site, the server denies the request and returns an error message.
Adding enhanced capabilities with integrated filtering software, or using advanced products such as Microsoft's Internet Security and Acceleration (ISA) Server, makes it possible to restrict sites or surfing in general by time of day, or even by job function or department.
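The filtering decision described above, from a simple site list up to time-of-day and department rules, sketched as an added example that is not from the original article or from any product it names. The domains, departments, lunch-hour window and first-match-wins ordering are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class Rule:
    domain: str                            # matches the domain and any subdomain
    action: str                            # "deny" or "allow"
    departments: frozenset = frozenset()   # empty means every department
    start: time = time(0, 0)               # window in which the rule applies
    end: time = time(23, 59, 59)

    def matches(self, host, department, now):
        host = host.lower().rstrip(".")
        in_domain = host == self.domain or host.endswith("." + self.domain)
        in_dept = not self.departments or department in self.departments
        return in_domain and in_dept and self.start <= now <= self.end

# Hypothetical policy, evaluated top to bottom; the first matching rule wins.
POLICY = [
    Rule("casino.example", "deny"),                                    # simple blocked-site entry
    Rule("social.example", "allow", frozenset({"marketing"})),         # by department
    Rule("social.example", "allow", start=time(12, 0), end=time(13, 0)),  # lunch hour
    Rule("social.example", "deny"),                                    # everyone else, other times
]

def decide(host, department, now, policy=POLICY, default="allow"):
    """Return "allow" or "deny" for a request; unlisted sites get the default."""
    for rule in policy:
        if rule.matches(host, department, now):
            return rule.action
    return default

if __name__ == "__main__":
    for request in [("www.casino.example", "sales", time(12, 30)),
                    ("social.example", "sales", time(9, 0)),
                    ("social.example", "sales", time(12, 30)),
                    ("social.example", "marketing", time(9, 0))]:
        print(request, "->", decide(*request))
```

Rule order matters here: moving the final deny above the two allow rules would block the site for everyone at all times.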
If you've read this far and see the need for a proxy server, you'll likely need the services of a consultant to help select products and implement them. You could be purchasing software to install on a standard server. Many such products are open source, some of them free.
It could be a proxy server appliance, purpose-built hardware with software pre-installed. Or it could be a virtual proxy server appliance, a server that is logically separate but shares space on a physical server with other servers in a VMware or other virtualized server environment.
Some proxy servers stand alone; others integrate other functionality. One of the functions most commonly combined with basic proxying is advanced filtering, Quin notes. He argues that stand-alone proxy servers--like any single-purpose or 'point' solution--necessarily entail more management overhead, so arguably make less sense for most organizations.
Choosing a proxy
The type and quality of proxy server product you choose will depend on a number of factors, including perceived risk to resources behind the proxy, level of risk tolerance, and budget.
Info-Tech itself uses open source proxy server software because it has reasonably high risk tolerance - being well stocked with IT and security skills - and relatively light caching and filtering requirements, Quin says.
Larger organizations with hundreds or thousands of users, less risk tolerance and needs for more granular filtering or heavier-duty caching, may require a more robust solution, and may also be better off with one that tightly integrates with an existing Cisco, Microsoft or other network environment, Quin suggests.
One thing to keep in mind, he says, is that the proxy server is exposed to the Internet. "It's a very easy target to attack, and it's a trusted part of your internal network infrastructure. So you have to be very rigorous about security, you have to keep patches up to date and maintain it religiously."
Proxying for consumers
You can also get proxying as a service, often for free. Page requests go from the client device out over the Internet to a server, and from there to the site requested. This is mainly of interest to consumers but may also have applications for mobile users.
Why would consumers want to use proxy services?
Privacy and security were the primary reasons originally. Online proxy services provide the same kind of anonymity as internal corporate proxies, which enhances security, but also appeals to Web surfers who object to advertisers and others being able to track where they go on the Net.
Proxy services also theoretically do a better job of filtering Web-borne malware. Whether all do is another matter. And some provide VPN-like encryption between the client and their server to protect against data being intercepted when using public Wi-Fi hotspots. A few may provide caching, but it's unlikely to be as effective as in a corporate networking environment.
An increasingly popular reason to use a proxy service today is to get around regional restrictions on access to online media.
For licensing reasons, video sites such as Netflix, Hulu and others can only serve content to users in the country of origin. They block requests from IP addresses known to be outside the country.
By using a proxy service with servers in the country, a user outside can get around these restrictions. Your correspondent, for example, is currently living and working in Spain and using proxy services to stream TV programming from UK and U.S. sites.
How they work
Proxy services work in one of three ways. With many free services, you simply surf to the service provider's website and type the URL of the site you want into an address field on the page. Others require users to download a small application. Still others require subscribers to set up a VPN connection in Windows and key in a user ID and password.
Choosing a proxy service
Many proxy services are free. Some are offered by companies to promote other paid Internet services. Most are ad supported in one way or another. There are also many aggregators, such as Proxy 4 Free, providing constantly updated lists of free proxy servers. Some even charge a subscription fee to provide easy access to the services listed. Few free services, however, are as reliable, fast or secure as paid services. And many of the free services we tried did not support Flash in our testing.
Your correspondent is using two free ad-supported services from Anchorfree, a Silicon Valley company. They require an app download. ExpatShield and Hotspot Shield feature particularly obtrusive video advertising and page redirections, as well as banner ads inserted at the tops of browser pages. But the ads can be stopped, the Anchorfree services work reasonably well, and they're free.
With many free services, reduced throughput caused by the additional router hops involved in getting to and from the server means streaming quality is poor to the point of making video unwatchable.
The Anchorfree services, however, stream video from the BBC and ITV sites in the UK (ExpatShield) and Hulu in the U.S. (Hotspot Shield) to Spain more or less flawlessly - at least over a fast (12 Mbps) Internet connection.
For road warriors who must connect to the Net in coffee shops and other public hotspots, proxy services with integrated VPN functionality can be a quick-and-dirty way to add some protection against wireless snooping. That said, a VPN tunnel through and controlled by company servers would be more reliably secure.
On the downside, network administrators might want to be on the look-out for employees using public proxy services at the office. It's a likely indication of unofficial browsing, at best, and possibly Web use that contravenes company policies.