Evolution by Proxy Server

By Aaron Weiss
Posted Feb 23, 2005


Natural history museums often depict the evolution of various species. They illustrate how, as a species evolves, one creature typically morphs into another to adapt to the changing environment. So too with software, though it changes at a significantly faster pace. As such, the creature known as a proxy server has been undergoing a rapid evolution that threatens its own identity.

Proxy servers have been around since the dawn of the Web but are now facing competition from NAT and firewalls. To prevent extinction, their role is evolving from providing guard-dog security and connection sharing to content caching and authentication.

Proxy Past

At its simplest, a proxy server is a layer sitting between a local-area network (LAN) and an external network such as the Internet. Proxy servers came about to meet several needs.

  1. They enabled several machines to share a single Internet connection by accepting and forwarding requests from client applications.
  2. They could regulate traffic, allowing or disallowing certain communications with the outside world, such as through site filtering.
  3. They could conserve bandwidth and increase network efficiency by caching content for repeated local delivery.

Proxy servers share Internet access at the application level, which means every client program must be individually configured to talk to the proxy server. This is an effective way to allow extremely limited kinds of Internet access, but many organizations found the configuration requirements to be a burden. With the development of Network Address Translation (NAT), organizations could share an Internet connection at the network level, which greatly simplified the process.

The flipside of this is greater exposure, and therefore greater vulnerability, of the local network. Firewalls quickly matured to regulate communications across the external network boundary. Now, firewalls can regulate traffic on a variety of levels, including low-level network protocols and high-level application content. The one-two punch of NAT and firewalls, which today are typically integrated into one product, took much of the wind out of proxy servers' original sails.

Thus, many of the vendors that previously marketed proxy products have evolved their line into firewalls. For example, WinRoute Firewall replaced Kerio WinRoute Pro proxy server, which is no longer supported. Sygate Firewall replaced Sygate's proxy server. The trend carries through to many vendors, as firewalls offer most of the same benefits of proxy servers, along with additional forms of security necessary in today's network environment.

Proxy Present

But proxy servers aren't completely dead. The role of the proxy server is shifting away from guard-dog security and connection sharing toward content caching and authentication.

Unlike firewalls and NAT, proxy servers can extend their reach beyond a physical LAN. There is increasing demand for portable authentication. An example of this is a university that allows students to access subscription-based third-party services. When students are not on campus, they might access the services through a university proxy server that passes their authentication to the third party.

Content caching remains a valuable tool for organizations wishing to conserve bandwidth and provide a speedier connection to local users. One of the more popular caching proxy servers is the venerable free and open source Squid, which still enjoys active development. Traditional firewalls don't usually include content caching. Instead, hybrid suites are emerging that pack both firewall features and proxy server features under a larger umbrella.

Microsoft ISA, Kerio WinRoute Firewall, Avirt Soho, and 602LAN Suite all represent this latest creature. These suites emphasize the NAT and firewall features that networks rely on today — while also retaining proxy features, including SOCKS support (the proxy protocol) — to support client-proxy connections for content caching and authentication.

Proxy Future

The proxy server as a stand-alone product is an endangered species. Most of the products in the current marketplace that fit this description (e.g., Proxy-Pro, Trumpet FireSock, and eServ) are pitched at small network environments running older operating systems, like Windows 95 and 98.

In its place, we'll continue to see software firewalls expand their breadth to include the kind of content filtering, caching, and authentication that was traditionally the role of the proxy server.

The proxy has shape-shifted to prevent extinction, merging into suites that regulate the border between internal and external networks.
