Proxy Servers: Neanderthal or Dinosaur?
Proxy servers are a bit like Swiss Army Knives: Just as the capabilities of a Swiss Army Knife extend beyond simple cutting, today's proxy servers act as traditional proxies, but they also have a huge variety of security features. In fact, it would probably be more accurate to call most proxy server software security servers with proxy capabilities. Can the proxy server evolve, or is it a product type soon to be extinct? Does your organization need one?
So what, exactly, is a proxy server? In the general sense, a proxy is a stand-in; in network architecture, it's an entity that sits between corporate client machines and the Internet. A forward proxy stands in the way of the Internet and receives data from client machines bound for the Internet and forwards it on their behalf. A reverse proxy stands in the way of servers within the corporate network and receives data bound for them, and distributes it on.
"Receives" is the key word here, as there is more than one way in which a proxy can operate. Traditional forward proxies rely on client machines being configured to send their Internet requests to them, while transparent proxies "hijack" Internet-bound data and handle it themselves.
The original reason for having a forward proxy server was to be able to share an Internet connection between multiple client machines while reducing the amount of Internet traffic and speeding up browsing by caching Internet content locally on the proxy server. Whenever content was required from the Internet, the client would establish a connection with the proxy server, which would provide the content from its cache if it could. Otherwise, the proxy would establish its own connection with the content server, retrieve the content, and then forward it to the requesting client.
When you think about it, there is not much difference between a proxy server and a NAT router, assuming the caching function is left to one side. Both enable multiple machines on one side to share an Internet connection, and both do so by receiving packets from those machines and sending them on. A proxy server initiates another TCP connection while a NAT router simply modifies packet headers, but the end result is pretty much the same.
That's why proxy servers have evolved from being the equivalent of a NAT router (albeit with the bandwidth-saving caching functionality) to security suites that use rules to accept or reject requests, log Internet activity, and scan incoming and outgoing data for viruses and other malware. Microsoft's Proxy Server, for example, was replaced by ISA Server, which is a Web cache, security system, and firewall in one.
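An added example, not from the original article or from any product it names: a Python sketch of the decision path described above, in which the proxy checks an access rule, logs the request, serves from its cache when it can, and otherwise makes its own connection to the content server. The `ForwardProxy` class, the `fake_origin` stand-in for that second connection, and the sample hosts are all constructed for illustration.

```python
from urllib.parse import urlsplit

class ForwardProxy:
    """Decision path of a caching, filtering forward proxy (constructed sketch)."""
    def __init__(self, fetch_origin, blocked_domains):
        self.fetch_origin = fetch_origin   # callable(url) -> bytes: the proxy's own origin connection
        self.blocked = {d.lower() for d in blocked_domains}
        self.cache = {}                    # url -> body; real caches also honour expiry headers
        self.log = []                      # (client_ip, target, verdict): the activity log

    def _is_blocked(self, host):           # matches the domain itself and any subdomain
        return any(host == d or host.endswith("." + d) for d in self.blocked)

    def _finish(self, client_ip, target, verdict, status, body=b""):
        self.log.append((client_ip, target, verdict))
        return status, body

    def handle(self, client_ip, request_line):
        # A client configured to use the proxy sends the absolute URL in the request line.
        parts = request_line.split()
        if len(parts) != 3:
            return self._finish(client_ip, request_line, "BAD_REQUEST", 400)
        method, url, _version = parts
        try:
            host = (urlsplit(url).hostname or "").lower()
        except ValueError:                 # e.g. a malformed IPv6 literal
            host = ""
        if not host:
            return self._finish(client_ip, url, "BAD_REQUEST", 400)
        if self._is_blocked(host):         # rule check happens before any origin traffic
            return self._finish(client_ip, url, "DENIED", 403)
        if method == "GET" and url in self.cache:
            return self._finish(client_ip, url, "CACHE_HIT", 200, self.cache[url])
        body = self.fetch_origin(url)      # second connection, made on the client's behalf
        if method == "GET":
            self.cache[url] = body
        return self._finish(client_ip, url, "CACHE_MISS", 200, body)

def demo():
    origin_calls = []                      # constructed origin so the example runs offline
    def fake_origin(url):
        origin_calls.append(url)
        return b"<html>news</html>"
    proxy = ForwardProxy(fake_origin, ["blocked.example"])
    results = [
        proxy.handle("10.0.0.5", "GET http://news.example/index.html HTTP/1.1"),
        proxy.handle("10.0.0.9", "GET http://news.example/index.html HTTP/1.1"),
        proxy.handle("10.0.0.9", "GET http://Ads.Blocked.example/t.gif HTTP/1.1"),
    ]
    return results, proxy.log, origin_calls
```

Two clients request the same page but the origin is contacted once, and the blocked request is logged and refused without any origin traffic.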
Reverse proxies are also all about security now, preventing clients on the Internet from having direct access to content servers within the corporate network. As well as forwarding or rejecting requests for information without "bothering" the content servers themselves, they also prevent Internet clients from being aware of the actual content servers. A reverse proxy can cache content from content servers, shield them from DDoS attacks, and load balance to a number of content servers transparently.
Are Proxy Servers Right for You?
So should your organization be using a proxy server? To answer the question, it really needs to be rephrased. Perhaps a more relevant question is, should your organization be using some sort of security measures? The answer is obviously "yes." Such security measures will almost certainly include malware scanning, activity logging, intrusion detection, URL blocking, not to mention a corporate firewall. Content caching to reduce bandwidth usage and even increase performance is also useful but not necessarily essential.
Microsoft's ISA Server, as mentioned, is a hybrid proxy and firewall. It can perform content caching as well as deep content inspection and other security services. There are many other security solutions, such as the Linux-based Astaro Security Gateway and Novell's BorderManager, as well as Squid, probably the world's best-known open source proxy and security solution.
To a greater or lesser extent, whether you use a product like ISA Server or Astaro, and how you build your network defenses, depends on whether you are looking for a point solution or prefer to go best-of-breed. If you want simplicity, then a modern proxy server/security suite can help provide it. If you prefer to build up your security using best-of-breed products and caching is unimportant, then a proxy server is almost certainly not for you.