Re: different kinds of proxies

On 7/24/08, Rich Schumacher <rich.schu@xxxxxxxxx> wrote:
> On Wed, Jul 23, 2008 at 8:50 AM, André Warnier <aw@xxxxxxxxxx> wrote:
> > Hi. Me again butting in, because I am confused again.
> > When users' workstations within a company's local network have browsers
> > configured to use an internal "http proxy" in order to access Internet HTTP
> > servers, is this internal proxy system a "forward" or a "reverse" proxy?
> >
> > I am not talking here about a generic IP Internet router doing NAT, I am
> > talking specifically about a "web proxy".  This HTTP proxy may also do NAT
> > of course, but its main function I believe is to cache pages from external
> > servers for the benefit of internal workstations, no?
> >
> > If this is a forward proxy, then I do not understand the comment of
> > Solprovider that seems to indicate that such things are obsolete and/or
> > dangerous.  At any rate, they are in use in most corporate networks I am
> > aware of.
> >
> > André
>
> What you are talking about is a forward proxy and most of the time they are
> transparent to the users behind them.  Things do get a little blurry,
> though, as sometimes they handle routing and NATing as well.  SafeSquid
> (http://en.wikipedia.org/wiki/SafeSquid) of this in terms
> of software.  There are also hardware-based solutions, such as Barracuda
> Networks' web filter, but I do not believe this does caching.
Forward proxies are considered dangerous because the client is hidden from Internet servers -- the Internet servers see the proxy server's IP Address instead of the client's IP address, creating a shield for the client.  A malicious attacker can daisy-chain several open forward proxies, making tracking the client very difficult for administrators and law enforcement.

I stated forward proxies were obsolete because they require configuring the client to integrate with the forward proxy, while most of the beneficial legitimate functions can be gained without requiring client configuration.  A gateway server can handle
- NAT between internal corporate clients and the Internet,
- Firewalling blacklisted IP Addresses and websites,
- Logging all traffic, and
- Saving and serving static pages from cache
without the definitive feature of a forward proxy -- requiring every client be configured to use the gateway server as a forward proxy.  A gateway is protected by the NAT functionality -- only internal clients can use the proxy function.  A forward proxy requires additional security to prevent external clients from using the proxy function.

Any NAT protects the IP Addresses of internal clients, but integration is handled at the network routing level rather than the application level.  A NAT can be called a "proxy" because it hides the internal IP Addresses, or a "gateway" because it connects networks.  "Proxy" requires disambiguation: "forward", "reverse", or "network."  I prefer "gateway" rather than "network proxy" and "front-end Web server" rather than the technically accurate "reverse proxy" because non-technical people understand better.

SafeSquid is described as a "proxy" in Wikipedia and as a "gateway" in Novell's marketing material:
   http://www.novell.com/partnerguide/product/206554.html
This page also states SafeSquid can "deliver user-benefits with zero-software deployment at user-level systems", so SafeSquid does not meet the definition of a forward proxy while providing the benefits of cache, firewalling, blacklisting, logging, etc.

Definitions:
- Proxy: Something or someone hiding the clients' information.  A lawyer may be a "proxy" bidding on property without identifying the client.
- Gateway (or "Network Proxy"): Server connecting networks.  Called a "router" if dedicated hardware.  Called a "gateway server" when handling functions beyond network routing.
- Forward Proxy: A proxy requiring clients be configured to use the forward proxy.  Clients' information is hidden even on the same network.
- Reverse Proxy: A front-end server able to parse requests to distribute to multiple applications.
- NAT (Network Address Translation): A function of a gateway when different networks use different address schemes.  The address is translated to the gateway's address on the new network; the gateway translates responses to return to the requesting client.  The function was once important to integrate different network types (IP, NetBIOS, AppleTalk, etc.).  With the demise of most network protocols, this term is currently almost exclusively associated with "IP masquerading" for connecting local networks to the Internet.

As SafeSquid proves, the many functions required to implement "Corporate Internet Access Policies" can be handled by a gateway server without requiring a forward proxy.  The only function specific to a forward proxy is hiding client information from other computers on the same network; I am still wondering if this function has a legitimate use.

[As Rich's other posts indicate, his use of forward proxies was laziness/productivity (using a forward proxy to avoid extra work remotely accessing different computers during testing) or illegitimate (bypassing corporate security).  I find his stories interesting and informative.]

To answer André's last concern:
Yes, many companies use forward proxies because that was once the recommended method to implement Corporate Internet Access Policies.
No, they do not need to use forward proxies to gain the same benefits today.
Yes, most companies change very slowly.
solprovider
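The thread's distinction between a forward proxy (clients are configured to send whole-URL or CONNECT requests through it, so it must be protected from external clients or it becomes an open proxy) and a reverse proxy (a front-end that parses ordinary path requests and distributes them to applications) can be shown in a few lines of request-handling logic. The following is an added example written for this archive page, not code from any poster or from SafeSquid; it assumes the RFC 1918 private ranges are "internal", uses hypothetical backend names (`app1.internal`, `app2.internal`), and tells the two request kinds apart by the HTTP request target form (absolute URI or CONNECT authority versus an origin-form path).

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: RFC 1918 ranges stand in for "internal clients" behind the gateway/NAT.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical reverse-proxy routing table: path prefix -> backend application.
BACKENDS = {
    "/app1/": "http://app1.internal:8080",
    "/app2/": "http://app2.internal:8080",
}


def classify_request(request_line: str) -> str:
    """Return 'forward' for proxy-style requests (absolute URI or CONNECT)
    and 'reverse' for origin-form requests (a bare path)."""
    method, target, _version = request_line.split(" ", 2)
    if method == "CONNECT":
        return "forward"          # CONNECT host:port -> tunnel through a forward proxy
    if target.startswith(("http://", "https://")):
        return "forward"          # absolute URI in the request line -> forward proxy
    if target.startswith("/"):
        return "reverse"          # ordinary path -> front-end (reverse proxy) request
    raise ValueError("unrecognised request target: " + target)


def is_internal(client_ip: str) -> bool:
    """True when the connecting client belongs to one of the internal networks."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in INTERNAL_NETS)


def route(request_line: str, client_ip: str) -> dict:
    """Decide what a combined front-end/forward-proxy server should do with a request.

    Forward-proxy requests are accepted only from internal clients, which is the
    'additional security' a forward proxy needs so that it is not usable as an open
    proxy from the Internet.  Reverse-proxy requests may come from anyone and are
    dispatched to a backend by path prefix.
    """
    kind = classify_request(request_line)
    method, target, _version = request_line.split(" ", 2)

    if kind == "forward":
        if not is_internal(client_ip):
            return {"kind": "forward", "action": "deny", "reason": "external client"}
        upstream = target if method == "CONNECT" else urlsplit(target).netloc
        return {"kind": "forward", "action": "allow", "upstream": upstream}

    for prefix, backend in BACKENDS.items():
        if target.startswith(prefix):
            return {"kind": "reverse", "action": "allow", "upstream": backend + target}
    return {"kind": "reverse", "action": "deny", "reason": "no backend for path"}


if __name__ == "__main__":
    # Constructed sample requests: internal client, external client, and a plain path.
    print(route("GET http://example.org/index.html HTTP/1.1", "192.168.1.20"))
    print(route("GET http://example.org/index.html HTTP/1.1", "203.0.113.5"))
    print(route("GET /app1/login HTTP/1.1", "203.0.113.5"))
```

The same server answers both request forms, which is exactly what the thread warns about: the reverse-proxy path is meant to be reachable from the Internet, so a forward-proxy path on the same listener must check the client's source network itself rather than relying on the NAT to keep outsiders away.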
