A proxy server usually serves multiple roles: it always acts as a security device, and optionally as a network management tool and/or a performance enhancement subsystem. At its simplest, a proxy server accepts requests from one or more computers and relays those requests to other computers, screening and/or controlling the access of PCs on an internal network to services on the Internet.
By blocking or limiting inbound connections from a WAN to a LAN (technically, by controlling IP forwarding) and presenting the Internet with a single outbound IP address, a proxy server provides features similar to those of a firewall, protecting the LAN from external intrusion.
Essentially, a proxy server acts as a router of application-level protocol exchanges, providing network address translation, which is useful as it hides the details of the internal network. This masking also potentially provides anonymity to the client (exactly how anonymous the client is depends on the client’s configuration).
Forward proxying, the protocol-level relaying of internal network requests to external hosts, can require the client application to specifically support proxy services or it can be transparent to the application.
Reverse proxying routes external requests from remote computers into the LAN rather than the internal requests from local computers out of the LAN. This provides a much more powerful DMZ solution than regular routers and firewalls can provide.
Because proxies handle data at the protocol level rather than the packet level, they can monitor and analyse entire protocol exchanges and thereby provide much more detailed filtering, monitoring, security and auditing capabilities than can security subsystems that aren’t aware of protocol-based transactions. This means undesirable content, such as specific text or data types you don’t approve of (executables, Flash content and ActiveX controls, for example), can be filtered out along with viruses and other malware.
Things get interesting when a proxy server is used as a performance enhancement subsystem. Because a proxy server examines every protocol exchange and relays requests, it can keep copies of the data so that multiple requests for identical content can be satisfied from a cache rather than having to re-issue the request to the remote server. Not only does this reduce WAN connection loading, but retrieving content from the proxy cache instead of a remote server can be orders of magnitude faster.
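As an added illustration (not from the article and not Blue Coat code), the skeleton below shows the two proxy behaviours just described working together: protocol-level inspection that blocks disallowed content types, and a cache that answers repeat requests locally. The MIME list, URLs and origin content are constructed for the example.

```python
# Toy forward-proxy core (constructed example): inspects each HTTP exchange, blocks disallowed content, caches what it relays.
from collections.abc import Callable
from dataclasses import dataclass, field
# Constructed policy: MIME types never relayed (executables, Flash, ActiveX objects).
BLOCKED_TYPES = {"application/x-msdownload", "application/x-shockwave-flash",
                 "application/x-oleobject"}
PE_MAGIC = b"MZ"  # DOS/PE header: catches executables mislabelled as text

@dataclass
class Response:
    status: int
    headers: dict[str, str]
    body: bytes

@dataclass
class ProxyCore:
    origin: Callable[[str], Response]  # stands in for the real WAN request
    cache: dict[str, Response] = field(default_factory=dict)
    stats: dict[str, int] = field(default_factory=lambda: {"hit": 0, "miss": 0, "blocked": 0})

    def policy_blocks(self, resp: Response) -> bool:
        # Protocol-level view sees both the declared type and the body, so check both.
        ctype = resp.headers.get("Content-Type", "").split(";")[0].strip().lower()
        return ctype in BLOCKED_TYPES or resp.body.startswith(PE_MAGIC)

    def fetch(self, url: str) -> Response:
        if url in self.cache:
            self.stats["hit"] += 1
            return self.cache[url]
        self.stats["miss"] += 1
        resp = self.origin(url)
        if self.policy_blocks(resp):
            self.stats["blocked"] += 1
            return Response(403, {"Content-Type": "text/plain"}, b"Blocked by proxy policy")
        # Cache only successful responses the origin allows to be stored.
        if resp.status == 200 and "no-store" not in resp.headers.get("Cache-Control", "").lower():
            self.cache[url] = resp
        return resp

# Constructed origin content standing in for remote servers.
ORIGIN = {
    "http://example.test/index.html": Response(200, {"Content-Type": "text/html"}, b"<h1>ok</h1>"),
    "http://example.test/setup.exe": Response(200, {"Content-Type": "application/x-msdownload"}, b"MZ\x90"),
    "http://example.test/notes.txt": Response(200, {"Content-Type": "text/plain"}, b"MZ in disguise"),
}

def demo() -> ProxyCore:
    proxy = ProxyCore(origin=ORIGIN.__getitem__)
    for url in ("http://example.test/index.html", "http://example.test/index.html",
                "http://example.test/setup.exe", "http://example.test/notes.txt"):
        proxy.fetch(url)
    return proxy  # stats: 1 hit, 3 misses, 2 blocked
```

The second request for index.html is served from the cache, while the executable is refused whether it is correctly labelled or disguised as plain text.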
Proxy servers can be simple add-on software such as the product we discussed a few weeks ago, or they can be complex, all-singing, all-dancing hardware-based offerings such as the Blue Coat ProxySG from Blue Coat Systems.
The ProxySG is an appliance-style device that handles Web, FTP and reverse proxy services, and content management and filtering, spyware prevention, Web virus scanning, instant-messaging control, peer-to-peer service control and bandwidth management. In other words, this isn’t just a proxy system but an entire suite of proxy-based content control, network security and performance management services.
The ProxySG appliances are not for the faint of heart. They have their own operating system, SGOS, which provides a complex Web-based management interface along with a more powerful command-line interface (CLI). Some features can’t be set up through the Web GUI — a pity because the CLI is hard work.
To see how complicated this system is, just take a look at the Configuration and Management Manual, which runs to 869 pages; the Command Line Interface Reference is a relative lightweight at 228 pages; and the Content Policy Language Guide weighs in at 390 pages. The SGOS 3.2.x Upgrade Guide, which wraps up the documentation, is a mere 32 pages.
We explored the ProxySG 400 quite deeply, but we will be the first to admit that we were overwhelmed by the scale of the product, and given the limited time available, there were features we simply didn’t have time to test. That said, the features we explored showed us that this is a first-class piece of engineering.
Basic setup is reasonably simple and configuration options abound. We particularly liked the Visual Policy Manager, a GUI that lets you define Web access and resource control policies without having to wrestle with Content Policy Language or having to manually edit policy files.
The ProxySG can also provide useful IT functions, such as forcing the display of a splash page (“We are watching where you go . . .” or “System maintenance from 2 to 3 p.m. today”) that is presented before users receive the contents of their HTTP requests. You can even configure the warning to appear only once a day for any given user.
Unfortunately, you can only set up this feature using the CLI so it involves lots of arcane commands, which means you’ll want to automate the process if you plan to do this routinely.
Another powerful feature of the ProxySG is its caching. Blue Coat says that up to 60 per cent of end-user requests for content are redundant, which means large organisations can reclaim a significant amount of Internet connectivity bandwidth. The ProxySG also supports policy-based bandwidth limits.
The bottom line is that the ProxySG architecture is powerful and, compared with products of similar technical heft, it looks like good value for money. When you move up to the big ProxySG models, such as the ProxySG 8000, you have a device capable of handling all these services for enterprise-sized operations at an excellent price/performance ratio.