On 7/24/08, Rich Schumacher <[EMAIL PROTECTED]> wrote:
> On Wed, Jul 23, 2008 at 8:50 AM, André Warnier <[EMAIL PROTECTED]> wrote:
> > Hi. Me again butting in, because I am confused again.
> > When users workstations within a company's local network have browsers
> configured to use an internal "http proxy" in order to access Internet HTTP
> servers, is this internal proxy system a "forward" or a "reverse" proxy ?
> > I am not talking here about a generic IP Internet router doing NAT, I am
> talking specifically about a "web proxy".  This HTTP proxy may also do NAT
> of course, but its main function I believe is to cache pages from external
> servers for the benefit of internal workstations, no ?
> > If this is a forward proxy, then I do not understand the comment of
> Solprovider that seems to indicate that such things are obsolete and/or
> dangerous.  At any rate, they are in use in most corporate networks I am
> aware of.
> > André
>
> What you are talking about is a forward proxy and most of the time they are
> transparent to the users behind them.  Things do get a little blurry,
> though, as sometimes they handle routing and NATing as well. SafeSquid
> (http://en.wikipedia.org/wiki/SafeSquid) of this in terms
> of software.  There are also hardware-based solutions, such as Barracuda
> Networks' web filter, but I do not believe this does caching.

Forward proxies are considered dangerous because the client is hidden
from Internet servers -- the Internet servers see the proxy server's
IP Address instead of the client's IP address creating a shield for
the client.  A malicious attacker can daisy-chain several open forward
proxies making tracking the client very difficult for administrators
and law enforcement.

I stated forward proxies were obsolete because they require
configuring the client to integrate with the forward proxy while most
of the beneficial legitimate functions can be gained without requiring
client configuration.  A gateway server can handle
- NAT between internal corporate clients and the Internet,
- Firewalling blacklisted IP Addresses and websites,
- Logging all traffic, and
- Saving and serving static pages from cache
Without the definitive feature of a forward proxy -- requiring every
client be configured to use the gateway server as a forward proxy.  A
gateway is protected by the NAT functionality -- only internal clients
can use the proxy function.  A forward proxy requires additional
security to prevent external clients from using the proxy function.

Any NAT protects the IP Addresses of internal clients, but integration
is handled at the network routing level rather than the application
level.  A NAT can be called a "proxy" because it hides the internal IP
Addresses or a "gateway" because it connects networks.  "Proxy"
requires disambiguation: "forward", "reverse", or "network."  I prefer
"gateway" rather than "network proxy" and "front-end Web server"
rather than the technically accurate "reverse proxy" because
non-technical people understand better.

SafeSquid is described as a "proxy" in Wikipedia and as a "gateway" in
Novell's marketing material:
   http://www.novell.com/partnerguide/product/206554.html
This page also states SafeSquid can "deliver user-benefits with
zero-software deployment at user-level systems" so SafeSquid does not
meet the definition of a forward proxy while providing the benefits of
cache, firewalling, blacklisting, logging, etc.

Definitions:
- Proxy: Something or someone hiding the clients' information.  A
lawyer may be a "proxy" bidding on property without identifying the
client.
- Gateway (or "Network Proxy"): Server connecting networks.  Called a
"router" if dedicated hardware.  Called a "gateway server" when
handling functions beyond network routing.
- Forward Proxy: A proxy requiring clients be configured to use the
forward proxy.  Clients' information is hidden even on same network.
- Reverse Proxy: A front-end server able to parse requests to
distribute to multiple applications.
- NAT (Network Address Translation): A function of a gateway when
different networks use different address schemes.  The address is
translated to the gateway's address on the new network; the gateway
translates responses to return to the requesting client.  The function
was once important to integrate different network types (IP, NetBIOS,
AppleTalk, etc.).  With the demise of most network protocols, this
term is currently almost-exclusively associated with "IP masquerading"
for connecting local networks to the Internet.

As SafeSquid proves, the many functions required to implement
"Corporate Internet Access Policies" can be handled by a gateway
server without requiring a forward proxy.  The only function specific
to a forward proxy is hiding client information from other computers
on the same network; I am still wondering if this function has a
legitimate use.

[As Rich's other posts indicate, his use of forward proxies was
laziness/productivity (using a forward proxy to avoid extra work
remotely accessing different computers during testing) or illegitimate
(bypassing corporate security).  I find his stories interesting and
informative.]

To answer André's last concern:
Yes, many companies use forward proxies because that was once the
recommended method to implement Corporate Internet Access Policies.
No, they do not need to use forward proxies to gain the same benefits
today.  Yes, most companies change very slowly.

solprovider
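The distinction the post draws can be seen on the wire: a client configured for a forward proxy sends an absolute URI (or CONNECT host:port), while an origin server or front-end (reverse) proxy only ever sees a bare path. The following is an added illustration, not code from anyone in this thread; it assumes a constructed internal address range (INTERNAL_NETS) and constructed request lines, and enforces the "only internal clients may use the proxy function" rule the post says a forward proxy needs on top of what NAT gives a gateway for free.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed corporate client ranges (constructed for this example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


def parse_request_line(line):
    """Split 'METHOD target HTTP/x.y' into its three parts."""
    parts = line.strip().split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line: %r" % line)
    return parts[0], parts[1], parts[2]


def is_forward_proxy_request(method, target):
    """True when the client is using us as a forward proxy: the request
    target is an absolute URI (absolute-form) or a CONNECT tunnel request.
    A reverse proxy / origin server only receives origin-form ('/path')."""
    if method == "CONNECT":
        return True
    return target.lower().startswith(("http://", "https://"))


def upstream_host(method, target):
    """Host the proxy would contact on the client's behalf (for logging)."""
    if method == "CONNECT":
        host = target.rpartition(":")[0]      # 'host:port' -> 'host'
        return host.strip("[]")               # tolerate '[v6addr]:port'
    return urlsplit(target).hostname


def classify(client_ip, request_line):
    """'origin' for a plain web request, 'forward-allowed' for a proxy
    request from an internal client, 'forward-rejected' for a proxy request
    from any other address (this is what keeps the proxy from being open)."""
    method, target, _ = parse_request_line(request_line)
    if not is_forward_proxy_request(method, target):
        return "origin"
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in INTERNAL_NETS):
        return "forward-allowed"
    return "forward-rejected"
```

Logging the result of classify() together with upstream_host() gives the "logging all traffic" record the post lists, and rejected proxy attempts from external addresses are the ones worth alerting on.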
