Chapter 15

How Proxy Servers Work



There are certain risks associated with allowing people inside an intranet to contact Internet servers and resources directly. An intranet user might download a file from the Internet that damages their own computer and, from there, the rest of the intranet. Additionally, when every intranet computer is allowed to connect to the Internet directly, each of those computers becomes a possible entry point, and it is difficult for intranet administrators to guard against intruders who attempt to take over an intranet computer or server.

A common way to block this kind of direct access is to use proxy servers. These servers sit inside a firewall, frequently on a bastion host (see Chapter 16 for more on how bastion hosts work). They balance two goals: giving intranet users easy access to the Internet while keeping the network secure. When someone inside the intranet wants to get information or a resource from the Internet (for example, to visit a Web page), they don't contact the Internet directly. Instead, they contact a proxy server inside the intranet firewall, and the proxy server contacts the Internet on their behalf (in this instance, a Web server). The Web server sends the page to the proxy server, and the proxy server then sends that page to the requester on the intranet.

Proxy servers can log every action they take, so that intranet administrators can check for attacks. Proxy servers offer other benefits as well. They can cache Internet Web pages on disk or in memory, so that when someone on the intranet returns to a Web page they've accessed before, the page is delivered directly from the proxy server and the request never has to go out across the Internet. Since intranet connections are usually much faster than Internet connections, this means quicker response and faster viewing of Web pages and other Internet resources. Caching is not appropriate for time-sensitive items such as stock quotes, however, because a cached page may no longer be the current version; a proxy has to expire cached copies after a set time, or bypass the cache entirely for such content.

There may be multiple proxy servers on a single intranet. There may be separate proxy servers for the Web, Telnet, FTP, and other Internet services. Often on an intranet, some services will be required to go through a proxy server while others will not. Telnet and FTP, for example, are normally forced through a proxy: a Telnet session gives an outside host an interactive login, and FTP moves files into and out of the intranet. When a new kind of Internet resource first becomes available, such as streaming multimedia files, it usually can't be proxied because proxy software for it has not yet been written. The intranet administrator then has to decide whether to block that service completely or allow it to be used without a proxy until proxy software catches up with the new technology.

Sometimes special proxy client software has to be used together with the proxy service. This can be a problem because not all operating systems have proxy clients for every Internet service, and nonstandard client software can be difficult to use. A better approach is to use standard, off-the-shelf software such as Netscape Navigator and fill in a configuration screen that tells the software where the proxy server can be found. The client software and the proxy server then take care of the rest.

How Proxy Servers Work

An integral part of many intranet security systems is a proxy server. A proxy server is software, running on a server that sits in a firewall, that acts as a go-between for computers on an intranet and the Internet. Proxy servers often run on bastion hosts. (See Chapter 16 for more information on bastion hosts.) Only the proxy server, instead of the many individual computers on the intranet, interacts with the Internet, so security can be maintained because one server can be kept far more secure than hundreds of individual intranet computers. Intranet administrators can set up proxy servers for many services, such as FTP, the Web, and Telnet. They decide which Internet services must go through a proxy server and which do not have to. Specific proxy server software is required for each different kind of Internet service.

  1. When a computer on the intranet makes a request to the Internet, such as to retrieve a Web page from a Web server, the internal computer actually contacts the proxy server, which in turn contacts the Internet server. The Internet server sends the Web page to the proxy server, which then forwards the page to the computer on the intranet.
  2. Proxy servers log all traffic between the Internet and the intranet. For example, a Telnet proxy server could record every keystroke typed in every Telnet session on the intranet, and could also record how the external server on the Internet responds to those keystrokes. Proxy servers can log each client IP address, the date and time of access, the URL, the number of bytes downloaded, and so on. This information can be used to analyze any attacks launched against the network. It can also help intranet administrators build better access and services for employees.
  3. Some proxy servers must work with special proxy clients. A more popular approach is to use off-the-shelf clients such as Netscape with proxy servers. When such an off-the-shelf package is used, it is configured from a configuration menu to use the proxy server. Then the intranet employee uses the client software as usual. The client software knows to send its requests to the proxy server rather than directly to the Internet.
  4. Proxy servers can do more than relay requests back and forth between an intranet and the Internet. They can also enforce security policy. For example, an FTP proxy server could be set up to allow files to be sent from the Internet to a computer on the intranet but to block files from being sent from the corporate network out to the Internet, or vice versa. In this way, intranet administrators can block anyone outside the corporation from retrieving vital corporate data, or they can stop intranet users from downloading files that may contain viruses.
  5. Proxy servers can also speed up some Internet services by caching data, that is, keeping copies of the requested data. For example, a Web proxy server could cache many Web pages, so that whenever someone on the intranet wants one of those pages, they get it directly from the proxy server over high-speed intranet lines instead of going out across the slower Internet connection to fetch the page again.
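The five steps above, relaying, logging, client configuration, policy enforcement, and caching, fit in a small HTTP forward proxy. The following is an added example written for this chapter, not code from the book or from any proxy product. It assumes a constructed policy (an allow-list of hostnames, GET only) in place of the FTP directional rules in step 4, a fixed cache lifetime, and a "no-cache" path prefix standing in for time-sensitive content such as stock quotes; the client simply points its browser's proxy setting at the port this program listens on (step 3).

```python
"""Minimal HTTP forward proxy: relay, log, enforce policy, cache.
Added example for this chapter; assumptions are marked below."""
import socket
import threading
import time
from urllib.parse import urlsplit

# Constructed policy (assumption): the only Internet hosts clients may reach.
ALLOWED_HOSTS = {"example.com", "www.example.com"}
# Assumption: paths holding time-sensitive data that must never be cached.
NO_CACHE_PREFIXES = ("/quotes",)
CACHE_TTL_SECONDS = 300          # assumption: cached copies expire after 5 minutes

_cache = {}                      # url -> (stored_at, response_bytes)
LOG = []                         # step 2: in-memory log (a real proxy writes to disk/syslog)


def parse_request_line(line):
    """Parse 'GET http://host[:port]/path HTTP/1.x' into (method, host, port, path).
    A browser configured to use a proxy sends the absolute URL, as in step 3."""
    parts = line.strip().split()
    if len(parts) != 3 or not parts[1].startswith("http://"):
        raise ValueError("not an absolute-URI HTTP proxy request")
    method, url, _version = parts
    u = urlsplit(url)
    if not u.hostname:
        raise ValueError("missing host")
    path = u.path or "/"
    if u.query:
        path += "?" + u.query
    return method, u.hostname.lower(), u.port or 80, path


def policy_allows(method, host):
    """Step 4: the proxy decides what may cross the boundary; here GET to allowed hosts."""
    return method == "GET" and host in ALLOWED_HOSTS


def cacheable(path):
    return not path.startswith(NO_CACHE_PREFIXES)


def cache_get(url, now=None):
    """Step 5: return a fresh cached copy, or None (stale entries are discarded)."""
    now = time.time() if now is None else now
    hit = _cache.get(url)
    if hit and now - hit[0] < CACHE_TTL_SECONDS:
        return hit[1]
    _cache.pop(url, None)
    return None


def cache_put(url, body, now=None):
    _cache[url] = (time.time() if now is None else now, body)


def log_entry(client_ip, url, result, nbytes, now=None):
    """Step 2: one record per request: time, client address, outcome, URL, bytes."""
    ts = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(time.time() if now is None else now))
    rec = f"{ts} {client_ip} {result} {url} {nbytes}"
    LOG.append(rec)
    return rec


def fetch_upstream(host, port, path):
    """Step 1: only the proxy opens the outbound connection (plain HTTP/1.0, no keep-alive)."""
    req = f"GET {path} HTTP/1.0\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    chunks = []
    with socket.create_connection((host, port), timeout=10) as s:
        s.sendall(req)
        while True:
            data = s.recv(65536)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def handle_request(client_ip, request_line, fetch=fetch_upstream, now=None):
    """Relay one request; returns (response_bytes, source) where source is
    'error', 'policy', 'cache' or 'upstream'. `fetch` is injectable for offline use."""
    try:
        method, host, port, path = parse_request_line(request_line)
    except ValueError:
        log_entry(client_ip, request_line.strip(), "400", 0, now)
        return b"HTTP/1.0 400 Bad Request\r\n\r\n", "error"
    url = f"http://{host}:{port}{path}"
    if not policy_allows(method, host):
        log_entry(client_ip, url, "403", 0, now)
        return b"HTTP/1.0 403 Forbidden\r\n\r\nblocked by proxy policy\r\n", "policy"
    if cacheable(path):
        body = cache_get(url, now)
        if body is not None:
            log_entry(client_ip, url, "HIT", len(body), now)
            return body, "cache"
    body = fetch(host, port, path)
    if cacheable(path):
        cache_put(url, body, now)
    log_entry(client_ip, url, "MISS", len(body), now)
    return body, "upstream"


def _serve_client(conn, addr):
    with conn:
        f = conn.makefile("rb")
        request_line = f.readline().decode("latin-1")
        while f.readline() not in (b"\r\n", b"\n", b""):   # drop client headers
            pass
        resp, _ = handle_request(addr[0], request_line)
        conn.sendall(resp)


def serve(port=8080):
    """Listen on the intranet side; in practice bind only the intranet-facing address."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(16)
        while True:
            conn, addr = srv.accept()
            threading.Thread(target=_serve_client, args=(conn, addr), daemon=True).start()


if __name__ == "__main__":
    serve()
```

Run it and point a browser's HTTP proxy setting at port 8080: a page from an allowed host is fetched by the proxy and served from cache on the next visit within five minutes, anything under `/quotes` is fetched fresh every time, and a request to any other host is refused with 403 and still logged, which is the point of step 2: the denied attempts are what an administrator reviews.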