There are certain risks associated with allowing people from inside an intranet to directly contact Internet servers and resources. An intranet user might obtain a file from the Internet that could damage the files on their computer and the entire intranet. Additionally, when intranet users are allowed unfettered access to the Internet, it is difficult for intranet administrators to guard against intruders who attempt to take over an intranet computer or server.
A common way to block this kind of access is to use proxy servers. These servers sit inside a firewall, frequently on a bastion host (see Chapter 16 for more on how bastion hosts work). They balance the two functions of providing intranet users with easy access to the Internet and keeping the network secure. When someone inside the intranet wants to contact the Internet to get information or a resource-for example, to visit a Web page-they don't actually contact the Internet directly. Instead, they contact a proxy server inside an intranet firewall, and the proxy server contacts the Internet (in this instance, a Web server). The Web server sends the proxy server the page, and the proxy server then sends that page to the requester on the intranet.
Proxy servers can log all actions they take so that intranet administrators can check for attacks. Proxy servers offer other benefits as well. They can cache Internet Web pages in their memory, so that when someone on the intranet wants to get back to a Web page they've accessed before, the Web page will be delivered directly from the proxy server, and the requester won't have to go out across the Internet. Since intranet connections are often made at higher speeds than Internet connections, that means quicker response and faster viewing of Web pages and other Internet resources. However, this would not be an acceptable response for time-sensitive items like stock quotes, because the cached Web pages are not the most current version.
There may be multiple proxy servers on a single intranet. There may be separate proxy servers for the Web, Telnet, FTP, and other Internet services. Often on an intranet, some services will require a proxy server, while others will not. For example, this includes anything involving Telnet or FTP, because they involve file transferring, and they would be likely to be on a proxy server. When a new Internet resource is first made available, such as streaming multimedia files, proxy servers usually can't be used because proxy server technology has not yet been developed for it. The intranet administrator will have to decide whether to block those services completely or let them be used until proxy software catches up to the new technology.
Sometimes special proxy client software has to be used in concert with proxy services. This can be a problem because not all operating systems have proxy clients for all Internet services. Other possible problems include nonstandard client software, which can be difficult to use. A better approach is to use standard, off-the-shelf software such as Netscape Navigator, and use a configuration screen that tells the software where the proxy server can be found. The software and server will then take care of the rest.
An integral part of many intranet security systems is a proxy server. A proxy server is software and a server that sits in a firewall and acts as a go-between among computers on an intranet and the Internet. Proxy servers often run on bastion hosts. (See Chapter 16 for more information on bastion hosts.) Only the proxy server-instead of the many individual computers on the intranet-interact with the Internet, so security can be maintained because the server can be kept more secure than can hundreds of individual intranet computers. Intranet administrators can set up proxy servers to be used for many services, such as FTP, the Web, and Telnet. Intranet administrators decide which Internet services must go through a proxy server, and which do not have to. Specific proxy server software is required for each different kind of Internet service.