The "No Network is 100% Secure" series
- Proxy Servers -
A White Paper
All rights reserved - may not be copied without permission
Easyrider LAN Pro, NOC Design Consultants
What is a proxy server?: A proxy server is a computer system or an application program that acts as a go-between for requests from clients seeking resources from other servers. A proxy server has two primary purposes: first, to keep the machines behind it anonymous, mainly for security reasons; and second, to speed up access to a resource via caching and other methods. Proxy servers are commonly used to cache web pages from a web server and to provide a safer web surfing experience.
Caching proxy servers: A caching proxy server accelerates service requests by retrieving content saved from a previous request made by the same or other clients. Caching proxies keep local copies of frequently requested resources, allowing large organizations to significantly reduce their upstream bandwidth usage and cost while significantly increasing performance. Another important use of the proxy server is to reduce hardware cost. An organization may have many workstations on the same network, making an individual Internet connection for each system impractical. In such a case, the individual workstations can be connected to one proxy server, with the proxy server making all of the Internet web page requests. A caching proxy server that focuses on WWW traffic is called a "web proxy". Most proxy programs provide a means to deny access to certain URLs listed in a blacklist, thus providing content filtering.
Content filtering proxy servers: A content-filtering web proxy server provides administrative control over the content that may be relayed through the proxy. It is commonly used in commercial and non-commercial organizations (especially schools) to ensure that Internet usage conforms to acceptable use policy. A content filtering proxy will often support user authentication, to control web access. It also usually produces logs, either to give detailed information about the URLs accessed by specific users, or to monitor bandwidth usage statistics. It may also provide security against viruses and other malware by scanning incoming content in real time before it enters the network.
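To make the caching and content-filtering behaviour described in the two paragraphs above concrete, here is an added example (it is not code from this white paper or from any of the proxy products mentioned in it). It models the three pieces a filtering web proxy combines: a blacklist of URL regular expressions with a category attached to each, an administrator-chosen set of banned categories, a small expiring response cache for GET requests, and a per-user log line for every decision. Denied requests return 403 and are never cached. The patterns, categories, hostnames (all under the reserved .test domain) and the fetch function are constructed for illustration.

```python
import re
import time
from dataclasses import dataclass

# Constructed sample blacklist: URL patterns (regular expressions) with a content
# category, standing in for the vendor-supplied pattern database. Everything here
# is an assumption for the example; real databases hold millions of entries.
BLACKLIST = [
    (re.compile(r"^https?://([^/]+\.)?example-gambling\.test/"), "gambling"),
    (re.compile(r"^https?://([^/]+\.)?social\.example\.test/"), "social networking"),
    (re.compile(r"^https?://[^/]+/.*\.(exe|scr)(\?.*)?$"), "executable download"),
]
# The administrator decides which broad classes to ban; others are logged but allowed.
BANNED_CATEGORIES = {"gambling", "executable download"}


def categorize(url):
    """Return the category of the first matching blacklist pattern, or None."""
    for pattern, category in BLACKLIST:
        if pattern.search(url):
            return category
    return None


def decide(url, banned=BANNED_CATEGORIES):
    """Policy check on the request URL: ("deny", category) or ("allow", category_or_None)."""
    category = categorize(url.lower())  # case-insensitive host/path matching
    if category in banned:
        return "deny", category
    return "allow", category


@dataclass
class CacheEntry:
    body: bytes
    expires_at: float


class ResponseCache:
    """Minimal expiring cache keyed by URL; only successful GET bodies are stored."""

    def __init__(self, default_ttl=60.0, clock=time.monotonic):
        self._entries = {}
        self._ttl = default_ttl
        self._clock = clock  # injectable so expiry can be tested without sleeping
        self.hits = 0
        self.misses = 0

    def get_or_fetch(self, url, fetch):
        now = self._clock()
        entry = self._entries.get(url)
        if entry is not None and entry.expires_at > now:
            self.hits += 1
            return entry.body
        self.misses += 1
        body = fetch(url)  # upstream retrieval happens only on a miss
        self._entries[url] = CacheEntry(body, now + self._ttl)
        return body


def handle_request(method, url, user, cache, fetch, log):
    """Apply the URL policy, serve from cache where possible, and log the outcome.

    Returns (http_status, body). `fetch(url) -> bytes` is the upstream retrieval
    (a stub in the tests). `log` is any list-like sink for one line per request.
    """
    verdict, category = decide(url)
    if verdict == "deny":
        log.append(f"{user} DENY {method} {url} category={category}")
        return 403, b"Blocked by policy: " + category.encode()
    if method != "GET":
        # POST and friends are not cacheable; pass them straight upstream.
        log.append(f"{user} ALLOW {method} {url} cache=BYPASS")
        return 200, fetch(url)
    hits_before = cache.hits
    body = cache.get_or_fetch(url, fetch)
    state = "HIT" if cache.hits > hits_before else "MISS"
    log.append(f"{user} ALLOW {method} {url} cache={state} category={category}")
    return 200, body


def demo():
    """Run a few constructed requests through the proxy logic and return the log."""
    fetched = []

    def fake_fetch(url):  # stands in for the real upstream HTTP client
        fetched.append(url)
        return b"<html>" + url.encode() + b"</html>"

    cache, log = ResponseCache(default_ttl=60.0), []
    handle_request("GET", "http://news.example.test/", "alice", cache, fake_fetch, log)
    handle_request("GET", "http://news.example.test/", "bob", cache, fake_fetch, log)
    handle_request("GET", "http://www.example-gambling.test/bet", "bob", cache, fake_fetch, log)
    handle_request("GET", "http://social.example.test/feed", "carol", cache, fake_fetch, log)
    return log, fetched


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

The second request for the news page is served from cache without touching the upstream, the gambling URL is refused before any fetch, and the social networking site is fetched but its category is recorded in the log so an administrator can later decide to ban it.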
Anonymous proxy servers: An anonymous proxy server is used to anonymize web surfing. There are different types of anonymizers. One of the more common variations is the open proxy. Because they are typically difficult to track, open proxies are especially useful to those seeking online anonymity such as political dissidents and computer criminals. Firefox has an anonymous surfing plug-in that is readily available. There are also commercially hosted proxy servers.
Hostile and intercepting proxy servers: Proxies exist that can eavesdrop on data communications between client machines and the web. All accessed pages, as well as all forms submitted, can be captured and analyzed by the proxy operator. For this reason, passwords to online services such as webmail and banking should always be exchanged over a cryptographically secured connection, such as SSL. An intercepting proxy (also known as a "transparent proxy") redirects client browser requests through the proxy without client-side configuration or knowledge. Intercepting proxies are commonly used in businesses to prevent avoidance of acceptable use policy, and to ease administrative burden, since no client browser configuration is required. The term "transparent proxy" is most often used incorrectly to mean "intercepting proxy", because the client does not need to configure a proxy and cannot directly detect that its requests are being proxied. Transparent proxies can be implemented using Cisco's WCCP (Web Cache Control Protocol). This proprietary protocol resides on the router and is configured from the cache, allowing the cache to determine which ports and traffic are sent to it via transparent redirection from the router. This redirection can occur in one of two ways: GRE tunneling (OSI Layer 3) or MAC rewrites (OSI Layer 2).
Circumventors: A circumventor is a means of defeating blocking policies that are implemented with proxy servers; most circumventors are themselves proxy servers with policy-bypass capabilities. A circumventor is a web-based page that takes a site that is blocked and "circumvents" it through to an unblocked web site, allowing the user to view blocked pages. A famous example is elgooG, which allowed users in China to use Google after it had been blocked there. elgooG differs from most circumventors in that it circumvents only one block.
Content filtering: Many businesses and schools restrict the web sites and online services that are made available in their buildings. This is done either with a specialized proxy, called a content filter (both commercial and free products are available), or by using a cache-extension protocol such as ICAP, which allows plug-in extensions to an open caching architecture. Requests made to the Internet must first pass through an outbound proxy filter. The web-filtering company provides a database of URL patterns (regular expressions) with associated content attributes. This database is updated frequently, much like virus definitions are. The administrator instructs the web filter to ban broad classes of content such as sports, pornography, online shopping, gambling, or social networking. Requests that match a banned URL pattern are rejected. Assuming the requested URL is acceptable, the content is then fetched by the proxy. At this point a dynamic filter may be applied on the return path. For example, JPEG files could be blocked based on flesh-tone matches, or language filters could dynamically detect unwanted language. If the content is rejected, an HTTP fetch error is returned and nothing is cached.
Most web filtering companies use an Internet crawling robot that assesses the likelihood that content is of a certain type (e.g. "this content has a 70% chance of being porn, a 40% chance of sports, and a 30% chance of news" could be the outcome for one web page). The resultant database is then corrected manually based on complaints or known flaws in the content-matching algorithms.
Web filtering proxies are not able to peer inside HTTPS (SSL-encrypted) transactions. As a result, users wanting to bypass web filtering will typically search the Internet for an open and anonymous HTTPS transparent proxy. They then configure their browser to send all requests through the web filter to this anonymous proxy. Those requests are encrypted with HTTPS, so the web filter cannot distinguish them from legitimate access to an acceptable web site. Thus, content filters are only effective against unsophisticated users.
A special case of web proxies is the "CGI proxy". These are web sites that allow a user to access another site through them; they generally use PHP or CGI to implement the proxy functionality. Such proxies are frequently used to gain access to web sites blocked by corporate or school proxies. Since they also hide the user's own IP address from the web sites accessed through them, they are sometimes also used to gain a degree of anonymity, a practice called "proxy avoidance".
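Because the filter cannot look inside an HTTPS session, all it has for such requests is the CONNECT target (host and port) and its own access log. The following added example, which is not code from this white paper or from Squid or any other product named in it, shows the defender's side of the paragraph above: a CONNECT policy that only tunnels to the HTTPS port and refuses bare IP addresses, plus a scan over constructed Squid-style access.log lines that flags tunnels denied by that policy and clients whose tunnels almost all go to a single host, which is what a browser that has been pointed at an external anonymous proxy looks like from the filter. The log field layout, the thresholds, and every address and hostname are assumptions.

```python
import ipaddress
from collections import Counter, defaultdict

# Ports to which the filter will open a CONNECT tunnel (assumption: HTTPS only).
ALLOWED_CONNECT_PORTS = {443}


def connect_target(target):
    """Split the 'host:port' target of a CONNECT request; IPv6 literals are bracketed."""
    host, sep, port = target.rpartition(":")
    if not sep or not port.isdigit():
        return None, None
    return host.strip("[]"), int(port)


def is_ip_literal(host):
    """True when the host is a bare IPv4/IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def connect_policy(host, port, allowed_ports=ALLOWED_CONNECT_PORTS):
    """Decide whether to open a tunnel. The filter cannot inspect the encrypted
    payload, so the destination host and port are all it can judge."""
    if port not in allowed_ports:
        return "deny", f"port {port} not an allowed CONNECT port"
    if is_ip_literal(host):
        return "deny", "CONNECT to a bare IP address"
    return "allow", "ok"


# Field names of Squid's native access.log layout (assumption; adapt for other proxies).
LOG_FIELDS = ("ts", "elapsed", "client", "result", "bytes",
              "method", "url", "user", "hier", "ctype")


def parse_squid_line(line):
    parts = line.split()
    if len(parts) < len(LOG_FIELDS):
        return None
    return dict(zip(LOG_FIELDS, parts))


def find_suspicious_tunnels(lines, allowed_ports=ALLOWED_CONNECT_PORTS,
                            funnel_min=5, funnel_share=0.9):
    """Return (client, target, reason) findings for CONNECT traffic in the log."""
    findings = []
    tunnels_per_host = defaultdict(Counter)  # client -> {dest host: tunnel count}
    for line in lines:
        rec = parse_squid_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        host, port = connect_target(rec["url"])
        if host is None:
            findings.append((rec["client"], rec["url"], "unparseable CONNECT target"))
            continue
        verdict, reason = connect_policy(host, port, allowed_ports)
        if verdict == "deny":
            findings.append((rec["client"], rec["url"], reason))
        tunnels_per_host[rec["client"]][host] += 1
    # Heuristic (assumed thresholds): a browser configured to chain through one
    # external proxy sends nearly all of its tunnels to that single host.
    for client, hosts in tunnels_per_host.items():
        total = sum(hosts.values())
        host, n = hosts.most_common(1)[0]
        if total >= funnel_min and n / total >= funnel_share:
            findings.append((client, host, f"{n}/{total} tunnels to one host"))
    return findings


# Constructed sample log lines in Squid's native format (documentation addresses only).
SAMPLE_LOG = """\
1237990000.101 312 10.0.0.5 TCP_MISS/200 4210 CONNECT mail.example.test:443 alice HIER_DIRECT/192.0.2.10 -
1237990001.204 120 10.0.0.5 TCP_HIT/200 9120 GET http://news.example.test/ alice NONE/- text/html
1237990002.330 455 10.0.0.7 TCP_MISS/200 5120 CONNECT 198.51.100.23:8080 bob HIER_DIRECT/198.51.100.23 -
1237990003.001 460 10.0.0.7 TCP_MISS/200 5200 CONNECT 198.51.100.23:8080 bob HIER_DIRECT/198.51.100.23 -
1237990004.118 470 10.0.0.7 TCP_MISS/200 4990 CONNECT 198.51.100.23:8080 bob HIER_DIRECT/198.51.100.23 -
1237990005.420 300 10.0.0.7 TCP_MISS/200 6100 CONNECT 198.51.100.23:443 bob HIER_DIRECT/198.51.100.23 -
1237990006.777 310 10.0.0.7 TCP_MISS/200 6050 CONNECT 198.51.100.23:443 bob HIER_DIRECT/198.51.100.23 -
1237990010.100 200 10.0.0.9 TCP_MISS/200 800 CONNECT proxy-host.example.test:8443 carol HIER_DIRECT/203.0.113.5 -
"""

if __name__ == "__main__":
    for client, target, reason in find_suspicious_tunnels(SAMPLE_LOG.splitlines()):
        print(f"{client} -> {target}: {reason}")
```

The funnel heuristic is deliberately a second signal rather than a block rule: a user who spends the whole day in one webmail site also sends most tunnels to one host, so that finding is worth a look, not an automatic denial. The port and IP-literal checks, on the other hand, are cheap to enforce in the proxy itself and remove the most common way of chaining to an outside proxy on an arbitrary port.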
Anonymous proxy server use risks: In using a proxy server such as an anonymizing HTTP proxy, all sent data must pass through the proxy server before being sent to the actual web site, mostly in unencrypted form. It is therefore a real risk that a malicious proxy server may record everything sent, including unencrypted logins and passwords. Therefore, be wary when using anonymizing proxy servers and only use proxy servers of known integrity. If there is no choice but to use unknown proxy servers, do not pass any private information unless it is over an encrypted connection. In what is more of an inconvenience than a risk, proxy users may find themselves being blocked from certain web sites, as numerous forums and web sites block IP addresses from proxies known to have spammed or trolled the site.
Free and open source proxy software:
- The Apache HTTP Server can be configured to act as a proxy server.
- Delegate is a proxy server which runs on multiple platforms.
- I2P is a proxy-like decentralized network for anonymizing Internet data transfers.
- Nginx is a web and reverse proxy server that can also act as a POP3 proxy server.
- PHProxy is one of the oldest proxy scripts in use on the Internet.
- Pound is a reverse proxy, load balancer and HTTPS front-end for Web server(s).
- Privoxy is a web proxy with privacy and ad-blocking features.
- Squid is a popular UNIX/Linux HTTP proxy server.
- Tor is a proxy-based anonymizing Internet communication system.
- Varnish is designed to be a high-performance caching reverse proxy.
Next in the security white paper series:
How Cyber Criminals will mature over the next ten years
Are you vulnerable to drive-by exploits?
High value sites recent hacks
IT employment challenges of the 21st century
Employment reference checking white paper
Competency Certifications White Paper
Firewall White Paper
Virus White Paper
GhostNet White Paper
Password White Paper
Digital Identification Certificates White Paper
Cryptography White Paper
OpenID White Paper
Intrusion Detection Systems IDS White Paper
Rootkit White Paper
Unnecessary Windows XP Services White Paper
Scareware White Paper
Exaflood Internet Brownout White Paper
Cloud Computing White Paper
Personal Computer PC Security White Paper
Phishing White Paper
DNS Poisoning White Paper
Conficker White Paper
SPAM White Paper
Best Practices White Paper
Denial of Service DoS White Paper
Trojan Virus Attacks White Paper
Port Scanning White Paper
Monitoring Basics 101 White Paper
Monitoring Basics 102 White Paper
Monitoring Basics 103 White Paper
Virtual Machine Security White Paper
Aurora vulnerability White Paper
Shelfware White Paper
Outsourced IT White Paper
Easyrider LAN Pro Consulting services:
Network Security Audit and PC Tune-up service
- Proxy server installation and configuration
- Enterprise security consultations
- Disaster recovery planning
- Disaster recovery services
- Capacity, migration and upgrade planning
- Build and deploy central syslog server
- Build trouble ticket systems
- Design and build monitoring environments
- Design and build Network Operations Centers (NOC)
- HP Openview, BMC Patrol consulting
Last modified March 25, 2009
Copyright 1990-2009 Easyrider LAN Pro