Proxy Server

In the last article we discussed what a firewall is. Let us now discuss proxy servers in detail.

Proxy servers are also commonly used in firewalls. A proxy server is server software that runs on a host in a firewall, such as a bastion host. Because only a single proxy server (instead of the many individual computers on the network) interacts with the Internet, security can be maintained. That single server can be kept more secure than hundreds of individual computers on a network.

When someone on the Intranet wants to access a server on the Internet, a request from the computer is sent to the proxy server. The proxy server contacts the server on the Internet and then sends the information from the Internet server to the computer inside the corporate network. By acting as a go-between, proxy servers can maintain security as well as log all traffic between the Internet and the network.

How Proxy Servers Work

There are many proxy servers available in the market. The one most commonly used in Pune, especially in the net cafes, is MS Proxy Server. Let us understand the features of a proxy server, taking MS Proxy Server as an example.

Extensible Firewall security

Packet layer security with dynamic packet filtering
It supports inbound and outbound packet filtering. Proxy Server intelligently and dynamically determines which packets to allow passing through to the secured network's circuit and application-layer proxy services. Rather than force a network manager to manually predefine and permanently open a set of ports for different applications, this feature opens ports automatically only as needed, then closes the ports when the communication ends. This approach minimizes the number of exposed ports in either direction and provides a unique measure of hassle-free security.
Circuit layer security
Protect your Intranet via the Winsock proxy and the new SOCKS proxy. Circuit layer security works with dynamic packet filtering for enhanced security and ease of use.
Application layer security
Microsoft Proxy Server 2.0 understands and interprets commands within the application protocols (such as HTTP, FTP, and Gopher) from client PCs. Proxy Server acts on behalf of the client PC to interact with the Internet resource. The network topology and IP or IPX addresses are not revealed to the outside network.
Real-time security alerts
You can be notified immediately if your network is under attack so you can take action. Microsoft Proxy Server 2.0 supports several alerting thresholds and variables for great flexibility.
Reverse Proxy
You can place your Web server behind Proxy Server to publish to the World Wide Web without compromising the security of the Web server or its data. Proxy Server "impersonates" a Web server to the outside world, while your Web server maintains access to internal network services.
Reverse hosting
This extension of reverse proxy allows several Web servers sitting behind Microsoft Proxy Server to publish to the Internet, providing great flexibility and security in Web publishing. These additional Web servers can publish independently or appear as directories in a single, large virtual Web server.
Server proxying
Microsoft Proxy Server 2.0 has the ability to listen for inbound packets destined to a server computer that is connected behind the Proxy Server computer. Proxy Server then forwards the incoming requests. For example, incoming mail can be directed to your Microsoft Exchange Server computer.
Extensive logging support
Microsoft Proxy Server 2.0 logs through log files or to ODBC databases so network managers have a complete profile of inbound and outbound traffic moving through the Proxy Server computer. Logging has been expanded in Microsoft Proxy Server 2.0 to include alert information and other new firewall-related activity.
Virtual private networking with routing and remote access service update
You can use Microsoft Proxy Server 2.0 on the same server with Routing and Remote Access Service for Windows NT Server to connect branch offices to a corporate network via the Internet. Using the Internet as a Virtual Private Network provides big cost savings compared to traditional Wide Area Network (WAN) options. This provides all-in-one access and control for use with Internet and connectivity to a MultiMate intranet.
Secure sockets layer tunneling
Microsoft Proxy Server permits SSL tunneling, which provides an encrypted path between the client and remote server. This feature is useful for secure Internet transactions and other applications.
Full authentication/logging
The built-in WinSock Proxy performs full access control and encrypted authentication, and logs all transactions.
Complementary Third-Party Applications - the Virtual Bundle
A variety of third-party products "plug in" to Microsoft Proxy Server 2.0 for value-added or specialized security. For example, you can use filters to prevent viruses, Java scripts, or ActiveX™ controls from being downloaded into your secured network. Third-party applications work with Proxy Server via the Internet Server Application Programming Interface (ISAPI). This extensibility gives customers great choice and flexibility.
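
The dynamic packet filtering described in the list above can be modelled in a few lines. This is an added illustration, not Microsoft Proxy Server code; the class names, addresses and ports are constructed for the example. It shows a return path opening only when an internal client starts a conversation and closing again when that conversation ends.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Flow:
    """One outbound conversation: internal endpoint -> external endpoint."""
    int_ip: str
    int_port: int
    ext_ip: str
    ext_port: int

@dataclass
class DynamicFilter:
    """Toy model (hypothetical): no port is predefined or left open."""
    open_flows: set = field(default_factory=set)

    def outbound(self, flow, fin=False):
        """An internal host sends a packet; its return path opens on demand."""
        if fin:
            self.open_flows.discard(flow)   # communication ended: close the port
        else:
            self.open_flows.add(flow)       # open only this one return path
        return "ALLOW"

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """An external packet passes only as a reply to a currently open flow."""
        reply_to = Flow(dst_ip, dst_port, src_ip, src_port)
        return "ALLOW" if reply_to in self.open_flows else "DROP"

    def exposed_ports(self):
        """Internal ports reachable from outside at this moment."""
        return sorted({f.int_port for f in self.open_flows})

def demo():
    fw = DynamicFilter()
    web = Flow("10.0.0.5", 40001, "203.0.113.10", 80)   # constructed sample flow
    results = [fw.inbound("203.0.113.10", 80, "10.0.0.5", 40001)]      # unsolicited
    fw.outbound(web)
    results.append(fw.inbound("203.0.113.10", 80, "10.0.0.5", 40001))  # genuine reply
    results.append(fw.inbound("198.51.100.7", 80, "10.0.0.5", 40001))  # different host
    fw.outbound(web, fin=True)
    results.append(fw.inbound("203.0.113.10", 80, "10.0.0.5", 40001))  # after close
    return results, fw.exposed_ports()

if __name__ == "__main__":
    print(demo())
```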

Performance and cost savings with distributed caching

Array-based content caching
New! Proxy Server now allows you to set up distributed caching among multiple Proxy Server computers. Arrays allow a group of Proxy Server computers to be treated and administered as a single, logical entity. Arrays provide load balancing, fault tolerance, scalability, and ease of administration.

Hierarchical content caching
New! Proxy Server now enables caching across a hierarchical connection of individual Proxy Server computers or arrays, enabling distributed deployment to branch offices and departments. Requests from clients are sent upstream through the hierarchy until the requested object is found.

Cache array routing protocol
New! This is a new approach for performing scalable array-based and hierarchical-based caching that has been submitted to the IETF. The new protocol, developed by Microsoft, provides substantial advantages over alternative approaches in performance to enable linear scalability with cache arrays or hierarchies. Microsoft Proxy Server 2.0 is the first product to make use of this protocol.

Active Intelligent Caching
Microsoft Proxy Server 2.0 automatically determines which Web sites are most used and how frequently their content is refreshed. Proxy Server uses this information to proactively preload that Web content into its cache during periods of low network use. This provides a consistent, accelerated Internet experience for all users accessing these Web sites, without requiring network manager intervention.

FTP and HTTP cache support
New! Now you can cache not only HTTP 1.0 objects but also HTTP 1.1 and FTP objects. There is greater control over the Time-to-Live (TTL) setting as well, with Microsoft Proxy Server version 2.0.

Hypertext Transfer Protocol (HTTP) version 1.1
New! Implementation of HTTP 1.1 allows Proxy Server to use persistent client-to-proxy server connections, persistent proxy server-to-Internet server connections, read-range, and virtual hosts. Full support of HTTP 1.1 helps Microsoft Proxy Server deliver significant performance gains. (NOTE: Full HTTP 1.1 support requires use of the Internet Information Server 4.0 HTTP engine, which is not supported in the initial beta.)

Improved cache and Proxy performance
New! Microsoft Proxy Server 2.0 offers unbeaten performance to meet real-world requirements of fulfilling requests not only from the cache but also from across a live Internet connection, all while performing the full range of security and managed access. Microsoft Proxy Server 2.0 is up to 40 percent faster than Proxy Server 1.0.

Easy, comprehensive management support

Windows NT Server integration
Microsoft Proxy Server capitalizes on features that make Windows NT® Server a secure, scalable network operating system. This includes the best integration with the Windows NT Server directory service for easier manageability and reduced total cost of ownership. Microsoft Proxy Server supports a single user logon for network services and applications so user accounts do not have to be recreated for Proxy Server.

User access control
Network managers can use Microsoft Proxy Server to set detailed user and group permission lists by Internet protocol in the Web Proxy, WinSock Proxy, and SOCKS Proxy components.

Site filtering
Network managers can specify a list of Internet addresses (IP addresses, IP address ranges, or URLs) to be exclusively permitted or denied for access by users behind the Proxy Server.
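
A sketch of how such a site filter can be evaluated, as an added example that is not Microsoft Proxy Server code. The class name, the two modes and every list entry are constructed for illustration, and URL entries are assumed to be given as host names. It covers single IP addresses, address ranges and domains, and refuses any destination it cannot parse.

```python
import ipaddress
from urllib.parse import urlsplit

class SiteFilter:
    """Hypothetical filter. mode='deny': listed destinations are blocked.
    mode='permit': only listed destinations pass (exclusive allow list)."""

    def __init__(self, mode, entries):
        if mode not in ("permit", "deny"):
            raise ValueError("mode must be 'permit' or 'deny'")
        self.mode = mode
        self.networks, self.domains = [], set()
        for entry in entries:
            try:
                # A single address parses as a one-host network.
                self.networks.append(ipaddress.ip_network(entry, strict=False))
            except ValueError:
                self.domains.add(entry.lower().rstrip("."))

    def _listed(self, host):
        host = host.lower().rstrip(".")
        try:
            addr = ipaddress.ip_address(host)
            return any(addr in net for net in self.networks)
        except ValueError:
            pass   # not an IP literal, so compare as a host name
        # Match the domain itself or a true subdomain, never a bare suffix:
        # "notgames.example" must not match the entry "games.example".
        return any(host == d or host.endswith("." + d) for d in self.domains)

    def allows(self, url):
        host = urlsplit(url).hostname
        if host is None:
            return False   # unparseable destination: fail closed
        listed = self._listed(host)
        return listed if self.mode == "permit" else not listed

if __name__ == "__main__":
    # Constructed sample policy and requests.
    deny = SiteFilter("deny", ["203.0.113.0/24", "games.example"])
    for u in ("http://203.0.113.9/", "http://www.games.example/play",
              "http://notgames.example/", "http://192.0.2.1/"):
        print(u, deny.allows(u))
```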

GUI-based administration
Microsoft Proxy Server's Internet Service Manager provides an easy-to-understand way to administer a local or remote proxy server computer, proxy array, or proxy hierarchy.

Web administration
New! You can administer Microsoft Proxy Server locally or remotely via a Web browser for added management flexibility and ease-of-use. You can even create customized HTML error pages. (Note: Web Administration Tool is currently available as a separate download.)

Command line administration
New! This tool lets you manage Microsoft Proxy Server through MS-DOS® operating system prompts if that is your preference. You can configure and manage one or more local or remote servers with this tool.

Array administration
New! Multiple proxy servers can be administered simultaneously via transparent array-based administration. This allows a change to be propagated to other proxy servers with a single mouse click.

Configuration backup & restore
New! You can now back up your server configuration to a file or roll back to a previous configuration.

Client auto-configuration
New! You can automatically configure Web Proxy clients by using predefined JavaScripts or by creating your own scripts for great ease-of-use and fast enterprise-wide deployment. You can also use the Internet Explorer Administration Kit or Microsoft Systems Management Server to automate the proxy client installation.

SNMP support
A network manager can monitor and examine the current status of any Microsoft Proxy Server on the network using an SNMP console such as HP OpenView for added flexibility and reduced cost of ownership.

Flexible networking and applications support

IPX-to-IP gateway
Unlike other proxy servers, Microsoft Proxy Server 2.0 does not require that network managers "rip and replace" existing legacy IPX networks with IP networks. This built-in IPX-to-IP gateway can be much less expensive than other solutions. Windows 95 and Windows NT Workstation 4.0 clients are supported.

Auto-Dial connection
This unique feature dynamically connects your network to your ISP as needed, providing even more cost savings and user access control. This also includes a backup route to the Internet if the primary path is busy.

SOCKS support
New! You can now configure Microsoft Proxy Server as a SOCKS Server for easy access to rich Internet Services for Macintosh, UNIX or other client PCs.

Unbeaten LAN and WAN connectivity options
Microsoft Proxy Server 2.0 can be used with more than 2,000 LAN and WAN cards that have earned the Windows NT Compatible logo. This provides unbeaten customer choice and flexibility.

Great protocol support
A great variety of protocols is built in to Proxy Server, and more protocols can be added. The Web Proxy supports HTTP, HTTP-S, FTP, and Gopher. The WinSock Proxy includes: AlphaWorld, AOL, Archie, Echo, Enliven, IMAP4, IRC, Microsoft NetShow, MSN™ online service, NNTP, POP3, RealAudio, SMTP, Telnet, and VDOLive. Other protocols can be added with the WinSock Proxy service and with the SOCKS Proxy service.

The author, Mrs. Vaishali Tapaswi, is Director, Fands Infotrainers, and can be reached at vaishali@fandsindia.com.

Source - How the Internet Works by Preston Gralla and www.microsoft.com