Skip to main content

The Concise Guide to Proxies

In legal term doing proxy is a crime but in IT space it is a security measure, there are various usage and types of proxies.
Proxies are hardware or software solutions that sit between the client and the server and act like a mediator intercepting the requests and responses. The most often heard use of the term proxy is in conjunction with anonym zing Web surfing. That's because proxies sit between your browser and your desired destination and proxy the connections; that is you talk to the proxy while the proxy talks to the web server and neither you nor the web server know about each other.

Proxies are not all the same. Some are half proxies, some are full proxies; some are forward and some are reverse. let see different types of proxies

FORWARD PROXIES 

Forward proxies are probably the most well known of all proxies, primarily because most folks have dealt with them either directly or indirectly. Forward proxies are those proxies that sit between two networks, a private internal network and the public Internet. Forward proxies usually these sits in front of the client and deployed in DMZ zone handling outbound requests
  
Forward proxies are generally HTTP (Web) proxies that provide a number of services but primarily focus is on web content filtering and caching services. These forward proxies often include authentication and authorization as a part of their product to provide more control over access to public content. If you ever got a web page saying "Your request has been denied" or "URL Blocked" If you think this is an error please contact the help desk/your administrator" then you've probably used a forward proxy.

REVERSE PROXIES

A reverse proxy is less well known, generally because we don't use the term anymore to describe products used as such. Load balancers and caches are good examples of reverse proxies. Reverse proxies sit in front of web and application servers and process requests for applications and content coming in from the public Internet to the internal, private network.

Reverse proxies are usually deployed in trusted zone.

Reverse proxies are also generally focused on HTTP but in recent years have expanded to include a number of other protocols commonly used on the web such as streaming audio (RTSP), file transfers (FTP), and generally any application protocol capable of being delivered via UDP or TCP. 

HALF PROXIES 

Half-proxy is a description of the way in which a proxy, reverse or forward, handles connections. There are two uses of the term half-proxy: one describing a deployment configuration that affects the way connections are handled and one that describes simply the difference between a first and subsequent connections.

The deployment focused definition of half-proxy is associated with a direct server return (DSR) configuration. Requests are proxied by the device, but the responses do not return through the device, but rather are sent directly to the client. For some types of data - particularly streaming protocols - this configuration results in improved performance. This configuration is known as a half-proxy because only half the connection (incoming) is proxied while the other half, the response, is not.

The second use of the term "half-proxy" describes a solution in which the proxy performs what is known as delayed binding in order to provide additional functionality. This allows the proxy to examine the request before determining where to send it. Once the proxy determines where to route the request, the connection between the client and the server are "stitched" together. This is referred to as a half-proxy because the initial TCP handshaking and first requests are proxied by the solution, but subsequently forwarded without interception.
 

Half proxies can look at incoming requests in order to determine where the connection should be sent and can even use techniques to perform layer 7 inspection, but they are rarely capable of examining the responses. Almost all half-proxies fall into the category of reverse proxies.



FULL PROXIES

Full proxy is also a description of the way in which a proxy, reverse or forward, handles connections. A full proxy maintains two separate connections - one between itself and the client and one between itself and the destination server. A full proxy completely understands the protocols, and is itself an endpoint and an originator for the protocols. Full proxies are named because they completely proxy connections - incoming and outgoing.

Because the full proxy is an actual protocol endpoint, it must fully implement the protocols as both a client and a server (a packet-based design does not). This also means the full proxy can have its own TCP connection behavior, such as buffering, retransmits, and TCP options. With a full proxy, each connection is unique; each can have its own TCP connection behavior. This means that a client connecting to the full proxy device would likely have different connection behavior than the full proxy might use for communicating with servers. Full proxies can look at incoming requests and outbound responses and can manipulate both if the solution allows it.

Many reverse and forward proxies use a full proxy model today. There is no guarantee that a given solution is a full proxy, so you should always ask your solution provider if it is important to you that the solution is a full proxy.
Labels:

Comments

Post a Comment

Popular posts from this blog

MTBF MTTR MTTD

Post a Comment
Read more

Cisco ASA on GNS3

My struggle for installing Cisco ASA on GNS3 lead me to write this procedure which is already floating around in various versions around the internet but this attempt was to write a concise and still informative  procedure to configure Cisco ASA successfully on GNS3. The relevant snapshots will be updated shortly  :-)
Post a Comment
Read more