
Firewalls – Part 5 Proxy Servers

Thursday, January 29th, 2009

A proxy server pretty much does what the name implies: it serves as a proxy for network connections. A client computer that wants to establish a connection to a server through a proxy connects to the proxy, rather than to the actual server. The proxy then connects to the server. When the client wants to request something from the server, it sends this request to the proxy, which then requests it from the server. Responses from the server are sent to the proxy, which then sends them on to the client. The client never has a direct connection to the server. The proxy maintains two connections: one to the client and one to the server. All packets traveling in either direction are received by the proxy. These packets can be sent back out on the other connection, dropped, or modified, depending upon the type of proxy and the rule set with which it is configured.

Application proxies have intimate knowledge of specific protocols, typically web protocols like HTTP, FTP, and SMTP. They have the ability to analyze the structure of the data in these packets for proper syntax of requests, queries, and commands, as well as the ability to check for specific errors or malicious content. Since they actually maintain the connections, rather than just inspecting the contents of packets, they track application behavio(u)r more closely than any firewall that simply uses deep packet inspection to analyze packets. Application proxies operate at the application layer of the OSI model.

Other proxies operate at lower layers of the OSI model and focus on the behavio(u)r of protocols at these layers. SOCKS (short for sockets) proxies are a good example. They can monitor a wider variety of protocols, but some protocols have to be SOCKS-aware (sometimes referred to as socksified) in order to pass properly.

Most proxy servers actually provide a number of proxy services at different layers. The most widely known examples of proxy servers are Microsoft ISA (Internet Security and Acceleration) Server and Squid (Linux / open source).

Proxy servers are the most effective type of firewall, especially for web applications. They can be used to provide NAT (network address translation), web filtering (blocking out unwanted sites, such as porn, gambling, and job search sites), logging (a detailed record of who goes where), and many other security services.
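As an added example (not code from the original post), here is a minimal application-layer HTTP proxy in Python that does what the paragraphs above describe: it checks the syntax of each request, applies a rule set (a constructed blocklist of hosts) and keeps a who-goes-where log, and only then opens its second connection to the server and relays the response back. The host names in BLOCKED_HOSTS are constructed, and serve_one is assumed to be called once per accepted client connection.

```python
import re
import socket

BLOCKED_HOSTS = {"gambling.example", "jobs.example"}   # constructed web-filtering rule set
REQUEST_LINE = re.compile(rb"([A-Z]+) (\S+) HTTP/1\.[01]")

def parse_request(raw: bytes) -> dict:
    """Application-layer syntax check: reject anything that is not a well-formed HTTP head."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.fullmatch(lines[0])
    if not m:
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            raise ValueError("malformed header line")
        headers[name.strip().lower()] = value.strip()
    if b"host" not in headers:
        raise ValueError("missing Host header")
    return {"method": m.group(1).decode(), "target": m.group(2).decode(),
            "host": headers[b"host"].decode().split(":")[0].lower(), "raw": raw}

def decide(raw: bytes, client: str = "client", blocked=BLOCKED_HOSTS) -> tuple:
    """Apply the rule set; returns (verdict, detail, log_line), the log line being the 'who goes where' record."""
    try:
        req = parse_request(raw)
    except ValueError as err:
        return "drop", str(err), f"{client} DROP malformed request: {err}"
    if req["host"] in blocked:
        return "drop", "blocked host", f"{client} DROP {req['method']} {req['host']}{req['target']}"
    return "forward", req, f"{client} FORWARD {req['method']} {req['host']}{req['target']}"

def serve_one(client_sock: socket.socket, client_ip: str, upstream_port: int = 80) -> None:
    """One proxied exchange over the two connections: client <-> proxy and proxy <-> server."""
    verdict, detail, log_line = decide(client_sock.recv(65536), client_ip)
    print(log_line)                                   # the proxy's access log
    if verdict == "drop":
        client_sock.sendall(b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n")
    else:
        with socket.create_connection((detail["host"], upstream_port)) as server_sock:
            server_sock.sendall(detail["raw"])        # request goes out on the server-side connection
            while chunk := server_sock.recv(65536):   # response comes back through the proxy
                client_sock.sendall(chunk)
    client_sock.close()
```

A real deployment would read until the full request head has arrived and would handle keep-alive and absolute-URI request targets; the decision logic in decide is what a practitioner would extend with further rules.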

Proxy servers can be hardened to be resistant to attacks. Since computers on the internal network never connect directly to computers on the outside, they cannot be attacked or compromised directly. However, if the proxy server becomes compromised, it then serves as a beachhead for further intrusion.

Proxy servers provide non-security benefits as well. They can speed internet connections by caching commonly-requested pages, thus eliminating the need to repeatedly download the same page over the WAN connection. This also conserves internet bandwidth.

The disadvantages are fairly obvious. There is a substantial overhead cost to setting up and maintaining proxy servers. These servers need a lot of horsepower in order to keep up with the tasks expected of them. Even with the fastest servers, internet connection speeds are likely to take a hit when multiple users are being routed through the server.

Of course, proxy servers cannot analyze SSL packets, since these are encrypted. This represents a HUGE hole, since it would be neither practical nor desirable to block SSL traffic. Any application, including malicious ones, can tunnel undesirable traffic over SSL connections to avoid analysis by the proxy server. That is, of course, unless the proxy server has the ability to decrypt the packets, analyze them, re-encrypt them, and then send them on to their destination. This can be done by using an SSL proxy. That will be the subject of Part 6 of this series.

Dennis H in West Virginia, US

January 11, 2009