What is a proxy?


If you work with a computer at your workplace, you have probably already seen a blocked-access page when trying to surf to your favorite streaming site, access an online casino website or go to an online auction site like eBay on your work computer.

The reason behind this message is that your employer (and the IT team) wants to protect your company’s network against the wide range of threats that are out there on these types of sites. Also, and that could be a non-negligible reason as well, they don’t want you to spend time on non-work-related sites or spend any of your valuable time at work buying things on eBay! This is one of the scenarios where a proxy, in this case a forward proxy, is used. Don’t worry about the ‘forward’ thing, as it will all be explained in the coming sections.

Proxy types

Forward

In the world of proxies there are two main types: a forward proxy and a reverse proxy, each with its specific uses.

A forward proxy is mainly used to allow users on the corporate network to access the internet (with restrictions). These restrictions can be based on:

  • Client IP
  • Username
  • Time of day
  • etc.
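
The following is an added example, not code from any proxy product or from the original article. It sketches how a forward proxy can combine the restrictions listed above (client IP, username, time of day) with the site categories mentioned earlier into a first-match policy with default deny. The rule fields, subnet, usernames and category names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                         # "allow" or "block"
    category: Optional[str] = None      # destination category; None matches any
    network: Optional[str] = None       # client subnet in CIDR form
    users: Optional[frozenset] = None   # usernames the rule applies to
    start: Optional[time] = None        # time-of-day window start (inclusive)
    end: Optional[time] = None          # time-of-day window end (exclusive)

    def matches(self, client_ip, username, now, category):
        if self.category is not None and category != self.category:
            return False
        if self.network is not None and ip_address(client_ip) not in ip_network(self.network):
            return False
        if self.users is not None and username not in self.users:
            return False
        if self.start is not None and self.end is not None:
            if self.start <= self.end:
                in_window = self.start <= now < self.end
            else:  # window wraps past midnight, e.g. 22:00-06:00
                in_window = now >= self.start or now < self.end
            if not in_window:
                return False
        return True

# Constructed sample policy; rule order matters because the first match wins.
POLICY = [
    Rule("block", category="gambling"),
    Rule("allow", category="streaming", network="10.20.0.0/16",
         start=time(12, 0), end=time(13, 0)),   # lunch break only
    Rule("block", category="streaming"),
    Rule("allow", category="auctions", network="10.20.0.0/16",
         users=frozenset({"purchasing01"})),
    Rule("block", category="auctions"),
    Rule("allow", network="10.20.0.0/16"),      # everything else, corporate LAN only
]

def decide(client_ip, username, now, category, policy=POLICY):
    """Return the action of the first matching rule; block if none matches."""
    for rule in policy:
        if rule.matches(client_ip, username, now, category):
            return rule.action
    return "block"
```

Ending the policy with an implicit block means a client outside the known subnet, or a request no rule anticipates, is denied rather than silently allowed.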

Reverse

The other type of proxy is a reverse proxy. As the name implies, the direction of the traffic it handles is different from that of a forward proxy. A reverse proxy is mainly used to control traffic from the internet towards servers inside the corporate network. It can also handle load balancing, SSLVPN traffic, certificate offloading, and so much more.

Imagine that you have three servers hosting your website www.yourcompany.com. If you want to use these 3 servers simultaneously you will need a load-balancer that sends part of the traffic to your first server, another part to the second server and the rest to the third server. A reverse proxy can handle that.

If by now you are still not using an SSL certificate on your site, you should be considering that, and ASAP. But in a setup without a reverse proxy you need to install that certificate on those 3 servers separately. This means that your three web servers will be encrypting/decrypting the data that gets sent to them all the time. This will cause the servers to be a bottleneck as far as performance is concerned. If you have a reverse proxy setup, you can offload this process to the reverse proxy, which will handle the encrypted communication between the external user and itself to set up the SSL connection, and it might even use HTTP to connect to the backend servers.

The fact that the SSL session only covers the section between the user and the reverse proxy and that the part between the reverse proxy and the backend server is in clear-text opens new possibilities to filter traffic.

Filtering reverse traffic

The reason why we want to filter traffic towards a web server is that not all requests that are sent to the web server are benign. Some attackers will try to modify the request in a way to either force entry into your network, bring down your website or take entire control over your website.

A reverse proxy will recognize these ‘invalid’ or ‘suspicious’ requests and prevent them from reaching the web servers.

Some of the best-known proxy solutions are Symantec (CAS), formerly known as Bluecoat ProxySG, and F5.
