This post is also available in: English Português Español
Proxies provide an important layer in an information security architecture. Broadly speaking, these solutions offer more specialized and fine-grained controls over a particular protocol, and therefore are fundamental in an in-depth defense strategy.
Unlike packet filters, proxies are not multipurpose. They are always limited to a small set of applications, or in many cases only to one application or protocol itself.
With the accelerated growth of the internet and web applications, HTTP proxies have become very important in a security architecture. Through a web proxy, a company can control, on several aspects, the use of navigation of its users.
There are various ways to use a web proxyin a security topology, and knowing the possibilities can become a big step towards proper deployment of the service.
In this article, we will cover the main ways of using web proxysolutions allowing you to properly evaluate the one that is best suited to your business need.
Web proxy with transparent authentication
A transparent proxy acts without the need for intervention on the user’s device, be it a computer, notebook, smartphone or tablet. When a user requests a site, their traffic is automatically redirected to the web proxy, which then processes the request in accordance with the current access policies.
If traffic is allowed, the site is presented to the user. If it is blocked, the proxy can interact with the user through the browser itself, with appropriate guidance, such as informing that address is not allowed by company policy, among other relevant information.
Deployment of the transparent proxy is only possible if the solution supports such operation, and this is not a rule for all market solutions. If supported, automatic traffic redirection is usually accomplished by a firewall rule or similar device that will cause connections going to port 80/TCP to be redirected internally to the proxy service port.
Although transparent proxy is an interesting solution on the ease and speed of deployment, it offers some negative points that in many cases make it unfeasible in corporate environments. The first is related to web applications that do not work with proxies, in these cases the traffic must be excepted in the firewall, since the user has no control over this operation. The diagnosis to create the rule can generate discomfort for the teams involved.
Another negative aspect to using transparent proxy is when the company wants to work with access policies based on authentication. The operation of authentication in this mode of use brings a series of technical problems that make it unfeasible to use. As more and more it is necessary to offer controls based on groups, users or profiles and access levels, transparent proxy is not the best option in these scenarios.
In addition, because a traffic redirection rule is created, it must necessarily be associated with a port or set of ports. Usually, only 80/TCP port is associated with the transparent proxy, because it is not possible to ensure that HTTP traffic will pass through other ports. This ends up causing inconveniences, because if the user wants to visit http://application:81 it will not go through the transparent proxy.
This scenario, depending on the usage policy for other ports and services, may provide a false sense of security, since not all HTTP traffic will actually be passed through the proxy, only those in which the ports are redirected. Redirecting a larger set of ports, especially non-standard ones, may hamper the operation of applications that do not support the HTTP protocol.
However, despite several negative aspects, the transparent proxy model ends up being widely used in companies that are beginning to understand the importance of security. In these cases, adding this small layer of security is important.
Still, in enterprise scenarios that want to offer wireless access to visitors, vendors or the like, using this type of proxy is a highly interesting feature. These accesses are offered in parallel and generally isolated from the major networks, registration is important as long as you do not check basic security requirements.
In a same web proxyinstance, depending on the manufacturer, it is possible to act in hybrid mode, where one part of the network can be served transparently, while another part uses other modes. Everything will depend on the complexity and need of the scenario.
Web proxy with manual authentication
Manual proxy is an alternative, and in many cases an add-in, to the transparent proxy structure. As suggested by the nomenclature itself, this is a manual configuration on the perspective of the application (the browser for example). It is not necessarily manual by the user, because depending on the infrastructure, deploying the configuration can be done in an automated way by a centralized command.
The use of web proxyis more conditioned on browsers or applications based on the HTTP protocol. All of these offer the proxy configuration feature, where you can put an address and a port. Once configured, everything generated by that application will be forwarded to the proxy.
The proxy therefore becomes an intermediary in every connection made by that application, and because of this, it has full control over the connections, deciding what can be trafficked. Any connection generated by the application, regardless of whether it is on port 80, 81, or 9090, will be forwarded to the proxy.
This model offers much more accurate control, including https connections by the CONNECT method, because all the ports accessed within that application (browser) will be automatically passed to the proxy, which can regulate access according to the defined policy.
Therefore, with manual proxy there is much more accurate control over the use of HTTP services. In addition, for authentication purposes, it is the appropriate template to be used, which maintains complete compatibility with web proxy solutions. Those needs of accepting proxy applications can be managed directly by the user. It is common for applications to have an area to register addresses whose access should not be routed to the proxy, but directly to the internet.
In structures with a domain controller, it is common that this type of configuration is not available to users. This part is properly blocked from changes, and all configuration is performed centrally and distributed across all the company’s computers.
Therefore, even if the name is manual proxy, often the configuration ends up being automated, without you having to generate some kind of intervention in the application for configuration. This usage model is widely used and recommended for any size and company maturity.
Web proxy with automatic authentication
In order to complete the 3 basic types of configuration widely used for web proxies, the automatic proxy format searches the network, or through a URL, the configuration file where are all the parameters necessary to perform the web proxyconfiguration.
This feature is called WPAD (Web Proxy Auto-Discovery Protocol), and is responsible for finding the proxy configuration URL through DNS or DHCP. Once it is found (wpad.dat), the download is performed and executed so that the settings are properly applied.
The format of the wpad.dat file is the Proxy Auto Config (PAC), standardized in 1996 by Netscape, offering a simple and flexible language that allows multiple configurations based on, for example, information from the requesting network. In addition, it is through this file that are established addresses and URLs that should not pass through the proxy, all this being managed from a single file.
Most browsers offer the ability to configure proxy automatically. This feature is nothing more than flagging for the application that should use WPAD to fetch the settings and run. Once proxy is configured, the operating model is the same as the manual proxy.
Therefore, this usage model consists of automating the configuration process, from the discovery to the management of the settings that will be defined in the application.
And what about you? Did you already know the possibilities, advantages and disadvantages of each of the models? Share your experiences with us.
This post is also available in: English Português Español