Transparent proxy, know its benefits and limitations

Post disponível em / disponible en / available in: Português Español English

Tempo de leitura: 5 minutos

The proxy feature is an essential security tool whose purpose is to manage accesses devices do, from the internal network, to other networks and to the Internet.

The web proxy service can be configured in different formats, one of which known as transparent proxy. The basic premise for transparent proxy deployment is that the user, or device, does not need to perform any configuration for navigation, both assigned to the security architecture.

Although the model can be quite attractive and easy to deploy, there are several points to understand in order to ensure success in its use. In this post, we will cover some of the key positives and negatives associated with using transparent proxy.

Transparent proxy, positive points

The ease of deployment is, without a doubt, the main point considered when defining the topology, however, it is important to understand the application and the environment to ensure this model is the most appropriate.

This is because the operation of the transparent proxy structure occurs by redirecting the traffic on port 80 to the internal proxy service, and there are many other ports that can use the HTTP protocol, or the CONNECT method, that will not go through this rule.

Redirecting traffic from all ports to the proxy, on the other hand, is not an option because it does not know the operation of other protocols, which will cause other non-HTTP applications to stop working.

In addition, most web applications currently use HTTPS connections (port 443), so it is also necessary for the proxy to have the interaction feature with this type of traffic, which may not be a trivial activity.

Another interesting aspect in the transparent proxy deployment is the caching feature that many have in an integrated way. This feature allows bandwidth savings since Internet objects are stored in memory or secondary storage and downloaded locally (no using internet) for the users who request it.

With the cache feature, you can configure the space used for storage, the minimum and maximum size of items that will go to cache, as well as the policy that used to replace objects, generally keeping only those frequently accessed.

In practice, in a network without a proxy or caching, an internet request that requires a 5Mb update performed by 10 devices, will generate an internet consumption of 50Mb, since all of them will need to go to the internet to copy the updates.

With cache feature, the first device performing the update will query the internet and the file will be stored in the local cache. Other computers or devices that request the same item will download it locally, generating in this case considerable bandwidth savings (45Mb).

Proxy technologies often work with access lists or similar features that allow access rules created according to the company’s need, such as limiting certain websites based on schedules, creating global black and white lists, among other facilities.

This is important, even if applied only on port 80, as it offers a reduction in accessing websites inappropriate for the work environment, either through intentional or accidental access (generated by malware, for example). There are still possibilities to bypass the proxy, however if the policy is well adjusted the risks potentially minimize.

All accesses performed through the transparent proxy are registrable, and this is an interesting management tool to identify abuses or other accesses, allowing customizing the access policies according to the need of the company.

Transparent proxy, limitations

Although transparent proxy has a number of interesting benefits, in complex corporate environments, with authentication frameworks, large diversity of applications and mobile devices this model can generate some frustrations.

The use of HTTPS within a proxy structure, in general terms, depends on the service intercepting the connection and delivering its own certificate, which must be accepted by the client to continue the communication. This process, unless the device has the certificate imported, will generate an alert for the insecure connection user.

For environments with a domain controller, where bulk deploy of certificates is possible, this is not a problem; but in smaller structures, doing this manually can generate considerable work demands.

Another important alert regarding the use of transparent proxy is the ability to redirect ports to services, since not every application is based on the HTTP protocol. This means that thousands of other ports can pass through the proxy, making it even easier for the bypass structure.

In this case, it is important that the solution work in conjunction with traffic, filtering policies to regulate the use of these other ports, otherwise there is great possibility of bypass for use of proxies outside the company.

In this way, since only part of the traffic passes through the proxy, the access audit feature can be harmed or, in other cases, segmented into the proxy service’s own logs, such as nonconformity records in proxy access policies.

Now what?

There are other positive and negative points associated with the use of transparent proxy, and each environment can be read according to its purpose, because it is important to clearly understand the need to be solved, thus identifying which architecture is most suitable.

Still have doubts? Chat with one of our experts!

Cassio Brodbeck
conteudo@ostec.com.br
No Comments

Post A Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.