<HTML><HEAD><TITLE>Chapter 15 -- How Proxy Servers Work</TITLE><META></HEAD><BODY TEXT="#000000" BGCOLOR="#FFFFFF" LINK="#0000EE" VLINK="#551A8B" ALINK="#CE2910"><H1><FONT SIZE=6 COLOR=#FF0000>Chapter 15</FONT></H1><H1><FONT SIZE=6 COLOR=#FF0000>How Proxy Servers Work</FONT></H1><HR><P><CENTER><B><FONT SIZE=5><A NAME="CONTENTS">CONTENTS</A></FONT></B></CENTER><UL><LI><A HREF="#HowProxyServersWork">How Proxy Servers Work</A></UL><HR>
<P>There are certain risks associated with allowing people from inside an intranet to directly contact Internet servers and resources. An intranet user might obtain a file from the Internet that could damage the files on their computer and the entire intranet. Additionally, when intranet users are allowed unfettered access to the Internet, it is difficult for intranet administrators to guard against intruders who attempt to take over an intranet computer or server.
<P>A common way to block this kind of access is to use <I>proxy servers</I>. These servers sit inside a firewall, frequently on a <I>bastion host</I> (see <A HREF="ch16.htm" >Chapter 16</A> for more on how bastion hosts work). They balance the two functions of providing intranet users with easy access to the Internet and keeping the network secure. When someone inside the intranet wants to contact the Internet to get information or a resource (for example, to visit a Web page), they don't actually contact the Internet directly. Instead, they contact a proxy server inside an intranet firewall, and the proxy server contacts the Internet (in this instance, a Web server). The Web server sends the proxy server the page, and the proxy server then sends that page to the requester on the intranet.
<P>Proxy servers can log all actions they take so that intranet administrators can check for attacks.
Proxy servers offer other benefits as well. They can cache Internet Web pages in their memory, so that when someone on the intranet wants to get back to a Web page they've accessed before, the Web page will be delivered directly from the proxy server, and the requester won't have to go out across the Internet. Since intranet connections are often made at higher speeds than Internet connections, that means quicker response and faster viewing of Web pages and other Internet resources. However, this would not be an acceptable response for time-sensitive items like stock quotes, because the cached Web pages are not the most current version.
<P>There may be multiple proxy servers on a single intranet. There may be separate proxy servers for the Web, Telnet, FTP, and other Internet services. Often on an intranet, some services will require a proxy server, while others will not. For example, anything involving Telnet or FTP would likely go through a proxy server, because these services involve file transfers. When a new Internet resource is first made available, such as streaming multimedia files, proxy servers usually can't be used because proxy server technology has not yet been developed for it. The intranet administrator will have to decide whether to block those services completely or let them be used until proxy software catches up to the new technology.
<P>Sometimes special proxy client software has to be used in concert with proxy services. This can be a problem because not all operating systems have proxy clients for all Internet services. Other possible problems include nonstandard client software, which can be difficult to use. A better approach is to use standard, off-the-shelf software such as Netscape Navigator, and use a configuration screen that tells the software where the proxy server can be found. The software and server will then take care of the rest.
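<P>The relay, logging and caching behaviour described above, modelled in Python as an added example that is not code from the original chapter. The names <CODE>WebProxy</CODE>, <CODE>max_age</CODE> and <CODE>no_cache_hosts</CODE> are assumptions of this example, and the demo uses a constructed stand-in for the Internet server so it runs offline.

```python
import time
import urllib.request
from collections import Counter
from urllib.parse import urlsplit

def fetch_from_internet(url):  # default origin fetch; demo() injects a stand-in
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read()

class WebProxy:  # hypothetical model; class and parameter names are this example's own
    def __init__(self, fetch=fetch_from_internet, max_age=300, no_cache_hosts=()):
        self.fetch = fetch                          # how the proxy reaches the Internet
        self.max_age = max_age                      # seconds a cached page stays fresh
        self.no_cache_hosts = set(no_cache_hosts)   # time-sensitive sites, never cached
        self.cache = {}                             # url -> (stored_at, body)
        self.log = []                               # one record per client request

    def request(self, client_ip, url, now=None):
        """Serve url to an intranet client, from cache when fresh, and log it."""
        now = time.time() if now is None else now
        cacheable = (urlsplit(url).hostname or "") not in self.no_cache_hosts
        entry = self.cache.get(url)
        if cacheable and entry and now - entry[0] < self.max_age:
            body, source = entry[1], "cache"
        else:
            body, source = self.fetch(url), "internet"
            if cacheable:
                self.cache[url] = (now, body)
        self.log.append({"client": client_ip, "time": now, "url": url,
                         "bytes": len(body), "source": source})
        return body

    def bytes_by_client(self):  # total bytes delivered per intranet address
        totals = Counter()
        for rec in self.log:
            totals[rec["client"]] += rec["bytes"]
        return dict(totals)

def demo():
    """Constructed scenario: a fake origin whose page changes on every fetch."""
    hits = Counter()
    def fake_origin(url):
        hits[url] += 1
        return f"{url} v{hits[url]}".encode()
    proxy = WebProxy(fetch=fake_origin, max_age=60, no_cache_hosts={"quotes.example"})
    page, quote = "http://www.example/index.html", "http://quotes.example/acme"
    steps = [("10.0.0.5", page, 0), ("10.0.0.6", page, 30), ("10.0.0.5", page, 90),
             ("10.0.0.6", quote, 91), ("10.0.0.6", quote, 92)]
    return proxy, [proxy.request(ip, url, now=t) for ip, url, t in steps]
```

<P>In the demo, the second client receives the first client's cached copy at second 30, while both requests to the host listed in <CODE>no_cache_hosts</CODE> go out to the origin; every request, cached or not, leaves a log record.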
<H2><A NAME="HowProxyServersWork"><FONT SIZE=5 COLOR=#FF0000>How Proxy Servers Work</FONT></A></H2>
<P>An integral part of many intranet security systems is a <I>proxy server</I>. A proxy server is software and a server that sits in a firewall and acts as a go-between for computers on an intranet and the Internet. Proxy servers often run on bastion hosts. (See <A HREF="ch16.htm" >Chapter 16</A> for more information on bastion hosts.) Only the proxy server, instead of the many individual computers on the intranet, interacts with the Internet, so security can be maintained because the server can be kept more secure than can hundreds of individual intranet computers. Intranet administrators can set up proxy servers to be used for many services, such as FTP, the Web, and Telnet. Intranet administrators decide which Internet services must go through a proxy server, and which do not have to. Specific proxy server software is required for each different kind of Internet service.
<OL><LI>When a computer on the intranet makes a request out to the Internet, such as to retrieve a Web page from a Web server, the internal computer actually contacts the proxy server, which in turn contacts the Internet server. The Internet server sends the Web page to the proxy server, which then forwards the page to the computer on the intranet.
<LI>Proxy servers log all traffic between the Internet and the intranet. For example, a Telnet proxy server could track every single keystroke hit in every Telnet session on the intranet, and could also track how the external server on the Internet reacts to those keystrokes. Proxy servers can log every IP address, date and time of access, URL, number of bytes downloaded, and so on. This information can be used to analyze any attacks launched against the network. It can also help intranet administrators build better access and services for employees.
<LI>Some proxy servers must work with special proxy clients.
A more popular approach is to use off-the-shelf clients such as Netscape with proxy servers. When such an off-the-shelf package is used, it must be specially configured to work with proxy servers from a configuration menu. Then the intranet employee uses the client software as usual. The client software knows to go out to a proxy server to get the data, instead of to the Internet.
<LI>Proxy servers can do more than relay requests back and forth between an intranet and the Internet. They can also implement security schemes. For example, an FTP proxy server could be set up to allow files to be sent from the Internet to a computer on the intranet, but to block files from being sent from the corporate network out to the Internet, or vice versa. In this way, intranet administrators can block anyone outside the corporation from downloading vital corporate data. Or they can stop intranet users from downloading files which may contain viruses.
<LI>Proxy servers can also be used to speed up the performance of some Internet services by caching data, that is, keeping copies of the requested data. For example, a Web proxy server could cache many Web pages, so that whenever someone from the intranet wanted to get one of those Web pages, they could get it directly from the proxy server across high-speed intranet lines, instead of having to go out across the Internet and get the page at a lower speed from Internet lines.</OL><HR><CENTER><P><A HREF="ch14.htm"><IMG SRC="PC.GIF" BORDER=0 HEIGHT=88 WIDTH=140></A><A HREF="#CONTENTS"><IMG SRC="CC.GIF" BORDER=0 HEIGHT=88 WIDTH=140></A><A HREF="contents.htm"><IMG SRC="HB.GIF" BORDER=0 HEIGHT=88 WIDTH=140></A><A HREF="ch16.htm"><IMG SRC="NC.GIF" BORDER=0 HEIGHT=88 WIDTH=140></A><HR WIDTH="100%"></P></CENTER></BODY></HTML>