Network Proxies: The Different Types Explained
The word proxy means different things to different people. In a computer network context, the World Wide Web Consortium (W3C) defines a proxy as:
An agent that relays a message between a requester agent and a provider agent, appearing to the Web service to be the requester.
Even within that definition, there are many different types of network proxy enabled by various technologies and protocols that operate at different OSI model layers. We will look at three main uses of network proxies:
- Forward proxies, commonly used within enterprise network architectures.
- Reverse proxies, which can be used to deliver performant, secure and scalable web services.
- Proxies used to obscure the source or destination of communications, to bypass network restrictions or achieve increased anonymity.
Forward Proxies for Enterprises
Forward proxies are focused on securing the client / requesting organisation. As before, the proxy sits between the user and the services they are requesting. Typically it will be located on the network boundary of an organisation so that all requests made by local users to external networks go via the proxy. This architecture gives the enterprise additional control and visibility. These types of proxy operate at the application layer - they understand the requests (such as HTTP requests) being made by the client.
The proxy will receive the requests from the users, potentially do some inspection (for example, to check that the resource being requested isn't on a block list) and then send the request to the external service on the user's behalf. When the proxy receives the response, it might do some logging and further inspection before forwarding the response to the user.
Some proxies support just one protocol (such as HTTP); others support multiple protocols (such as FTP and SSH) too. The proxy may be implemented as an application on a server (e.g. Squid Proxy or HAProxy) or as part of a dedicated device, potentially combined with other security features in a unified threat management gateway.
- User makes a request
- Request is received by the proxy
- Proxy examines and logs the request
- Proxy sends the request to the destination server on the user's behalf
- The provider/server returns a response to the proxy
- The proxy examines and logs the response
- The proxy returns the response to the user
Explicit vs Transparent Proxies
In enterprise networks, there are two main implementations used for forward proxies: explicit and transparent.
Explicit proxies must be configured on each client device so that it knows which proxy server to use. Although this can be more complex to set up initially, there are benefits, such as better handling of HTTPS traffic: HTTPS traffic can either be tunnelled directly to the destination or intercepted for inspection, depending on configuration.
Transparent proxies don't need to be configured on individual operating systems or browsers. Therefore, transparent proxies can be much easier to implement on a large scale. To set up a transparent proxy, it is necessary to intercept traffic at a network boundary and forward it to the proxy. This implementation can be relatively easy to set up for unencrypted traffic (such as HTTP) but more complex for encrypted protocols (such as HTTPS).
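As an added illustration (not Squid's or any vendor's code), the following Python sketches the examine-and-log step of the flow above for each of the three request forms a forward proxy sees: a CONNECT for a tunnelled HTTPS session, an absolute URI from an explicitly configured client, and an origin-form path plus Host header from a transparently intercepted client. The block list and hostnames are constructed for the example.

```python
import logging
from urllib.parse import urlsplit

# Constructed block list for this example; a real proxy loads its policy from configuration.
BLOCK_LIST = {"ads.example", "blocked.example"}

def parse_request(raw: bytes) -> dict:
    """Split an HTTP/1.x request into request line, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}

def destination(req: dict) -> tuple:
    """Return (host, port, mode) for the three request forms a forward proxy sees.

    CONNECT host:port   explicit client opening an HTTPS tunnel (only the host is visible)
    GET http://h/p      explicit client sending an absolute URI for plain HTTP
    GET /p + Host: h    transparently intercepted client; the Host header names the origin
    """
    method, target = req["method"], req["target"]
    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        return host, int(port), "tunnel"
    if target.startswith("http://"):
        url = urlsplit(target)
        return url.hostname, url.port or 80, "explicit"
    host, _, port = req["headers"].get("host", "").partition(":")
    return host, int(port) if port else 80, "transparent"

def examine(raw: bytes) -> dict:
    """Steps 2-3 of the flow: receive, examine and log, then decide allow or block.
    Blocking is by destination host, which is the one thing still visible in a tunnel."""
    req = parse_request(raw)
    host, port, mode = destination(req)
    allowed = host not in BLOCK_LIST
    logging.info("%s %s -> %s:%d mode=%s allowed=%s",
                 req["method"], req["target"], host, port, mode, allowed)
    return {"host": host, "port": port, "mode": mode, "allowed": allowed}
```

In tunnel mode the proxy never sees the URL path, so a block list applied at the CONNECT step can only act on the hostname; inspecting more requires the interception setup described above.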
Whichever implementation is used, a forward proxy brings several benefits:
- Caching common resources at the proxy can increase speed for users.
- Administrators can keep logs of requests.
- Cybersecurity tools and analysts can identify and block security threats.
Many commercial proxies are available from various vendors, either as standalone products or as part of an integrated security solution.
Squid is one popular open-source proxy; from its website:
Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator. It runs on most available operating systems, including Windows and is licensed under the GNU GPL.
Reverse Proxies for Service Providers
While forward proxies are implemented by the requesting party, service providers use reverse proxies in front of web services. Reverse proxies can improve scalability and increase the security of the web services which sit behind them. Like forward proxies, these operate at the application layer.
A reverse proxy can handle some of the 'heavy lifting' involved in delivering web services: it can terminate SSL connections from clients (for HTTPS), cache content for faster delivery and balance load across servers. Therefore, the services being protected by the proxy (such as a web app) don't need to implement that functionality, and the web app talks only to the reverse proxy in front of it. This model can make a web developer's life easier and reduce the resources needed by application servers.
- A client makes a request to a website - their browser will direct this to the IP address of the reverse proxy.
- The reverse proxy will establish a TCP connection with the client, including terminating the SSL connection for HTTPS connections.
- The reverse proxy can perform security checks to help mitigate attacks such as Distributed Denial of Service attacks.
- The reverse proxy can check for the requested content in a cache and serve this directly to the user if possible.
- If the traffic is genuine and isn't cached, the reverse proxy will forward the request to the application server.
- The application server sends the response back to the reverse proxy.
- The reverse proxy returns the response to the client.
Using this approach means the client never knows the IP address of the actual application server.
- Performance: using a reverse proxy lets the web application (and its developers) focus on providing a good web service rather than also having to provide a highly performant server. Reverse proxies are designed to efficiently handle heavy-duty tasks such as SSL encryption, caching and data compression. Consequently, the load placed on the web applications that sit behind the proxy is significantly reduced.
- Load balancing: a reverse proxy can provide a single IP address for clients to talk to and then balance requests across multiple backend web servers. Therefore, it becomes easy to scale services 'horizontally' by adding additional web servers. This kind of architecture is commonly used with 'Infrastructure as a Service' (IaaS) and 'Platform as a Service' (PaaS) architectures.
- Security: clients only know the IP address of the reverse proxy, not the individual web servers which ultimately service requests. This behaviour can reduce the ability of attackers to target web servers with Distributed Denial of Service attacks, which seek to overwhelm servers with a high number of concurrent connections. Reverse proxy services may also provide dedicated security features to detect and block security threats before they can reach the servers which sit behind them.
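The request flow and the three benefits above, as an added Python illustration that is not NGINX's or any provider's code: the backends are stand-in callables with constructed private addresses, the security check is a deliberately crude per-client request counter, and TLS termination (step 2 of the flow) is assumed to have already happened.

```python
import itertools
import time
from collections import defaultdict

class ReverseProxy:
    """Front end that caches, rate-limits and load-balances for hidden backends.
    Backends are callables here so the example runs offline; in a deployment they
    are connections to application servers on private addresses."""

    def __init__(self, backends, cache_ttl=60.0, max_reqs_per_client=20):
        self.backends = list(backends)           # [(private_address, handler), ...]
        self._rr = itertools.cycle(range(len(self.backends)))
        self.cache = {}                          # path -> (expires_at, status, body)
        self.cache_ttl = cache_ttl
        self.max_reqs = max_reqs_per_client
        self.seen = defaultdict(int)             # client_ip -> requests so far
        self.access_log = []                     # (client_ip, path, served_by)

    def handle(self, client_ip, method, path, now=None):
        """Steps 3-7 of the flow; TLS termination (step 2) is assumed already done."""
        now = time.time() if now is None else now
        # Step 3: a deliberately crude per-client limit stands in for the security
        # checks (a real limiter uses a sliding window that resets over time).
        self.seen[client_ip] += 1
        if self.seen[client_ip] > self.max_reqs:
            self.access_log.append((client_ip, path, "rate-limit"))
            return 429, b"too many requests"
        # Step 4: serve cacheable GETs from the proxy's own cache
        if method == "GET" and path in self.cache:
            expires, status, body = self.cache[path]
            if expires > now:
                self.access_log.append((client_ip, path, "cache"))
                return status, body
        # Step 5: round-robin the request across the application servers
        addr, handler = self.backends[next(self._rr)]
        status, body = handler(method, path, {"X-Forwarded-For": client_ip})
        if method == "GET" and status == 200:
            self.cache[path] = (now + self.cache_ttl, status, body)
        # Steps 6-7: the backend address goes only into the proxy's log;
        # nothing in the response reveals which server answered.
        self.access_log.append((client_ip, path, addr))
        return status, body

def app_server(name):
    """Constructed stand-in for one application server behind the proxy."""
    def handler(method, path, headers):
        return 200, f"{name} served {path} for {headers['X-Forwarded-For']}".encode()
    return handler
```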
A reverse proxy may be implemented by installing and configuring it yourself, or it may be a service provided by a third party. Services such as Cloudflare, Amazon Web Services (AWS) and Heroku all have solutions that provide reverse proxy functionality in front of your web services.
NGINX is a widely used open-source reverse proxy option, adopted by organisations such as Dropbox, Netflix and WordPress. From its website:
nginx [engine x] is an HTTP and reverse proxy server, a mail proxy server, and a generic TCP/UDP proxy server, originally written by Igor Sysoev.
Open Proxies and Anonymisation
Proxies can also be used to obscure either a client's identity (IP address) from the server that they are visiting or to conceal the destination IP address from their network provider. An example of obscuring the client IP address from the server is a viewer seeking to access streaming services as if they are resident in a different country. Examples of concealing the destination from a network owner include employees who don't want their employer to know what sites they are visiting or students trying to visit websites blocked by their educational institution. Some technologies used for these purposes operate at the application layer, whilst others will operate at lower layers in the OSI model, such as the session layer.
Like the other proxies we have discussed, proxies for anonymisation sit between the requestor and the provider, forwarding requests to the provider on behalf of the requestor. Therefore, anyone observing traffic from the client can only see traffic between the client and the proxy. Anyone watching traffic to the server can only see traffic between the proxy and the server.
Open proxies are proxy services available on the internet without needing authentication by the client or using publicly available credentials. Consequently, they could be used by anyone. Although these proxies may provide a level of privacy to the client, they also carry privacy and security risks. Users generally don't know who is operating the open proxy, and by definition, the proxy provider has information about both the client and the destination they are visiting. Furthermore, the proxy provider potentially has the opportunity to intercept, inspect and inject into user traffic. This access can enable them to inject advertising, tracking and potentially malware into traffic destined for the user. They may also be able to capture private information and credentials from user sessions.
Alternative anonymisation options which can be less susceptible to interception include Tor and virtual private networks (VPNs).
Other uses for proxies
Finally, proxies may be used by system administrators, cybersecurity penetration testers and red teams, or attackers to tunnel traffic across a network and traverse network boundaries.
Good network design places a focus on having distinct, segregated networks. Proxies can be configured on appropriate boundary devices to allow traffic to cross from one segment to another.
This architecture can provide a controlled way for legitimate users to access content on different parts of the network.
However, proxies may also be used by attackers (or red teams simulating attackers) to tunnel their command and control traffic around a network or to bypass firewalls. Here, proxies can enable them to maintain access to devices deep inside a victim's network, even if the compromised machine isn't directly connected to the internet. They may achieve this using standard system administration tools such as SSH or using capabilities built into potentially malicious software such as Metasploit/Meterpreter and CobaltStrike/Beacon.