Proxy server

A proxy (from English proxy, 'representative, stand-in'; from Latin proximus, 'the next') is a communication interface in a network. It acts as an intermediary that receives requests on one side and then, using its own address, establishes the connection to the other side.

When used as a network component, a proxy hides the actual address of one communication partner from the other, which provides a degree of anonymity. As a (potential) link between different networks, it can also establish a connection between communication partners whose addresses are incompatible with each other, so that a direct connection would not be possible.

In contrast to simple address translation (NAT), a proxy server, also called a dedicated proxy, does not merely pass packets through: it can conduct and influence the communication itself. Specialised in a particular communication protocol such as HTTP or FTP, it can analyse the data in context, filter requests and, where necessary, make adjustments, and it can also decide whether and in what form the target's response is passed on to the actual client. Sometimes it serves to cache certain responses so that recurring requests can be answered faster without asking the target again. On a single device, several dedicated proxies often run in parallel in order to serve different protocols.

A generic proxy, also called a circuit level proxy, is used as a protocol-independent filter module on a firewall. There it implements a port- and address-based filter, which can also support (optional) authentication when a connection is established. It can also be used for simple routing: it listens on a port of one network adapter and passes the data on to another network adapter and port. It cannot conduct or influence the communication itself, since it does not know the communication protocol.


Operation and demarcation

Explanation based on an analogy

Friends come to visit and want to eat pizza. The host first draws up a list of the orders. He then calls the pizza service, places the orders, receives the packages at the door and hands them to his friends. The host has behaved like a proxy: he got in touch with the pizza service on behalf of his friends. Before the host hands over the goods according to the list, he can check that the delivery is correct, and if he wants he can garnish the pizzas or remove unwanted toppings (modify the packets).

The pizza deliverer may well suspect that his customer will not eat all the pizzas alone, but he has never seen the people for whom the pizzas were actually intended. For him, the host (a representative) was the one and only point of contact.

The difference to a NAT device

Superficially, a NAT device behaves similarly, but it works differently from a typical proxy: in terms of the previous example, the NAT device is better compared to an ingenious rail system behind the door slot that slides the pizzas pushed through by the delivery person directly to the real recipient. Although NAT also conceals the identity of the actual recipient, no analysis or manipulation of the packet contents takes place.

Technically speaking, a typical proxy acts as a communication partner that actively joins the traffic on OSI layer 7; the connections are terminated on both sides (two separate connections are involved) instead of packets simply being passed through as with a NAT device. Such a dedicated proxy is therefore a utility for computer networks that mediates in the traffic, and is hence called a proxy server: as an active intermediary it behaves like a server towards the requesting client and like a client towards the other side, the target system.

There are overlaps with NAT, however, in the generic circuit level proxy that operates on OSI layers 3 and 4 and in part relies on the technique of simple address translation. Nonetheless, NAT plays a little-noticed role among proxies. In the following, when a (typical) proxy is referred to in general, the first-described variant is therefore meant.

Overview

Visibilities

A conventional proxy appears to both sides as a communication partner in its own right. It is therefore addressed directly by them. The client asks the proxy to take over communication with the target system on its behalf. For example, the web browser is configured so that it does not send its requests directly to the destination address, but sends them as proxy requests to the proxy.

In addition there is the transparent proxy, a specific network component that behaves transparently (almost invisibly) towards one of the two sides. That side addresses the target directly and not the proxy. A suitably configured network infrastructure automatically routes the request in question through the proxy, without the sender being able to notice or influence this. For the other side, however, the proxy remains the addressed communication partner, which is contacted in place of the actual communication partner.

Thus, towards at least one of the two sides, a proxy generally appears as the supposed communication partner.

Location

A proxy as a separate network component is physically located between the source and target system. Within an IP network it converts the IP address as soon as the packets pass through the proxy on their way to the target. In this way it can hide the true IP address of the actual communication partner, and it can connect individual nodes of a network, or even entire networks, with each other even when their addressing is technically incompatible. The latter is made possible by a specific port management (comparable to the 'list of orders' in the analogy above), which for example allows a proxy to connect an entire private (self-contained) network to the Internet through a single public IP address. Since the target system sees the proxy rather than the client, possible attacks from there are directed at the proxy, which is designed for this, and do not hit the client directly.

A local proxy, on the other hand, runs directly on the source or target system and is logically located between the network service to be contacted and the requesting client. It is usually used as a filter or converter. Since it acts locally, that is, before the packets are routed into the network (local proxy on the source system) or after the packets have reached the target system (local proxy on the target system), this proxy is not able to conceal the true IP address of the communicating system. This distinguishes it from the other proxies in an IP network. However, a local proxy on the source system can certainly help to send the network request automatically via an external proxy; the local proxy then manages this kind of redirection and thereby contributes its part to anonymising the system's own IP address.

Possible functions of a proxy

The proxy as a network component

To understand how such a device can conceal the identity of the true communication partner, it may help to think of the proxy as an automated mailbox: if a packet is sent from the concealed (internal) address through the proxy to the external network, the proxy connects itself to the target system and thus automatically provides the outgoing packets with its own sender address.

The target system now sends its response packets back to the mailbox (the proxy), which optionally analyses the received packets and then forwards them to the internal client. In this way the proxy forwards all incoming response packets from the external network to the actual recipient in the internal network, without the sender knowing the actual (internal) address of the recipient.

The local proxy

Even with proxy software installed locally on the source or target system, an address conversion is performed internally. This is part of its internal operation and may be limited to a redirection of ports, but often involves a conversion to localhost (the so-called loopback interface, 127.0.0.1).

On the source system

For example, an application might send its Internet requests not directly to the target system but to the port of the proxy software installed on its own system. The application must be configured accordingly for this. The proxy software then determines the address of the target system and forwards the request there on behalf of the application. The address of the source system together with the return port of the proxy software is given as the sender, so that the response packets reach the local proxy, which can then pass them on to the original application. In this way such a proxy is able to analyse (and possibly filter) the outgoing requests as well as the responses of the target system. Polipo is free proxy software for the Hypertext Transfer Protocol (HTTP) with caching and filtering functionality, e.g. for a laptop or netbook. Another example of a local proxy is Proxomitron, which among other things prevents JavaScript from reading the browser identity and its version number, screen resolution and operating system. The spam filter SpamPal is also installed as a local proxy, at least for some mail clients such as Vivian Mail.

On the target system

Here the application on the source system sends its requests directly to the target system. Without the source system having to be aware of it, it is not the desired network service that sits behind the addressed port of the target system, but proxy software.

The proxy software thus accepts requests from the network and then, on behalf of the source system, establishes the connection to the actual network service on its own system. The service answers the request and sends the response back to the proxy software, which can now analyse it, modify it if necessary or evaluate it statistically, before passing it on to the actual client.

Proxy designations

Dedicated proxy (proxy server)

A dedicated proxy is a utility that handles the data transport between the requesting client and the target system. It is dedicated to the communication protocol the service uses and can therefore analyse, and if necessary manipulate, the content of the communication. It is also able to send requests to the communication partner independently, and sometimes to act as a buffer (i.e. to answer a request by itself without having to ask the actual target system again).

Sometimes it is installed locally on the source or target system to perform the corresponding task on the spot. Alternatively it can be a filter module that actively intervenes in the communication and is placed on a proxy firewall. Among other things, dedicated proxies are used as virus scanners (e.g. for SMTP) or as connection and command filters (e.g. for FTP).

On a single device, multiple dedicated proxies can run in parallel in order to serve different protocols. Since it has to look into the packets, a dedicated proxy performs its work on OSI layers 5 to 7.
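The request-handling core of such a protocol-aware proxy, as an added Python illustration that is not code from the article or from any of the products it names: it terminates the client's HTTP request, applies a host filter, strips browser-identifying headers (as described for the local proxy on the source system) and answers repeated GETs from its own cache instead of asking the target again. The blocked host, the Via value and the sample request are constructed assumptions; sockets are left out so the logic runs offline.

```python
# Added illustration, not part of the article: the request-handling core of a
# dedicated HTTP proxy. Sockets are omitted so the logic can be run offline.
from typing import Dict, List, Tuple

BLOCKED_HOSTS = {"ads.example"}            # constructed filter policy (assumption)
STRIP_HEADERS = {"user-agent", "referer"}  # identity-revealing headers to remove

def parse_request(raw: bytes) -> Tuple[str, str, List[Tuple[str, str]]]:
    """Terminate the client side at layer 7: split the request line and headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = [tuple(p.strip() for p in line.split(":", 1))
               for line in header_lines if ":" in line]
    return method, target, headers

def header(headers: List[Tuple[str, str]], name: str) -> str:
    return next((v for n, v in headers if n.lower() == name), "")

def cache_key(raw: bytes) -> str:
    method, target, headers = parse_request(raw)
    return f"{method} {header(headers, 'host')}{target}"

def handle_request(raw: bytes, cache: Dict[str, bytes]) -> Tuple[str, bytes]:
    """Decide what the proxy does with a client request.
    Returns ("deny", own 403 response), ("cache", stored response) or
    ("forward", rewritten request that the proxy sends to the target)."""
    method, target, headers = parse_request(raw)
    if header(headers, "host") in BLOCKED_HOSTS:
        return "deny", b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"
    if method == "GET" and cache_key(raw) in cache:
        return "cache", cache[cache_key(raw)]        # answered without the target
    # Rebuild the request: the proxy, not the client, is what the target sees,
    # so browser-identifying headers are dropped and a Via header is added.
    lines = [f"{method} {target} HTTP/1.1"]
    lines += [f"{n}: {v}" for n, v in headers if n.lower() not in STRIP_HEADERS]
    lines.append("Via: 1.1 local-proxy")            # constructed proxy name
    return "forward", ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")

def handle_response(raw_request: bytes, response: bytes, cache: Dict[str, bytes]) -> bytes:
    """Store a successful GET response so a repeat request is served locally."""
    if raw_request.startswith(b"GET ") and response.startswith(b"HTTP/1.1 200"):
        cache[cache_key(raw_request)] = response
    return response
```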

Dedicated proxies are frequently used for the following protocols:

Circuit level proxy (generic proxy)

A circuit level proxy (also called a generic proxy) is a packet filter module with which arbitrary IP addresses and ports can be blocked or allowed on a firewall, but without the ability to analyse the packet contents.

Such a proxy operates on OSI layers 3 and 4 and sometimes simply passes packets through without terminating the connections itself. The circuit level proxy then implements the address translation using NAT on OSI layer 3. While the address filtering is also located on the third OSI layer, it additionally implements port filtering on the fourth OSI layer.

There are also circuit level proxies that, thanks to a special protocol, can implement authentication on OSI layer 5. The client obtains permission to connect, for example, by entering an ID and password. The client must know this particular authentication protocol, however, which is why such a more capable circuit level proxy is less generic (it only works with client applications that have been extended accordingly). SOCKS can be mentioned as an example of such an authentication protocol. Such an extended circuit level proxy does not necessarily rely on NAT. Some of them even make this dependent on the protocol: for example, a TCP connection is terminated, while a UDP connection is simply passed through.

A generic proxy can also be used for simple forwarding. The simplest such proxy is the Linux program Redir, which listens on an interface and port and forwards the data to another interface and port. This is also possible with the iptables command on Linux and is used, for example, to direct the outbound traffic of a gateway server through several proxies in order to protect the gateway server.

Proxy firewall

A proxy firewall is a firewall that relies on dedicated proxies and circuit level proxies as filter modules. These filter modules implement rules by deciding which data is forwarded to the actual communication partner and which is not. In this way the proxy firewall tries to protect its own network (segment) against unauthorised access. It may, however, also convert data, cache certain content and perform all the other functions that are characteristic of a proxy.

Dedicated proxies on a stateful inspection firewall

Some manufacturers also offer dedicated proxies for their stateful inspection firewall (SIF). In terms of definition this is somewhat problematic: since this type of firewall, in Check Point's original concept, is based solely on generic packet filtering and is thus focused exclusively on packet filter rules, a SIF is clearly classified as a packet filter firewall. If a dedicated proxy is enabled on it, however, the SIF is actually no longer a packet filter firewall but belongs to the category of proxy firewalls that carry out stateful packet inspection. This precise distinction is rarely made in professional circles, though, so in practice a firewall classified as a SIF only partly fits the definition of a packet filter firewall.

Transparent Proxy

A transparent proxy basically consists of two components. First, the ports of the desired protocols are intercepted on the router (e.g. via iptables using a redirect) and then passed to a proxy. For the user, a connection through a transparent proxy cannot be distinguished from a direct connection through the router. The presence of a transparent proxy therefore has the advantage that configuring proxy settings on the individual PC can be omitted (see Visibilities).

Reverse Proxy

In the case of a reverse proxy, the proxy appears as the supposed target system; the address conversion is then performed in the opposite direction, so that the true address of the target system remains hidden from the client. While a typical proxy can be used to grant several clients of an internal (private, self-contained) network access to an external network, a reverse proxy works the other way round.

Routing the browser's Internet access through a proxy

There are several ways to route the browser's requests through a proxy:

Possible problems when using a proxy

Hazards

A badly configured proxy can be dangerous, because it allows third parties to act on the Internet under the address of the proxy server. For example, the proxy could be misused for an attack or, similar to an open mail relay, to send spam. When the abuse is investigated, the proxy is then identified as its source, which can have unpleasant consequences for the operator.

Statistics for accesses

Proxy log files can be evaluated per user. In this way, statistics on users (or IP addresses), the websites they visited and how long they stayed on those websites can be created.
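As an added example that is not from the article: a small Python log analysis that builds the per-client statistics just described and, for the hazards above, flags signs that the proxy is reachable and being misused from outside the network it serves (requests from external source addresses, and CONNECT tunnels to SMTP port 25 as in the open-relay comparison). The log layout, the addresses and the internal network range are constructed assumptions.

```python
# Added illustration, not part of the article: evaluating proxy access logs
# for per-client statistics and for indicators of open-proxy abuse.
import ipaddress
from collections import defaultdict

# Constructed sample in a simplified, Squid-like layout (assumption):
# epoch  client_ip  method  url  status  bytes
SAMPLE_LOG = """\
1700000000 10.0.0.5 GET http://www.example/index.html 200 5120
1700000003 10.0.0.5 GET http://www.example/about.html 200 2048
1700000010 10.0.0.9 GET http://news.example/ 200 8192
1700000020 203.0.113.7 CONNECT mail.example:25 200 512
1700000021 203.0.113.7 GET http://www.example/ 200 5120
"""

def parse_log(text):
    entries = []
    for line in text.splitlines():
        ts, ip, method, url, status, size = line.split()
        entries.append({"ts": int(ts), "ip": ip, "method": method,
                        "url": url, "status": int(status), "bytes": int(size)})
    return entries

def host_of(url):
    """host[:port] of an absolute URL, or the bare host:port of a CONNECT target."""
    if "://" in url:
        url = url.split("://", 1)[1]
    return url.split("/", 1)[0]

def per_client_stats(entries):
    """Per client IP: request count, bytes transferred and distinct hosts visited."""
    stats = defaultdict(lambda: {"requests": 0, "bytes": 0, "hosts": set()})
    for e in entries:
        s = stats[e["ip"]]
        s["requests"] += 1
        s["bytes"] += e["bytes"]
        s["hosts"].add(host_of(e["url"]))
    return dict(stats)

def abuse_indicators(entries, internal_net="10.0.0.0/8"):
    """Flag log entries suggesting the proxy is used from outside the network it
    serves, or as a relay for mail: the situations the hazards section warns of."""
    net = ipaddress.ip_network(internal_net)   # constructed internal range
    findings = []
    for e in entries:
        if ipaddress.ip_address(e["ip"]) not in net:
            findings.append((e["ip"], "external client"))
        if e["method"] == "CONNECT" and host_of(e["url"]).endswith(":25"):
            findings.append((e["ip"], "CONNECT to SMTP port 25"))
    return findings
```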

Proxy as anonymizer

It should be borne in mind that the operator of an open proxy has almost full control over the session, can log data and can falsify any web content without the user noticing anything.

To limit the risk of the anonymization service being abused by the proxy operator, concepts such as F2F could offer a solution: in an F2F proxy the data is passed through a 'friend', which increases security because no unknown proxy servers are used. The friend-to-friend network guarantees that only private and verified connections are used. Common encryption and certification procedures such as SSL/TLS with the target system behind the proxy, for example by using an HTTPS connection, can also provide a remedy. Here the proxy cannot perform any manipulation, at least as long as the implementation of the method used is not faulty and the process itself is not undermined.
