From the course: CompTIA Network+ (N10-009) Cert Prep

Proxy servers

- If there's one piece of technology that I feel is very confusing today, it's proxy servers. Proxy servers have been around for decades, and they've developed into so many different things that they can become a massive IT security headache. So, I want to take a few moments and make sure we understand, conceptually, what is a proxy server, what types of proxy servers are out there and what do we do with them? Be ready for questions on the exam where you might need to add proxy servers to particular situations. Don't worry, I've got you covered in this episode right here.

First of all, there's two kinds of proxy servers. There's forward proxy servers and reverse proxies. So, what I'd like to do is start off with the older school, a forward proxy. Alright, now, if you take a look at this picture, a proxy by definition is a device, a box, a piece of software running on a computer, which acts as an intermediary between two different devices having a session. So you're going to have a client, you're going to have a server, and a proxy in the middle. So, if you take a look at this, this is a forward proxy. With a forward proxy, the client is aware of the proxy, so the client speaks to the proxy, and then the proxy actually does whatever it does to the request, and forwards it as a representative of the client. So this is a forward proxy.

Now, forward proxies have been around, like, forever. A traditional forward proxy is usually going to be a dedicated box, or it could be a piece of software running on a server that is in an organization. A great example would be schools. Just about every school on Earth that has an internet connection runs a traditional forward proxy server. The idea behind a proxy server like this, is it will provide caching, it provides content filtering. It acts very much like a firewall, in that it will look at the different things that people are doing, and block based on URL, or all kinds of stuff like that. Proxy servers are amazing.
They can take ads out, they can block certain parts of websites. So there's a lot of power in it that takes them way beyond a simple firewall. The reason we see them in schools, obviously, is we don't want kids going to inappropriate sites, and proxies are very, very common in schools.

So the important thing that you're going to have to understand about a proxy, first of all, is that proxies, by definition, are going to be application-specific. So, I'm going to set up a web proxy, or an FTP proxy, or a Voice over IP proxy. So, depending on what type of application I have, there is a specific proxy server for it.

In fact, now remember what we said with a traditional forward proxy server, the clients are aware of the proxies. So, let's come up with a situation where we have a web proxy. In order to use this web proxy, every single system that wants to use the web proxy has to go through a configuration. So, what I have up here is my internet options, and this is from Windows 10. Now, what I want to do, is let me... I'm under Connections already. So, let's click on LAN settings, and you'll see right here where it says Proxy server. So, I'm going to say Use a proxy server for your LAN, and then I have to actually type in (keyboard clicking) the IP address, and it's going to be Port 80. So, in this particular situation, in order to use a traditional forward web proxy, I actually have to set up all of my individual browsers to use that.

Now, if this proxy is designed to filter and prevent people from doing what they want to do, why wouldn't people just go in here and delete this information and say, "I don't want to use the proxy?" The answer's simple, because a well-set-up system is going to go, "If you don't go through the proxy, we're not even going to let you out in the first place." So, that is a very traditional one. Now, we have an improvement on that, in what we call a transparent proxy.
Transparent proxies don't have to go through all this configuration stuff, but a transparent proxy has to be literally in the line. It has to be in line between you and the internet, so that it can grab everything that nobody has a choice but to go through it. And a transparent proxy can work that way. They are out there, just as common as a more traditional proxy. The nice part is, I don't have to go through this type of configuration information.

So, a traditional forward is going to invariably be a box. In the Windows world, there are famous programs with names like WinGate and things like that, that provide these forward proxy services.

The other type of forward proxy that we run into, what I'm going to call a modern forward proxy, is used by people who want to do nefarious things. Now, I'm not going to say they always do bad things, but sometimes they want to hide themselves. So, if we take a look at a diagram like this. So, what we're doing now is we're going to move the proxy out of our local in-house, and we're going to move it out to the internet. But it's still going to work the same way. In this situation, you can see I can connect my client system, and instead of going directly to a web server, I can go to this proxy, and then the proxy will take care of it. So, I love Canadian television, for example, and it's impossible for some of these Canadian websites to be played in the United States. Now, if I were a nefarious person, I could easily find a Canadian proxy. I could go through that proxy and then dial in, and watch shows like "Letterkenny" and "Corner Gas," and all these great shows that you Americans probably never heard of. All you Canadians out there going, "Well, sure." Anyway, so this is the type of thing that we do with it.

Now, I want to look at this diagram one more time. The problem with this diagram is that the proxy works fine, but notice that there's a connection from my system to the proxy server that's out on the internet.
So, the downside to this is that anybody who wants to, can easily figure out, for example, if the police sent your internet service provider a warrant, it's fairly easy for them to figure out, ah, this goes back to Mike Meyers' machine there in Houston, Texas. So, what we do with a lot of these proxies, is we create an encrypted tunnel, a connection called a virtual private network, or VPN. And we have other episodes that go into VPN in detail. But for right now, I want you to understand that if we encrypt everything, I mean everything, that way nobody can tell exactly what we're doing. So we create a VPN connection from our system to the proxy, and then the proxy goes out and acts as our representative and does whatever it wants to do.

There are lots and lots of tools out there that do stuff like this. So, what I'd like to do is show you one tool in particular. So, let's open up a browser. Get a new one up, and I'm going to type in a website. This is called hide.me. And what I'd like to do, is we are going to use this as a proxy. So, keep in mind this isn't unique. There are thousands of these different types of proxy servers out there. This is a public proxy server. Anybody can go to it. And what I can do is actually go to a website. Now if you look here at the bottom, it says, I will look as though I'm coming from the Netherlands. This one, it's just a demo, so it only gives a few options. (keyboard clicking) So, I'm going to go to my totalsem.com site, and I'm going to click on this, and I want you to watch what happens here.

Now, one of the things you got to worry about is that all of these types of proxy tools are slow, and that's okay. So what's happening, first of all, you'll notice that I'm not actually totalsem.com. I'm actually connecting to a proxy server at the hide.me website. But hide.me puts this little overlay on top to remind me that I'm not actually directly on www.totalsem.com.
And if there was something important that only people in the Netherlands could do, this would work just fine.

Now, that works out pretty good, with a couple of little exceptions. First of all, when you make a connection like this, there's not just one connection to a website. You're probably launching Java connections and all kinds of different stuff. If you open up one webpage and type a netstat, you usually see that that one webpage is actually making five or six different connections. And the problem is, a lot of these, once they make the connection, they will try to phone home directly back to you, and that can make some problems. So, the VPN certainly helps. But the VPN doesn't let anybody know what you're doing, but the VPN still points back to you. And there's a situation where we run into a bit of a problem.

So, what we do is there are certain types of forward, modern forward VPNs, that do cool stuff like, for example, the Tor network. With Tor, what it's going to do, is you're going to have lots and lots, now I only have a few computers here, but there could be hundreds or thousands of these computers, which all work together to hide you really well. So, when you make a connection, you arbitrarily pick one of these Tor nodes as they're called, and then the nodes will make a random group of connections to a bunch of other computers. These are all VPN connections, and then randomly pick one guy to act as the outward bound proxy server. So, you can see what's happened here, is not only is everything now very much encrypted through the VPN, but it is really hard, not impossible, but practically impossible to get back to you. And that's why people use these Tor proxies, not just because it's a good proxy server, but because it makes this very complicated backward trail that's almost impossible for anybody to get out of.
So, law enforcement and people like that are often frustrated by Tor networks, because bad guys often use them to hide themselves really, really well.

Now that's forward proxy server. So what I want to do is spin this around a little bit and talk about a reverse proxy server. With a reverse proxy server, what we do instead is that we have servers, let's say web servers, where the proxy server represents the web server, not the client. It's a complete reverse of a forward.

Now, these types of proxy servers do very, very specific jobs. Number one, their job is to protect the server from evil people like us. So, there's lots of security in these. For example, these are often designed to handle denial of service attacks, all kinds of different nefarious attacks like that. It's used for load balancing. So, if I have three or four servers, that proxy server can select whatever server has got the least load on it, and goes ahead and it passes jobs to that. It can be used for caching, just like a forward does. A lot of times web pages will have a certain set of images that it's always passing out. Those images don't sit on the... Well, they're on the servers, but the reverse proxy server keeps a copy of any static images. No matter what page you go to that website, boom, they send it really, really quick. It also handles encryption acceleration. So, if you've got a bunch of HTTPS servers, most of the time it's the proxy server that handles all of the HTTPS encryption and decryption. A lot of times you'll see that these have different types of modules on board that are designed to help with the encryption, and they sit in front, and they take a lot of work off of the web servers.

When you're thinking about proxy servers, especially for the exam, make sure you're comfortable with the concept of a forward versus a reverse proxy server. Remember, forward hides the clients, and reverse hides the servers.
