Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.

Wednesday, February 25, 2009

Other Proxy Types

I've talked about forward and reverse proxies in this blog, and commented on anonymous proxies as well as how proxies are deployed. I came across a list of other proxy types (or terminology used to describe proxies, and thought I'd share this information).

You may see references to four different types of proxy servers that are available on the Internet (as opposed to the forward or reverse proxies that enterprises use):

Transparent Proxy - This type of proxy server identifies itself as a proxy server and also makes the original IP address available through the http headers. These are generally used for their ability to cache websites and do not effectively provide any anonymity to those who use them. However, the use of a transparent proxy typically allow end-user to get around simple IP bans. They are transparent in the terms that the end-user's IP address is exposed, not transparent in the terms that the end-user is unaware of using it.

Anonymous Proxy - This type of proxy server indentifies itself as a proxy server, but does not make the original IP address available. This type of proxy server is detectable, but provides reasonable anonymity for most end-users.

Distorting Proxy - This type of proxy server identifies itself as a proxy server, but make an incorrect original IP address available through the http headers.

High Anonymity Proxy - This type of proxy server does not identify itself as a proxy server and does not make available the original IP address.

There are risks to using proxies freely available on the Internet. In using a proxy server (for example, anonymizing HTTP proxy), all data sent to the service being used (for example, HTTP server in a website) must pass through the proxy server before being sent to the service, mostly in unencrypted form. It is therefore possible, and has been demonstrated, for a malicious proxy server to record everything sent to the proxy: including unencrypted logins and passwords. By chaining proxies which do not reveal data about the original requester, it is possible to obfuscate activities from the eyes of the user's destination. However, more traces will be left on the intermediate hops, which could be used or offered up to trace the user's activities. If the policies and administrators of these other proxies are unknown, the user may fall victim to a false sense of security just because those details are out of sight and mind.

The bottom line of this is to be wary when using free Internet proxy servers, and only use proxy servers of known integrity (e.g., the owner is known and trusted, has a clear privacy policy, etc.), and never use proxy servers of unknown integrity. If there is no choice but to use unknown proxy servers, do not pass any private information (unless it is properly encrypted) through the proxy.

It's a good idea to keep your end-users educated about the corporate proxy as well as the dangers of free proxies that they may be attempting to use to bypass your corporate proxy.

No comments: