Proxy Server 2.0

As the Internet's popularity soars, companies are searching for ways to manage and control employees' access to the Internet and external Internet users' access to resources on the corporate network. One tool that companies might consider is Microsoft's Proxy Server 2.0, a BackOffice software package that serves as a firewall and Web cache server. Proxy Server 2.0 acts as a gateway between your internal LAN and the external Internet network, helping you protect your network from unauthorized access by external Internet users, control employees' access to the Internet, and improve Internet access and network response time.

Microsoft significantly improved Proxy Server between versions 1.0 and 2.0. The most important difference is that Proxy Server 1.0 controls only outbound network traffic (i.e., traffic from your LAN to the Internet), whereas Proxy Server 2.0 controls outbound and inbound traffic (i.e., traffic from the Internet to your LAN). Proxy Server 1.0 also lacks several features--packet filtering, alerting, inbound connectivity, and support for Virtual Private Networks (VPNs)--that basic firewall packages typically include. Proxy Server 2.0 now includes those features and more.

However, Proxy Server 2.0 is not necessarily meant to replace your existing firewall. Although Proxy Server 2.0 can serve as the sole firewall solution for many companies, it doesn't include all the features that high-end firewall packages provide. So if you already have a firewall product, your best option is to use Proxy Server 2.0 to complement, not replace, your existing firewall. If you do not have a firewall, whether you use Proxy Server 2.0 exclusively depends on the level of security and performance that your business demands.

Looking at Proxy Server 2.0's features can help you decide whether it will meet your company's security needs as well as performance needs. The following focuses on two major areas of interest in Proxy Server 2.0: security and performance.

Security
Microsoft added many new security features to Proxy Server 2.0. The new and the original features work together to offer important security capabilities, such as server proxying, reverse proxying, reverse hosting, alerting and logging, dynamic packet filtering, multilayer security, and VPN support.

Server proxying. Proxy Server 2.0 monitors and forwards incoming packets to the appropriate server. For example, you can configure Proxy Server 2.0 to use Simple Mail Transfer Protocol (SMTP) to direct incoming mail packets to your mail server. However, setting up server proxying can require a lot of work. For example, to use Exchange in server proxying, you must configure static packet filters and set up authentication.

Reverse proxying. Proxy Server 2.0 impersonates the Web server when dealing with inbound traffic. In other words, Proxy Server 2.0 responds to Internet requests and forwards them to Internet Information Server (IIS) or another Web server. Internet users are unaware that Proxy Server 2.0, not IIS, is passing and monitoring their requests.

Reverse hosting. Reverse hosting takes reverse proxying one step further by letting the Web servers behind Proxy Server 2.0 publish to the Web. Proxy Server 2.0 listens and responds to requests on the Web servers' behalf. Thus, reverse hosting lets you publish to the Web without compromising security.

Alerting and logging. You can configure Proxy Server 2.0 to immediately alert you to suspicious activities (such as protocol violations) and certain attacks (such as SYN attacks) on your network. For example, in a normal message exchange between a client and server, the client sends a SYN message. The server responds with a SYN-ACK message and then waits for a return ACK message from the client. If an incorrect IP address is sending a SYN, the server will send a SYN-ACK and then wait for an ACK, which it will never receive. As the source sends more messages, the rejected packets can tie up the server's TCP ports, and legitimate users will not be able to use the services. This SYN attack can seriously affect Internet Service Providers (ISPs) and other companies that rely heavily on Internet access. You can configure Proxy Server 2.0 to alert you after the server rejects a specific number of packets. You can configure Proxy Server 2.0 to notify you of several alerting thresholds. When your system reaches these thresholds, Proxy Server 2.0 can notify you by email (via Simple Network Management Protocol--SNMP) or pager (if your email product supports paging).

After Proxy Server 2.0 alerts you to attacks and suspicious activities, it records alert information (and other inbound and outbound traffic data) in the System Log. Proxy Server 2.0 can log data to a text file, an Open Database Connectivity (ODBC) database, or a SQL server database. You need to think twice about logging to a SQL server database, however. Although you can take advantage of SQL Server's advanced querying and reporting features, logging events to a SQL server database is much slower than logging events to a text file. Furthermore, you need an ODBC-compliant database (such as Microsoft Access) to read the log files.