What are Proxy Servers
A proxy server is a dedicated computer or software system that sits between end user devices, such as desktop computers or mobile devices, and a desired destination, such as a website, web application or cloud-based application.
Figure 1: Proxy server schema
The purpose of a proxy server is to:
Temporarily intercept traffic, inspect it, and decide whether to allow a user to access a requested destination
Connect traffic to its requested destination and facilitate the exchange of information
The Pitfalls of Using Proxies
Companies used to use proxies widely to manage and secure corporate networks. However, proxies were never designed to deal with modern security threats or new technologies, such as mobile devices and the internet of things. Today, proxies are no longer enough to ensure secure access to networks or clouds.
Proxies also have significant architectural weaknesses:
Limited visibility: Proxies are stand-alone, isolated products that only support a limited number of applications, so they don’t offer a complete view of all network traffic.
Lack of integration with other security products: Proxies can’t be integrated with, take policies from or learn from other network security functions. For example, they can’t factor in any malicious files a separate antivirus product sees or any threats an intrusion prevention system encounters.
Inability to inspect all traffic: Proxies are unable to inspect all traffic for malware or greenlight any data loss that’s legitimately allowed by a company. This can result in blind spots and potential inspection gaps, such as any internet traffic beyond web, DNS and FTP for Office 365®, or even any traffic that bypasses a proxy because an application is not “proxy aware.”
Protocol limitations: Proxies only support a limited number of network protocols, such as HTTP, HTTPS, FTP and DNS. Hence, they can’t identify or make policy decisions on all applications crossing all ports. They also can’t tell the difference between applications that run across different protocols or identify any applications that use nonstandard ports.
Security risks: End users can easily bypass proxy-based devices and traditional URL filtering methods.
Performance: Proxy-based devices require extensive computing resources, rapid throughput and high scalability to perform security functions, which limits their potential use cases.
All of this requires companies to take a different, far more advanced approach to security than they have in the past.
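The blind spots listed above can be measured from perimeter flow records. The following is an added example, not part of the original article or any vendor's code: it separates traffic that went through the proxy from traffic that went around it on a proxy-supported port (an application that is not proxy aware) and traffic on ports the proxy does not handle at all. The proxy address, internal range, log format and sample records are all constructed assumptions.

```python
import ipaddress
from collections import Counter

# Assumptions for this example (not from the article):
PROXY_IP = ipaddress.ip_address("10.0.0.10")       # hypothetical forward proxy
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # hypothetical corporate range
# Default ports of the protocols the article lists as proxy-supported.
PROXY_PORTS = {80: "HTTP", 443: "HTTPS", 21: "FTP", 53: "DNS"}

# Constructed perimeter flow records, one per line: "src dst proto dport"
SAMPLE_FLOWS = """\
10.0.0.10 198.51.100.7 tcp 443
10.0.0.10 203.0.113.20 tcp 80
10.1.4.22 198.51.100.7 tcp 443
10.1.4.22 203.0.113.99 tcp 8443
10.1.7.31 192.0.2.55 udp 3478
10.1.7.31 10.2.0.5 tcp 445
10.1.9.12 192.0.2.53 udp 53
"""

def classify(line):
    """Return internal, proxied, bypass or uncovered for one flow record."""
    src, dst, _proto, dport = line.split()
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst in INTERNAL_NET:
        return "internal"    # east-west traffic never reaches the proxy
    if src == PROXY_IP:
        return "proxied"     # egress made by the proxy on a client's behalf
    if int(dport) in PROXY_PORTS:
        return "bypass"      # supported protocol, but the client went direct
    return "uncovered"       # port outside what the proxy handles

def audit(text):
    """Count each verdict and collect the flows the proxy never inspected."""
    counts, findings = Counter(), []
    for line in text.splitlines():
        if not line.strip():
            continue
        verdict = classify(line)
        counts[verdict] += 1
        if verdict in ("bypass", "uncovered"):
            findings.append((verdict, line))
    return counts, findings

if __name__ == "__main__":
    counts, findings = audit(SAMPLE_FLOWS)
    print(dict(counts))
    for verdict, line in findings:
        print(f"{verdict:9} {line}")
```

The share of "bypass" and "uncovered" flows in real egress logs shows how much traffic a proxy-only design leaves uninspected.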
A Better Approach
Fortunately, next-generation firewall appliances and cloud-based, virtualized next-generation firewalls offer companies a better solution to keep up with today’s modern security demands.
Unlike proxies, next-generation firewalls:
Provide control over application functions
Apply threat inspection to each application
Offer application vulnerability exploit protection
Inspect traffic across all ports and protocols, as well as branch-to-branch/branch-to-data center
Scale without competing customer congestion
Provide both antivirus and spyware protection
Supply dedicated egress IP addresses for business-to-business companies
Can act as a primary firewall
Fit within a Zero Trust framework
More importantly, next-generation firewalls and other security cloud technologies inform one another, which dramatically increases the platform’s ability to prevent security threats. Next-generation firewalls also provide URL filtering, block inbound threats and command-and-control traffic callbacks, and recognize malicious domains and IP addresses. They even offer malware analysis to detect, address and prevent newfound zero-day threats on company networks.
In a world where protecting corporate networks from sophisticated attacks is paramount, using advanced technologies such as next-generation firewalls can often mean the difference between having a secure network and having a vulnerable one.
For more information about cloud-based next-generation firewalls, visit paloaltonetworks.com/cloud-security/prisma-access.
For more information about physical next-generation firewalls, visit paloaltonetworks.com/products/secure-the-network/next-generation-firewall.