
In document Internet (Page 51-53)

Proxy Servers

6.2 Key Features of Proxy Servers

Proxy servers provide three main functions:

1. Firewalling and filtering
2. Connection sharing
3. Caching

The features of proxy servers are especially important on larger networks like corporate intranets and ISP networks. The more users on a LAN and the more critical the need for data privacy, the greater the need for proxy server functionality.

6.2.1 Proxy Servers, Firewalling and Filtering

Proxy servers work at the Application layer, layer 7 of the OSI model. They aren't as popular as ordinary firewalls, which work at lower layers and support application-independent filtering. Proxy servers are also more difficult to install and maintain than firewalls, because proxy functionality for each application protocol, such as HTTP, SMTP, or SOCKS, must be configured individually. However, a properly configured proxy server improves network security and performance. Proxies have capabilities that ordinary firewalls simply cannot provide.

Some network administrators deploy both firewalls and proxy servers to work in tandem. To do this, they install both firewall and proxy server software on a server gateway. Because they function at the OSI Application layer, the filtering capability of proxy servers is relatively intelligent compared to that of ordinary routers. For example, proxy Web servers can check the URL of outgoing requests for Web pages by inspecting HTTP GET and POST messages. Using this feature, network administrators can bar access to illegal domains but allow access to other sites. Ordinary firewalls, in contrast, cannot see Web domain names inside those messages. Likewise for incoming data traffic, ordinary routers can filter by port number or network address, but proxy servers can also filter based on application content inside the messages.
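The URL check described above can be sketched as follows. This is an added example, not code from the source document; the blocklist entry, function names and sample requests are constructed for illustration. It reads the destination host from a GET or POST request the way a forward proxy sees it and matches it against a list of barred domains, denying anything it cannot parse.

```python
from urllib.parse import urlsplit

BLOCKED_DOMAINS = {"blocked.example"}  # constructed policy entry, not from the page

def requested_host(raw_request: bytes):
    """Return the host a GET/POST request is aimed at, as a proxy sees it, or None."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] not in ("GET", "POST"):
        return None
    target, host_value = parts[1], None
    if not target.startswith("/"):
        # Absolute-form (GET http://host/path): the request line wins over Host.
        host_value = target
    else:
        # Origin-form (GET /path): the destination is only in the Host header.
        for line in lines[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() == "host":
                host_value = "//" + value.strip()
                break
    try:
        host = urlsplit(host_value).hostname if host_value else None
    except ValueError:
        return None
    return host.rstrip(".").lower() if host else None

def is_blocked(host, blocked=BLOCKED_DOMAINS):
    """Match the domain itself or a subdomain, never a bare string suffix."""
    return any(host == d or host.endswith("." + d) for d in blocked)

def decide(raw_request: bytes):
    """Return "allow" or "deny"; unparseable requests fail closed."""
    host = requested_host(raw_request)
    return "deny" if host is None or is_blocked(host) else "allow"

# Constructed sample requests.
ABSOLUTE_GET = b"GET http://www.blocked.example/a.html HTTP/1.1\r\nHost: www.blocked.example\r\n\r\n"
LOOKALIKE_POST = b"POST http://notblocked.example/f HTTP/1.1\r\nHost: notblocked.example\r\n\r\na=1"
ORIGIN_GET = b"GET /x HTTP/1.1\r\nHost: Blocked.Example.:80\r\n\r\n"
MALFORMED = b"garbage\r\n\r\n"

if __name__ == "__main__":
    for req in (ABSOLUTE_GET, LOOKALIKE_POST, ORIGIN_GET, MALFORMED):
        print(decide(req), req.split(b"\r\n", 1)[0].decode())
```

A packet filter working on addresses and ports alone would see the same destination port for all four requests; the hostname is only visible once the HTTP message is parsed.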

6.2.2 Connection Sharing with Proxy Servers

Various software products for connection sharing on small home networks have appeared in recent years. In medium- and large-sized networks, however, actual proxy servers offer a more scalable and cost-effective alternative for shared Internet access. Rather than give each client computer a direct Internet connection, all internal connections can be funneled through one or more proxies that in turn connect to the outside.

6.2.3 Proxy Servers and Caching

The caching of Web pages by proxy servers can improve a network's "quality of service" in three ways. First, caching may conserve bandwidth on the network, increasing scalability. Next, caching can improve response time experienced by clients. With an HTTP proxy cache, for example, Web pages can load more quickly into the browser. Finally, proxy server caches increase availability. Web pages or other files in the cache remain accessible even if the original source or an intermediate network link goes offline.

Figure 6.1

6.2.3.1 Proxy caching

Imagine two people at an office -- let's call them Ram and Latha -- surfing the Net for business research. Suppose Ram, who has an interest in computer networking books, visits www.oreillynet.com in an attempt to learn more about them.

Now it's Latha's turn. Latha is very interested in computer programming. She navigates to www.oreillynet.com and, because this page was cached during Ram's very recent visit, she is surprised at how quickly this content-rich page pops into her browser window. With a great first impression, Latha is now ready to immerse herself in the wonderful world of computer programming.

The potential benefits of proxy server caching loom even larger if Ram and Latha have a few hundred coworkers that share the same proxied Internet access and similar interests or Net surfing patterns. Yet proxy caching is not a silver bullet. Limitations exist that can render this technology much less useful.

6.2.3.2 Drawbacks of Proxy Caching

It's reasonable to expect that proxy servers handling hundreds or thousands of Web clients can become a network bottleneck. In addition to using servers with powerful processors and large amounts of memory, administrators may also choose to deploy multiple proxies to help avoid potential bottlenecks.

A proxy hierarchy creates multiple layers of caching support. Clients connect directly to a first-level caching server, and if a Web page is unavailable there locally, the request "misses" and automatically gets passed to a second-level caching server, and so on.

As with many caching systems, the effectiveness of a multi-proxy server hierarchy is very dependent on the pattern of traffic. In the worst case, all clients will be visiting Web pages completely unrelated to each other, and proxies (the hardware and the additional network traffic they generate) become pure overhead. One would expect that normal traffic patterns will usually not be worst-case, but every network's use pattern will be different.
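The miss-and-forward behaviour of a proxy hierarchy, and its dependence on the traffic pattern, can be seen in a small simulation. This is an added example, not part of the source document; the class, the two-office layout and the request lists are constructed, and cache size limits and expiry are left out. Each office has its own first-level cache, and both share one second-level cache.

```python
from collections import Counter

ORIGIN = "origin"  # label for a request that had to go to the real Web server

class CacheLevel:
    """One caching proxy; `parent` is the next level up (None means the origin)."""
    def __init__(self, name, parent=None):
        self.name, self.parent, self.store = name, parent, set()

    def fetch(self, url):
        """Return the name of the tier that actually served `url`."""
        if url in self.store:
            return self.name                        # hit at this level
        # Miss: pass the request up the hierarchy, then keep a local copy.
        served_by = self.parent.fetch(url) if self.parent else ORIGIN
        self.store.add(url)
        return served_by

def simulate(requests_by_office):
    """Count how many requests each tier served for the given traffic."""
    level2 = CacheLevel("level2")
    tally = Counter()
    for office, urls in requests_by_office.items():
        level1 = CacheLevel("level1", parent=level2)  # one per office
        for url in urls:
            tally[level1.fetch(url)] += 1
    return tally

# Constructed traffic: overlapping interests versus completely unrelated pages.
SHARED = {
    "office-a": ["/news", "/docs", "/news", "/docs"],
    "office-b": ["/news", "/docs", "/news"],
}
UNRELATED = {
    "office-a": ["/a1", "/a2", "/a3", "/a4"],
    "office-b": ["/b1", "/b2", "/b3"],
}

if __name__ == "__main__":
    print("shared   :", dict(simulate(SHARED)))
    print("unrelated:", dict(simulate(UNRELATED)))
```

With the shared pattern only two of the seven requests reach the origin; with the unrelated pattern all seven do, and both cache levels add a hop without serving anything.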

Proxy caching differs from browser caching. Browsers automatically cache pages on the client computer, whereas proxies can also cache pages on a remote Web server. Because browsers already perform their own caching, introducing proxy caching into a network will have only a second-order effect.

Proxy caches don't help much with refreshed pages. On some sites, Web pages are set with HTML META tags to expire quickly; expired pages force the proxy cache to reload that page. Similarly, caching is rendered ineffective by pages that change content frequently, such as those on news sites or weblogs.

Proxy caches also introduce measurement uncertainty into the Internet. Normally, a Web server log will record identifying information of visiting clients such as their IP addresses and domain names. For clients with proxy servers, all public requests are made on behalf of the server, using its IP address and identity. Web sites that carefully track the patterns of use of their visitors have much more difficulty in distinguishing unique client visits through proxies.
