When I entered the security market nearly 20 years ago, the philosophical and almost religious debate was whether proxy was a better technology than stateful inspection. Back then, stateful firewalls were all about access control, while proxy servers interrupted a web connection to prevent direct internet exposure, and the “smart” ones were able to do some additional traffic verification. Times have changed, though. Stateful inspection won the war against proxies back in the 2000s, but people have not stopped discussing the topic.
Just as the times have changed, so have the proxies. The proxies of today do not compare to the proxies of yesterday – and ditto for security gateways. Today a proxy is deployed for web traffic, because it’s invaluable to be able to look inside web traffic to identify potential issues and prevent them from happening. Another upside is that it enables you to not have a direct internet connection. After all, you don’t need a default gateway anymore, do you?
Today’s web traffic also significantly differs from back then. The browser is used as a vehicle for so much more than reading plain webpages. Who would have thought we would be simultaneously blocking gaming, while allowing reading from the very same Facebook page?
That brings us to the question: what do we want to achieve? Do we need proxies because we always have and this is perceived as a best practice? I’m willing to be bold and answer “No”, and here is why:
Yes, a dedicated commercial proxy will bring you a lot of functionality to protect web traffic, in addition to being a dedicated appliance with many nice features; however, it also comes with downsides. For starters, due to the nature of a full proxy, the connection is broken and built again, which makes it slow. This increases the required investment to achieve a targeted performance goal.
Attacks today are multi-layered and they do not just happen over web traffic. An entire host of things are happening: applications are being exploited; infected machines enter the network; proper URLs are infected by malware and fixed 15 minutes later; and users use all kinds of applications and anonymizers to escape the security measures in place. Users don’t even think twice when they download a document. Internet speeds are so fast – they simply click. Proxy servers will not validate such a document. This is the playground of sandbox technologies.
Because traffic is not just on the web, organizations find themselves creating all sorts of workarounds to provide users full functionality. This is another factor that led to changing policies in enterprises in recent years. Before, the IT department used to set the security policy; today this is user-driven. Additionally, new operating systems, the BYOD movement, mobile devices, and applications that cannot work via a proxy have permanently changed the network environment.
The question “should I use a proxy server or not?” requires a more complex answer than a simple “yes” or “no”. The certainty is that not all security challenges will be solved by a proxy server alone. There are simply too many components within a network to protect. We can inspect traffic while streaming, and where it’s not possible, we can use proxy-type technologies. An example of this is HTTPS inspection. In this way, we offer an all-in-one solution rather than a collection of devices.
Check Point, recognized as a leader in the industry, is one of the few vendors that for 23 years has focused on security and nothing but security. Even with shifts in the market, Check Point has always been there to support and proactively protect its customers.