Web proxies are no longer needed

Tim Lloyd talks up one way to avoid productivity issues associated with proxy use

Many organisations use VPNs these days to connect different locations to the corporate network. A VPN is seen as essential for the security of remote end points. However, there is a hidden price to pay for this flexibility if the customer's web security relies on proxies – as many do.

Every web page request is sent from the remote machine, via the VPN, to the corporate proxy. Then it is sent on to the internet, and the page is sent back along the same route.

This traffic consumes head-office bandwidth that could be used for more useful services, such as file transfers, VoIP or videoconferencing. It also incurs packet latency – potentially reducing productivity.

Most companies accept the data delays involved and extra bandwidth costs as a side effect of securing the end points. Yet there are other issues as well.

Users connecting via 3G routed via VPN can find their service hopelessly slow and expensive, especially if connecting while on a trip abroad. And the launch of capped 4G contracts will increase the cost even further.

Proxying allows administrators to control internet traffic – allowing or disallowing different sites, for example, or restricting the times of day that sites can be accessed – and it is at the core of almost every web security product available today.

But now that networks are being extended across many locations, connection types and devices, a proxy is not scalable or flexible enough.

Cloud-based internet security products can alleviate bandwidth and processing issues but they do not entirely solve the problem.

Cloud-based proxies can mask the IP address and hence the identity of the user. The user will always be identified with the proxy server IP address, causing problems with location-aware websites.

For example, the user will be redirected to the search page nearest the proxy server, not the location of the actual user. Also, a huge number of attempts to access the web that appear to be from just one IP can result in site access shut-down. All this can hinder productivity.

Cloud proxies also do not solve the latency issue. There is still a delay when you click a web link, as the page is requested by the cloud proxy, scanned and then forwarded to the end point. On 3G this can make using day-to-day web applications a real slog.

Few developers consider the issues with proxying when creating mobile apps. This can lead to users not being able to use specific mobile apps at all.

I see the answer in the adoption of the Internet Content Adaptation Protocol (ICAP). This can speed up web access in a cloud environment using a client/server architecture with compatible end-point software.

Rather than sending each web page and all its content to a centralised web proxy, either directly or over VPN, the ICAP client generates a small packet of data containing a snapshot of the web request, and the ICAP server responds with yes or no, depending on the time of day and the filtering policy assigned to the user.
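The allow/deny exchange described above can be sketched as an ICAP REQMOD round trip (RFC 3507). This is an added example, not CensorNet's code: the host names, the policy table and the use of an `X-Client-Username` header to name the user are assumptions made for illustration.

```python
from datetime import time

ISTAG = 'ISTag: "policy-v1"\r\n'  # constructed service tag

def build_reqmod(icap_host, user, method, host, path):
    """Endpoint side: wrap only the HTTP request headers, never the page body."""
    http = f"{method} {path} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()
    icap = (f"REQMOD icap://{icap_host}/reqmod ICAP/1.0\r\n"
            f"Host: {icap_host}\r\n"
            f"X-Client-Username: {user}\r\n"  # assumed way of naming the user
            "Allow: 204\r\n"
            f"Encapsulated: req-hdr=0, null-body={len(http)}\r\n\r\n").encode()
    return icap + http

def decide(message, policies, now):
    """Server side: build the ICAP verdict from user policy and time of day."""
    icap, _, http = message.partition(b"\r\n\r\n")
    fields = dict(l.split(": ", 1) for l in icap.decode().split("\r\n")[1:])
    host = next(l.split(": ", 1)[1] for l in http.decode().split("\r\n")
                if l.lower().startswith("host: "))
    policy = policies.get(fields.get("X-Client-Username"))
    allowed = False  # users with no policy fail closed
    if policy and host not in policy["deny"]:
        window = policy["timed"].get(host)  # (start, end), or None for always
        allowed = window is None or window[0] <= now <= window[1]
    if allowed:
        return ("ICAP/1.0 204 No modifications needed\r\n" + ISTAG + "\r\n").encode()
    block = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"
    return ("ICAP/1.0 200 OK\r\n" + ISTAG +
            f"Encapsulated: res-hdr=0, null-body={len(block)}\r\n\r\n").encode() + block

def is_allowed(response):
    """Endpoint side: only an explicit 204 lets the request go out directly."""
    parts = response.split(b"\r\n", 1)[0].split(b" ")
    return len(parts) > 1 and parts[1] == b"204"

# Constructed policy: one site always denied, one allowed only at lunchtime
POLICIES = {"alice": {"deny": {"malware.example"},
                      "timed": {"social.example": (time(12, 0), time(13, 0))}}}

def check(user, host, now):
    req = build_reqmod("icap.example.net", user, "GET", host, "/")
    return is_allowed(decide(req, POLICIES, now))

if __name__ == "__main__":
    print(check("alice", "social.example", time(12, 30)))
    print(check("alice", "social.example", time(9, 0)))
```

The endpoint treats anything other than a 204 as a block, so a malformed or unexpected reply from the policy server does not open access.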

The ICAP protocol can be used to implement virus scanning and content scanning to extend the security services available in the cloud, reducing bandwidth costs and hardware requirements at the customer premises.

Tim Lloyd is founder and chief executive of CensorNet