Pervasive Internet access and the relative ease of installing Web-based applications have empowered users to quickly load browser-based e-mail, instant messaging, peer-to-peer file-sharing clients and more, on enterprise networks.

As the use of these Web-based applications and the traffic they generate continues to accelerate, IT staff are deploying proxy appliances to safeguard against the liability, productivity and security risks introduced when unsanctioned Internet applications are randomly installed on the corporate network.

A proxy appliance is positioned between network users and the Internet, and serves as a central point of control over employee Internet use. As a termination point for Web communications on the network, the proxy appliance can apply numerous policy-based controls to Web traffic and requests, before delivering content to end users.

Setting up a proxy appliance requires only a network connection and an IP address. The appliance is installed behind, or in parallel with, the network firewall to intercept Web protocol traffic such as HTTP, HTTPS, FTP, IM and SOCKS.

When a user first attempts to access the Internet or launch a Web-based application, the proxy appliance goes to work by prompting the user to present their network credentials. This is done in concert with the organisation's existing authentication service, such as LDAP, Windows domain and RADIUS. After the initial logon, the proxy appliance recognises the user's credentials and transparently applies policy controls to all subsequent Web requests.

Policy controls
From this point forward, policy controls are enforced for everything a user does on the Web. This control is based on a comprehensive set of triggers, such as time of day, location, protocol, user agent and content type. Any one of these triggers prompts the proxy appliance to enforce any number of actions established by an administrator, such as allow, deny, notify, transform content, rewrite header and remove-and-replace. These fine-tuned controls can be applied across an organisation or to a single user, regardless of where the user logs on.

After policy is applied to a user's request, Web communication is sent to the Web server. Web servers respond and send Web content back to the proxy appliance, where additional policy controls, if configured, can be enforced on the incoming content.

As an example, an outbound request might contain a peer-to-peer user agent type that corporate policy does not permit. The peer-to-peer request can be blocked, and the user can be notified that the request has been denied. Other requests not subject to the policy are forwarded to the external destination server, where the server then responds to the proxy's request for content.

Because a proxy appliance sits in the middle of all Web communications, it can also be an ideal platform on which to run multiple security functions, including URL filtering, IM control, content security and Web virus scanning. URL filtering installed on the appliance, for example, achieves dramatic performance gains through the combination of integrated caching and dedicated hardware. Content security lets an administrator configure policy to block Multipurpose Internet Mail Extensions (MIME) types and file extensions, strip and replace active content, restrict uploads or downloads, rewrite or suppress headers, and apply method-level protocol controls.
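As an added illustration of the trigger/action model described above (the peer-to-peer user-agent denial with notification, header rewriting or suppression, and MIME-type blocking on returned content), here is a small policy evaluator in Python. It is not Blue Coat code; the rule names, the peer-to-peer user-agent substrings, the webmail host and the blocked MIME types are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import time
@dataclass
class Request:                  # outbound request: user -> proxy
    url: str
    user_agent: str
    clock: time                 # time of day the request arrived
    headers: dict = field(default_factory=dict)

@dataclass
class Response:                 # inbound content: origin server -> proxy
    content_type: str
@dataclass
class Rule:
    name: str
    trigger: object             # predicate over a Request or a Response
    action: str                 # "allow", "deny" or "rewrite_header"
    notify: bool = False        # tell the user why the request was refused
    header: tuple = None        # (name, value) for rewrite_header; value None suppresses it

# Constructed policy: first matching allow/deny wins; a header rewrite is applied
# and evaluation continues, because rewriting does not end the request.
P2P_AGENTS = ("bittorrent", "limewire", "kazaa")   # constructed user-agent substrings
OUTBOUND_RULES = [
    Rule("block-p2p-agents", lambda r: any(a in r.user_agent.lower() for a in P2P_AGENTS),
         "deny", notify=True),
    Rule("no-webmail-in-office-hours",
         lambda r: "webmail.example" in r.url and time(9) <= r.clock < time(17),
         "deny", notify=True),
    Rule("suppress-referer", lambda r: "Referer" in r.headers,
         "rewrite_header", header=("Referer", None)),
]
BLOCKED_TYPES = {"application/x-msdownload", "application/x-shockwave-flash"}
INBOUND_RULES = [
    Rule("block-active-content", lambda p: p.content_type in BLOCKED_TYPES, "deny", notify=True),
]

def evaluate(item, rules):
    """Return (action, matched rule name, notify user?); the default is allow."""
    for rule in rules:
        if not rule.trigger(item):
            continue
        if rule.action != "rewrite_header":
            return rule.action, rule.name, rule.notify
        name, value = rule.header          # rewrite: set or suppress, then keep evaluating
        if value is None:
            item.headers.pop(name, None)
        else:
            item.headers[name] = value
    return "allow", "default", False
```

The same `evaluate` function serves both directions: outbound requests are checked against `OUTBOUND_RULES` before forwarding, and the server's response against `INBOUND_RULES` before delivery to the user.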

For additional performance gains, administrators can purchase proxy appliances with multiple processors and extensible hardware options such as multiple disk drives, interfaces, memory, bridging and Secure Sockets Layer accelerator cards.

Pumping up performance
In the past, software-based proxy servers provided sufficient levels of Web control. However, administrators are feeling the pain as they attempt to patch and maintain software-based proxies in the face of relentless security threats and increasingly saturated Web environments that demand greater performance. A proxy appliance provides abundant policy controls wrapped in performance-oriented hardware, giving organisations a viable option for gaining visibility and control over their employees' Web communications.

Jeff Hughes is director of technical marketing for Blue Coat Systems.