Computing Reviews
Web proxy servers
Luotonen A., Prentice-Hall, Inc., Upper Saddle River, NJ, 1998. Type: Book (9780136806127)
Date Reviewed: Nov 1 1998

A packet filter is a type of firewall: only certain packets may pass, and only certain hosts may establish connections. The effectiveness of packet filters is limited by users’ stubborn desire to do work. For instance, a packet filter must allow access to port 25, or email will not work; to port 80, or the Web will not work; to port 135, or DCE/DFS will not work across the firewall; to port 443, or people on the wrong side of the firewall will not be able to buy books from Amazon.com; and to port 119, or no one on the wrong side of the firewall will get any news. This Swiss cheese effect motivates an additional layer of security: proxying some of these tunneled protocols.

A proxy server accepts requests from clients and forwards them to another server, moderating the response. A proxy is familiar with the protocol being relayed, so it can perform fine-grained access control, traffic monitoring, audit logging, and performance enhancement functions that are beyond the scope and means of a packet filter. Thus responses can be filtered for malicious mobile code, such as viruses and bad applets, or other harmful content. There is a growing industry that rates sites based on content and publishes lists of “acceptable” URLs. In concert, another industry is evolving to provide proxy service to the home desktop, filtering unacceptable URLs.

Both delay in Web response and the bandwidth required for requests and responses are significantly reduced by proxy caching. The risk of receiving stale cached data is marginal, since HTTP data change very slowly. The Internet Cache Protocol is used by proxies to query the caches of other proxies. The protocol works up a tree of proxies from the client, keeping timing information from each proxy it queries, to find the most efficient path to a proxy that caches the data, or to the server via a chain of proxies. Hot spot Web sites contribute data with a high hit rate, but the majority of Web sites are dry holes that reduce the effectiveness of proxy caches. As the implementer of two proxy servers, the author is a master of proxy cache architecture. There are three choices: mapping into the file system (reverse mapping of data to URLs is intrinsic, but hot spot directories are expensive to search); use of a database or a simple database technique, such as hashing (which requires the software to explicitly maintain the reverse mapping as part of the database); and the use of virtual memory to store the cache (to me, the most satisfying solution).

A chapter describes the fascinating interaction between advertisers and proxy caching. The Web is increasingly being funded by advertisers, who hate proxy caching because they want to track hit counts per ad to measure effectiveness and govern billing (and they want your cookies). The author interpolates telegraphic discussions of other messy real-world imbroglios, such as how proxy caching may violate copyright; how access pattern tracking via cookies is an invasion of privacy (by the way, did you know the Web tracks the sites you visit?); and how URL filtering in ISP proxy servers turns out to be censorship.

Another chapter walks the reader through the analysis of an interesting set of sample proxy logs, showing how to calculate cache hit rate and dataflow rates through the proxy. The author clearly explains the complex interaction between client and proxy caches and shows that the proxy cache improves response time by about 30 percent. A chapter describing the security risks of proxy servers should be studied closely by anyone who has to set up a proxy server. The proxy logs must be securely stored because they contain URLs, and a URL might contain a credit card number, a social security number, or a user name and password. Finally, the author provides a chapter of instructive case studies and a welcome chapter on troubleshooting.

Reviewer: Jason Gait
Review #: CR121818 (9811-0863)
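
The log analysis and the log-sensitivity point described in the review can be combined in one pass. The following is an added example, not code from the book or from the review; the log field order, the sample lines, and the parameter names in `SENSITIVE_PARAMS` are constructed assumptions. It computes request and byte hit rates and masks credentials in URLs before the lines are stored.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample; assumed field order: epoch client cache-status bytes url
SAMPLE_LOG = """\
909878400 10.0.0.5 HIT 2048 http://www.example.com/index.html
909878401 10.0.0.6 MISS 8192 http://shop.example.com/buy?item=42&cardnumber=4111111111111111
909878402 10.0.0.5 HIT 1024 http://www.example.com/logo.gif
909878403 10.0.0.7 MISS 4096 http://user:secret@intranet.example.com/report?ssn=000-00-0000
"""

SENSITIVE_PARAMS = {"cardnumber", "ssn", "password", "user"}  # assumed names
CARD_LIKE = re.compile(r"\d{13,16}")  # long digit runs are treated as card numbers

def redact_url(url):
    """Drop userinfo and fragment, and mask sensitive query values."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.port:
        host += f":{parts.port}"
    query = [
        (k, "REDACTED" if k.lower() in SENSITIVE_PARAMS or CARD_LIKE.fullmatch(v) else v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return urlunsplit((parts.scheme, host, parts.path, urlencode(query), ""))

def analyze(log_text):
    """Return (hit_rate, byte_hit_rate, redacted_lines) for the log text."""
    hits = total = hit_bytes = total_bytes = 0
    redacted = []
    for line in log_text.splitlines():
        fields = line.split(None, 4)
        if len(fields) != 5 or not fields[3].isdigit():
            continue  # skip malformed lines rather than guess at them
        ts, client, status, size, url = fields
        total += 1
        total_bytes += int(size)
        if status == "HIT":
            hits += 1
            hit_bytes += int(size)
        redacted.append(" ".join((ts, client, status, size, redact_url(url))))
    hit_rate = hits / total if total else 0.0
    byte_hit_rate = hit_bytes / total_bytes if total_bytes else 0.0
    return hit_rate, byte_hit_rate, redacted

if __name__ == "__main__":
    rate, byte_rate, lines = analyze(SAMPLE_LOG)
    print(f"hit rate {rate:.0%}, byte hit rate {byte_rate:.0%}", *lines, sep="\n")
```

On the sample, half the requests are cache hits but only a fifth of the bytes are served from cache, which is why the two rates are reported separately.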
Client/Server (C.2.4 ... )
Internet (C.2.5 ... )
Internetworking (C.2.6 )