Reverend Andrew Ward's doing IT by Proxy

Many IT managers who are considering adding an Internet link to their internal LAN will quite understandably have a number of serious concerns. In terms of security they'll want to be able to control user access to the Internet and know who's doing what, where, and when. In financial terms, they'll be very concerned about the bandwidth demands of surfing users.

An extremely useful tool in these circumstances is a rather sophisticated and heavyweight piece of software: a Proxy Server. As well as the inevitable public domain products, commercial firewall products are available with a number of configurable options. One of the best Web resources describing the basic principles of the proxy scheme can be found at:

The Netscape Proxy Server, whose somewhat prosaic name belies a host of features which will make it attractive to virtually any organisation with a LAN and an Internet connection, is now available for the first time outside the USA. Its features include improved performance, a host of security benefits, user control, access control and reporting.

However, the most important benefit to most Internet users will be the ability to cache Web documents locally. The Netscape Proxy Server will usually gateway all Internet access requests generated on a LAN (except for mail). When a user accesses a Web page for example, then if that page has been accessed recently it is provided from the hard drive local to the Proxy Server, rather than from across the Internet connection. The Netscape Proxy Server thereby provides a very cost-effective bandwidth increase. Indeed, this feature can provide a dramatic increase in the effective bandwidth of the organisation's Internet connection: Internet traffic reduces by as much as 40%-60%, and some users of the product have reported cache hit rates of 65% and more. Hit rates could be even higher in certain environments: for example in academic institutions, where many students may be working on a similar project.

It's not only Web browsing that benefits from the caching features: other Internet protocols, apart from HTTP, are also cached by the Proxy Server. These cached protocols include FTP (file transfers), Gopher, NNTP (news), and the secure protocols HTTPS, SHTTP and SSL.

Caching Web documents naturally poses problems as well as solves them. The most obvious concern will be: will this document be up-to-date? In fact, the Netscape Proxy Server sports a very sophisticated cache refresh management scheme which is entirely user-configurable. For example, an HTTP document which has been modified within the last day or so would be marked to be refreshed from source every time; whereas a document last modified over a week ago would normally be kept for a day before being expired.

In addition to the bandwidth benefits, the caching feature of the Proxy Server also brings about substantial performance improvements: it is many times quicker to fetch pages cached by the Proxy Server than pages which have to be dragged across the Internet. The Proxy Server uses dynamic process management with the result that, overall, it achieves unmatched performance at serving Web documents.

A variety of security features are part and parcel of the Proxy Server. First and foremost, the nature of the caching activity of the Proxy Server conceals the number of users within an organisation, their IP addresses, and the true extent of their Internet activity. Furthermore, for an organisation which is only a client of the Internet, the only IP addresses which need to be visible to the outside world are the Proxy Server and the router: in some circumstances this arrangement can obviate the requirement for a dedicated firewall.

Another security feature is the ability of the Proxy Server to convert HTTP and other insecure protocols into HTTPS. This allows users within the organisation who have insecure browsers access to secure pages and sites which require HTTPS.

Since all Internet accesses must take place via the Proxy Server, it's in a position to exert user control: and it does. Internet accesses require the entry of a user ID and password. Furthermore, some degree of control over which external sites are visited is also possible via a flexible access control mechanism which supports regular expressions and wildcards: as an example, access to all *.gov sites could be disabled.

Even the user and access control mechanisms built into the Netscape Proxy Server can't prevent all types of Internet abuse, so the Proxy Server provides another management tool which will be an absolute boon to many: all Internet transactions are logged (by internal network node), thus enabling thorough tracking of all activities.
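The wildcard access control and per-node logging described above can be sketched as follows. This is an added example in Python, not Netscape's configuration syntax or code from the product: the function names, the sample transactions and the log line layout are all constructed for illustration, and only the `*.gov` rule comes from the article.

```python
from collections import Counter
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Wildcard deny rules; "*.gov" is the article's own example.
DENY_PATTERNS = ["*.gov"]

# Constructed sample transactions: (internal node, user ID, requested URL).
SAMPLE_REQUESTS = [
    ("10.0.0.5", "alice", "http://www.example.com/index.html"),
    ("10.0.0.5", "alice", "http://WWW.Example.GOV/forms/"),
    ("10.0.0.7", "bob", "http://agency.gov./report.txt"),
    ("10.0.0.7", "bob", "http://gov.example.org/"),
    ("10.0.0.9", "carol", "ftp://files.example.gov:21/pub/"),
]


def normalise_host(url):
    """Return the host in lower case, without port or trailing root dot.

    Without this step, "WWW.Example.GOV" or "agency.gov." would slip
    past a rule written as "*.gov".
    """
    host = urlsplit(url).hostname or ""  # .hostname is already lower-cased
    return host.rstrip(".")


def is_denied(url, patterns=DENY_PATTERNS):
    """True if the URL's host matches any deny pattern."""
    host = normalise_host(url)
    if not host:
        return True  # design choice in this sketch: fail closed on unparsable input
    return any(fnmatchcase(host, p.lower()) for p in patterns)


def audit(requests, patterns=DENY_PATTERNS):
    """Return (log_lines, denied_per_node) for a list of transactions."""
    log, denied = [], Counter()
    for node, user, url in requests:
        verdict = "DENY" if is_denied(url, patterns) else "ALLOW"
        if verdict == "DENY":
            denied[node] += 1
        log.append(f"{node} {user} {verdict} {url}")
    return log, denied


if __name__ == "__main__":
    lines, per_node = audit(SAMPLE_REQUESTS)
    print("\n".join(lines))
    print(dict(per_node))
```

Note that `gov.example.org` is allowed: the rule anchors on the end of the host name, so a label that merely contains "gov" does not match.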

The Netscape Proxy Server has other applications in addition to interfacing between a LAN and the Internet. For example, if an organisation has several sites, interconnected by links where the bandwidth is limited (as it always is), then the Proxy Server can also be used between sites to substantially reduce the Internet traffic carried over these links.

Netscape Proxy Server would typically be implemented on a fairly well-specified UNIX workstation (a wide range of platforms is supported) - although a 486-based PC with BSD would be perfectly suitable - and is available from Unipalm PIPEX. A standard configuration would have 32MB RAM and between 1 and 6GB disk storage.

The proxy server is available from Unipalm PIPEX, call 0500 474739 for details.