Neil MacDonald

A member of the Gartner Blog Network

VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…

Security Thought for Thursday: The Proxy Purists Were Right

by Neil MacDonald  |  September 16, 2009  |  4 Comments

A proxy-based model for externalizing and enforcing security policy is the right approach and becoming more, not less, relevant.

To be clear, I’m not just talking about network traffic proxies. I mean everywhere up and down the IT stack. For example, when web users talk to web applications, we put load balancers, web access management gateways and web application firewalls in the path to apply network, operational and security policy. All of these technologies allow us to inject our policy as traffic goes back and forth.

Ditto for web proxies, URL filtering and web security gateways, which let us interpose policy between users and the web as they surf.

Ditto for SOA gateways (Amberpoint, Layer7, SOA Software, DataPower and so on) sitting between services.

Conceptually, it’s the same with virtualization and the APIs that enable enforcement of security policy for virtual machines. If you think about it, the hypervisor / virtual machine monitor (VMM) layer is like a proxy: it mediates all of a guest’s requests for memory, network, storage and so on. Introspection techniques and VMM-level APIs such as VMsafe let us inject policy here as well – both for server *and* desktop workloads.

Increasingly, we don’t own or control all of the pieces of IT (the users, the devices, the components, the services and so on) that are composed together to build a system. What we can control is the point where they meet. Are proxy-based models the best way to ensure the application of security policy going forward? I believe in most cases they will be, with one condition: the enforcement point has to be unavoidable. If traffic can reach the application without crossing it, or if it fails open when it cannot evaluate policy, it isn’t enforcing anything.
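To make the "inject policy as traffic goes back and forth" idea concrete, here is a small policy-enforcing reverse proxy written as WSGI middleware. It is an added example, not code from this post or from any of the products named above. The policy table, the bearer tokens, the `X-Verified-Role` header and the backend application are all hypothetical and constructed for illustration. What it shows is the proxy model in miniature: the application behind the proxy is untouched, the policy lives outside it as data, anything not explicitly allowed is denied, client-supplied identity claims are stripped before the proxy injects the identity it verified itself, response headers are normalised on the way out, and an internal error in the enforcement point fails closed rather than open.

```python
import json
from io import BytesIO
from wsgiref.simple_server import make_server
from wsgiref.util import setup_testing_defaults

# Hypothetical policy, constructed for this example; it lives outside the app.
POLICY = {
    "allowed_methods": {"GET", "POST"},
    "routes": {  # path prefix -> roles allowed through; unlisted paths are denied
        "/public/": {"anonymous", "user", "admin"},
        "/account/": {"user", "admin"},
        "/admin/": {"admin"},
    },
    "max_body_bytes": 64 * 1024,
    "strip_request_headers": ("HTTP_X_VERIFIED_ROLE",),  # a client may not assert its own identity
    "response_headers": [("X-Content-Type-Options", "nosniff"), ("X-Frame-Options", "DENY")],
}
TOKENS = {"tok-alice": "user", "tok-root": "admin"}  # constructed stand-in for the identity store

class PolicyViolation(Exception):
    def __init__(self, status, reason):
        super().__init__(reason)
        self.status, self.reason = status, reason

def authenticate(environ):
    """No credential means anonymous; a bad credential is rejected, not downgraded."""
    auth = environ.get("HTTP_AUTHORIZATION", "")
    if not auth:
        return "anonymous"
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "bearer" or token not in TOKENS:
        raise PolicyViolation("401 Unauthorized", "unknown credential")
    return TOKENS[token]

def authorize(role, method, path, content_length):
    """Default deny: only a request matching an explicit rule is forwarded."""
    if method not in POLICY["allowed_methods"]:
        raise PolicyViolation("405 Method Not Allowed", "method not permitted")
    if content_length > POLICY["max_body_bytes"]:
        raise PolicyViolation("413 Payload Too Large", "body exceeds policy limit")
    for prefix, roles in POLICY["routes"].items():
        if path.startswith(prefix):
            if role in roles:
                return
            raise PolicyViolation("403 Forbidden", f"role {role!r} may not reach {prefix}")
    raise PolicyViolation("404 Not Found", "no route in policy")

def deny(start_response, status, reason):
    body = json.dumps({"error": status, "reason": reason}).encode()
    start_response(status, [("Content-Type", "application/json"), ("Content-Length", str(len(body)))])
    return [body]

def policy_proxy(app):
    """Wrap any WSGI app so policy is enforced on the way in and on the way out."""
    def proxied(environ, start_response):
        try:
            for header in POLICY["strip_request_headers"]:
                environ.pop(header, None)
            role = authenticate(environ)
            try:
                length = int(environ.get("CONTENT_LENGTH") or 0)
            except ValueError:
                raise PolicyViolation("400 Bad Request", "malformed Content-Length")
            authorize(role, environ["REQUEST_METHOD"], environ.get("PATH_INFO", "/"), length)
            environ["HTTP_X_VERIFIED_ROLE"] = role  # only the proxy ever sets this
        except PolicyViolation as exc:
            return deny(start_response, exc.status, exc.reason)
        except Exception:  # fail closed: a bug in the enforcement point is not a bypass
            return deny(start_response, "500 Internal Server Error", "policy evaluation failed")

        def start_with_policy(status, headers, exc_info=None):
            headers = [(k, v) for k, v in headers if k.lower() != "server"]
            return start_response(status, headers + POLICY["response_headers"], exc_info)
        return app(environ, start_with_policy)
    return proxied

def backend_app(environ, start_response):
    """The protected app. It trusts the role header because only the proxy can set it,
    which holds only while the app is reachable through the proxy and nowhere else."""
    body = json.dumps({"path": environ["PATH_INFO"], "role": environ.get("HTTP_X_VERIFIED_ROLE")}).encode()
    start_response("200 OK", [("Content-Type", "application/json"), ("Content-Length", str(len(body)))])
    return [body]

def request(app, method, path, token=None, body=b"", extra=None):
    """Drive a WSGI app in-process; returns (status, headers dict, body bytes)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path,
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": BytesIO(body)}
    if token:
        environ["HTTP_AUTHORIZATION"] = f"Bearer {token}"
    environ.update(extra or {})
    setup_testing_defaults(environ)
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)
    chunks = app(environ, start_response)
    return captured["status"], captured["headers"], b"".join(chunks)

if __name__ == "__main__":
    with make_server("127.0.0.1", 8080, policy_proxy(backend_app)) as httpd:
        print("policy proxy on http://127.0.0.1:8080/ (paths: /public/, /account/, /admin/)")
        httpd.serve_forever()
```

Run the file to get a listening proxy on port 8080, or call `request(policy_proxy(backend_app), "GET", "/admin/users", token="tok-root")` to drive it in-process. Two things are worth noticing. First, a request that arrives with its own `X-Verified-Role: admin` header still reaches the backend as `anonymous`, because the proxy discards that claim before deciding anything; the backend's trust in the header is only safe if the proxy is the sole path to it, which is a network or deployment control, not something the code can guarantee on its own. Second, the `except Exception` branch returns 500 rather than letting the request through: a proxy that fails open under error is a bypass waiting to be triggered.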

Category: Next-generation Security Infrastructure, Virtualization Security

4 responses so far

  • 1 Sharon Besser   September 17, 2009 at 1:23 am

    Neil,

    I have a minor issue with the use of the word “proxy”:

    On one hand, one can use the literal meaning in the context of security “devices” (regardless of whether a “device” is made of software or hardware, or is network- or host-based). In this context I second your conclusion: over the past 15 years we have been witnessing how security “devices” are used between users and applications (inbound, outbound and eitherbound directions) to enforce a security policy, allowing the organization to take active action.

    On the other hand, in a security-networking context, the word “proxy” also represents a specific implementation architecture and deployment option where connections are terminated and inspected, action can be taken, and then the connections are recreated.

    Representing a security solutions vendor, I believe that a security “device” should be able to take action to enforce a policy. In that sense it can be called a proxy. But I also believe that a good solution should be as deployment-agnostic as possible, providing maximum flexibility for an organization to deploy it. As you wrote, “we don’t own or control all of the pieces of IT”, hence deployment options are very important. There are different methods: network proxies, transparent proxies or transparent bridges.

    History tells us that customers prefer the transparent options. Looking first at the most deployable security solution, the firewall: we saw how in the early days only network proxies were used, later to be replaced by transparent proxies, and now the most preferred deployment option is a transparent bridge. Same for IPS.

    We saw a similar evolution with content filters moving from network proxies to transparent bridges, DLP moving from MTA integration (an application proxy) to transparent inspection, and even ADC solutions now include transparent proxy capabilities.

    I am passionate about this topic since in the past I have seen how the wrong use of the word “proxy” can lead to misunderstanding.

    For the record, the company I work for offers security solutions that can be deployed in all the networking modes that I mentioned.

    Sharon Besser

  • 2 Security Thought for Thursday: The Proxy Purists Were Right « I-arcade Blog   September 17, 2009 at 2:27 am

    [...] The rest is here:  Security Thought for Thursday: The Proxy Purists Were Right [...]

  • 3 Neil MacDonald   September 17, 2009 at 3:53 pm

    @Sharon,

    Agree. I thought about “security policy enforcement points”, but that sounds so generic. But the thought is the same – whether it’s a piece of software, a physical appliance, a virtual appliance, etc., it is able to impose policy. I didn’t mean to blur the lines with deployment modes, but I did want to get across the point that it gets between these two entities and enforces policy, and that without its presence we could block the exchange from taking place.

  • 4 Deborah Volk   September 18, 2009 at 10:29 pm

    I am all for proxies, but I think a key detail is the inter-connectedness (is that a word?) of these proxies. If each proxy functions as a more or less independent, isolated unit, then each proxy-fronted application can be breached without letting the rest of the proxies (and the apps behind them) be compromised. My thoughts on this are here: http://www.identigral.com/blog/2009/09/17/no-app-is-an-island