Gartner Blog Network

Security Thought for Thursday: The Proxy Purists Were Right

by Neil MacDonald  |  September 16, 2009  |  4 Comments

A proxy-based model for externalizing and enforcing security policy is the right approach and becoming more, not less, relevant.

To be clear, I'm not just talking about network traffic proxies. I mean everywhere up and down the IT stack. For example, when web users talk to web applications, we use load controllers, web access management gateways and web application firewalls to apply network and operational policy. All of these technologies allow us to inject our policy as traffic goes back and forth.

Ditto for web proxies, URL filtering and web security gateways, which let us interpose policy between users and the web as they surf.

Ditto for SOA gateways (e.g. Amberpoint, Layer7, SOA Software, DataPower and so on) between services.

Conceptually, it's the same with virtualization and the APIs that enable the enforcement of security policy for virtual machines. If you think about it, the hypervisor / virtual machine monitor layer is like a proxy: it mediates all of a virtual machine's requests for memory, network, storage and so on. Introspection techniques and VMM-level APIs such as VMsafe let us inject policy here as well, for both server *and* desktop workloads.

Increasingly we don't own or control all of the pieces of IT (the users, the devices, the components, the services, etc.) that are composed together to build a system. Are proxy-based models the best way to ensure the application of security policy moving forward? I believe in most cases they will be.

Category: next-generation-security-infrastructure  virtualization-security  

Tags: vmsafe  

Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…

Thoughts on Security Thought for Thursday: The Proxy Purists Were Right

  1. Neil,

    I have a minor issue with the use of the word “proxy”:

    On one hand, one can use the literal meaning in the context of security "devices" (regardless of whether a "device" is made of software, hardware, network or is host based). In this context I second your conclusion: over the past 15 years we have been witnessing how security "devices" are used between users and applications (inbound, outbound and eitherbound directions) to enforce a security policy, allowing the organization to take an active action.

    On the other hand, in a security-networking context, the word “proxy” also represents a specific implementation architecture and deployment option where connections are terminated, inspected, action can be taken and then connections will be recreated.

    Representing a security solutions vendor, I believe that a security "device" should be able to take action to enforce a policy. In that sense it can be called a proxy. But I also believe that a good solution should be deployment agnostic as much as possible, providing maximum flexibility for an organization to deploy it. As you wrote, "we don't own or control all of the pieces of IT", hence deployment options are very important. There are different methods: network proxies, transparent proxies or transparent bridges.

    History tells us that customers prefer the transparent options. Looking at the most deployable security solution, the firewall, first: we saw how in the early days only network proxies were used, later to be replaced by transparent proxies, and now the most preferred deployment option is a transparent bridge. Same for IPS.

    We saw a similar evolution with content filters moving from network proxies to transparent bridges, DLP with MTA integration (application proxy) moving to transparent inspection, and even ADC solutions now including transparent proxy capabilities.

    I am passionate about this topic since in the past I have seen how wrong use of the word proxy can lead to misunderstanding.

    For the record, the company I work for offers security solutions that can be deployed in all the networking modes that I mentioned.

    Sharon Besser

  2. […] The rest is here:  Security Thought for Thursday: The Proxy Purists Were Right […]

  3. Neil MacDonald says:

    Agree. I thought about "security policy enforcement points" but that sounds so generic. But the thought is the same: whether it's a piece of software, physical appliance, virtual appliance, etc., it is able to impose policy. I didn't mean to blur the lines with deployment modes, but I did want to get across the point that it gets between these two entities and enforces policy, and that without its presence we could block the exchange from taking place.

  4. Deborah Volk says:

    I am all for proxies, but I think a key detail is the inter-connectedness (is that a word?) of these proxies. If each proxy functions as a more or less independent, isolated unit, then each proxy-fronted application can be breached without letting the rest of the proxies (and the apps behind them) be compromised. My thoughts on this are here:
