Thursday, September 20, 2007

What is the difference between a firewall server and a proxy server?

Reply 1)

A firewall server is primarily meant for protecting internal IT infrastructure from being attacked from the internet. These are generally standardized devices like Cisco PIX or software-based solutions like Check Point and Microsoft ISA. Some of the devices can also function as enablers of internet sharing.

Proxy servers are meant for internet sharing and for hiding internal users' information (like the IP address) from the internet. Some proxies also function as firewalls, but that is not what they are designed for. A company which has a good firewall may not require a proxy. However, a company that is just sharing an internet connection on a server may want to use proxies, so that internal users can access the internet through the same connection using the proxy. Windows 2000 onwards provides an inbuilt feature called “Internet Connection Sharing” which can have the same functionality. Typically cyber cafes and similar sized / type setups use proxies.

Reply 2)

Does NAT perform the same stuff as a proxy server?

Reply 3)

Not really.

The objective of NAT is to enable 2-way communication with the internet for a machine which is not internet facing. For example, if you want to access your office desktop computer from your home via broadband, how will you do it? You are connected to the internet from home, and your office desktop is also connected to the internet through the default gateway. However, your office desktop computer has a private IP range (172.18.x.x) which is not recognized on the internet. So, there are 2 ways in which you could access your office desktop from home:

1) Connect your office desktop outside the router and let it get the public IP from the service provider. This will mean that only your office desktop will be able to access the internet and no one else will be able to access it (unless your office desktop is configured as a proxy server and everyone’s Internet Explorer is configured to use your office desktop as a proxy). With this arrangement, both your home computer and office computer have public IPs from the internet and hence you can connect as if you were on a LAN (not from the speed perspective).
2) The other option is to let your office desktop continue using the intranet IP (172.18.x.x) and configure a NAT on the router / firewall. Basically, NAT will map an internet public IP to your office desktop’s internal IP. So let’s say the public IP configured for NAT is 1.2.3.4 and your office desktop IP is 172.18.2.5. Now, you can connect to your office desktop from your home using the IP 1.2.3.4 (still not your internal IP 172.18.2.5). When this request hits the router / firewall, it will know that the IP requested (1.2.3.4) is meant for your office desktop (172.18.2.5) and it will route the packets accordingly.
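
The 1:1 mapping described in option 2 above, as an added example that is not part of the original reply: a small Python simulation of static NAT using the thread's addresses (1.2.3.4 and 172.18.2.5). The home PC address 203.0.113.10 and the port number are constructed sample values, and the function names are hypothetical.

```python
# Static (1:1) NAT table from option 2: public IP -> private IP.
STATIC_NAT = {"1.2.3.4": "172.18.2.5"}
REVERSE_NAT = {private: public for public, private in STATIC_NAT.items()}

HOME_PC = "203.0.113.10"  # constructed sample address (documentation range)


def inbound(packet):
    """Internet -> LAN: rewrite the destination, or drop if no mapping exists."""
    private = STATIC_NAT.get(packet["dst"])
    if private is None:
        return None  # no mapping: the router has no internal host to forward to
    return {**packet, "dst": private}


def outbound(packet):
    """LAN -> internet: rewrite the private source to its mapped public IP."""
    public = REVERSE_NAT.get(packet["src"])
    if public is None:
        return None  # this internal host has no static mapping
    return {**packet, "src": public}


def round_trip(dst_public, port=3389):
    """Request from the home PC and the desktop's reply, after translation.

    The port is an assumed sample value; the thread does not name a service.
    """
    request = {"src": HOME_PC, "dst": dst_public, "port": port}
    delivered = inbound(request)  # what the office desktop receives
    if delivered is None:
        return None
    reply = {"src": delivered["dst"], "dst": delivered["src"], "port": port}
    return delivered, outbound(reply)  # what the home PC receives back


if __name__ == "__main__":
    print(round_trip("1.2.3.4"))  # mapped: reaches 172.18.2.5, reply comes from 1.2.3.4
    print(round_trip("1.2.3.5"))  # unmapped public IP: dropped
```

The home PC only ever addresses 1.2.3.4 and only ever sees replies from 1.2.3.4; the router rewrites the address in both directions.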

Reply 4)

I would like to add something on proxy servers.
Proxy servers are used for internet sharing.
In other words, if we start looking at proxy servers from the OSI model, these servers work in the Application layer. When we talk about a firewall, we are dealing with the network layer and below.
That’s the main difference between proxy servers and firewalls.
Proxy servers only deal with internet sharing. When we set up a proxy server we can have excellent control over internet usage for internal users, and that’s the reason why we see proxy servers in net cafes.
Proxy servers also cache internet content, and when any user requests the same content, it just picks it from the cache and shows it to the user.
(This is another sign that proxy servers work in the Application layer.)
Also, in many environments we see that a proxy is set up and the network admin configures group policies for proxy servers (under Internet Explorer settings).