What is a forward proxy?
As the name suggests, a forward proxy (often just called a proxy) acts as a broker that carries out a task for another entity. Specifically, such a proxy serves as an intermediary between a user device (or user devices) and the internet. Instead of a device connecting directly to a web destination, it connects to the proxy which then connects to the destination on its behalf, evaluating outbound requests and taking action on them before relaying them to the external destination. When the destination returns the communication, it sends it to the proxy, which then inspects it, takes action as needed, and forwards it to the originating device if appropriate.
A forward proxy is far more than a traffic controller; in fact, as an intermediary, the proxy’s value to security is in its ability to shield users from direct access to or from bad actors, as well as prevent them from compromising data and enterprise resources—whether it is done intentionally or unintentionally. It operates inline, meaning that it sits directly in the flow of traffic, allowing an enterprise to identify any challenges to security and enforce needed policies in real time. Proxies are buffers that help keep apps and data safe from harm, whether they’re the result of careless user errors or malicious data exfiltration and malware.
While many people are familiar with the firewall as a means of protecting systems from outside threats, a forward proxy differs from a firewall in important ways. Firewalls use a passthrough approach, which means traffic is forwarded to the intended recipient while its contents are being inspected. If the traffic is found to contain malware or other threats, the firewall sends an alert—but it can be received too late. A proxy, on the other hand, does not forward traffic until its contents have been analyzed and a “safe” verdict is rendered.
Another key difference is the proxy’s ability to inspect encrypted traffic (at least when such a proxy is deployed in the cloud rather than as an appliance). Most traffic today is encrypted, and it’s critical to have visibility into this traffic. However, the process of decrypting, inspecting, and re-encrypting traffic is compute-intensive, and appliance-based firewalls are unable to handle its demands.
Increasingly, as individuals discuss forward proxies, they are doing so in relation to cloud access security brokers (CASBs). CASBs are cloud security tools which can be deployed in forward-proxy mode, meaning that software installed on each user’s device forwards traffic to an inspection point in the cloud which applies real-time security policies as users interact with cloud-based resources such as SaaS applications and IaaS platforms. As the adoption of SaaS apps and remote work increases, using a CASB’s cloud-based forward proxy (as opposed to a firewall or a proxy appliance either on premises or deployed virtually) becomes increasingly important for both security and enterprise productivity.
Why a forward proxy is needed today
The legacy internet gateway used tools such as firewalls to create a barrier between the network and the internet and was designed to keep bad things from coming in. It was part of the secure “perimeter,” created to protect the network and everything on it—applications, data, servers, PCs, other devices, and users themselves. But applications have moved to the cloud and most users have moved off the network; they’re now connecting from home, remote sites, cafés—anywhere. As a result, the security perimeter model has become outdated.
How should an enterprise respond when it has employees connecting from everywhere to SaaS and private applications as well as to data in public clouds, such as AWS and Azure? If the enterprise sticks with the legacy model, the user connects through a virtual private network (VPN) to the data center, which then sends the traffic through the outbound gateway security stack to the cloud destination; after which, the return traffic makes the same trip in reverse. This approach creates a range of potential risks to the organization (see VPN, attack surface) and it creates a terrible online experience for the user.
Workers in branch offices have a similarly poor experience, as their traffic is backhauled to a central data center over private MPLS links before going through the gateway and out to the cloud (with another lengthy trip in return).
Cloud applications were designed to be accessed directly, via the shortest path, for a fast, productive experience. Appliances in the data center that allow passthrough are simply not up to the task. For fast, direct, and secure connections, you need to leverage a forward proxy that takes advantage of the performance and scale of the cloud.
What do organizations use forward proxies for?
A security strategy built on a cloud-based proxy architecture is critical for organizations moving to the cloud. Here are a few major use cases of concern to organizations looking to embrace forward proxy (and CASB in particular):
Shadow IT discovery
Cloud usage is spread across SaaS applications, user groups, and different locations. Unsanctioned apps (also known as shadow IT) abound, but maintaining visibility over what users access is difficult to impossible without the right solutions. Fortunately, a forward proxy enables CASB functionality like shadow IT discovery by inspecting all traffic stemming from user devices, allowing IT to identify unsanctioned apps and govern access to them either individually or by category.
Because SaaS applications are built to enable rapid, easy sharing, it’s common for users to inadvertently or carelessly upload critical business data to inappropriate locations that IT would rather have them avoid. A cloud-based forward proxy, because it operates inline and has the scale to inspect all traffic, is the best way to prevent users from uploading sensitive information to risky cloud destinations (whether they do so accidentally or intentionally).
In addition to representing an attractive avenue for data exfiltration, SaaS applications can be a conduit for malware propagation if left unchecked; rapid sharing functionality can be hijacked to distribute infected files within and between organizations. A forward proxy prevents infected files from being uploaded to cloud resources by enabling technologies like advanced threat protection (ATP) and cloud sandbox to operate inline so that they can intercept threats in transit.
How to choose a forward proxy
In many cases, forward proxies have had a bad reputation. They are known to be expensive and highly complex to configure and manage. They can add latency and create a poor user experience. Additionally, if a proxy suffers from downtime, it can bring about a significant disruption to business operations. However, this is because proxies, historically, have been deployed either as physical or virtual appliances.
Forward proxies are extremely beneficial for security when served in the cloud, where they have none of the drawbacks of their appliance-based counterparts. A cloud-based proxy architecture eliminates the expense of purchasing and maintaining appliances, and scales as needed to meet growing traffic demands. This ability to provide unprecedented scalability also solves the key challenge of inspecting encrypted traffic for threats and data leakage, which, as mentioned previously, is a highly compute-intensive endeavor. The right forward proxy enables:
- Consistent data (and threat) protection across all of your cloud data channels with a simple, single policy.
- Unified security as part of a SASE offering that supports the widest breadth of use cases related to CASB, secure web gateway, and ZTNA—for securing access to cloud apps, the web, and internal resources, respectively.
- IT ecosystem simplicity through a single-pass, cloud-based architecture that forgoes the use of appliances and provides the above without the need for complex configurations, such as proxy-chaining.
When choosing a forward proxy, or a CASB, specifically, it’s important to choose a vendor that has a proven inline solution and is a trusted leader in the security space. Zscaler is built on a cloud-native proxy architecture to deliver all the advantages listed above. The company has the world’s largest inline security cloud with 150 data centers on six continents that serve customers in 185 countries; it processes 160 billion transactions each day.
Zscaler is engineered for performance and intelligently routes traffic to its nearest data center, where the company’s offerings peer with many of the top applications, including Microsoft 365, Zoom, and Salesforce, to create the shortest distance between users and their apps. This enhanced performance leads to an improved user experience that bolsters enterprise productivity.
Zscaler provides leading CASB capabilities (from exact data match (EDM) for data loss prevention (DLP) to cloud sandbox for advanced threat protection (ATP)) in order to shield enterprise cloud apps from risk. At the same time, it offers leading, integrated SWG and ZTNA products to deliver truly comprehensive security in a single platform--consistent with Gartner’s vision for SASE.
Because Zscaler provides consistent security across the IT ecosystem and wherever users connect, it is enabling thousands of organizations to securely embrace digital transformation as well as work-from-anywhere initiatives for the remote and hybrid workforce.