Explicit vs transparent proxy



  • As far as I have understood it:

    • An explicit proxy challenges the user/application within his session.
    • NGFW (transparent proxy) and SSO/identity-based solutions are just letting everything pass that is using the current IP address of the user.

    I agree the latter is flexible with regard to roaming users (VPN, Wifi and whatnot) but IMHO similar to machine/IP-based authentication, i.e. a step back from actually challenging the individual application for access. (Note: if you use a captive portal, non-interactive apps will have a hard time authenticating.)

    The transparent proxy would let all traffic from your machine go directly to the URL filter, including the potential malware. Whereas in the explicit scenario the malware would need to obtain the user's credentials, parse the PAC file or somehow else determine the location of the proxy to use etc. Might be considered security through obscurity, still more hurdles can't hurt... Additionally, a transparent proxy would require recursive DNS access to the Internet, meaning DNS security would need to be implemented. Whereas when using an explicit proxy, the client needs no DNS access at all, the proxy itself would perform a DNS request once the URL filtering/categorization or any other mechanism has allowed access.

    Somehow I fail to see where the transparent approach would provide more security than explicit. The more modern approach (NGFW/transparent) seems to rely more and more on blacklisting and heuristics, while we learned that actual security only comes from denying everything that we do not know, i.e. whitelisting. I agree that this is difficult in today's Internet though. So which one is more secure, transparent or explicit, or does it only depend on the individual definition of security/risk?



  • Somehow I fail to see where the transparent approach would provide more security than explicit.

    It doesn't; on the contrary. It is just more convenient to enroll since clients do not need to be configured explicitly. Security is usually a trade-off and the additional risks might be acceptable when gaining better usability.

    From the security perspective an explicit proxy is the preferred solution since it is independent of the actual target port (NGFW needs to use DPI-based heuristics here) and has no problems with multiple users on the same IP address (i.e. NAT, terminal server, ...). Additionally an explicit proxy bases its security decision on the proxy request, i.e. the URL (HTTP) or domain name (HTTPS) given there. And it is the proxy that determines the IP address of the target based on the requested domain name.

    Contrary to this, with a transparent proxy the client determines the target IP address [1] and the transparent proxy passes the connection establishment through before being able to apply security checks based on the domain or URL. This can be used to bypass policies by simply claiming to connect to a whitelisted domain in the HTTP Host header and TLS ClientHello SNI, while the actual IP address connected to is for example some C2 server.

    The more modern approach (NGFW/transparent) seems to rely more and more on blacklisting and heuristics, while we learned that actual security only comes from denying everything that we do not know, i.e. whitelisting.

    This is not really a difference between explicit and implicit proxies, i.e. the policies they apply can be the same. Apart from very restrictive setups both usually rely on blacklisting and pass through most traffic. The target hostname lacks reliability though in case of the transparent proxy since the IP address is resolved by the client [1] and not by the proxy. And lack of reliable input into a policy means that the policy decision will also lack reliability.


    [1] As Mike Ounsworth pointed out in his answer, this can be avoided if the DNS server is under the company's control too and simply returns the IP address of the proxy. This isn't how most installations are set up, though.
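The core of the answer above is that a transparent proxy's policy input (the Host header or SNI) is chosen by the client, while the destination IP was also chosen by the client, so the two need not agree; an explicit proxy never has this problem because it resolves the name itself. The following added example (not code from the thread or from any proxy product) models both decision paths and shows the check a transparent proxy needs in order to regain reliable input: resolve the claimed name through the proxy's own resolver and reject flows whose destination address is not one of the answers. The resolver table, the allowlist, the sample flows and all function names are constructed assumptions so the script runs offline.

```python
"""
Added example, not from the original thread: explicit-proxy policy versus
transparent-proxy policy, and the destination check that makes the
transparent case's Host/SNI input trustworthy again.

Explicit case: the client sends the hostname to the proxy, the proxy resolves
it, so the IP actually connected to is always one the name maps to.
Transparent case: the client already picked the destination IP; the proxy only
sees Host/SNI afterwards, so a client can name an allowed host while
connecting elsewhere.  hardened_transparent_decision() closes that gap.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Callable, Dict, FrozenSet, List, Tuple

# Constructed allowlist (assumption, not a real policy).
ALLOWLIST: FrozenSet[str] = frozenset({"updates.example.com", "intranet.example.net"})

# Constructed DNS answers as the proxy's own resolver would return them.
# Stands in for real DNS so the example runs offline.
PROXY_RESOLVER: Dict[str, FrozenSet[str]] = {
    "updates.example.com": frozenset({"192.0.2.10", "192.0.2.11"}),
    "intranet.example.net": frozenset({"198.51.100.5"}),
}

Resolver = Callable[[str], FrozenSet[str]]


def table_resolver(name: str) -> FrozenSet[str]:
    """Hypothetical resolver: look the name up in the constructed table."""
    return PROXY_RESOLVER.get(name.lower(), frozenset())


@dataclass(frozen=True)
class TransparentFlow:
    client_ip: str
    dst_ip: str         # chosen by the client, observed by the proxy
    claimed_host: str   # HTTP Host header or TLS ClientHello SNI


def explicit_decision(requested_host: str,
                      resolve: Resolver = table_resolver) -> Tuple[str, str, FrozenSet[str]]:
    """Explicit proxy: policy is evaluated on the requested name and the proxy
    resolves it itself, so the returned addresses are the only ones used."""
    host = requested_host.lower()
    if host not in ALLOWLIST:
        return ("deny", "host not allowlisted", frozenset())
    addrs = resolve(host)
    if not addrs:
        return ("deny", "name does not resolve", frozenset())
    return ("allow", "allowlisted; proxy resolved the target", addrs)


def naive_transparent_decision(flow: TransparentFlow) -> Tuple[str, str]:
    """Transparent proxy as commonly deployed: trust the claimed name alone."""
    if flow.claimed_host.lower() in ALLOWLIST:
        return ("allow", "claimed host allowlisted")
    return ("deny", "claimed host not allowlisted")


def hardened_transparent_decision(flow: TransparentFlow,
                                  resolve: Resolver = table_resolver) -> Tuple[str, str]:
    """Transparent proxy with the extra check: the client's destination IP
    must be one of the addresses the proxy itself resolves the name to."""
    host = flow.claimed_host.lower()
    if host not in ALLOWLIST:
        return ("deny", "claimed host not allowlisted")
    expected = {ip_address(a) for a in resolve(host)}
    if ip_address(flow.dst_ip) not in expected:
        return ("deny", f"dst {flow.dst_ip} is not an address of {host}")
    return ("allow", "claimed host allowlisted and destination verified")


def audit(flows: List[TransparentFlow],
          resolve: Resolver = table_resolver) -> List[str]:
    """One finding per flow where the naive and hardened decisions differ,
    i.e. flows that would pass on the claimed name alone."""
    findings = []
    for f in flows:
        naive = naive_transparent_decision(f)
        hard = hardened_transparent_decision(f, resolve)
        if naive[0] != hard[0]:
            findings.append(f"{f.client_ip} -> {f.dst_ip} claiming {f.claimed_host}: {hard[1]}")
    return findings


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    TransparentFlow("10.0.0.7", "192.0.2.10", "updates.example.com"),    # genuine
    TransparentFlow("10.0.0.7", "203.0.113.66", "updates.example.com"),  # name does not match dst
    TransparentFlow("10.0.0.9", "203.0.113.66", "evil.invalid"),         # denied either way
]

if __name__ == "__main__":
    for line in audit(SAMPLE_FLOWS):
        print(line)
```

Running the script reports only the second flow: the naive policy allows it on the strength of the claimed name, the hardened policy denies it because 203.0.113.66 is not an address the proxy resolves updates.example.com to. The check has a practical cost the answer's footnote hints at: names served from large CDNs resolve to different addresses for client and proxy, so the comparison produces false denials unless clients are forced through the company resolver (or, as in the footnote, that resolver simply returns the proxy's own address, which is the cleaner fix).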

