We can define a transparent proxy as a server that acts as an intermediary system intercepting the connection between an end-user and a content provider. Other names for transparent proxy are inline proxy or forced proxy. We use the word ‘transparent’ with the proxy because it intercepts requests by intercepting packets directed to the destination, making it seem like the destination itself handles the request. Transparent proxies are set up by the website or network operator and not by the end-user.
Sometimes, we also use the term ‘forced proxy’ for a transparent proxy. It’s because it can be applied to a user’s connection without modifying their computer’s proxy settings. Consequently, transparent proxies can be forced on users without their consent, but they do know their presence in many cases.
A firewall is an example of a transparent proxy that allows traffic passing between an internal network and the Internet but blocks traffic if it violates the firewall’s rule table.
Other examples of transparent proxies are content delivery networks (CDNs). They provide redundancy, caching and improve the speed without modifying or exposing the source system. The user thinks he is directly connected to the service provider, but, in actuality, the CDN handles all of his requests. This is how tech companies like Google, Twitter, and Facebook manage millions of requests with minimal downtime.
The following are the standard transparent proxy settings whenever we set it up:
We can deploy a transparent proxy on the client-side, meaning that the proxy intercepts all traffic to and from a client endpoint. The uses of transparent proxies on the client-side are:
When multiple people access the same content from the same area or location – for instance, when several students view the same news site via their university network, then it is more efficient to use a transparent proxy for initially caching the content and serving it from the cache to subsequent users.
Cellular Internet operators and public wifi spots sometimes use transparent proxies for forcing users to authenticate themselves on the network and agree to their terms of service. They are allowed to surf only when the user certifies and agrees to the terms and conditions.
Most users have no idea that the entire connection can be intercepted and monitored by the operator even after the initial authentication screen via transparent proxy.
When we are operating a network, we can set up a transparent proxy to monitor user traffic and behavior, but traffic monitoring also has many illegitimate uses. For instance, an unscrupulous and untrustworthy public wifi operator can easily monitor user’s connections and steal credentials and data.
We can use a gateway proxy for modifying or blocking network traffic based on rules. An example of a gateway proxy is a transparent firewall proxy discussed in the example above.
We can also use a transparent proxy for filtering out unnecessary and unwanted content. For example, the proxy can refrain from forwarding the request to the web server when a specific website is requested. Instead, it intercepts the connection and displays a notice or an error message to the user.
We can protect a server against a SYN-flood Denial of Service (DoS) attack using a type of transparent proxy i-e, TCP intercept. It performs the function of intercepting all traffic to a web server, accepting client requests, and performing a three-way handshake. Furthermore, if traffic intercept is successful, it performs a three-way handshake with the server, thus joining the two half-connections between client and server.
The Transmission Control Protocol intercept checks for the TCP requests and typically waits for 30 seconds to establish connections. It enters into the ‘aggressive mode’ whenever the number of inactive connections exceeds a certain threshold. In this mode, each new arriving connection causes the oldest passive connection to be deleted.
However, the technique stated above is no longer effective against modern, large-scale Distributed Denial of Service (DDoS) attacks. This is because the attackers, nowadays, control millions of zombie computers and high-powered servers for creating SYN floods that are overwhelming a TCP intercept controller.
Due to this reason, most organizations today use cloud-based services like Imperva’s DDoS Protection. These services can protect against large DDoS attacks, and they also can scale up on-demand, further dealing and handling large-scale attacks.
For example, DDoS services can prevent application layer attacks and protocol attacks that do not occur at the TCP layer.
We can define a Content Delivery Network (CDN) as a globally distributed network of proxy servers that serves and caches content to the users near their geographical location.
An example of CDN is Imperva’s Global Content Delivery Network, a transparent proxy operating on the server-side. Its purpose is to perform front-end optimization for improving the end-user experience. It intercepts traffic to a web server and offers the same content from the server cache instead of letting the user access the server directly. As a result, the user performance is improved, and the system resources required on the server are reduced.
On the other hand, if routers on the Internet are flapping (a router alternately advertises a destination network in quick sequence), then results will be even more unpredictable.
It is required as these caches do not have access to the destination IP address of the origin server from the packet’s IP address.
Therefore, when a cache miss occurs, they cannot identify the origin server address to send the request to.
We discussed that internet traffic could be monitored and filtered by the use of a transparent proxy. It also shapes the way we interact with the web. Whether it serves data faster through filtering out unwanted content, caching, or giving businesses more control over their networks, the transparent proxy adds functionality to the Internet without the addition of any inconveniences.
