With the transparent proxy setup, however, you will have a problem with HTTPS filtering because it violates the browser restriction for man-in-the-middle attacks. In principle, you can reduce the setup overhead by operating a transparent proxy server, but even then the devil is in the details. If you use an HTTP proxy server, for example, all your browser settings need to be edited. The challenge for the system administrator is to create a filtering infrastructure that does not require individual employees to change their work environments. The big result is that the web proxy agents only act as local web proxies for each individual user, which means no problems with network performance. Both are local web proxies themselves and can do everything that classic web filters offer, including blocking IP hosts.
NxFilter also solves this limitation by implementing its own web proxy filtering through its agents NxLogon and NxClient. For example, you cannot enforce a secure search or keyword filtering for URLs because it is done at the DNS level. Much can be said for the use of a DNS filtering mechanism on a corporate network, but in practice, it leads to functional limitations. NxLogon is the AD single-sign-on agent for NxFilter, and NxClient is the remote user filter of the environment. To control the server, two agents, NxLogon and NxClient, provide convenient web-based applications to block UltraSurf, Tor, Skype, Minecraft, and so on. These methods result in potential approaches for the use of NxFilter in corporate networks, because it can differentiate between users and apply specific filtering policies.
This shortcoming is considered the main obstacle for the use of a DNS filter in corporate environments. Although DNS filtering is basically faster and even simpler than traditional web proxy filtering, DNS filtering was subject to certain limitations in the past (clearly, no user authentication because the DNS protocol does not have an authentication scheme, which was probably one reason for the low acceptance rate). They are also popular tools among private users – as are the millions of adblockers based on the same principle. WebProxy and other HTTP filters have enjoyed great popularity for many years – probably because they are comparatively simple to use. The design of the NxFilter user interface can also be customized. For example, companies can use NxFilter to generate their own cloud filter service for paid users. Basically, the developers grant their users extensive rights. Companies, public institutions, and private persons can use the tool. NxFilter is available under a freeware license. Figure 1 illustrates the differences between unfiltered and filtered DNS queries.įigure 1: Comparison of unfiltered (top) and filtered (bottom) DNS traffic. Ideally, the cache provides the responses, which results in a significant reduction of network traffic. If you operate a local DNS filter, the local DNS server serves the queries.
Assuming a corporate network uses the Internet provider's DNS servers, the DNS queries have to be sent to these servers, and the network clients have to wait for a response. The reason for the performance gain is the local cache that NxFilter uses and manages for DNS lookups. The news gets better: Experience reports indicate that the use of NxFilter has a positive effect on the Internet connection of all the network clients. Because the DNS protocol is used, the data traffic does not have to pass through a special filter – thus eliminating latency problems. In essence, NxFilter is a forwarding DNS server with a filter function. NxFilter is a freeware DNS filter that can compete with commercial products in terms of functionality and performance. This limitation can be solved with the help of a DNS filter, which can monitor all the traffic, regardless of the protocol used to send or receive data. However, latency is not the only problem: Proxy servers primarily specialize in filtering HTTP connections. These latency problems grow with the number of users. The use of such filters, often employing the Squid proxy server and similar tools, leads in practice to serious latency problems on the network because the proxy server analyzes and filters the web traffic and thus becomes a bottleneck. Web filters that are based on the HTTP proxy server principle are part of the standard toolkit for protecting corporate networks.
0 kommentar(er)
