Proxy

[Stevie]

This is going to sound like a noob question but I'll ask anyway.

I know if you have an internal proxy you go from your PC, to the proxy to the Internet. Normally the proxy is on the DMZ for security and you're trusting no one on the internal network is sniffing the traffic. But if so, you can clearly see it.

However, if you have a cloud based proxy, surely all traffic to said proxy should be going over some form of secure connection correct? Not plain old http? Because if it's going over plain old http then surely someone could sniff the traffic to the proxy?

Or am I wrong?

Websense cloud solution.

[digip]

If its not encrypted before leaving your workstation, ala SSH or VPN, then anyone between you and the destination proxy, can intercept it.

[Stevie]

Thanks for reply. I need to read the manual I think cause it appears the link in IE is just to a file on their server. Sends back the filters, then you access the internet. So as far as I know, no data goes to their servers.

[digip]

Are we talking internal proxy, like squid for LAN to get onto the internet? That kind of proxy can be monitored by work, which is how we had our network setup at my last job and all browsers were required to use the corporate proxy, with a username and password for each employee, to gain internet access, so all of it was monitored. Proxy != encryption nor tunnel in all instances. Its merely a means of requesting data, whether using remote proxies that pass it back to you, which there are many kinds, transparent, non-transparent, completely encrypted TLS and SSL proxies and such, but what exactly kind of proxy are you using? Work's required proxy to make outbound connection to the internet(if you are, work can see all traffic unless you add a layer of encapsulation to your traffic, such as tunneling inside the proxy or TOR through the proxy if capable) or are you using a proxy on some internet website to bypass work filters to view sites, which even then, might get you the data to see the site you want, but work can still see what you are seeing.

[Stevie]

Sorry for late reply.

I was just checking the security of our new one, not to bypass it, just thought it might not be so secure as they claimed.

It's a proxy that is cloud based. You login to Windows and the proxy is set with a .pac file from the proxy host company. This is a web link. Once that pac file is downloaded if has the rules in it that states what you have and don't have access to. If you don't get the pac file, you can't access the internet.

[cooper]

Call me an idiot, but if your LAN goes to the internet via a proxy server, I'd put that proxy within the LAN. Last thing I'd want is a box within DMZ which is the traffic hub for the users and boxes on the LAN which is intended to have excessive internet access to boot.

When that server is on the LAN, you can place a firewall between it and the DMZ which only allows traffic through that came from the proxy server. Sounds more managable to me. Note: IANANA (Network Architect/Admin).

...and the pac file contains the rules to work with the proxy (routing rules, mostly). So long as you adhere to the rules defined in there, you get access. Even if you never touched that link.