Load Balancers and Proxies – CompTIA Security+ SY0-401: 1.1

If you need to expand the capacity of your applications and network resources, you’ll need to use technologies like load balancers and proxies. In this video, you’ll learn how load balancers and proxies can be used to increase the scale of your network capacities.


As web technologies became more and more popular, we found that we needed some way to scale these web servers that we were using. When you go to google.com, you don’t go to a single server. Google obviously has hundreds and hundreds, and perhaps even thousands of Google servers out there that we are connecting to at any particular time.

So out there on the network, you’re usually hitting something like a load balancer. There’s many ways to distribute load across different servers. A load balancer is a very, very common way to do that when you’re in a data center. It’s usually a piece of hardware that is in the rack, and it’s connecting to four different servers in my particular picture, but it can be many, many more servers on the network.

The load balancer receives the request from your browser, and it distributes the loads evenly, usually, across these servers. You can decide how exactly you’d like to distribute that load, and it really is distributing across what we call a cluster of different servers. The idea is that I don’t really care which server I’m connecting to. All four of those servers are exactly the same.

When I hit a web page, I just want to be able to have the accessibility to the web page, and by distributing that load across them, we can be assured that we’ve got some uptime and availability that we are happy with. We don’t want things slowing down so much that we don’t want to use that web server. Obviously you’re going to need this in really large environments, because usually you’ve got thousands and thousands of people connecting to your website all at the same time.

The load balancers become very, very important in those environments. And you can distribute based on the load, you can distribute based on what content. Maybe one of these servers provides images, another one provides video, another one provides the web page itself. You can decide exactly how to separate the load across those.

This creates a little bit of a security challenge for us, because you have all of these people coming into the load balancer. You want to be sure that it’s being distributed across all those servers. Are all of the servers updated with the latest security patches? Are there vulnerabilities that have not been addressed on the different servers? They are different machines, so it becomes very important that you keep all of them updated to the latest security patches.
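The content-based distribution and patch concern described above, as an added Python example that is not part of the original video. The pool names, the patch-level format and the `REQUIRED_PATCH` baseline are assumptions, and taking an unpatched member out of rotation is one possible policy, not something the video prescribes.

```python
from dataclasses import dataclass

@dataclass
class Backend:
    name: str
    patch_level: str        # assumed format: YYYY-MM of the last security update
    active_conns: int = 0

# Constructed clusters: each content type has its own set of identical servers.
POOLS = {
    "image": [Backend("img-1", "2024-05"), Backend("img-2", "2024-05")],
    "video": [Backend("vid-1", "2024-05"), Backend("vid-2", "2024-03")],
    "page":  [Backend("web-1", "2024-05"), Backend("web-2", "2024-05")],
}
REQUIRED_PATCH = "2024-05"  # assumed baseline every cluster member must meet

def content_class(path: str) -> str:
    """Decide which cluster serves a request, based on the content asked for."""
    if path.endswith((".png", ".jpg", ".gif")):
        return "image"
    if path.endswith((".mp4", ".webm")):
        return "video"
    return "page"

def patch_drift(pools=POOLS):
    """Names of servers that are behind the baseline and need attention."""
    return sorted(b.name for pool in pools.values() for b in pool
                  if b.patch_level < REQUIRED_PATCH)

def pick_backend(path: str, pools=POOLS) -> Backend:
    """Least-connections choice among the patched members of the right cluster."""
    candidates = [b for b in pools[content_class(path)]
                  if b.patch_level >= REQUIRED_PATCH]
    if not candidates:
        raise RuntimeError("no patched backend available for " + path)
    chosen = min(candidates, key=lambda b: b.active_conns)
    chosen.active_conns += 1   # the caller decrements this when the connection closes
    return chosen

if __name__ == "__main__":
    for p in ("/logo.png", "/banner.png", "/clip.mp4", "/intro.mp4", "/index.html"):
        print(p, "->", pick_backend(p).name)
    print("behind on patches:", patch_drift())
```
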

And of course, you want to be sure there’s no security issues by using the load balancer itself. If somebody was to find an exploit that would manipulate how the load balancer worked, it could essentially send the data somewhere else other than your web server, and you certainly don’t want that to happen, either.

Another very common security technology that we use to protect our end users from bad things on the internet is a proxy.

A proxy is a server or series of servers that’s designed to sit right in the middle of your users and the big, bad internet, and its job is to take any requests the user’s sending out to a web server and stop it, and then send the request on its behalf. So what will happen is you’ll be on your machine, you’ll need to go to Google, and you’ll send your request.

And instead of it getting out to Google, your proxy server sitting in the middle, it says wait, hold on, before you can go to Google, I’m going to stop you right there, and I’m going to find out what you need and ask Google myself. And a proxy server makes the request to Google and receives the response. The proxy server then looks at the data and makes sure there’s nothing bad inside of there.

There’s no malware, there’s no viruses. It usually makes sure that the user’s even allowed to use Google itself, and if it likes the results, it will then send the answer back down to the end user. So it’s an extra step between you and the internet, and there’s some performance requirements there. Obviously sitting in the middle and stopping everybody’s internet connection requires that that proxy server be pretty beefy, able to handle a lot of different connections and a lot of bandwidth going across the internet.

Proxy servers are also very useful for caching. If I’m going to a website and I’m downloading a big file, and the next person on the internet does exactly the same thing, proxy servers are often configured to cache information.

And so if they see a second request come through, they can simply send that information directly to the second user, and they don’t have to make that request back to the internet. And therefore the results are getting a lot faster to the end users, and there’s a lot of bandwidth we also did not have to use to go out to the internet. So some nice performance increases if the proxy server is doing caching.
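The proxy flow described above (stop the request, check the user, ask the site on the user's behalf, inspect the answer, cache it), as an added Python example that is not part of the original video. The policy table, the content marker standing in for a malware scanner and the `fake_fetch` upstream are all constructed.

```python
# Constructed per-user policy: which hosts each user may reach.
ALLOWED = {
    "alice": {"example.com", "files.example.net"},
    "bob": {"example.com"},
}
BAD_MARKERS = (b"MALWARE-SAMPLE-MARKER",)   # stand-in for a real content scanner

class ForwardProxy:
    def __init__(self, fetch):
        self.fetch = fetch            # callable(url) -> bytes, made on the user's behalf
        self.cache = {}               # url -> body that already passed inspection
        self.upstream_requests = 0

    def handle(self, user, host, path):
        # Policy comes first and runs on every request, so a cached object is
        # never handed to a user who is not allowed to reach that host.
        if host not in ALLOWED.get(user, set()):
            return 403, b"blocked by policy"
        url = "http://" + host + path
        if url in self.cache:
            return 200, self.cache[url]          # served without going upstream
        body = self.fetch(url)
        self.upstream_requests += 1
        if any(marker in body for marker in BAD_MARKERS):
            return 403, b"blocked: content failed inspection"   # never cached
        self.cache[url] = body
        return 200, body

# Constructed upstream content so the example runs offline.
SITE = {
    "http://files.example.net/big.iso": b"A" * 1024,
    "http://example.com/bad.bin": b"xx MALWARE-SAMPLE-MARKER xx",
}

def fake_fetch(url):
    return SITE.get(url, b"not found")

def demo():
    proxy = ForwardProxy(fake_fetch)
    statuses = [
        proxy.handle("alice", "files.example.net", "/big.iso")[0],  # fetched
        proxy.handle("alice", "files.example.net", "/big.iso")[0],  # cache hit
        proxy.handle("bob", "files.example.net", "/big.iso")[0],    # denied despite cache
        proxy.handle("alice", "example.com", "/bad.bin")[0],        # fails inspection
    ]
    return statuses, proxy.upstream_requests, sorted(proxy.cache)

if __name__ == "__main__":
    print(demo())
```
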

There’s two ways to really configure the way that your systems use the proxy server. One is an explicit proxy, and that is one where you must configure your browser and your other applications to know that the proxy’s there, and to use the proxy.

Then you’ll need to make sure you make those changes in your browser, or you need to make sure as a security administrator that you’re finding an automated way to make those changes inside people’s browsers, and of course any other application that needs to access the internet. There’s also another type of proxy you can choose to use called a transparent proxy.

That means you don’t have to configure anything for your end users. You don’t have to change any of the settings in your browser, you don’t have to change settings on your third party apps, but sometimes applications will not work properly through a transparent proxy. The proxy is still proxying, and so there are changes being made to the network communication, so not all applications work very well with explicit proxies or transparent proxies.

And from a security perspective, it becomes a bit of a challenge for us. If not all applications can use a proxy, and yet the proxy is the primary way that we provide additional security to the internet, then maybe we’re opening ourselves up, because we end up having to make exceptions for certain applications. And any time you make an exception in a firewall, any time you make an exception in a proxy, you’re opening a little bit of a window there for bad things to occur.

So that’s the balancing act you have to make as a security professional. Do you use a proxy to provide a little bit more security, or do you provide a different methodology to allow filtering to and from the internet? There’s a number of options available. Proxies are simply one of many that you can choose from.