Forward Proxy vs. Traditional Firewall
Compared to firewalls as a means of protecting systems from outside threats, a forward proxy differs in two key ways:
- Traditional firewalls use a passthrough approach, forwarding traffic to the intended recipient while its contents are still being inspected.
- If the traffic is found to be unsafe, the firewall sends an alert—but it can be received too late. A proxy, on the other hand, doesn’t forward traffic until its contents have been through an authentication process and determined to be safe.
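The timing difference in the two bullets above, as an added illustration that is not code from the original article: a passthrough relay that forwards each chunk while inspecting the stream so far, beside a proxy relay that buffers the whole payload and forwards only after a clean verdict. The marker string, the chunked sample transfer and the substring check are all constructed placeholders for a real content-inspection engine.

```python
# Added illustration (not from the original article): passthrough firewall
# versus forward proxy, modelled as two relay functions over chunked data.
from typing import Callable, Iterable, List

# Constructed stand-in for a malware/DLP verdict: a substring match.
UNSAFE_MARKER = b"EICAR-TEST"


def is_unsafe(data: bytes) -> bool:
    return UNSAFE_MARKER in data


def passthrough_relay(chunks: Iterable[bytes], deliver: Callable[[bytes], None]) -> dict:
    """Firewall-style: every chunk is delivered as it arrives, and inspection
    runs on the stream seen so far, so an alert can only follow delivery."""
    seen = b""
    delivered = 0
    alerted_at = None
    for i, chunk in enumerate(chunks):
        deliver(chunk)                      # forwarded before any verdict
        delivered += len(chunk)
        seen += chunk
        if alerted_at is None and is_unsafe(seen):
            alerted_at = i                  # alert fires; bytes already left
    return {"delivered_bytes": delivered, "alerted_at_chunk": alerted_at}


def proxy_relay(chunks: Iterable[bytes], deliver: Callable[[bytes], None]) -> dict:
    """Proxy-style: the connection is terminated, the full payload buffered and
    inspected, and only a clean payload is forwarded; unsafe ones never leave."""
    payload = b"".join(chunks)
    if is_unsafe(payload):
        return {"delivered_bytes": 0, "blocked": True}
    deliver(payload)
    return {"delivered_bytes": len(payload), "blocked": False}


# Constructed sample transfer: the marker is split across chunk boundaries,
# so no single chunk looks unsafe on its own.
SAMPLE_CHUNKS: List[bytes] = [b"GET /report.pdf HTTP/1.1\r\n",
                              b"...payload EICAR-", b"TEST trailer..."]


def compare(chunks: List[bytes] = SAMPLE_CHUNKS) -> dict:
    """Run both relays against the same chunks and report what reached the destination."""
    received = {"firewall": [], "proxy": []}
    fw = passthrough_relay(chunks, received["firewall"].append)
    px = proxy_relay(chunks, received["proxy"].append)
    return {"firewall": fw, "proxy": px,
            "firewall_received": b"".join(received["firewall"]),
            "proxy_received": b"".join(received["proxy"])}


if __name__ == "__main__":
    print(compare())
```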
While not a direct comparison of proxy to firewall, it’s worth noting that a cloud-based forward proxy can also inspect encrypted traffic. As most of today’s traffic is encrypted, it’s critical to have visibility into it, but the process of decrypting, inspecting, and re-encrypting traffic is compute-intensive. Appliance-based firewalls, with their inherent processing limitations, can’t handle a high volume of encrypted traffic without adding latency (a cloud firewall, however, can).
Increasingly, discussions of forward proxies go hand in hand with talk of cloud access security brokers (CASBs), cloud security tools that can be deployed in forward proxy mode. With a CASB, a software agent installed on a user device forwards traffic to an inspection point in the cloud, which applies real-time security policies to foster safe connections with cloud-based resources such as SaaS apps and IaaS platforms.
As the adoption of SaaS apps and remote work increases, using a CASB’s cloud-based forward proxy mode (as opposed to a firewall or a proxy appliance, on-premises or deployed virtually) can be a powerful way to protect an organization’s managed devices.
However, when it comes to unmanaged devices (i.e., BYOD or third-party partner devices), forward proxies aren’t quite able to ensure the security of their transactions, since those transactions come from the requestor, not the client. This use case is better served by the forward proxy’s sibling, the reverse proxy.