Chapter 64 Β· Concepts

Network Appliances β€” Concept Reference

Proxy types, load balancer modes, sensor data sources, and SIEM architecture in structured reference form.

Proxy Types β€” Full Comparison

TypeDirectionWho Uses ItPrimary FunctionsSecurity Risk
Forward ProxyOutbound (internal β†’ internet)Internal users; their traffic exits through itURL filtering, content scanning, caching, user authentication, acceptable use enforcementLow (organization-controlled); can be bypassed by users routing through open proxies
Reverse ProxyInbound (internet β†’ internal servers)External users; their requests arrive through itHides backend servers, inspects inbound requests, SSL termination, caching, load distributionLow (organization-controlled); single point of failure for inbound traffic without redundancy
Open ProxyAny (user-configured)Anyone on the internet; used to bypass restrictionsCircumvents firewall and content filter; anonymizes user traffic; exfiltrates dataHIGH β€” operated by unknown third party; can inject content, capture credentials, exfiltrate data
NAT (simplest proxy)Outbound (internal β†’ internet)All internal devices; transparent network-layer functionTranslates private IPs to public IPs; hides internal addressing; stateful connection trackingVery low; does not inspect application content; no URL filtering or content scanning

Explicit vs. Transparent Proxy

AttributeExplicit ProxyTransparent Proxy
User/device awarenessDevice is configured with proxy IP and port; application knows it is using a proxyDevice has no proxy configuration; user is unaware a proxy exists
Configuration requiredEach device or application must be configured (manually or via policy)Network infrastructure (router/switch/firewall) redirects traffic automatically
Bypass riskApplications that don't support proxy config bypass the explicit proxy entirelyAll traffic is redirected β€” harder to bypass without routing around the network redirect
HTTPS handlingStraightforward β€” application sends CONNECT request to proxy for TLS tunnelingRequires SSL inspection (break-and-inspect) to process HTTPS β€” complex; requires certificate trust
Deployment complexityDevice configuration is the complexity β€” must be managed for all usersNetwork infrastructure configuration is the complexity β€” no device changes needed
Best forManaged enterprise devices where configuration can be pushed via policyEnvironments with unmanaged devices (guest Wi-Fi, BYOD) where device-level config is not possible

Forward Proxy vs. Reverse Proxy β€” Traffic Flow

Forward proxy (outbound, protects users):

Internal user β†’ [Forward Proxy] β†’ Internet website
                                  β†‘
                      URL filter, content scan, cache
Website sees: proxy's IP (not the internal user's IP)
User sees: filtered, scanned, possibly cached response

Reverse proxy (inbound, protects servers):

Internet user β†’ [Reverse Proxy] β†’ Internal web server
                            β†‘
                    Inspect requests, SSL termination, cache
Internet user sees: reverse proxy's IP (not the internal server's IP)
Internal server sees: decrypted requests from the proxy (not raw internet traffic)

Load Balancer β€” Active/Active vs. Active/Passive

AttributeActive/ActiveActive/Passive
Server statesAll servers receive traffic simultaneouslySome servers active (receiving traffic); others on standby (idle but ready)
Resource utilizationHigh β€” all servers productiveLower β€” standby servers consume power but do no work until needed
CapacityFull combined capacity of all serversOnly active servers contribute capacity; standby provides failover headroom
On server failureTraffic redistributed among remaining active servers; capacity reduced proportionallyStandby server promoted to active; capacity maintained at same level
Failover speedVery fast β€” no server state change required; just redistributes loadFast β€” passive server must be promoted (seconds)
ComplexityMore complex β€” all servers must handle any request (session state management)Simpler β€” active servers handle all state; passive servers inherit state on promotion
Cost efficiencyHigher β€” all hardware is productiveLower β€” standby hardware is idle most of the time
Best forHigh-traffic applications where maximum throughput is requiredApplications where simplicity and predictable failover behavior matter more than throughput

Active/Active Load Balancer Feature Reference

FeatureWhat It DoesWhy It Matters
TCP OffloadingMaintains a persistent pool of open TCP connections to backend servers; maps client connections to existing backend connectionsEliminates per-request TCP handshake overhead; critical for high-request-rate environments
SSL/TLS OffloadingLoad balancer performs all TLS encryption/decryption using dedicated crypto hardware; backends receive plaintextFrees backend servers from expensive crypto processing; centralizes certificate management
CachingStores backend responses; subsequent identical requests served directly from cache without hitting backendReduces backend server load; improves response time for repeated requests
Prioritization (QoS)Assigns processing priority to specific applications, protocols, or traffic typesEnsures critical business applications receive resources during congestion periods
Content SwitchingInspects request content (URL path, headers, cookies) and routes to specific backend pools based on contentEnables specialized server tiers for different workloads through a single entry point

Sensor Data Sources β€” What Each Device Provides

Sensor SourceData ProvidedWhat It Detects
IPSSignature matches, blocked packets, anomaly alerts, threat source IPsNetwork-level attacks, exploit attempts, scanning, known malware traffic
FirewallPermitted/denied connections (src IP, dst IP, port, protocol, timestamp)Unauthorized connection attempts, policy violations, traffic volume anomalies
Authentication systemSuccessful/failed logins, MFA results, account lockouts, source IP, timestampBrute force, password spraying, credential stuffing, impossible travel
Web server access logHTTP requests (URL, user agent, response code, size, timing)SQLi, XSS, path traversal, directory scanning, application abuse
Database transaction logQueries executed, user account, tables accessed, row counts, timingUnusual query patterns, bulk data extraction, unauthorized account activity
Email platformSent/received messages, attachment scan results, phishing/spam detectionPhishing campaigns, malware delivery, data exfiltration via email, BEC

Collector Types β€” From Basic to SIEM

Collector TypeWhat It DoesLimitation
Syslog serverReceives syslog messages from any device; stores in searchable log databaseNo correlation; each log entry treated individually; no cross-device analysis
Proprietary consoleVendor-specific management platform; collects from that vendor's devices with rich device-specific featuresOnly collects from that vendor's devices; cannot correlate across different device types
SIEMCollects from all device types; normalizes to common format; runs correlation rules; provides unified dashboards, alerts, and investigation toolsComplex to deploy and tune; high licensing cost; generates alerts that require human review; correlation rules must be maintained

Jump Server β€” Two-Step Access Architecture

Step 1: External admin β†’ [internet] β†’ Jump server
        Authentication: password + MFA token
        Connection: SSH or VPN to jump server IP
        Firewall: only jump server IP exposed externally for admin protocols

Step 2: Jump server β†’ [internal network] β†’ Target server
        Connection: SSH, RDP, or other admin protocol
        Firewall: target servers accept admin protocols only from jump server IP
        Logging: all commands recorded on jump server

Security principle: all internal servers locked to jump server as sole admin source
Attack surface: 1 hardened, MFA-protected, monitored system (not N servers Γ— M admin ports)