Chapter 64 Β· Glossary

Network Appliances β€” Term Reference

Key terms for jump servers, proxy types, load balancer modes, and security monitoring infrastructure.

Jump Server (Bastion Host)
A hardened device inside a protected network that serves as the sole authorized entry point for administrative access to internal systems. Administrators connect to the jump server first (via SSH, RDP, or VPN), authenticate (typically with MFA), and then initiate onward connections to target systems from within the jump server. All internal servers are configured to accept administrative protocols only from the jump server's IP β€” direct admin connections from any other source are blocked at the firewall. The jump server concentrates the administrative attack surface into one heavily monitored point. Because it is the gateway to all protected systems, its compromise is catastrophic β€” all internal systems accessible from the jump server become attacker-controlled territory. This makes the jump server the highest-priority hardening target in any environment.
Proxy Server
A device that sits between two communicating parties and makes requests on behalf of one of them. In the most common enterprise deployment, internal users communicate to the proxy rather than directly to internet destinations. The proxy fetches content from the internet, inspects it, and returns it to the user. Proxies provide: caching (storing responses for reuse by subsequent requesters), URL filtering (blocking access to specific sites or categories), content scanning (inspecting responses for malware or malicious code), and access control (enforcing who can access what). A proxy may be explicit (the user's device is configured to use it) or transparent (the network redirects traffic to it without the user's knowledge). The simplest form of proxy is NAT β€” network address translation translates internal IP addresses to external ones and back.
Explicit Proxy
A proxy configuration in which the user's operating system or application is specifically configured with the proxy's IP address and port number. The application sends traffic directly to the proxy address rather than to the intended destination. Explicit proxy configuration must be done on each device or managed centrally via policy (Group Policy, MDM profile). Applications that do not support proxy configuration may bypass the explicit proxy. The advantage: the proxy knows exactly which application made each request, enabling per-application policies. The disadvantage: requires device-level configuration changes; applications that cannot be proxy-configured bypass the proxy entirely.
Transparent Proxy
A proxy that intercepts traffic automatically at the network level without requiring any configuration on the user's device. The user's device has no knowledge that a proxy exists β€” it sends traffic normally to the intended destination, and the network infrastructure (router, switch, or firewall policy-based routing) silently redirects that traffic to the proxy. From the user's perspective, they are communicating directly with the internet. The proxy inspects and forwards traffic invisibly. Advantages: no device configuration required; works for all traffic regardless of application proxy support. Disadvantages: more complex network infrastructure configuration; harder to handle HTTPS (requires SSL inspection, which has its own privacy and trust implications).
Forward Proxy
A proxy that controls and inspects outbound traffic from internal users to the internet. Also called an internal proxy. Internal users send requests to the forward proxy; the proxy makes the request to the internet on their behalf; the response is inspected and returned to the user. The internet destination sees the proxy's IP address, not the internal user's real IP. Functions: URL filtering (blocking access to unauthorized sites), content scanning (detecting malware in downloads), caching (reducing bandwidth for repeated requests), and user authentication (enforcing who can access the internet). A forward proxy is the standard organizational tool for enforcing internet acceptable use policies and protecting users from malicious content.
Reverse Proxy
A proxy that receives inbound traffic from external users (internet) and forwards requests to internal servers on their behalf. External users connect to the reverse proxy β€” they never directly reach the internal server. The reverse proxy hides: the internal server's real IP address, the number of backend servers, and the internal infrastructure topology. Security functions: inspects inbound requests for attacks (SQL injection, XSS, path traversal) before forwarding; drops malicious requests at the proxy boundary; provides an additional layer between the internet and the web application. Performance functions: caches responses from the backend (identical requests are served from cache without hitting the server); performs SSL/TLS termination (decrypts HTTPS at the proxy, forwarding unencrypted to backend, reducing backend CPU load). A WAF (Web Application Firewall) is often deployed as a reverse proxy.
Open Proxy
A publicly accessible proxy server operated by an unknown third party and not controlled by the organization using it. Users route their traffic through the open proxy to bypass organizational security controls β€” the firewall sees only a connection to the open proxy IP, not the actual destination. Security risks: the open proxy operator can view all unencrypted traffic; can inject malicious content into responses; can exfiltrate data; can log credentials submitted through it. Open proxies are commonly used to circumvent DLP controls, bypass content filtering, and enable anonymous browsing. Most organizations block known open proxy IP ranges at the perimeter firewall. Open proxies are the wrong answer in any scenario asking how to improve security β€” they weaken it by routing traffic through uncontrolled third-party infrastructure.
Load Balancer
A network device that distributes incoming traffic across multiple backend servers. From the user's perspective, there is a single server; in reality, the load balancer silently routes requests to one of many backend servers. Load balancers solve two problems: capacity (distributing load allows the service to scale horizontally by adding servers) and fault tolerance (health checks detect failed servers; traffic is redistributed to healthy servers automatically with very fast convergence). Load balancers operate in either active/active mode (all backend servers receive traffic simultaneously) or active/passive mode (some servers are on standby and are promoted when active servers fail). Advanced features include SSL offloading, TCP offloading, caching, content switching, and QoS prioritization.
SSL/TLS Offloading
A load balancer feature in which the load balancer performs all TLS encryption and decryption on behalf of backend servers. Instead of each backend server independently performing the cryptographic handshake and decryption for each client connection, the load balancer handles all TLS processing centrally using purpose-built cryptographic hardware. Decrypted traffic is forwarded to backend servers in plaintext (or with lighter-weight internal encryption). On the return path, the load balancer re-encrypts responses before sending them to external clients. Benefits: reduces CPU load on backend servers (TLS is computationally expensive); centralizes certificate management (only the load balancer needs the TLS certificate); simplifies backend server configuration. The trade-off: traffic between the load balancer and backend servers is unencrypted β€” this is acceptable on a secure internal segment but must be considered in the network design.
TCP Offloading
A load balancer feature that maintains a persistent pool of open TCP connections to backend servers, rather than establishing a new TCP session for each client request. Without TCP offloading, every new client connection requires a three-way TCP handshake with the selected backend server before any application data is exchanged β€” at high request rates, this handshake overhead becomes significant. With TCP offloading, the load balancer maintains pre-established connections to backend servers and maps incoming client connections to existing backend connections. This eliminates per-request connection setup overhead and significantly improves throughput at high request volumes. Also called connection multiplexing or connection pooling.
Content Switching
A load balancer feature that inspects the content of incoming requests and routes them to specific backend server pools based on that content. Rather than simply distributing all requests uniformly across all servers, content switching allows different server pools optimized for different workloads to be managed through a single load balancer. Examples: requests for /api/ go to the API server pool; requests for /static/ go to the CDN-backed static content servers; requests for /checkout/ go to the PCI-compliant payment processing servers. Content switching enables fine-grained traffic management and allows the organization to deploy specialized server configurations for different application tiers while presenting a single entry point to external users.
SIEM (Security Information and Event Management)
A platform that collects, normalizes, stores, and correlates security event data from across an organization's entire infrastructure. A SIEM acts as the central collector: it receives logs and events from firewalls, IPS devices, authentication systems, endpoints, servers, cloud services, and any other device that generates security-relevant data. It normalizes data from different vendors into a common format, stores everything in a searchable database, and runs correlation rules that identify patterns spanning multiple devices and time periods. The correlation engine is what distinguishes a SIEM from a simple log aggregator: it can detect that three individually benign events β€” an IPS alert, a VPN login, and a large database query β€” together constitute an attack pattern that no single device could observe. SIEMs provide dashboards, reports, alert queues, and investigation tools for the security operations center.