difference between proxy server and ICS?

ytrav4ytrav4 Member Posts: 15 ■□□□□□□□□□
What is the difference between a proxy server and ICS? Is a proxy just software-based ICS with access lists? Can a proxy server perform the same function as that of ICS, as in NAT and DHCP? I mean if I had ICS on my home network and had software that can log all the actions of everyone who is accessing the internet, wouldn't that be a proxy?
Am I normal? Depends on the averages we are comparing!

Comments

  • WebmasterWebmaster Admin Posts: 10,292 Admin
    A proxy is something or someone who acts on behalf of something/someone else. So there are different types of 'proxy servers'. The most common type is a caching web proxy. ICS is a Microsoft Windows feature that allows you to share an internet connection with other computers on the internal network.
    Can a proxy server perform the same function as that of ICS, as in NAT and DHCP?
    Yes.
    I mean if I had ICS on my home network and had software that can log all the actions of everyone who is accessing the internet, wouldn't that be a proxy?
    The ability of logging doesn't make it a proxy, the fact that it acts on behalf of internal clients does make it 'proxy' (as in the English word proxy), but is not referred to as a 'proxy server'.

    For more detailed information about NAT, ICS, and proxy servers, and their differences I suggest reading my Internet Connection Network+ TechNotes:
    www.techexams.net/technotes/networkplus/internetconnections.shtml
  • ytrav4ytrav4 Member Posts: 15 ■□□□□□□□□□
    Could I say that a machine running ICS is a proxy server as they perform one of the same functions, but do not share all the same functions?
    Am I normal? Depends on the averages we are comparing!
  • sprkymrksprkymrk Member Posts: 4,884 ■■■□□□□□□□
    A computer running ICS is more like a router with NAT.

    A proxy is something that will, in addition to performing NAT, actually receive the packet, make a copy of the packet and send it on. In this way, you can actually do useful stuff at the application layer like scanning for viruses, checking for malformed packets, etc. One other common function of a proxy is caching, in most cases for web browsing. Much like IE and other browsers cache temporary internet files for faster browsing by using pages loaded in cache, a web proxy will store cache that many users access.
    All things are possible, only believe.
  • ytrav4ytrav4 Member Posts: 15 ■□□□□□□□□□
    So routers only forward packets, proxies save the packets and then forward them, right? OK, do you know any freeware software that can replace ICS with a proxy server?
    Am I normal? Depends on the averages we are comparing!
  • sprkymrksprkymrk Member Posts: 4,884 ■■■□□□□□□□
    ytrav4 wrote:
    So routers only forward packets, proxies save the packets and then forward them, right? OK, do you know any freeware software that can replace ICS with a proxy server?

    Oh one another question
    Can a proxy server replace a router? If not what function can't it replicate?
    Good questions, I'll answer to the best of my understanding. Someone else can feel free to jump in too.
    So routers only forward packets, proxies save the packets and then forward them, right?
    Yes and no. Routers "route" packets, including forwarding or in the case of misconfigured networks may do a U-Turn and spit it back out the same interface it came in. Routers can also "drop" packets, if an Access Control List is being used that says "drop packets matching this condition". In this way many people will refer to a router as a firewall of sorts.
    Proxies also vary in function, but the best ones don't "forward" at all. They receive a packet, inspect it, copy it, then send the copy on to its original destination. The "original" packet was received by the proxy, but not forwarded. It's like me giving you a note to send to a friend, but you actually copy the note and give the copy to my friend, not the original. Not all proxies act this way, but the best ones do. This is one reason why there is more overhead involved in running a proxy than a packet filtering router.
    OK, do you know any freeware software that can replace ICS with a proxy server?
    I think a google search for "free proxy" will turn up a lot of results. I think I remember one called AnalogX Proxy. Keep in mind though, that in addition to NATing functions, the ICS does provide some minor firewalling capability.
    Can a proxy server replace a router?
    Yes, but at an added cost of processing overhead. The nice thing about a router on the edge of your network is that they are FAST. You need higher end hardware to run a proxy at the same speed as a low end router as a general rule. Also, make sure we are talking about a firewall/proxy combination. A proxy server that just performs NAT and web caching will not protect you from a lot of bad stuff.
    If not what function can't it replicate?
    The speed of a packet filtering router. However, on a small LAN with say a broadband Internet connection, you won't see much impact. On a LAN with around 400 computers going out a T-1 line, a proxy will be slower unless you can really afford some good hardware.

    I hope all that was clear, but let us know if you have any more questions or need clarification on my long-winded response. :)
    All things are possible, only believe.
  • sprkymrksprkymrk Member Posts: 4,884 ■■■□□□□□□□
    Oh, and as if I didn't already say enough, let me just drop this in as well. You can use one of the many Linux distros out there and set up IPTables for packet filtering and firewall, and also install the squid proxy server. This gives you a pretty good border device. Then you can install Snort and have yourself a nice network IDS as well. If you are not familiar with Linux, it's a great learning project. If you are familiar with Linux, it will still stretch your mind enough to be a good exercise.
    All things are possible, only believe.
  • WebmasterWebmaster Admin Posts: 10,292 Admin
    A proxy server cannot replace a router used in a routed connection. Actually, one of the most common configuration mistakes on a proxy server is enabling routing. If a router isn't actually 'routing' but translating (NAT), you could use a dual-homed proxy server.

    A proxy is not the same as a NAT, it's very different actually. And the one doesn't need the other. With NAT the IP packet's address headers are modified, and this is transparent to the user. Proxy servers such as web proxy servers work on a higher layer, in software, regardless of the underlying network protocols. Proxy also does 'not' refer to any type of caching, but if you understand what a proxy is, it also becomes logical why different types of proxy servers often do support caching (because they can act as a proxy for multiple entities, who may have requested the same information (web page in case of HTTP proxy, or DNS-IP mapping in case of DNS proxy)).

    Again, I suggest reading these first:
    www.techexams.net/technotes/networkplus/internetconnections.shtml

    NAT, ICS, proxy, packet filtering, routers, and firewalls are all different services and features, which often are combined in a single hardware appliance or software package. One does not replace the other, they perform different functions and complement each other.
    OK, do you know any freeware software that can replace ICS with a proxy server?
    What type of proxy server? ;)

    Assuming you mean a web proxy with caching ability:
    www.squid-cache.org
    This is 'the' free open source web proxy and is popular in corporate networks as well.
  • ytrav4ytrav4 Member Posts: 15 ■□□□□□□□□□
    Yeah thanks for all your info, so routers forward while proxies copy and send, I can see why proxies would be slow if all the data going through a T1 line had to be replicated and then sent.

    I just get a little confused when it comes to routers, I know the proper definition but I don't feel I understand it. In your example of a LAN with 400 computers the router would only do work when any computer needed to access the Internet or a computer from the outside made a request to the network. So is the purpose of the router to route incoming/outgoing Internet traffic independent of internal traffic handled by switches with the exception of a router that is dividing two networks on one large LAN? Or does the router touch everything?
    Am I normal? Depends on the averages we are comparing!
  • ytrav4ytrav4 Member Posts: 15 ■□□□□□□□□□
    Trust me webmaster, I read the tech notes, that was the first place I went. I see what you're saying, that NAT changes the packet header and proxies store the original packets and send a replica. It helps me understand things better having a dynamic conversation with people though. I appreciate your info and time too. I'm reading and asking questions.
    Am I normal? Depends on the averages we are comparing!
  • sprkymrksprkymrk Member Posts: 4,884 ■■■□□□□□□□
    Webmaster wrote:
    A proxy server cannot replace a router used in a routed connection. Actually, one of the most common configuration mistakes on a proxy server is enabling routing. If a router isn't actually 'routing' but translating (NAT), you could use a dual-homed proxy server.

    A proxy is not the same as a NAT, it's very different actually. And the one doesn't need the other. With NAT the IP packet's address headers are modified, and this is transparent to the user. Proxy servers such as web proxy servers work on a higher layer, in software, regardless of the underlying network protocols. Proxy also does 'not' refer to any type of caching, but if you understand what a proxy is, it also becomes logical why different types of proxy servers often do support caching (because they can act as a proxy for multiple entities, who may have requested the same information (web page in case of HTTP proxy, or DNS-IP mapping in case of DNS proxy)).
    If you'll notice, I did qualify my statement with stating that as long as we are talking about a firewall/proxy, it could replace a router. Perhaps I should have been more clear in my statement - my apologies.
    In addition, my somewhat long winded rant went on describing something that could be used in place of ICS. And by replacing a router, it is assumed that you would "proxy" the connection with a proxy, not "route" it, as I tried to explain but perhaps failed.
    I also said "one other common function" of proxies (as in things that routers don't do) was caching, since when one thinks of proxies, a web proxy is usually what comes to mind.
    Webmaster wrote:
    NAT, ICS, proxy, packet filtering, routers, and firewalls are all different services and features, which often are combined in a single hardware appliance or software package. One does not replace the other, they perform different functions and complement each other.
    This is true. A proxy is simply a "go-between" or "substitute". However, in the context of his question, I assumed he was looking for an "application level gateway" proxy, which to me is a NATing firewall with the features you describe above. I may be guilty of overstating the simple.
    Good discussion though.
    All things are possible, only believe.
  • sprkymrksprkymrk Member Posts: 4,884 ■■■□□□□□□□
    ytrav4 wrote:
    In your example of a LAN with 400 computers the router would only do work when any computer needed to access the Internet or a computer from the outside made a request to the network. So is the purpose of the router to route incoming/outgoing Internet traffic independent of internal traffic handled by switches with the exception of a router that is dividing two networks on one large LAN? Or does the router touch everything?
    The router only handles traffic crossing it. Internal traffic between computers on the same subnet is handled by the switches/hubs. However, this is also true of whatever you may use to divide your network at layer 3. Whether a firewall, proxy, router, etc., it only handles routing between the networks, not within.
    All things are possible, only believe.
  • ytrav4ytrav4 Member Posts: 15 ■□□□□□□□□□
    sprkymrk wrote:
    ytrav4 wrote:
    In your example of a LAN with 400 computers the router would only do work when any computer needed to access the Internet or a computer from the outside made a request to the network. So is the purpose of the router to route incoming/outgoing Internet traffic independent of internal traffic handled by switches with the exception of a router that is dividing two networks on one large LAN? Or does the router touch everything?
    The router only handles traffic crossing it. Internal traffic between computers on the same subnet is handled by the switches/hubs. However, this is also true of whatever you may use to divide your network at layer 3. Whether a firewall, proxy, router, etc., it only handles routing between the networks, not within.

    Oh thanks, that clears things up. So let's say, with your example again, a LAN with 400 workstations only uses the internet for email. Since the traffic is not used heavily, could a workstation connected directly to the internet be configured to have a proxy server that uses NAT and DHCP replace the need for a router? Except for connecting networks of a larger LAN, that is.

    And is the only unique function of a router to join networks in a larger LAN? What is it about NAT that requires special hardware on large networks?
    Am I normal? Depends on the averages we are comparing!
  • sprkymrksprkymrk Member Posts: 4,884 ■■■□□□□□□□
    ytrav4 wrote:
    Oh thanks, that clears things up. So let's say, with your example again, a LAN with 400 workstations only uses the internet for email. Since the traffic is not used heavily, could a workstation connected directly to the internet be configured to have a proxy server that uses NAT and DHCP replace the need for a router? Except for connecting networks of a larger LAN, that is.

    And is the only unique function of a router to join networks in a larger LAN? What is it about NAT that requires special hardware on large networks?
    As you have discerned, it all depends on the load. It also depends on the power of the "workstation", but I'll give you an example or two I have run into. I once managed a 50 computer network with a T-1 line. They hosted their own mail using an Exchange Server. All mail originating on the LAN and intended for another local user did not have to traverse the firewall/router, only external senders or recipients. In addition, they all had Internet access. This traffic was handled by an old P-3 733 Dell Optiplex with 768MB RAM and configured with 2 NICs and running ISA Server 2K. The box performed firewall, proxy and caching functions in addition to some IDS. It performed wonderfully and was never a bottleneck for the small LAN. Beyond the Dell PC running this ISA firewall was the border router that had 3 interfaces, 1 to this LAN I managed, 1 to a different LAN owned by the same company but managed by a different department, and the one to the ISP/Internet. If I recall, this was a Cisco 2500 series router that had a simple ACL to block spoofing and NetBIOS stuff. Since it was only running the Cisco IOS (in other words no Windows) and all it did was route packets, it performed admirably as well even though it was handling the traffic of 2 networks instead of one. And I'm no Cisco buff, but I think hardware was along the lines of 8MB RAM on a 20 MHz RISC processor.
    All things are possible, only believe.
  • ytrav4ytrav4 Member Posts: 15 ■□□□□□□□□□
    sprk, you live in Charleston SC, nice. I visited there a few times, I wish I was by the coast, beautiful place too. I live in Columbia SC so we're not too far apart.

    So back to the computers stuff I want to recap,

    Is NAT the only way multiple computers can share one IP? Is there another scheme? I think Microsoft ICS uses NAT too.

    And the router provides NAT, DHCP, and firewall which can be all emulated with other software solutions but the only physical job that makes the router unique is to route packets to other subnets, separating broadcast domains.
    Am I normal? Depends on the averages we are comparing!
  • sprkymrksprkymrk Member Posts: 4,884 ■■■□□□□□□□
    ytrav4 wrote:
    sprk, you live in Charleston SC, nice. I visited there a few times, I wish I was by the coast, beautiful place too. I live in Columbia SC so we're not too far apart.
    Howdy neighbor. I get up there a couple of times a month, which reminds me how much I like it here by the coast. :)
    ytrav4 wrote:
    Is NAT the only way multiple computers can share one IP? Is there another scheme? I think Microsoft ICS uses NAT too.
    Yes, NAT (network address translation, also known as IP-masquerading) changes the source and/or destination addresses of IP packets as they pass through the router or firewall. Its most common use is to allow multiple hosts on a private network to access the Internet using a single public IP address. And ICS uses NAT and DHCP.
    All things are possible, only believe.
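
Added example, not part of the thread: a simplified port-translating NAT table in Python, showing how several private hosts share one public address, how only the address headers change while the payload passes through unread (unlike an application-layer proxy), and why unsolicited inbound packets are dropped. The names `Packet`, `Napt` and `demo` are hypothetical, and all addresses are constructed from documentation ranges.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes

class Napt:
    """Simplified port-translating NAT: private hosts share one public IP."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}   # (private ip, private port, remote ip, remote port) -> public port
        self.back = {}  # (public port, remote ip, remote port) -> (private ip, private port)

    def outbound(self, pkt):
        """Rewrite the source address/port; the payload is never examined."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[(self.next_port, pkt.dst_ip, pkt.dst_port)] = key[:2]
            self.next_port += 1
        return replace(pkt, src_ip=self.public_ip, src_port=self.out[key])

    def inbound(self, pkt):
        """Map a reply back to its private host, or drop it (return None)."""
        owner = self.back.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if owner is None:
            return None  # no inside host opened this flow
        return replace(pkt, dst_ip=owner[0], dst_port=owner[1])

def demo():
    # Constructed sample traffic; all addresses are documentation ranges.
    nat = Napt("203.0.113.10")
    req = b"GET / HTTP/1.0\r\n\r\n"
    a = nat.outbound(Packet("192.168.0.2", 51000, "198.51.100.7", 80, req))
    b = nat.outbound(Packet("192.168.0.3", 51000, "198.51.100.7", 80, req))
    reply = nat.inbound(Packet("198.51.100.7", 80, nat.public_ip, b.src_port, b"HTTP/1.0 200 OK\r\n\r\n"))
    stray = nat.inbound(Packet("198.51.100.99", 4444, nat.public_ip, b.src_port, b"probe"))
    return a, b, reply, stray

if __name__ == "__main__":
    for item in demo():
        print(item)
```

Both inside hosts use the same private source port, yet leave with distinct public ports; the reply is mapped back to 192.168.0.3 and the packet from an address no inside host contacted has no mapping and is dropped.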