As we’ve been developing our web security solution for Macs and Windows, the question often comes up whether we use an agent (a client installed on the endpoint) or simply configure the operating system’s native proxy settings, usually by pushing out a PAC file. We’ve chosen to distribute a smart agent, for several reasons.
Agents Can’t Be Ignored by Applications
Because the agent sits at the kernel level, in the operating system’s network stack, an application cannot choose to route around it. Proxy settings, by contrast, are advisory: every application decides for itself whether to honour them. That means sensitive data, or a malicious app, can bypass the proxy without the IT administrator ever knowing. Firefox is a good example: it keeps its own proxy configuration, separate from the operating system’s, so it can be switched to a direct connection regardless of what the system-wide PAC file says. Malware with any sophistication will simply ignore the proxy, which removes one more chance of detecting it.
A PAC file only tells a cooperating client where to send its traffic; it enforces nothing. Because it is trivial for any app or program to bypass proxy settings delivered this way, the approach is not sufficient on its own as a security control.
Agents Are Intelligent
Proxy settings are inherently static and leave little room for dynamic configuration: a PAC file sees little more than the requested URL and host name, and knows nothing about who the user is, which application is making the request, how the user has been behaving or how risky the destination looks. With the growing concerns around privacy, you want a solution that can change with the times and with the context of the situation. That might mean only taking certain traffic for some employees, or changing what traffic is analysed depending on the context (location, behaviour, application, risk, etc.). An agent allows far more intelligence in what web traffic is taken and how it is analysed.
An agent also has much more control over connection handling, which can give a real boost in performance; in some cases page loads are faster through the agent than over the same internet connection without it. We’ll write more about how this is accomplished in an upcoming blog post.
Agents Analyze All Internet Traffic
Since an agent is placed at the kernel level, it can proxy all traffic to a web gateway, not just HTTP: SMTP, IMAP, DNS, protocols that run over UDP, and more. Configuring proxy settings alone usually covers only HTTP (web traffic), which is fine if you just need simple URL filtering and inspection, but a great deal happens outside of HTTP. By looking only at HTTP traffic you have an incomplete picture and leave a larger surface from which attacks can occur. Email talks over other common protocols like IMAP and SMTP, Skype often uses UDP, and almost every internet-based app uses DNS to resolve IP addresses.
Furthermore, if malware knows that only an HTTP proxy is in use, it can simply talk to its command-and-control server over another protocol, such as raw UDP, and the HTTP proxy will never see that traffic.
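To make both of these points concrete (an application deciding whether to honour proxy settings, and non-HTTP traffic that an HTTP proxy never sees), here is a small Python script added to this post as an illustration; it is not code from the post or from the product it describes. It constructs, on 127.0.0.1, an origin web server, a stub HTTP "proxy" that only records what reaches it and does not forward, and a UDP listener. The paths /honours-proxy, /ignores-proxy and /raw-socket, the "beacon" datagram and the use of the http_proxy environment variable to stand in for the system proxy setting are all assumptions made for the demo.

```python
"""Which clients honour the system proxy setting?

Added illustration (not code from the post): an origin server, a stub
HTTP "proxy" that only records what reaches it, and a UDP listener, all
constructed on 127.0.0.1. Four clients then talk to the origin:

  1. urllib with its default handlers  -> reads http_proxy, goes via proxy
  2. urllib built with ProxyHandler({}) -> deliberately ignores the setting
  3. a raw TCP socket                   -> never consults proxy settings
  4. a UDP datagram                     -> not HTTP; an HTTP proxy cannot see it
"""
import os
import socket
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class RecordingHandler(BaseHTTPRequestHandler):
    """Answer every GET with 200 and record the request line's target
    in the owning server's `seen` list (an attribute added to HTTPServer)."""

    def do_GET(self):
        self.server.seen.append(self.path)  # absolute URI when proxied
        body = b"ok"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def _start_http():
    srv = HTTPServer(("127.0.0.1", 0), RecordingHandler)  # port 0: any free port
    srv.seen = []
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def run_demo():
    origin = _start_http()
    proxy = _start_http()  # stub: records the absolute URI, does not forward
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(("127.0.0.1", 0))
    udp.settimeout(2)

    target = "http://127.0.0.1:%d" % origin.server_address[1]
    saved = {k: os.environ.get(k) for k in ("http_proxy", "no_proxy")}
    # Stand-in for the "system" proxy setting: an http_proxy value and an
    # empty no_proxy (so a CI-style no_proxy=localhost cannot mask the effect).
    os.environ["http_proxy"] = "http://127.0.0.1:%d" % proxy.server_address[1]
    os.environ["no_proxy"] = ""
    try:
        # 1. A well-behaved client: the default handlers include a
        #    ProxyHandler built from the environment, so this goes to the proxy.
        urllib.request.build_opener().open(target + "/honours-proxy").read()

        # 2. Same library, one line different: an empty ProxyHandler replaces
        #    the default one and the request goes straight to the origin.
        direct = urllib.request.build_opener(urllib.request.ProxyHandler({}))
        direct.open(target + "/ignores-proxy").read()

        # 3. Raw socket: proxy settings are never even looked at.
        with socket.create_connection(("127.0.0.1", origin.server_address[1])) as s:
            s.sendall(b"GET /raw-socket HTTP/1.0\r\nHost: origin\r\n\r\n")
            s.recv(1024)

        # 4. UDP "beacon": nothing an HTTP proxy could ever be asked about.
        sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sender.sendto(b"beacon", udp.getsockname())
        sender.close()
        datagram, _ = udp.recvfrom(64)
    finally:
        for k, v in saved.items():
            if v is None:
                os.environ.pop(k, None)
            else:
                os.environ[k] = v
        for srv in (origin, proxy):
            srv.shutdown()
            srv.server_close()
        udp.close()

    return {"proxy_saw": proxy.seen, "origin_saw": origin.seen, "udp_saw": datagram}


if __name__ == "__main__":
    print(run_demo())
```

Only the first client reaches the proxy; the other three hit the origin (or the UDP listener) directly, and nothing in the proxy's log hints that they ever happened. The second client is the interesting one: it is the same standard library, so "which library the app uses" is no guide to whether the proxy is honoured.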
Agents Are Difficult to Disable
Proxy settings delivered via PAC files are fairly simple for users to disable, often without any special privileges, whereas an agent is much more difficult to disable without administrator access because it runs at the kernel level. An agent can also carry extra logic to check whether it has been disabled and, if so, restart itself or notify an administrator.
Deploying proxy settings may be simpler from an initial-deployment perspective, but the benefits largely end there; from then on an agent is the better choice. If you’re interested in our agent-based approach, sign up for early access today.