A Novel Approach to Manage Asymmetric Traffic Flows for Secure Network Proxies

A transparent secure network proxy intercepts web traffic such as HTTP requests and applies access policies to the intercepted traffic. The proxy will reinitiate a request on behalf of the client when policies permit. Depending on policy configuration, this proxy may masquerade as the client when generating the request. The response from the server may reach the client instead of the proxy due to asymmetric routing, and if so, would be rejected by the client as an invalid response. Consequently the proxy can not complete the original request. This paper presents a new protocol and a comprehensive mechanism that facilitates the formation of a cluster comprised of multiple proxies. This proxy cluster can cover a network that spans a large geographical area, and collaboratively discover and redirect asymmetrically routed traffic flows towards the appropriate member proxy. The protocol and the algorithms presented in this paper can operate in both IPv4 and IPv6 [1] networks.1 1 Background and Motivation Secure network proxies play an essential role in today's enterprise networks. These proxies can enforce access policies, conduct traffic monitoring, and perform content delivery acceleration through caching and WAN optimization. The various security requirements combined with reliability requirements present complex network architectures in which proxies cannot be deployed due to application breakage. The deploy-ability of a secure network proxy is measured by the types of policies the proxy can enforce without impeding applications. In other words, applications must continue to function even when application traffic is subject to processing at the proxy. This section provides a general introduction to the concept of a secure network proxy followed by descriptions of example problems challenging the proxy deployment.