SOFTWARE

=**Shields Up**=
 * **Shields Up** is an online [|port] scanning service created by [|Steve Gibson] of [|Gibson Research Corporation] and hosted at [|grc.com]. The purpose of this utility is to alert the users of any ports that have been opened through their [|firewalls] or through their [|NAT routers]. The utility can scan the most common [|file sharing] ports, as well as all [|service ports] (1-1056), and user defined ports, in sets of 64.

=SaaS=

**Software as a service** (**SaaS**, typically pronounced [sæs]), sometimes referred to as "software on demand," is software that is [|deployed] over the internet and/or is deployed to run behind a firewall on a local area network or personal computer. With SaaS, a [|provider] licenses an application to customers either as a [|service] on demand, through a subscription, in a "pay-as-you-go" model, or (increasingly) at no charge.

SaaS was initially widely deployed for sales force automation and [|Customer Relationship Management] (CRM). Now it has become commonplace for many business tasks, including computerized billing, [|invoicing], [|human resource management], financials, [|content management], collaboration, document management, and service desk management.

**Advantages**
 * Pay per use
 * Instant scalability
 * Security
 * Reliability
 * APIs

=**User Account Control** (**UAC**)= is a technology and security infrastructure introduced with [|Microsoft]'s [|Windows Vista] and [|Windows Server 2008] [|operating systems], with a more refined[1] version also present in [|Windows 7] and [|Windows Server 2008 R2]. It aims to improve the security of [|Microsoft Windows] by limiting [|application software] to standard user privileges until an [|administrator] authorizes an increase or elevation. In this way, only applications trusted by the user may receive administrative privileges, and [|malware] should be kept from compromising the operating system. In other words, a user account may have administrator privileges assigned to it, but applications that the user runs do not inherit those privileges unless they are approved beforehand or the user explicitly authorizes it. To reduce the possibility of lower-privilege applications communicating with higher-privilege ones, another new technology, [|User Interface Privilege Isolation], is used in conjunction with User Account Control to isolate these processes from each other.[2] One prominent use of this is [|Internet Explorer 7]'s "Protected Mode".

=A **cryptographic hash function**= is a [|deterministic procedure] that takes an arbitrary block of [|data] and returns a fixed-size [|bit] string, the (**cryptographic**) **hash value**, such that an accidental or intentional change to the data will change the hash value. The data to be encoded is often called the "message", and the hash value is sometimes called the **message digest** or simply **digest**. The ideal cryptographic hash function has four main or significant properties:
 * it is easy to compute the hash value for any given message,
 * it is [|infeasible] to find a message that has a given hash,
 * it is [|infeasible] to modify a message without changing its hash,
 * it is [|infeasible] to find two different messages with the same hash.

Cryptographic hash functions have many [|information security] applications, notably in [|digital signatures], [|message authentication codes] (MACs), and other forms of [|authentication]. They can also be used as ordinary [|hash functions], to index data in [|hash tables], for [|fingerprinting], to detect duplicate data or uniquely identify files, and as [|checksums] to detect accidental data corruption. Indeed, in information security contexts, cryptographic hash values are sometimes called (**digital**) **fingerprints**, **checksums**, or just **hash values**, even though all these terms stand for functions with rather different properties and purposes.

Most cryptographic hash functions are designed to take a [|string] of any length as input and produce a fixed-length hash value. A cryptographic hash function must be able to withstand all known [|types of cryptanalytic attack]. As a minimum, it must have the following properties:
 * //Preimage resistance//: Given a hash h, it should be hard to find any message m such that h = hash(m). This concept is related to that of [|one-way function]. Functions that lack this property are vulnerable to [|preimage attacks].
 * //Second preimage resistance//: Given an input m_1, it should be hard to find another input m_2, where m_1 ≠ m_2, such that hash(m_1) = hash(m_2). This property is sometimes referred to as //weak collision resistance//, and functions that lack this property are vulnerable to [|second preimage attacks].
 * //Collision resistance//: It should be hard to find two different messages m_1 and m_2 such that hash(m_1) = hash(m_2). Such a pair is called a cryptographic [|hash collision], a property which is sometimes referred to as //strong collision resistance//. It requires a hash value at least twice as long as that required for preimage-resistance, otherwise collisions may be found by a [|birthday attack].
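The following Python sketch is an added example, not part of the original page. It shows why collision resistance needs a longer hash value than preimage resistance: on a deliberately short 16-bit hash (SHA-256 truncated, an assumption made so the search finishes quickly), a birthday search finds a collision far sooner than a search for a second preimage of a fixed message. The message strings and function names are constructed for illustration.

```python
import hashlib
from itertools import count


def truncated_hash(message: bytes, bits: int) -> int:
    """First `bits` bits of SHA-256(message) as an integer (a toy short hash)."""
    digest = hashlib.sha256(message).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def candidate(i: int) -> bytes:
    # Constructed sample messages: a distinct byte string for every counter value.
    return b"constructed-message-%d" % i


def find_collision(bits: int):
    """Birthday search: find ANY two different messages with the same hash.

    Expected work is about 2**(bits/2) hashes. The loop always terminates:
    among 2**bits + 1 distinct messages two must share a hash value.
    """
    seen = {}
    for tries in count(1):
        m = candidate(tries)
        h = truncated_hash(m, bits)
        if h in seen:
            return seen[h], m, tries
        seen[h] = m


def find_second_preimage(target: bytes, bits: int, max_tries: int):
    """Find a different message whose hash equals that of one FIXED target.

    Expected work is about 2**bits hashes, the square of the birthday cost.
    Returns (None, max_tries) if the budget runs out first.
    """
    goal = truncated_hash(target, bits)
    for tries in range(1, max_tries + 1):
        m = candidate(tries)
        if m != target and truncated_hash(m, bits) == goal:
            return m, tries
    return None, max_tries


if __name__ == "__main__":
    bits = 16
    m1, m2, c_tries = find_collision(bits)
    print(f"collision after {c_tries} hashes: {m1!r} / {m2!r}")

    target = b"constructed-target"
    m, p_tries = find_second_preimage(target, bits, 1 << 20)
    print(f"second preimage after {p_tries} hashes: {m!r}")

    # The full 256-bit digests of the colliding pair still differ: the
    # weakness lies in the short output length, not in SHA-256 itself.
    print(hashlib.sha256(m1).hexdigest() != hashlib.sha256(m2).hexdigest())
```

Raising `bits` makes both searches slower, but the birthday search only needs roughly the square root of the work of the second-preimage search, which is the reason for the "twice as long" requirement.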

=**Malware**= (also: //scumware//), short for //malicious software//, is [|software] designed to secretly access a computer system without the owner's [|informed consent]. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code.[1] The term "[|computer virus]" is sometimes used as a catch-all phrase to include all types of malware, including true viruses. Software is considered to be malware based on the perceived intent of the creator rather than any particular features. Malware includes [|computer viruses], [|worms], [|trojan horses], [|spyware], dishonest [|adware], scareware, [|crimeware], most [|rootkits], and other malicious and unwanted software. In [|law], malware is sometimes known as a computer contaminant, for instance in the legal codes of several [|U.S.] states, including [|California] and [|West Virginia].[2][3] Malware is not the same as defective software, that is, software that has a legitimate purpose but contains harmful [|bugs]. Preliminary results from [|Symantec] published in 2008 suggested that "the release rate of malicious code and other unwanted programs may be exceeding that of legitimate software applications."[4] According to [|F-Secure], "As much malware [was] produced in 2007 as in the previous 20 years altogether."[5] Malware's most common pathway from criminals to users is through the [|Internet]: primarily by e-mail and the [|World Wide Web].

=A **backdoor**= in a [|computer] system (or [|cryptosystem] or [|algorithm]) is a method of bypassing normal [|authentication], securing remote access to a computer, obtaining access to plaintext, and so on, while attempting to remain undetected. The backdoor may take the form of an installed program (e.g., [|Back Orifice]), or could be a modification to an existing program or hardware device. A backdoor in a login system might take the form of a [|hard coded] user and password combination which gives access to the system. A famous example of this sort of backdoor was a plot device in the [|1983] film //[|WarGames]//, in which the architect of the "[|WOPR]" computer system had inserted a hardcoded password (his dead son's name) which gave the user access to the system, and to undocumented parts of the system (in particular, a video game–like simulation mode and direct interaction with the [|artificial intelligence]). An attempt to plant a backdoor in the [|Linux kernel], exposed in November [|2003], showed how subtle such a code change can be.[3] In this case, a two-line change appeared to be a typographical error, but actually gave the caller of the function [|root access] to the system.[4] Although the number of backdoors in systems using [|proprietary software] (software whose [|source code] is not publicly available) is not widely credited, they are nevertheless frequently exposed. Programmers have even succeeded in secretly installing large amounts of benign code as [|Easter eggs] in programs, although such cases may involve official forbearance, if not actual permission.

Many [|computer worms], such as [|Sobig] and [|Mydoom], install a backdoor on the affected computer (generally a [|PC] on [|broadband] running insecure versions of [|Microsoft Windows] and [|Microsoft Outlook]). Such backdoors appear to be installed so that [|spammers] can send junk [|e-mail] from the infected machines. Others, such as the [|Sony/BMG rootkit] distributed silently on millions of music CDs through late 2005, are intended as [|DRM] measures — and, in that case, as data gathering [|agents], since both surreptitious programs they installed routinely contacted central servers.

=An **operating system** (**OS**)= is [|software], consisting of programs and data, that runs on computers, manages the computer hardware and provides common services for efficient execution of various [|application software]. For hardware functions such as input and output and [|memory allocation], the operating system acts as an intermediary between application programs and the computer hardware,[1][2] although the application code is usually executed directly by the hardware and will frequently call the OS or be interrupted by it. Operating systems are found on almost any device that contains a computer, from [|cellular phones] and [|video game consoles] to [|supercomputers] and [|web servers]. Examples of popular modern operating systems for personal computers are [|Microsoft Windows], [|Mac OS X], and [|Linux].

=DS= A **directory service** is the software system that stores, organizes and provides access to information in a [|directory]. In software engineering, a directory is a map between names and values. It allows the lookup of values given a name, similar to a dictionary. As a word in a dictionary may have multiple definitions, in a directory, a name may be associated with multiple, different pieces of information. Likewise, as a word may have different parts of speech and different definitions, a name in a directory may have many different types of data. Directories may be very narrow in scope, supporting only a small set of [|node] types and data types, or they may be very broad, supporting an arbitrary or extensible set of types. In a telephone directory, the nodes are names and the data items are telephone numbers. In the [|DNS] the nodes are domain names and the data items are IP addresses (and aliases, mail server names, etc.). In a directory used by a network operating system, the nodes represent resources that are managed by the OS, including users, computers, printers and other shared resources. Many different directory services have been used since the advent of the Internet but this article focuses mainly on those that have descended from the [|X.500] directory service.

=The **Domain Name System** (**DNS**)= is a hierarchical naming system built on a [|distributed database] for computers, services, or any resource connected to the [|Internet] or a [|private network]. It associates various information with [|domain names] assigned to each of the participating entities. Most importantly, it translates domain names meaningful to [|humans] into the numerical identifiers associated with networking equipment for the purpose of locating and addressing these devices worldwide. An often-used analogy to explain the Domain Name System is that it serves as the //[|phone book]// for the Internet by translating human-friendly computer [|hostnames] into [|IP addresses]. For example, the domain name //[|www.example.com]// translates to the addresses //192.0.32.10// ([|IPv4]) and //2620:0:2d0:200::10// ([|IPv6]). The Domain Name System makes it possible to assign [|domain names] to groups of Internet resources and users in a meaningful way, independent of each entity's physical location. Because of this, [|World Wide Web] (WWW) [|hyperlinks] and Internet contact information can remain consistent and constant even if the current Internet routing arrangements change or the participant uses a mobile device. Internet domain names are easier to remember than IP addresses such as (IPv4) or  (IPv6). Users take advantage of this when they recite meaningful [|Uniform Resource Locators] (URLs) and [|e-mail addresses] without having to know how the computer actually locates them. The Domain Name System distributes the responsibility of assigning domain names and mapping those names to IP addresses by designating [|authoritative name servers] for each domain. Authoritative name servers are assigned to be responsible for their particular domains, and in turn can assign other authoritative name servers for their sub-domains. 
This mechanism has made the DNS distributed and fault tolerant and has helped avoid the need for a single central register to be continually consulted and updated. In general, the Domain Name System also stores other types of information, such as the list of [|mail servers] that accept [|email] for a given Internet domain. By providing a worldwide, distributed [|keyword]-based redirection service, the Domain Name System is an essential component of the functionality of the [|Internet]. Other identifiers such as [|RFID tags], [|UPC codes], international characters in email addresses and host names, and a variety of other identifiers could all potentially utilize DNS.[1] The Domain Name System also defines the technical underpinnings of the functionality of this database service. For this purpose it defines the DNS protocol, a detailed specification of the data structures and communication exchanges used in DNS, as part of the [|Internet Protocol Suite].

=**Computer software**, or just **software**=, is the collection of [|computer programs] and related [|data] that provide the instructions telling a [|computer] what to do. We can also say software refers to one or more computer programs and data held in the storage of the computer for some purposes. Program [|software] performs the [|function] of the [|program] it implements, either by directly providing [|instructions] to the computer hardware or by serving as input to another piece of software. The [|term] was coined to contrast with the old term [|hardware] (meaning physical devices). In contrast to hardware, software is intangible, meaning it "cannot be touched".[1] Software is also sometimes used in a narrower sense, meaning [|application software] only. Sometimes the term includes data that has not traditionally been associated with computers, such as film, tapes, and records.[2]

=**Encryption**= is the process of transforming [|information] (referred to as [|plaintext]) using an [|algorithm] (called a [|cipher]) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a [|key]. The result of the process is **encrypted** information (in cryptography, referred to as [|ciphertext]). In many contexts, the word **encryption** also implicitly refers to the reverse process, **decryption** (e.g. “[|software for encryption]” can typically also perform decryption), to make the encrypted information readable again (i.e. to make it unencrypted). Encryption has long been used by militaries and governments to facilitate secret communication. Encryption is now commonly used in protecting information within many kinds of civilian systems. For example, the [|Computer Security Institute] reported that in 2007, 71% of companies surveyed utilized encryption for some of their data in transit, and 53% utilized encryption for some of their data in storage.[1] Encryption can be used to protect data "at rest", such as files on [|computers] and storage devices (e.g. [|USB flash drives]). In recent years there have been numerous reports of confidential data such as customers' personal records being exposed through loss or theft of laptops or backup drives. Encrypting such files at rest helps protect them should physical security measures fail. [|Digital rights management] systems which prevent unauthorized use or reproduction of copyrighted material and protect software against [|reverse engineering] (see also [|copy protection]) are another somewhat different example of using encryption on data at rest. Encryption is also used to protect data in transit, for example data being transferred via [|networks] (e.g. the [|Internet], [|e-commerce]), [|mobile telephones], [|wireless microphones], [|wireless intercom] systems, [|Bluetooth] devices and bank [|automatic teller machines].
There have been numerous reports of data in transit being intercepted in recent years.[2] Encrypting data in transit also helps to secure it as it is often difficult to physically secure all access to networks. Encryption, by itself, can protect the confidentiality of messages, but other techniques are still needed to protect the integrity and authenticity of a message; for example, verification of a [|message authentication code] (MAC) or a [|digital signature]. Standards and [|cryptographic software] and hardware to perform encryption are widely available, but successfully using encryption to ensure security may be a challenging problem. A single slip-up in system design or execution can allow successful attacks. Sometimes an adversary can obtain unencrypted information without directly undoing the encryption. See, e.g., [|traffic analysis], [|TEMPEST], or [|Trojan horse].

=A **digital signature** or **digital signature scheme**= is a mathematical scheme for demonstrating the authenticity of a digital message or document. A valid digital signature gives a recipient reason to believe that the message was created by a known sender, and that it was not altered in transit. Digital signatures are commonly used for software distribution, financial transactions, and in other cases where it is important to detect forgery and tampering. Digital signatures are often used to implement [|electronic signatures], a broader term that refers to any electronic data that carries the intent of a signature,[1] but not all electronic signatures use digital signatures.[2][3][4] In some countries, including the United States, India, and members of the [|European Union], electronic signatures have legal significance. However, laws concerning electronic signatures do not always make clear whether they are digital cryptographic signatures in the sense used here, leaving the legal definition, and so their importance, somewhat confused. Digital signatures employ a type of [|asymmetric cryptography]. For messages sent through an insecure channel, a properly implemented digital signature gives the receiver reason to believe the message was sent by the claimed sender. Digital signatures are equivalent to traditional handwritten signatures in many respects; properly implemented digital signatures are more difficult to forge than the handwritten type. Digital signature schemes in the sense used here are cryptographically based, and must be implemented properly to be effective.
Digital signatures can also provide [|non-repudiation], meaning that the signer cannot successfully claim they did not sign a message, while also claiming their private key remains secret; further, some non-repudiation schemes offer a time stamp for the digital signature, so that even if the private key is exposed, the signature is valid nonetheless. Digitally signed messages may be anything representable as a [|bitstring]: examples include [|electronic mail], [|contracts], or a message sent via some other [|cryptographic protocol].

=**Transport Layer Security** (**TLS**) and its predecessor, **Secure Sockets Layer** (**SSL**)=, are [|cryptographic protocols] that provide [|security] for communications over networks such as the [|Internet]. TLS and SSL encrypt the segments of network connections at the [|Application Layer] to ensure secure end-to-end transit at the [|Transport Layer]. TLS is also the name of a working group of the [|Internet Engineering Task Force],[1] but in this article TLS refers to the protocol, not the working group. Several versions of the protocols are in widespread use in applications like [|web browsing], [|electronic mail], [|Internet faxing], [|instant messaging] and [|voice-over-IP (VoIP)]. TLS is an [|IETF] [|standards track] protocol, last updated in [|RFC 5246], that was based on the earlier SSL specifications developed by [|Netscape] Corporation.

The TLS protocol allows client/server applications to communicate across a network in a way designed to prevent [|eavesdropping] and [|tampering]. TLS provides endpoint [|authentication] and [|communications confidentiality] over the [|Internet] using [|cryptography]. TLS provides [|RSA] security with 1024 and 2048 bit strengths. In typical end-user/browser usage, TLS authentication is //unilateral//: only the server is //authenticated// (the client knows the server's identity), but not //vice versa// (the client remains unauthenticated or anonymous). TLS also supports the more secure //bilateral// connection mode (typically used in enterprise applications), in which both ends of the "conversation" can be assured with whom they are communicating (provided they diligently scrutinize the identity information in the other party's [|certificate]). This is known as [|mutual authentication], or 2SSL. Mutual authentication requires that the TLS client-side also hold a certificate (which is not usually the case in the end-user/browser scenario), unless [|TLS-PSK], the [|Secure Remote Password] (SRP) protocol, or some other protocol is used that can provide strong mutual authentication in the absence of certificates. Typically, the key information and certificates necessary for TLS are handled in the form of [|X.509] certificates, which define required fields and data formats. SSL operates in modular fashion. It is extensible by design, with support for forward and backward compatibility and negotiation between [|peers].

=RBAC= In computer systems security, **role-based access control** (**RBAC**)[1][2] is an approach to restricting system access to authorized users. It is a newer alternative approach to [|mandatory access control] (MAC) and [|discretionary access control] (DAC). RBAC is sometimes referred to as role-based security. Within an organization, [|roles] are created for various job functions. The permissions to perform certain operations are assigned to specific roles. Members of staff (or other system users) are assigned particular roles, and through those role assignments acquire the permissions to perform particular system functions. Since users are not assigned permissions directly, but only acquire them through their role (or roles), management of individual user rights becomes a matter of simply assigning appropriate roles to the user; this simplifies common operations, such as adding a user, or changing a user's department. Three primary rules are defined for RBAC:
 * 1) Role assignment: A subject can execute a transaction only if the subject has selected or been assigned a role.
 * 2) Role authorization: A subject's active role must be authorized for the subject. With rule 1 above, this rule ensures that users can take on only roles for which they are authorized.
 * 3) Transaction authorization: A subject can execute a transaction only if the transaction is authorized for the subject's active role. With rules 1 and 2, this rule ensures that users can execute only transactions for which they are authorized.

Additional constraints may be applied as well, and roles can be combined in a hierarchy where higher-level roles subsume permissions owned by sub-roles.
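The three RBAC rules and the role hierarchy can be expressed as a small reference monitor. The Python code below is an added example, not part of the original page; the class names, the roles (clerk, accountant, auditor), the users and the transaction names are all constructed for illustration.

```python
class AccessDenied(Exception):
    """Raised when one of the three RBAC rules rejects a request."""


class Policy:
    def __init__(self, role_permissions, user_roles, sub_roles=None):
        self.role_permissions = role_permissions  # role -> set of transactions
        self.user_roles = user_roles              # user -> set of authorized roles
        self.sub_roles = sub_roles or {}          # role -> sub-roles it subsumes

    def permissions_of(self, role):
        """Permissions of a role plus those of every sub-role below it."""
        granted, stack, seen = set(), [role], set()
        while stack:
            current = stack.pop()
            if current in seen:  # tolerate a misconfigured, cyclic hierarchy
                continue
            seen.add(current)
            granted |= self.role_permissions.get(current, set())
            stack.extend(self.sub_roles.get(current, ()))
        return granted


class Session:
    """One subject (user) with at most one active role."""

    def __init__(self, policy, user):
        self.policy, self.user, self.active_role = policy, user, None

    def _authorized(self, role):
        return role in self.policy.user_roles.get(self.user, set())

    def activate(self, role):
        # Rule 2 (role authorization): the active role must be authorized.
        if not self._authorized(role):
            raise AccessDenied(f"{self.user} is not authorized for role {role}")
        self.active_role = role

    def execute(self, transaction):
        # Rule 1 (role assignment): no role selected, no transaction.
        if self.active_role is None:
            raise AccessDenied(f"{self.user} has no active role")
        # Rule 2 again, in case the assignment was revoked after activation.
        if not self._authorized(self.active_role):
            raise AccessDenied(f"role {self.active_role} was revoked")
        # Rule 3 (transaction authorization), including inherited permissions.
        if transaction not in self.policy.permissions_of(self.active_role):
            raise AccessDenied(f"{self.active_role} may not {transaction}")
        return f"{self.user} executed {transaction} as {self.active_role}"


def is_allowed(policy, user, role, transaction):
    """True if `user`, acting in `role`, passes all three rules."""
    session = Session(policy, user)
    try:
        session.activate(role)
        session.execute(transaction)
        return True
    except AccessDenied:
        return False


def sample_policy():
    # Constructed sample data: accountant is a higher-level role than clerk.
    return Policy(
        role_permissions={
            "clerk": {"create_invoice"},
            "accountant": {"approve_invoice"},
            "auditor": {"read_ledger"},
        },
        user_roles={"alice": {"accountant"}, "bob": {"clerk"}},
        sub_roles={"accountant": {"clerk"}},
    )


if __name__ == "__main__":
    policy = sample_policy()
    print(is_allowed(policy, "alice", "accountant", "create_invoice"))  # inherited
    print(is_allowed(policy, "bob", "clerk", "approve_invoice"))
    policy.user_roles["bob"] = {"auditor"}  # department change: swap the role
    print(is_allowed(policy, "bob", "auditor", "read_ledger"))
```

Moving a user to another department is a single change to `user_roles`; no individual permission is ever edited.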

=**Microsoft Baseline Security Analyzer** (**MBSA**)= is a software tool released by [|Microsoft] to determine [|security] state by assessing missing security updates and less-secure security settings within Microsoft Windows, Windows components such as [|Internet Explorer] and the [|IIS] [|web server], and products such as [|Microsoft SQL Server], as well as [|Microsoft Office] macro settings. Security updates are determined by the current version of MBSA using the [|Windows Update Agent] present on Windows computers since Windows 2000 Service Pack 3. The less-secure settings, often called Vulnerability Assessment (VA) checks, are assessed based on a hard-coded set of registry and file checks. An example of a VA might be that permissions for one of the directories in the wwwroot folder of IIS could be set at too low a level, allowing unwanted modification of files from outsiders.

=**Wireshark**= is a [|free and open-source] [|packet analyzer]. It is used for [|network] troubleshooting, analysis, software and [|communications protocol] development, and education. Originally named **Ethereal**, in May 2006 the project was renamed Wireshark due to trademark issues. Wireshark is [|cross-platform], using the [|GTK+] [|widget toolkit] to implement its user interface, and using [|pcap] to capture packets; it runs on various [|Unix-like] [|operating systems] including [|Linux], [|Mac OS X], [|BSD], and [|Solaris], and on [|Microsoft Windows]. There is also a terminal-based (non-GUI) version called TShark. Wireshark, and the other programs distributed with it such as TShark, are [|free software], released under the terms of the [|GNU General Public License]. There is also a malicious rogue anti-spyware program called Wireshark Antivirus that reports false information. This is in no way related to the [|packet analyzer] program, Wireshark, and the two should not be confused.

=POLYMORPHISM= In [|computer science], **polymorphism** is a [|programming language] feature that allows values of different [|data types] to be handled using a uniform interface. The concept of parametric polymorphism applies to both data types and [|functions]. A function that can evaluate to or be applied to values of different types is known as a //polymorphic function.// A data type that can appear to be of a generalized type (e.g., a [|list] with elements of arbitrary type) is designated //polymorphic data type// like the generalized type from which such specializations are made. There are two fundamentally different kinds of polymorphism, originally informally described by [|Christopher Strachey] in 1967. If the function denotes different and potentially heterogeneous implementations depending on a limited range of individually specified types and combinations, it is called **ad-hoc polymorphism**. Ad-hoc polymorphism is supported in many languages using [|function] and [|method overloading]. If all code is written without mention of any specific type and thus can be used transparently with any number of new types, it is called **parametric polymorphism**. [|John C. Reynolds] (and later [|Jean-Yves Girard]) formally developed this notion of polymorphism as an extension to the lambda calculus (called the [|polymorphic lambda calculus], or [|System F]). Parametric polymorphism is widely supported in [|statically typed] [|functional programming languages]. In the object-oriented programming community, programming using parametric polymorphism is often called //[|generic programming]//.

=**Spyware**= is a type of [|malware] that can be installed on [|computers] and collects small pieces of information at a time about users without their knowledge. The presence of spyware is typically hidden from the user, and can be difficult to detect. Typically, spyware is secretly installed on the user's [|personal computer]. Sometimes, however, spyware such as [|keyloggers] is installed by the owner of a shared, corporate, or [|public computer] on purpose in order to secretly monitor other users. While the term //spyware// suggests software that secretly monitors the user's computing, the functions of spyware extend well beyond simple monitoring. Spyware programs can collect various types of [|personal information], such as Internet surfing habits and sites that have been visited, but can also interfere with user control of the computer in other ways, such as installing additional software and redirecting [|Web browser] activity. Spyware is known to change computer settings, resulting in slow connection speeds, different home pages, and/or loss of [|Internet] or functionality of other programs. In an attempt to increase the understanding of spyware, a more formal classification of its included software types is captured under the term [|privacy-invasive software].

Anti-spyware programs can combat spyware in two ways:
 * 1) They can provide real-time protection against the installation of spyware software on the computer. This type of spyware protection works the same way as that of anti-virus protection in that the anti-spyware software scans all incoming network data for spyware software and blocks any threats it comes across.
 * 2) Anti-spyware software programs can be used solely for detection and removal of spyware software that has already been installed onto the computer. This type of spyware protection is normally much easier to use and more popular. With this spyware protection software the user can schedule weekly, daily, or monthly scans of the computer to detect and remove any spyware software that has been installed on the computer. This type of anti-spyware software scans the contents of the Windows registry, operating system files, and installed programs on the computer and will provide a list of any threats found, allowing the user to choose what to delete and what to keep.

=A **proxy server**= is a [|server] (a computer system or an application program) that acts as an intermediary for requests from [|clients] seeking resources from other servers. A client connects to the proxy server, requesting some service, such as a file, connection, web page, or other resource, available from a different server. The proxy server evaluates the request according to its filtering rules. For example, it may filter traffic by [|IP address] or [|protocol]. If the request is validated by the filter, the proxy provides the resource by connecting to the relevant server and requesting the service on behalf of the client. A proxy server may optionally alter the client's request or the server's response, and sometimes it may serve the request without contacting the specified server. In this case, it '[|caches]' responses from the remote server, and answers subsequent requests for the same content directly. A proxy server has a large variety of potential purposes, including:
 * To keep machines behind it anonymous (mainly for [|security]).[1]
 * To speed up access to resources (using caching). Web proxies are commonly used to [|cache] web pages from a web server.[2]
 * To apply access policy to network services or content, e.g. to block undesired sites.
 * To log / audit usage, i.e. to provide company employee Internet usage reporting.
 * To bypass security / parental controls.
 * To scan transmitted content for malware before delivery.
 * To scan outbound content, e.g., for data leak protection.
 * To circumvent regional restrictions.

A proxy server that passes requests and replies unmodified is usually called a [|gateway] or sometimes //tunneling proxy//. A proxy server can be placed in the user's local computer or at various points between the user and the destination servers on the Internet. A [|reverse proxy] is (usually) an Internet-facing proxy used as a front-end to control and protect access to a server on a private network, commonly also performing tasks such as load-balancing, authentication, decryption or caching.