ADVANTAGES / DISADVANTAGES

Security Issues

Many current firewall designs rely on a combination of packet filtering and proxy technology (especially "transparent proxying" technology). Today, proxy systems can manage the operations each user is authorized to perform when surfing (for example, who is allowed to use which protocol), block unwanted surfers outside the local net from getting in, and keep a log file of users' operations. All of this is in addition to filtering on the basis of IP address.

However, the caching ability, which makes the Web run faster, has its security disadvantages. It could be bad for business advertising on Web sites. It might even violate copyright law.

Advertisers behind a site have a problem with caching proxy servers. They have no way of knowing the number of readers behind a hit (it could be one or a hundred thousand); they can't tell without looking at the log files of the proxies. Furthermore, every copyrighted document sitting in the proxy's cache is, in fact, an unauthorized copy.

The wrong solution would be to disable caching. That would hurt performance, resulting in fewer visitors to the advertisers' sites. A good solution would be to let a caching proxy keep a copy of a Web page if the proxy promises, in return, to tell the Web server the number of hits it got for that page over a reasonable time period. Undoubtedly, advertisers would prefer more specific information about the readers, but that's something to argue about.

Other problems arise when using the Internet Cache Protocol (ICP), a lightweight message format used for communication among Web proxy caches and implemented on top of UDP. ICP is used for object location, and can be used for cache selection. Because of its connectionless nature, it is vulnerable to some methods of attack. Checking the source IP address of an ICP message provides a certain degree of protection: ICP queries should be processed only if the querying address is allowed to access the cache, and ICP replies should be accepted only from known neighbors and otherwise ignored. Trusting the validity of the address at the IP level makes ICP susceptible to IP address spoofing, which has many problematic consequences (for example: inserting bogus ICP queries, or inserting bogus ICP replies, thereby preventing a certain neighbor from being used or forcing a certain neighbor to be used). In fact, only routers are able to detect spoofed addresses; hosts can't do it. Still, the IP Authentication Header can be used to provide cryptographic authentication for the IP packet that carries the ICP message.
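The source-address rule described above can be written as a small filter. This is an added example, not code from the original page: the function names, the allowed network and the neighbor address are constructed for illustration, and the header layout and opcode numbers follow the ICP version 2 specification (RFC 2186).

```python
import ipaddress
import struct

# ICP v2 fixed header: opcode, version, message length, request number,
# options, option data, sender host address = 20 bytes (RFC 2186).
ICP_HEADER = struct.Struct("!BBHIII4s")
OP_QUERY = 1
REPLY_OPS = {2, 3, 4, 21, 22, 23}  # HIT, MISS, ERR, MISS_NOFETCH, DENIED, HIT_OBJ

# Constructed policy: who may query this cache, and which neighbors are known.
ALLOWED_CLIENTS = [ipaddress.ip_network("192.0.2.0/24")]
NEIGHBORS = {ipaddress.ip_address("198.51.100.7")}

def classify_icp(datagram: bytes, udp_src: str) -> str:
    """Decide what to do with one ICP datagram received from udp_src."""
    if len(datagram) < ICP_HEADER.size:
        return "drop: short header"
    opcode, version, length = ICP_HEADER.unpack_from(datagram)[:3]
    if version != 2 or length != len(datagram):
        return "drop: malformed"
    # Use the address reported by the UDP socket, not the header's sender
    # field. This is still an IP-level check, so it does not stop spoofing.
    src = ipaddress.ip_address(udp_src)
    if opcode == OP_QUERY:
        if any(src in net for net in ALLOWED_CLIENTS):
            return "process query"
        return "drop: query from address not allowed to use cache"
    if opcode in REPLY_OPS:
        if src in NEIGHBORS:
            return "accept reply"
        return "drop: reply from unknown neighbor"
    return "drop: unsupported opcode"

def build_icp(opcode: int, reqnum: int, url: str) -> bytes:
    """Build a constructed ICP message used as sample input."""
    payload = url.encode() + b"\x00"
    if opcode == OP_QUERY:
        payload = b"\x00" * 4 + payload  # requester host address field
    size = ICP_HEADER.size + len(payload)
    return ICP_HEADER.pack(opcode, 2, size, reqnum, 0, 0, b"\x00" * 4) + payload

if __name__ == "__main__":
    query = build_icp(OP_QUERY, 1, "http://example.com/")
    miss = build_icp(3, 1, "http://example.com/")
    for pkt, src in [(query, "192.0.2.10"), (query, "203.0.113.5"),
                     (miss, "198.51.100.7"), (miss, "203.0.113.5")]:
        print(src, "->", classify_icp(pkt, src))
```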

Analysis

A very important issue is the quantitative assessment of the influence that different caching strategies have on the behavior of a proxy server with respect to values like latency, bandwidth consumption, and overall error rates. These values depend on things like document popularity, cache hit rates, and error rates. Trace-based simulations of the behavior of a WWW cache, run with different caching parameters, algorithms, and heuristics, produced some interesting results. A most important question is how often old objects were retrieved from a cache instead of the latest version from the original server. The stale rate gives a good indication of that.

The following graphs present some of the analyzed results obtained in a simulation that took place at the University of Kaiserslautern:

Note:

In the first four graphs:

In general, the caching method can cut down duplicate requests by up to 30%. However, in order to investigate the overall effects of different caching strategies on the network as a whole, a mathematical model should be used.