As far as I have understood it:
- An explicit proxy challenges the user/application within their session.
- NGFW (transparent proxy) and SSO/identity-based solutions just let everything pass that uses the current IP address of the user.
I agree the latter is flexible with regard to roaming users (VPN, Wi-Fi and whatnot), but IMHO it is similar to machine/IP-based authentication, i.e. a step back from actually challenging the individual application for access. (Note: if you use a captive portal, non-interactive apps will have a hard time authenticating.)
The transparent proxy would let all traffic from your machine go directly to the URL filter, including any potential malware, whereas in the explicit scenario the malware would need to obtain the user's credentials, parse the PAC file or otherwise determine the location of the proxy to use, etc. This might be considered security through obscurity, but still, more hurdles can't hurt…
Additionally, a transparent proxy would require recursive DNS access to the Internet, meaning DNS security would need to be implemented, whereas when using an explicit proxy the client needs no DNS access at all; the proxy itself performs the DNS request once URL filtering/categorization or any other mechanism has allowed access.
Somehow I fail to see where the transparent approach would provide more security than the explicit one.
The more modern approaches (NGFW/transparent) seem to rely more and more on blacklisting and heuristics, while we have learned that actual security only comes from denying everything we do not know, i.e. whitelisting. I agree that this is difficult in today's Internet though.
So which one is more secure, transparent or explicit, or does it only depend on one's individual definition of security/risk?
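The admission flow the post describes for an explicit proxy (the client hands the proxy the full URL or the CONNECT host, the proxy applies a default-deny allowlist, and only then resolves DNS) as an added Python example; this is not code from the original post, and the allowlist, hostnames and resolver table are constructed.

```python
"""Explicit forward-proxy admission check: policy first, DNS second."""
from urllib.parse import urlsplit

# Constructed allowlist: a listed domain and its subdomains pass, all else is denied.
ALLOWLIST = ("example.com", "intranet.corp")


def target_host(request_line):
    """Extract the destination host from an explicit-proxy request line.

    Explicit clients send either an absolute-form target
    ("GET http://host/path HTTP/1.1") or, for TLS, "CONNECT host:443 HTTP/1.1".
    The hostname is therefore visible to the proxy before any connection is
    made, and the client never has to resolve it itself.
    """
    parts = request_line.split()
    if len(parts) < 2:
        return ""
    method, target = parts[0], parts[1]
    if method.upper() == "CONNECT":
        host = target.rsplit(":", 1)[0]
    else:
        host = urlsplit(target).hostname or ""
    return host.lower().rstrip(".")  # normalise case and a trailing dot


def is_allowed(host, allowlist=ALLOWLIST):
    """Default-deny: only listed domains and their subdomains are permitted."""
    return any(host == d or host.endswith("." + d) for d in allowlist)


def admit(request_line, resolve, allowlist=ALLOWLIST):
    """Decide on a request; `resolve` is called only after policy has allowed it.

    Returns (decision, host, resolved_address_or_None).
    """
    host = target_host(request_line)
    if not host or not is_allowed(host, allowlist):
        return ("deny", host, None)  # denied names never reach DNS
    return ("allow", host, resolve(host))  # the proxy, not the client, resolves


class RecordingResolver:
    """Stand-in for socket.getaddrinfo that records which names were looked up."""

    def __init__(self, table):
        self.table, self.lookups = table, []

    def __call__(self, host):
        self.lookups.append(host)
        return self.table.get(host)
```

Contrast this with the transparent case, where the client has already resolved the name and the filter only sees the destination address (plus whatever Host/SNI it can extract) after the lookup has happened.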