Firewalls | Policies Based on Applications
Most early firewall work involved simply blocking unwanted or suspicious traffic at the network boundary. Inbound application proxies take a different approach—they let traffic destined for a particular server into the network (the proxy receives the requests intended for that server), but capture that traffic in a server that processes it much as a port-based firewall would before passing it on.
The application proxy approach provides an additional layer of security for incoming traffic by validating some of the traffic before it reaches the desired server.
The theory is that the inbound application proxy’s additional security layer can protect the server better than the server can protect itself—and can also remove malicious traffic before it reaches the server to help reduce server load.
In some cases, an application proxy can remove traffic that the server might not be able to remove on its own, because the proxy has greater filtering capabilities. An application proxy also prevents the server from having direct access to the outside network.
If possible, inbound application proxies should be used in front of any server that does not have sufficient security features to protect it from application-specific attacks. The main considerations when deciding whether or not to use an inbound application proxy are:
- Is a suitable application proxy available?
- Is the server already sufficiently protected by existing firewalls?
- Can the main server remove malicious content as effectively as the application proxy?
- Is the latency caused by the proxy acceptable for the application?
- How easy is it to update the filtering rules on the main server and the application proxy to handle newly developed threats?
Unless an application proxy is significantly more robust than the server and easy to keep updated, it is usually best to stay with the application server alone. However, it is also important to consider the server’s resources—if the server does not have sufficient resources to withstand attacks, the proxy could be used as a shield.
When an inbound application proxy is behind a firewall or in the firewall’s DMZ (Demilitarized Zone), the firewall should be blocking based on IP addresses, as described earlier in this section, to reduce the load on the application proxy.
Doing this puts more of the address-specific policy in a single place—the main firewall—and reduces the amount of traffic seen by the application proxy, freeing more power to filter content.
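To make the inbound-proxy idea concrete, here is an added illustration (not code from the original article): a minimal HTTP inspection policy that decides, from the raw request alone, whether to forward it to the real server or answer it locally with a 403. The allowed hostname, methods and limits are constructed values, and the backend is represented by a callable so the logic runs without a network.

```python
# Added illustration (not from the article): a minimal inbound application-proxy
# policy for HTTP. Requests that fail the checks are answered by the proxy and
# counted for alerting, so they never reach, or load, the backend server.
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class ProxyPolicy:
    allowed_methods: frozenset = frozenset({"GET", "HEAD", "POST"})
    allowed_hosts: frozenset = frozenset({"www.example.test"})  # constructed vhost
    max_body: int = 1 << 20
    rejected: dict = field(default_factory=dict)  # reason -> count, for alerting

def inspect_request(raw: bytes, policy: ProxyPolicy) -> tuple[bool, str]:
    """Decide (forward?, reason) from the raw request; never touches the backend."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "incomplete headers"
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        return False, "malformed request line"
    method, target = parts[0].decode("ascii", "replace"), parts[1]
    if method not in policy.allowed_methods:
        return False, f"method {method} not allowed"
    if not target.startswith(b"/") or b".." in target or b"\x00" in target:
        return False, "suspicious request target"
    headers = {}
    for line in lines[1:]:  # last-wins is fine for this illustration
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    host = headers.get(b"host", b"").decode("ascii", "replace").split(":")[0]
    if host not in policy.allowed_hosts:
        return False, f"host {host!r} not served here"
    try:
        body_len = int(headers.get(b"content-length", b"0"))
    except ValueError:
        return False, "bad Content-Length"
    if body_len > policy.max_body:
        return False, "body too large"
    return True, "ok"

def handle(raw: bytes, policy: ProxyPolicy, backend: Callable[[bytes], bytes]) -> bytes:
    """Forward only policy-clean requests; reject the rest here and count them."""
    ok, reason = inspect_request(raw, policy)
    if ok:
        return backend(raw)  # in a real proxy, a socket to the protected server
    policy.rejected[reason] = policy.rejected.get(reason, 0) + 1
    return b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"
```

The `rejected` counters are the hook for the "detect and alert" role the article describes; a real deployment would feed them to logging.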
Outbound application proxies provide controlled, auditable outbound access to both web and non-web applications and are useful for detecting systems that are making inappropriate or dangerous connections from inside the protected network. By far the most common type of outbound proxy is for HTTP (Hypertext Transfer Protocol). Outbound HTTP proxies allow an organization to filter dangerous content before it reaches the requesting PC.
When an HTTP proxy filters content, it can alert the Web user that the site being visited sent the filtered content. The most prominent non-security benefit of HTTP proxies is caching Web pages for increased speed and decreased bandwidth use. Most organizations should employ HTTP proxies.
12 Responses to “Firewalls | Policies Based on Applications”
Why use an application proxy?
Usually an application proxy server is used when the client and the server are incompatible for direct connection (the client can’t meet the security authentication requirements of the server but needs to permit some services).
What are the types provided by IPSEC Authentication Header?
1. Connectionless integrity
2. Data origin authentication
3. Replay protection (optional)
How can I patch Fedora Linux?
Entering yum update without any program name specified will update all programs on the system, including the kernel. Of course, you can update individual programs using yum as well, by specifying the program name.
What is SNORT?
Snort is an open source network IDS capable of performing real-time traffic analysis and packet logging on Internet Protocol (IP) networks.
What are PRGs?
Pseudo-Random-Number Generators (PRGs) are algorithms that, upon request, return a number spanning some range of values. Because they are software-based, delivery of the PRG to remote locations is easily accomplished by email, ftp, or other electronic distribution techniques.
What is Ipsweep?
It is a probing attack that is performed against all operating systems that use the Internet Control Message Protocol (ICMP) service, in which an attacker performs a surveillance sweep to determine which hosts are responding on a network.
interesting post
a very good article about Firewalls | Policies Based on Applications