Firewalls – Application Proxy Gateways

An application-proxy gateway is a feature of advanced firewalls that combines lower layer access control with upper layer functionality. These firewalls contain a proxy agent that acts as an intermediary between two hosts that wish to communicate with each other, and never allows a direct connection between the two hosts.

Each successful connection attempt actually results in the creation of two separate connections—one between the client and the proxy server, and another between the proxy server and the true destination.

The proxy is meant to be transparent to the two hosts, and from their perspectives there appears to be a direct connection. Because external hosts only communicate with the proxy agent, internal IP addresses are not made known to the outside world.

The proxy agent interfaces directly with the firewall ruleset to determine whether a given piece of network traffic should be allowed to transit the firewall. In addition to the ruleset, each proxy agent has the ability to require authentication of each individual network user. This user authentication can take many forms, including user ID and password, hardware or software token, source address, and biometrics.

Typical proxy agents

The proxy gateway operates at the application layer and can inspect the actual content of the traffic. Unlike stateful protocol analysis, which mainly verifies that traffic is consistent with protocol definitions, application-proxy gateways break down the data and more thoroughly examine packet content—distinguishing between normal traffic for a specific protocol and traffic that could contain exploits for known flaws.

These gateways also perform the TCP handshake with the source system and are able to protect against exploitations at each step of a communication. In addition, gateways can make decisions to permit or deny traffic based on information in the application protocol headers or payloads.

For instance, a gateway can determine if an email message contains a certain type of attachment that the organization does not permit (such as an executable file), or if instant messaging (IM) is being used over port 80 (typically used for HTTP).

Another feature of the gateway is that it can restrict specific actions from being performed (e.g., users could be prevented from using the FTP “put” command, which allows users to write files to the FTP server). It can also be used to allow or deny Web pages that contain particular types of active content, such as Java or ActiveX. Once the gateway determines that data should be permitted, it is forwarded to the destination host.
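As an added illustration (not code from the original post), the following sketch shows the decision logic an application-proxy agent applies to each client message before anything is relayed: it classifies the application protocol, refuses traffic that does not match the protocol expected on the destination port (the IM-over-port-80 case above), blocks the FTP “put” family of commands, and records the application-level command for the log. The port-to-protocol table, the command sets and `proxy_session` are hypothetical; `proxy_session` stands in for the real socket relay loop.

```python
"""Application-proxy agent decision logic (illustrative, hypothetical policy).
The proxy terminates the client's TCP connection, reads each application-layer
message, and only relays it to the real destination if policy permits."""
import re
from dataclasses import dataclass

HTTP_METHODS = {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "CONNECT"}
FTP_WRITE_COMMANDS = {"STOR", "APPE", "STOU"}   # the FTP "put" family
# Hypothetical policy: ports the proxy handles and the protocol each must carry.
EXPECTED_PROTOCOL = {80: "http", 21: "ftp"}

@dataclass
class Decision:
    allow: bool
    reason: str
    log: str      # application-specific command recorded in the proxy log

def classify(payload: bytes) -> str:
    """Guess the application protocol from the first line of a client message."""
    line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
    m = re.match(r"^([A-Z]+) (\S+) HTTP/1\.[01]$", line)
    if m and m.group(1) in HTTP_METHODS:
        return "http"
    if re.match(r"^[A-Z]{3,4}( \S.*)?$", line):   # FTP verb, optional argument
        return "ftp"
    return "unknown"

def inspect(payload: bytes, dest_port: int) -> Decision:
    """Per-message policy check, run before the message is forwarded."""
    first = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
    expected = EXPECTED_PROTOCOL.get(dest_port)
    if expected is None:
        return Decision(False, f"no proxy agent for port {dest_port}", first)
    proto = classify(payload)
    if proto != expected:
        # Valid TCP, wrong application: e.g. IM or a tunnel riding on port 80.
        return Decision(False, f"{proto} traffic on port {dest_port}, expected {expected}", first)
    if proto == "ftp" and first.split(" ", 1)[0] in FTP_WRITE_COMMANDS:
        return Decision(False, f"FTP {first.split(' ', 1)[0]} (put) not permitted", first)
    return Decision(True, "permitted by policy", first)

def proxy_session(client_messages, dest_port):
    """Simulated relay loop: every client message is inspected before it is
    forwarded; the first denial tears down both legs of the session."""
    forwarded, audit = [], []
    for msg in client_messages:
        d = inspect(msg, dest_port)
        audit.append(f"port={dest_port} cmd={d.log!r} allow={d.allow} ({d.reason})")
        if not d.allow:
            break
        forwarded.append(msg)
    return forwarded, audit
```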

Application-proxy gateways have numerous advantages over packet filters and stateful inspection. First, an application-proxy gateway offers a higher level of security because it prevents direct connections between two hosts and it inspects traffic content to identify policy violations.

Second, these gateways usually have more extensive logging capabilities because they can examine an entire packet rather than just network addresses and ports—for example, application-proxy gateway logs can record application-specific commands from within the network traffic.

Also, the user authentication capabilities inherent in application-proxy gateway architectures are superior. Another potential advantage is that some application-proxy gateways have the ability to decrypt packets (such as Secure Sockets Layer [SSL]-protected payloads), examine them, and re-encrypt them before sending them on to the proper destination host. Data that the gateway cannot decrypt is passed directly through to the application. Finally, application-proxy gateways are better able to detect address spoofing attacks.

The advanced functionality of firewalls with application-proxy gateways also has several disadvantages when compared to packet filtering and stateful inspection. First, because of the “full packet awareness” of application-proxy gateways, the firewall spends much more time reading and interpreting each packet. Because of this, some of these gateways are poorly suited to high-bandwidth or real-time applications—but application-proxy gateways rated for high bandwidth are available.

To reduce the load on the firewall, a dedicated proxy server can be used to secure less time-sensitive services such as email and most Web traffic. Another disadvantage is that application-proxy gateways tend to be limited in terms of support for new network applications and protocols—an individual, application-specific proxy agent is required for each type of network traffic that needs to transit a firewall.

Many application-proxy gateway firewall vendors provide generic proxy agents to support undefined network protocols or applications. Those generic agents tend to negate many of the strengths of the application-proxy gateway architecture because they simply allow traffic to “tunnel” through the firewall.



14 Responses to “Firewalls – Application Proxy Gateways”

  1. Arnold says:

    I need some good proxy sites for my firewall at work?

  2. Akesh says:

    You should work not trying to do something else. Bypassing your work's firewall can be considered circumventing corporate security and you can get fired.

    Also firewalls and network security devices can detect a proxy as soon as you connect to it and your IT department can easily catch you.

  3. Imy says:

    None of my current internet security suites works on Windows XP 64bit?

  4. admin says:

    Usually, for 64 bit you need to use a 64bit version of the security software.
    So use a 64bit version of the internet security suite or use the 32bit XP version.

  5. Luana says:

    What is PSTN?

  6. admin says:

    Public Switched Telephone Network (PSTN) is an important communication network.

  7. Hoff says:

    What is RIP in network communication?

  8. admin says:

    Routing Information Protocol (RIP) is the first routing protocol used in the TCP/IP-based network in an intradomain environment.

  9. Hoff says:

    What is EIGRP?

  10. admin says:

    Enhanced Interior Gateway Routing Protocol (EIGRP) is a routing protocol from Cisco. The Enhanced Interior Gateway Routing Protocol (EIGRP) packet is divided into two parts: an EIGRP header part, which is 20 bytes long, followed by various entities that are encoded using a variable-length TLV (Type-Length-Value) format.

  11. Hoff says:

    What is OSPF?

  12. admin says:

    OSPF is an instance of a link state protocol based on hop-by-hop communication of routing information, specifically designed for intradomain routing in an IP network.

  13. Alexia says:

    Why use packet classification?

  14. admin says:

    It can be used for:

    1. Providing preferential treatment for different types of traffic
    2. Flexibility in accounting and billing
    3. Managing customer expectations
    4. Preventing malicious attacks

  15. Ken says:

    interesting post

  16. P. Silva says:

    a very good article about Firewalls – Application Proxy Gateways

Copyright © 2008 Home Automation - JAEC - All the rights reserved