Proxy firewalls also provide comprehensive, protocol-aware security analysis for the protocols they support. This...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
allows them to make better security decisions than products that focus purely on packet header information. For example, a proxy firewall specifically programmed to support FTP, can monitor the actual FTP commands issued over the command channel and stop any prohibited activity. This allows protocol-aware logging, which makes it easier to identify attack methodologies and create a backup of the existing logs because the server is protected by the proxy.
The increased security offered by proxy firewalls does come at a price, however. The extra overhead incurred by setting up two connections for every conversation, combined with the time needed to validate requests at the application layer, adds up to a reduction in performance. You can spend money to beef up your proxy server, but it still may wind up being a bottleneck on a really high-bandwidth network. You may also find it difficult to properly install and configure the set of proxies necessary for your network, and it can be hard to get VPNs (virtual private networks) to work through a proxy firewall.
Also, while the latest proxy firewalls provide proxy agents for a large set of Internet protocols, if your network uses a protocol that your proxy firewall does not support, you will have to use either a generic proxy or develop a new proxy agent. With a generic proxy, you'll lose the protocol-aware analysis and logging functions and end up with only the basic security checks. It is important to note that the industry is moving away from proxy firewalls, mainly because of performance and compatibility issues. The industry seems to favor deep-packet inspection firewalls, which tend to be more flexible and are capable of handling higher speed networks. However, before you consider the switch, know that, while deep packet inspection works at the application layer like the proxy agent, there is still a direct connection made between computer systems. As aforementioned, direct connections make it easier for attackers to perform operating system and application fingerprinting to determine the types of exploits to use against the client system.
Dig Deeper on Network device security: Appliances, firewalls and switches
Related Q&A from Michael Cobb
A flaw in the open source graphics library libpng enabling denial-of-service attacks was discovered. Expert Michael Cobb explains how the ...continue reading
Flaws in the Apple Notify function and iTunes can enable attackers to inject malicious script into the application side. Expert Michael Cobb explains...continue reading
Facebook's Delegated Recovery aims to replace knowledge-based authentication with third-party account verification. Expert Michael Cobb explains how ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.