The pros and cons of proxy firewalls

BROWSE BY TAG Application Security,   Network Security: Tools, Products, Software,   Network Firewalls, Routers and Switches,   Enterprise Network Security,   VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Application Security How to secure a .pdf file How do hackers bypass a code signing procedure to inject malware Do Facebook URL security concerns justify blocking social networks? What are Google Chrome's security features? Is there a way to block iPhone widgets that bypass Web filters? Should enterprises be concerned with Twitter in the workplace? Are there still Google Desktop security problems? Can an IP spoofing tool be used to spam SPF servers? Will an application usage policy best control network bandwidth? How can URL-shortening services be manipulated? Network Firewalls, Routers and Switches How to prepare for a secure network hardware upgrade Best Network Firewall Products What is the difference between static and dynamic network validation? Screencast: Smoothwall offers firewall defense in lean times New Cisco IOS bugs pose tempting targets, says Black Hat researcher How to implement virtual firewalls in a complex network infrastructure How to manage network bandwidth with distributed ISP bandwidth Firewall rule management best practices Should enterprises be running multiple firewalls? What are the disadvantages of proxy-based firewalls?

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary bastion host  (SearchSecurity.com) firewall  (SearchSecurity.com) Firewall Builder  (SearchSecurity.com) screened subnet  (SearchSecurity.com) virus  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

In short, proxy firewalls offer more security than other types of firewalls, but this is at the expense of speed and functionality, as they can limit which applications your network can support. So, why are they more secure? Unlike stateful firewalls, which allow or block network packets from passing to and from a protected network, traffic does not flow through a proxy. Instead, computers establish a connection to the proxy, which serves as an intermediary, and initiates a new network connection on behalf of the request. This prevents direct connections between systems on either side of the firewall and makes it harder for an attacker to discover where the network is, because they will never receive packets created directly by their target system.

Proxy firewalls also provide comprehensive, protocol-aware security analysis for the protocols they support. This allows them to make better security decisions than products that focus purely on packet header information. For example, a proxy firewall specifically programmed to support FTP, can monitor the actual FTP commands issued over the command channel and stop any prohibited activity. This allows protocol-aware logging, which makes it easier to identify attack methodologies and create a backup of the existing logs because the server is protected by the proxy.

The increased security offered by proxy firewalls does come at a price, however. The extra overhead incurred by setting up two connections for every conversation, combined with the time needed to validate requests at the application layer, adds up to a reduction in performance. You can spend money to beef up your proxy server, but it still may wind up being a bottleneck on a really high-bandwidth network. You may also find it difficult to properly install and configure the set of proxies necessary for your network, and it can be hard to get VPNs (virtual private networks) to work through a proxy firewall.

Also, while the latest proxy firewalls provide proxy agents for a large set of Internet protocols, if your network uses a protocol that your proxy firewall does not support, you will have to use either a generic proxy or develop a new proxy agent. With a generic proxy, you'll lose the protocol-aware analysis and logging functions and end up with only the basic security checks. It is important to note that the industry is moving away from proxy firewalls, mainly because of performance and compatibility issues. The industry seems to favor deep-packet inspection firewalls, which tend to be more flexible and are capable of handling higher speed networks. However, before you consider the switch, know that, while deep packet inspection works at the application layer like the proxy agent, there is still a direct connection made between computer systems. As aforementioned, direct connections make it easier for attackers to perform operating system and application fingerprinting to determine the types of exploits to use against the client system.

More Information