A proxy firewall is a network security system that protects network resources by filtering messages at the application layer. A proxy firewall may also be called an application firewall or gateway firewall.
Just like a proxy server or cache server, a proxy firewall acts as an intermediary between in-house clients and servers on the Internet. The difference is that in addition to intercepting Internet requests and responses, a proxy firewall also monitors incoming traffic for layer 7 protocols, such as HTTP and FTP. In addition to determining which traffic is allowed and which is denied, a proxy firewall uses stateful inspection technology and deep packet inspection to analyze incoming traffic for signs of attack.
Proxy firewalls are considered to be the most secure type of firewall because they prevent direct network contact with other systems. (Because a proxy firewall has its own IP address, an outside network connection will never receive packets from the sending network directly.) Having the ability to examine the entire network packet, rather than just the network address and port number, also means that a proxy firewall will have extensive logging capabilities -- a valuable resource for security administrators who are dealing with security incidents. According to Marcus Ranum, who is credited with conceiving the idea of a proxy firewall, the goal of the proxy approach is to create a single point that allows a security-conscious programmer to assess threat levels represented by application protocols and put error detection, attack detection and validity checking in place.
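The validity checking and logging described above can be illustrated with an added example, which is not code from the original article or from any firewall product. It checks the head of an HTTP/1.x request the way an application-layer proxy would before opening its own connection to the destination, and returns the log record for the decision; the function names, the method allowlist and the size limit are assumptions made for the illustration.

```python
import json

ALLOWED_METHODS = {"GET", "HEAD", "POST"}  # assumed policy, not from the page
MAX_HEADER_BYTES = 8192                     # assumed size limit

def check_head(raw: bytes):
    """Return (reason, method, target); reason is None when the request is valid."""
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        return "incomplete header block", None, None
    if len(head) > MAX_HEADER_BYTES:
        return "header block too large", None, None
    try:
        lines = head.decode("ascii").split("\r\n")
        method, target, version = lines[0].split(" ")
    except (UnicodeDecodeError, ValueError):
        return "malformed request line", None, None
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        return "unsupported protocol version", method, target
    if method not in ALLOWED_METHODS:
        return "method not allowed", method, target
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name or name != name.strip():
            return "malformed header line", method, target
        key = name.lower()
        if key in headers and key in ("host", "content-length"):
            return f"duplicate {key} header", method, target
        headers[key] = value.strip()
    if "content-length" in headers and "transfer-encoding" in headers:
        return "ambiguous message framing", method, target
    if version == "HTTP/1.1" and "host" not in headers:
        return "missing host header", method, target
    return None, method, target

def inspect_request(raw: bytes, client_ip: str) -> dict:
    """Build the log record a proxy would write before connecting upstream."""
    reason, method, target = check_head(raw)
    return {"client": client_ip, "method": method, "target": target,
            "action": "deny" if reason else "allow", "reason": reason}

# Constructed sample requests (192.0.2.x is a documentation address range).
GOOD = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
BAD = (b"POST /upload HTTP/1.1\r\nHost: example.com\r\n"
       b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n")

if __name__ == "__main__":
    for raw in (GOOD, BAD):
        print(json.dumps(inspect_request(raw, "192.0.2.10")))
```

Because the proxy rebuilds the request on its own outbound connection, a request that fails any of these checks never reaches the internal server, and the record shows why it was dropped.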
The added security offered by a proxy firewall has its drawbacks, however. Because a proxy firewall establishes an additional connection for each outgoing and incoming packet, the firewall can become a bottleneck, causing a degradation of performance or becoming a single point of failure. Additionally, proxy firewalls may only support certain popular network protocols, thereby limiting which applications the network can support.