
Application Proxy

In the document DUMmIES Firewalls (Page 82-85)

Besides stateful packet filtering and NAT, another function of a good firewall is the application proxy service, sometimes called application gateway.

Consider an application proxy as an elaborate version of a packet filter.

Whereas a packet filter is capable of inspecting data only in the lower levels of an IP packet, such as the IP address or port number, an application proxy is capable of inspecting the entire application data portion of an IP packet.

An example is an FTP application proxy that can scan FTP packets for certain file names and block the requests if needed.

An application proxy plays the role of a liaison officer. The internal network computer sends a particular Internet request to the firewall. The application proxy on the firewall picks up the request, inspects the entire packet against rules configured by the firewall administrator, and then regenerates the entire Internet request before sending it to the destination server on the Internet. To the destination server, the firewall appears to have sent the request. The returned result is again inspected, and if the rules allow the result to pass, the firewall builds a response packet and sends it to the internal network computer.

The following are two important distinctions between packet filters and application proxies:

A packet filter inspects only the packet header, whereas an application proxy can scan the entire application data in the packet.

A packet filter passes an allowed packet. The same packet travels from the internal computer to the server on the Internet. An application proxy regenerates an allowed packet. A new packet is built and sent from the firewall to the server on the Internet. A similar strategy is used on the return packet.

The application proxy maintains two separate connections. One connection is between the application proxy and the internal computer, and the other connection is between the application proxy and the Internet server.

An application proxy service on a firewall offers several advantages:

The application proxy can inspect the entire application portion of the IP packet. This inspection happens both when the Internet request is sent and when the reply packet from the Internet server is returned.

Because the application proxy understands the application protocol, it can create a much more detailed log file of what is sent through the firewall. Packet filter log files know only about the IP packet header information.

The internal computer and the server on the Internet never have a real connection. Instead, the firewall regenerates every packet that is sent between the two. This means that problems or attacks associated with buffer overflows or illegal conditions in the packets never reach the internal computer.

An application proxy actively sends newly created packets on behalf of the original sender. It doesn’t route packets between the network interfaces. If the application proxy or firewall were to crash, the communication connection would cease to exist. With just a packet filter approach, a crash of the firewall may result in any packets being allowed to route through.

An application proxy can inspect network traffic that uses multiple connections. Packet filters don’t recognize that separate connections to the same application belong together.

Because the application proxy looks at the entire application data, it can store return results, such as content of Web pages, in a cache. Subsequent requests for the same information can be fulfilled from the cache instead of having to fetch the same content repeatedly. Although many people associate a proxy with this caching function, it is a secondary function from a security standpoint.
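The mechanism described above (two separate connections, a request rebuilt from parsed fields rather than the client's own packet forwarded, inspection of the returned result, and the application-level log with more detail than a packet filter can produce) in a minimal FTP control-channel proxy. This is an added example, not code from the book: the allowed-verb list, the blocked file-name patterns, the simulated server and the client session are constructed for illustration, and the two network sockets a real firewall would hold are replaced by a list of client lines and a callable so that it runs offline.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed policy for this example (hypothetical): the FTP verbs the proxy
# understands and will regenerate, and file names it refuses to transfer.
ALLOWED_VERBS = {"USER", "PASS", "PWD", "CWD", "TYPE", "PASV", "PORT",
                 "LIST", "RETR", "STOR", "QUIT"}
BLOCKED_FILE_PATTERNS = [re.compile(r"\.exe$", re.I), re.compile(r"passwd", re.I)]
MAX_REPLY_TEXT = 128  # longer reply text is cut before it reaches the internal client

FTP_COMMAND = re.compile(r"^([A-Za-z]{3,4})(?: (.*))?\r?\n?$")
FTP_REPLY = re.compile(r"^(\d{3})(?:[ -](.*))?\r?\n?$")


@dataclass
class Decision:
    allowed: bool
    regenerated: str  # the command the proxy itself sends; never the client's raw bytes
    reason: str


def inspect_command(raw: str) -> Decision:
    """Parse one client command at the application layer and decide on it."""
    m = FTP_COMMAND.match(raw)
    if not m:
        return Decision(False, "", "malformed command")
    verb, arg = m.group(1).upper(), (m.group(2) or "").strip()
    if verb not in ALLOWED_VERBS:
        return Decision(False, "", f"verb {verb} not permitted")
    if verb in ("RETR", "STOR") and any(p.search(arg) for p in BLOCKED_FILE_PATTERNS):
        return Decision(False, "", f"file name {arg!r} matches a blocked pattern")
    # Rebuild a canonical command from the parsed fields: upper-case verb, one space, CRLF.
    return Decision(True, f"{verb} {arg}\r\n" if arg else f"{verb}\r\n", "ok")


def regenerate_reply(raw: str) -> str:
    """Rebuild the server's reply; a malformed or oversized reply is replaced, not relayed."""
    m = FTP_REPLY.match(raw)
    if not m:
        return "421 Proxy: invalid reply from server.\r\n"
    code, text = m.group(1), (m.group(2) or "").strip()[:MAX_REPLY_TEXT]
    return f"{code} {text}\r\n"


def log_line(decision: Decision, raw: str, reply: str = "") -> str:
    """Application-level log entry; the password is redacted before it is written."""
    shown = raw.strip()
    if shown.upper().startswith("PASS"):
        shown = "PASS ****"
    if decision.allowed:
        return f"ALLOW cmd={shown!r} reply={reply.strip()!r}"
    return f"DENY cmd={shown!r} reason={decision.reason}"


def proxy_session(client_lines: List[str],
                  server_send: Callable[[str], str]) -> Tuple[List[str], List[str]]:
    """Relay one control session. `client_lines` arrive on the internal-side connection;
    `server_send` stands for the proxy's own, separate connection to the Internet server
    (a callable here; in a real firewall a socket the proxy opened itself)."""
    to_client, log = [], []
    for raw in client_lines:
        d = inspect_command(raw)
        if not d.allowed:
            to_client.append("550 Request denied by proxy policy.\r\n")
            log.append(log_line(d, raw))
            continue
        reply = server_send(d.regenerated)         # only the regenerated command leaves the firewall
        to_client.append(regenerate_reply(reply))  # only a rebuilt reply enters the internal network
        log.append(log_line(d, raw, to_client[-1]))
    return to_client, log


def fake_ftp_server(cmd: str) -> str:
    """Constructed stand-in for the Internet server; LIST answers with a malformed reply."""
    replies = {
        "USER": "331 Password required.\r\n",
        "PASS": "230 Logged in.\r\n",
        "RETR": "150 Opening data connection.\r\n",
        "QUIT": "221 Goodbye.\r\n",
        "LIST": "A" * 4096 + "\r\n",  # no reply code and oversized: an illegal condition
    }
    return replies.get(cmd.split()[0], "502 Command not implemented.\r\n")


SAMPLE_CLIENT_SESSION = [  # constructed client input
    "USER alice\r\n",
    "pass   s3cret\r\n",   # sloppy casing and spacing: regenerated canonically
    "RETR report.pdf\r\n",
    "RETR tool.exe\r\n",   # blocked by the file-name rule
    "XCUP\r\n",            # verb the proxy does not understand
    "LIST\r\n",            # server answers with garbage; the client never sees it
    "QUIT\r\n",
]


def run_demo() -> Tuple[List[str], List[str]]:
    return proxy_session(SAMPLE_CLIENT_SESSION, fake_ftp_server)


if __name__ == "__main__":
    replies, log = run_demo()
    print("\n".join(log))
    print("\n".join("to client: " + r.strip() for r in replies))
```

Two details are worth noticing when running it: the client's bytes are never copied to the server side (the command the server receives is always rebuilt from the parsed verb and argument), and the garbage the simulated server returns for LIST is replaced by a clean reply of the proxy's own, which is exactly why illegal conditions in packets do not reach the internal computer. The log redacts the password; an application-level log is only an advantage if it does not become a credential store.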

Unfortunately, application proxies have some distinct disadvantages, as well:

Proxy per application: The application proxy service needs to understand the application protocol used. This means that the firewall should have a specific application proxy for every network application. Most firewalls support a proxy for common applications, such as FTP and HTTP, but for other network applications, you may not find a suitable application proxy. In that situation, you can’t use the application proxy function for these network applications.

Required proxy configuration: For some application proxies, the internal network computer may need to be aware that it is actually connecting to the application proxy instead of directly connecting to the server on the Internet. Internal network computers that want to use these application proxies require a configuration change. This is called a classic application proxy by RFC 1919. If a computer on the internal network can use the firewall application proxy without doing any special configuration, RFC 1919 calls this a transparent application proxy.
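What the classic/transparent distinction means on the proxy side, using HTTP as the protocol. A client configured for a classic proxy names the destination inside the application request (an absolute URL in the request line), so the proxy can parse it from the application data alone. A client behind a transparent proxy believes it is talking to the server, sends only the path, and the proxy must recover the destination elsewhere: from the Host header for HTTP, or, for any TCP protocol, from the kernel's record of where the redirected connection was originally headed. This is an added example and not code from the book or from RFC 1919; the Linux-only `SO_ORIGINAL_DST` option is an assumption about the deployment platform, and the two requests are constructed.

```python
import re
import socket
import struct
from typing import Optional, Tuple

# Linux/netfilter option for reading a redirected connection's original destination.
# Python's socket module does not define it; the value comes from <linux/netfilter_ipv4.h>.
# Assumption: Linux only; the firewall rule that steers traffic to the proxy is out of scope.
SO_ORIGINAL_DST = 80

# Classic proxy: absolute-form request target, because the client was configured to use a proxy.
ABSOLUTE_FORM = re.compile(r"^[A-Z]+ http://([^/:\s]+)(?::(\d+))?(/\S*)? HTTP/1\.[01]$")
# Transparent proxy: the client believes it reached the server, so the target is origin-form.
ORIGIN_FORM = re.compile(r"^[A-Z]+ (/\S*) HTTP/1\.[01]$")


def classic_target(request_line: str) -> Optional[Tuple[str, int, str]]:
    """Destination as named by a proxy-aware client: (host, port, path)."""
    m = ABSOLUTE_FORM.match(request_line)
    if not m:
        return None
    return m.group(1), int(m.group(2) or 80), m.group(3) or "/"


def host_header_target(request: str) -> Optional[Tuple[str, int]]:
    """HTTP-specific recovery of the destination from the Host header."""
    for line in request.split("\r\n")[1:]:
        if line.lower().startswith("host:"):
            host, _, port = line.split(":", 1)[1].strip().partition(":")
            return host, int(port or 80)
    return None


def original_destination(conn: socket.socket) -> Tuple[str, int]:
    """Protocol-independent recovery: ask the kernel where the connection was headed.
    sockaddr_in layout: family (2 bytes), port (2, network order), IPv4 address (4), padding (8)."""
    raw = conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16)
    port, addr = struct.unpack("!2xH4s8x", raw)
    return socket.inet_ntoa(addr), port


def resolve_destination(request: str,
                        conn: Optional[socket.socket] = None) -> Tuple[str, str, int, str]:
    """Return (mode, host, port, path) for the request the proxy will regenerate."""
    first = request.split("\r\n", 1)[0]
    classic = classic_target(first)
    if classic:
        return ("classic",) + classic
    m = ORIGIN_FORM.match(first)
    if not m:
        raise ValueError("unparseable request line")
    target = host_header_target(request)
    if target is None and conn is not None:
        target = original_destination(conn)
    if target is None:
        raise ValueError("transparent request without Host header and no socket to query")
    return ("transparent", target[0], target[1], m.group(1))


if __name__ == "__main__":
    # Constructed requests: the same page fetched through a classic and a transparent proxy.
    print(resolve_destination("GET http://www.example.com:8080/docs/ HTTP/1.1\r\n"
                              "Host: www.example.com:8080\r\n\r\n"))
    print(resolve_destination("GET /docs/ HTTP/1.1\r\nHost: www.example.com\r\n\r\n"))
```

The practical consequence is the one the text describes: a classic proxy only needs the application protocol, which is why it works for any protocol that can carry a destination in its requests, while a transparent proxy additionally depends on the network layer (a redirect rule and a way to query the original destination) so that internal computers need no configuration change.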

Because application proxies are application-specific, firewall software usually lets you configure individual settings per application proxy supported by the firewall.

Doorman Sam, still on guard at Legal Inc., can be a proxy as well. In the evening, when the legal team is working late, they call down to the front desk and have Sam order pizzas on their behalf. When a pizza delivery guy from Proksie Pizza arrives at the front desk with a stack of pizzas a little later, Sam checks to see if the delivered pizzas match the order. The pizza place never knew who exactly ordered the pizzas; as far as they are concerned, they just received an order from Legal Inc. Doorman Sam takes the pizzas and has somebody else deliver them to the legal team on the fourth floor. We’re not sure whether the legal team would really appreciate it if Sam tried to implement some sort of caching when they order pizzas the next day as well.
