PROS & CONS of Proxy Firewall


Advantages of Proxy Firewall

Proxy firewalls provide comprehensive, protocol-aware security analysis for the protocols they support. By working at the application layer, they are able to make better security decisions than products that focus purely on packet header information.

The topology of the internal protected network is hidden by proxy firewalls. Internal IP addresses are shielded from the external world because proxy services do not allow direct communications between external servers and internal computers. Although this can also be accomplished using Network Address Translation techniques, it occurs by default with proxy firewalls.


Network discovery is made substantially more difficult because attackers do not receive packets created directly by their target systems. Attackers can often develop detailed information about the types of hosts and services located on a network by observing packet header information from the hosts. How different systems set fields such as the Time to Live (TTL) field, window size, and TCP options can help an attacker determine which operating system is running on a server.


This technique, known as fingerprinting, is used by an attacker to determine what kinds of exploits to use against the client system. Proxies can prevent much of this activity because the attacking system does not receive any packets directly created by the server.

Robust, protocol-aware logging is possible in proxy firewalls. This can make it significantly easier to identify the methods of an attack. It also provides a valuable backup of the logs that exist on the servers being protected by the proxy.
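The application-layer decision, the protocol-aware log record and the re-originated second connection described above, as an added example that is not part of the original slides. The HTTP method policy, the backend address and the function names are assumptions made for illustration.

```python
ALLOWED_METHODS = {"GET", "HEAD"}      # assumed policy for this example
INTERNAL_BACKEND = "10.0.5.20:8080"    # constructed internal server address


def parse_request(raw: bytes):
    """Parse an HTTP/1.x request head; raise ValueError if it is malformed."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    if any(ord(c) < 0x20 or ord(c) == 0x7f for c in "".join(lines)):
        raise ValueError("control character in request head")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name or name != name.strip():
            raise ValueError("malformed header line")
        headers[name.lower()] = value.strip()
    return parts[0], parts[1], headers


def proxy_decision(client_ip: str, raw: bytes):
    """Return (bytes to send upstream or None, log record) for one request."""
    record = {"client": client_ip, "action": "deny"}
    try:
        method, target, headers = parse_request(raw)
    except ValueError as exc:
        record["reason"] = str(exc)
        return None, record
    record.update(method=method, target=target, host=headers.get("host"))
    if method not in ALLOWED_METHODS:
        record["reason"] = "method not allowed"
        return None, record
    if not target.startswith("/") or "host" not in headers:
        record["reason"] = "bad target or missing Host header"
        return None, record
    # Second connection: the proxy writes a fresh request of its own, so the
    # backend never sees the client's packets and the client never sees its.
    upstream = (f"{method} {target} HTTP/1.1\r\nHost: {INTERNAL_BACKEND}\r\n"
                "Connection: close\r\n\r\n").encode("latin-1")
    record["action"] = "allow"
    return upstream, record


if __name__ == "__main__":
    for req in (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
                b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"):
        print(proxy_decision("203.0.113.9", req)[1])
```

Every denied request still produces a record with the parsed method and target where available, which is the protocol-aware log a packet filter cannot provide.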


Disadvantages Of Proxy Firewall

Proxy firewalls are not compatible with all network protocols. A new proxy agent must be developed for each new application or protocol to pass through the firewall.

A reduction of performance occurs due to the additional processing requests required for application services. The extra overhead implied by setting up two connections for every conversation, combined with the time needed to validate requests at the application layer, adds up to slower performance. In some cases, this can be balanced by choosing higher-end servers to run your proxy. However, for some extremely high-bandwidth networks, a proxy firewall may become a performance bottleneck.


• Virtual Private Networks (VPNs) may not function through a proxy firewall. VPN packet authentication will fail if the IP address of the sender is modified during the transmission. Although this is normally thought of as an issue with Network Address Translation, the same issue occurs with proxy firewalls. Of course, if the VPN endpoint is the firewall, this will not be a problem.

• The configuration of proxy firewalls can be more difficult than other firewall technologies. Especially when using older proxies, it can be difficult to properly install and configure the set of proxies necessary for your network.
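The VPN failure described in the first bullet, as an added example that is not part of the original slides: a simplified model of an integrity check that covers the IP addresses, as the IPsec Authentication Header does. The key, the addresses and the packet layout are constructed for illustration and are not the real wire format.

```python
import hashlib
import hmac
import ipaddress

KEY = b"constructed-demo-key"   # stands in for the key both VPN endpoints share


def icv(src, dst, payload, cover_addresses):
    """Integrity check value over the payload and, optionally, the IP addresses."""
    data = payload
    if cover_addresses:
        addrs = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
        data = addrs + payload
    return hmac.new(KEY, data, hashlib.sha256).digest()


def send(src, dst, payload, cover_addresses=True):
    """Sender side: attach the ICV computed with the shared key."""
    return {"src": src, "dst": dst, "payload": payload,
            "icv": icv(src, dst, payload, cover_addresses)}


def rewrite_source(packet, new_src):
    """A NAT device or proxy in the path: it changes the sender address but
    has no key, so it cannot recompute the ICV."""
    return {**packet, "src": new_src}


def verify(packet, cover_addresses=True):
    """Receiver side: recompute the ICV from what actually arrived."""
    expected = icv(packet["src"], packet["dst"], packet["payload"], cover_addresses)
    return hmac.compare_digest(expected, packet["icv"])


def demo():
    inside, firewall, peer = "10.0.5.20", "203.0.113.1", "198.51.100.7"  # constructed
    direct = send(inside, peer, b"hello")
    return {
        "untouched": verify(direct),
        "source rewritten in transit": verify(rewrite_source(direct, firewall)),
        "firewall is the VPN endpoint": verify(send(firewall, peer, b"hello")),
        "addresses not covered, source rewritten": verify(
            rewrite_source(send(inside, peer, b"hello", False), firewall), False),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

The last case shows why the problem depends on what the authentication covers: a check computed over the payload alone survives the address rewrite.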


Note

It is also worth noting that the number of proxy firewall products on the market is decreasing.

The commercial firewall industry is moving away from proxy firewalls, due mainly to performance and compatibility concerns. Many of these vendors are dropping their proxy product lines in exchange for stateful products that make use of Deep Packet Inspection techniques.

Deep Packet Inspection allows security tests at the application layer. However, unlike proxies, it allows direct connections to occur between computer systems.

Deep Packet Inspection firewalls tend to be more flexible than proxies and they can be designed to handle very high-speed networks.