Upload
tyler-cole
View
214
Download
0
Embed Size (px)
Citation preview
PROS & CONS of Proxy Firewall
Advantages of Proxy Firewall
Proxy firewalls provide comprehensive, protocol-aware security analysis for
the protocols they support. By working at the application layer, they are
able to make better security decisions than products that focus purely on
packet header information.
The topology of the internal protected network is hidden by proxy firewalls.
Internal IP addresses are shielded from the external world because proxy
services do not allow direct communications between external servers and
internal computers. Although this can also be accomplished using Network
Address Translation techniques, it occurs by default with proxy firewalls.
Advantages of Proxy Firewall
Network discovery is made substantially more difficult because attackers
do not receive packets created directly by their target systems.
Attackers can often develop detailed information about the types of hosts
and services located on a network by observing packet header information
from the hosts.
How different systems set fields such as the Time to Live (TTL) field,
window size, and TCP options can help an attacker determine which
operating system is running on a server.
Advantages of Proxy Firewall
This technique, known as fingerprinting, is used by an attacker to
determine what kinds of exploits to use against the client system.
Proxies can prevent much of this activity because the attacking system
does not receive any packets directly created by the server.
Robust, protocol-aware logging is possible in proxy firewalls. This can
make it significantly easier to identify the methods of an attack.
It also provides a valuable backup of the logs that exist on the servers
being protected by the proxy.
Disadvantages Of Proxy Firewall Proxy firewalls are not compatible with all network protocols. A new proxy
agent must be developed for each new application or protocol to pass
through the firewall.
A reduction of performance occurs due to the additional processing
requests required for application services. The extra overhead implied by
setting up two connections for every conversation, combined with the
time needed to validate requests at the application layer, adds up to
slower performance. In some cases, this can be balanced by choosing
higher-end servers to run your proxy. However, for some extremely high-
bandwidth networks, a proxy firewall may become a performance
bottleneck.
Disadvantages Of Proxy Firewall
• Virtual Private Networks (VPNs) may not function through a proxy firewall.
VPN packet authentication will fail if the IP address of the sender is modified
during the transmission. Although this is normally thought of as an issue
with Network Address Translation, the same issue occurs with proxy
firewalls. Of course, if the VPN endpoint is the firewall, this will not be a
problem.
• The configuration of proxy firewalls can be more difficult than other firewall
technologies. Especially when using older proxies, it can be difficult to
properly install and configure the set of proxies necessary for your network.
Note
It is also worth noting that the number of proxy firewall products on the market is
decreasing.
The commercial firewall industry is moving away from proxy firewalls, due mainly to
performance and compatibility concerns. Many of these vendors are dropping their
proxy product lines in exchange for stateful products that make use of Deep Packet
Inspection techniques.
Deep Packet Inspection allows security tests at the application layer. However, unlike
proxies, it allows direct connections to occur between computer systems.
Deep Packet Inspection firewalls tend to be more flexible than proxies and they can be
designed to handle very high-speed networks.