Pros and Cons of Proxy Firewalls
Proxy firewalls represent a balance between security and functionality. On the one side, well-written proxies offer security benefits that are significantly better than many other types of firewall technologies. However, they are often slower than other products, and they can limit what applications your network can support. In this section, we will itemize the advantages and disadvantages you should consider when choosing to use a proxy.
Advantages of Proxy Firewalls
Proxy firewalls have several advantages over other types of firewalls:
Proxy firewalls provide comprehensive, protocol-aware security analysis for the protocols they support. By working at the application layer, they are able to make better security decisions than products that focus purely on packet header information.
The topology of the internal protected network is hidden by proxy firewalls. Internal IP addresses are shielded from the external world because proxy services do not allow direct communications between external servers and internal computers. Although this can also be accomplished using Network Address Translation techniques, it occurs by default with proxy firewalls.
Network discovery is made substantially more difficult because attackers do not receive packets created directly by their target systems. Attackers can often develop detailed information about the types of hosts and services located on a network by observing packet header information from the hosts. How different systems set fields such as the Time to Live (TTL) field, window size, and TCP options can help an attacker determine which operating system is running on a server. This technique, known as fingerprinting, is used by an attacker to determine what kinds of exploits to use against the client system. Proxies can prevent much of this activity because the attacking system does not receive any packets directly created by the server.
Robust, protocol-aware logging is possible in proxy firewalls. This can make it significantly easier to identify the methods of an attack. It also provides a valuable backup of the logs that exist on the servers being protected by the proxy.
Disadvantages of Proxy Firewalls
Although proxy firewalls can provide increased security over packet-filtering firewalls, they do have their disadvantages. Here are some of the issues you should consider prior to fielding a proxy firewall:
Proxy firewalls are not compatible with all network protocols. A new proxy agent must be developed for each new application or protocol to pass through the firewall. If the proxy product you choose does not provide support for a needed protocol, you may have to settle for a generic proxy. In some cases, even generic proxies may not work if the protocol is nonstandard.
A reduction of performance occurs due to the additional processing requests required for application services. There is no such thing as a free lunch. The extra overhead implied by setting up two connections for every conversation, combined with the time needed to validate requests at the application layer, adds up to slower performance. In some cases, this can be balanced by choosing higher-end servers to run your proxy. However, for some extremely high-bandwidth networks, a proxy firewall may become a performance bottleneck.
Virtual Private Networks (VPNs) may not function through a proxy firewall. As will be discussed further in Chapter 7, "Virtual Private Networks," VPN packet authentication will fail if the IP address of the sender is modified during the transmission. Although this is normally thought of as an issue with Network Address Translation, the same issue occurs with proxy firewalls. Of course, if the VPN endpoint is the firewall, this will not be a problem.
The configuration of proxy firewalls can be more difficult than other firewall technologies. Especially when using older proxies, it can be difficult to properly install and configure the set of proxies necessary for your network.
It is also worth noting that the number of proxy firewall products on the market is decreasing. The commercial firewall industry is moving away from proxy firewalls, due mainly to performance and compatibility concerns. Many of these vendors are dropping their proxy product lines in exchange for stateful products that make use of Deep Packet Inspection techniques. These techniques, which we described in Chapter 3, "Stateful Firewalls," provide some, but not all of the benefits of proxy firewalls. Like proxy firewalls, Deep Packet Inspection allows security tests at the application layer. However, unlike proxies, it allows direct connections to occur between computer systems. As mentioned earlier, this makes it easier for attackers to perform operating system and application discovery. Deep Packet Inspection firewalls tend to be more flexible than proxies and they can be designed to handle very high-speed networks.
So far, we've looked into the basics of proxy servers and their role in developing a firewall solution. We've talked about how they operate and discussed some of their advantages and disadvantages. In this next section, we will talk about some of various ways proxy technologies are being used to secure networks.