Proxy Firewalls
The proxy firewall sits between the internal network and the rest of the world, and acts as an intermediary. For example, a request from an internal user to access an external webpage is addressed to the firewall’s IP address. The firewall then sends the request out to the website bearing the IP address of the proxy. The external entity receives the request and sends the information back to the proxy’s IP address. Once it arrives back at the proxy, the firewall examines the packet and, if it is safe, delivers it to the requester.
In short, each side thinks it is dealing with the proxy. The main advantage of a proxy is that the outside entity gains no knowledge of your internal network. To explain further, if multiple users from your organization were to visit a malicious website—without going through a proxy—their individual IP addresses (whether static or dynamic) would be recorded, providing a cracker with information which could be used to map the network. If all website requests go through a proxy, the cracker sees only a single entity.
In many cases, a proxy firewall has two or more network interface cards. These firewalls are called dual-homed, or multi-homed. A multi-homed proxy would have one interface connected to the Internet, another connected to the internal network, and one or more connected to the DMZs (DMZs are described in more detail in the section on “Network Architecture”) which host the mail and web servers. This arrangement allows finer granularity in the ACLs. For example, if your web server is in its own zone, then your rules can allow HTTP traffic alone—followed by a deny all—rather than a series of rules.
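The two points above, the proxy substituting its own address and a per-zone first-match ACL that needs only one allow line plus a deny-all, as an added Python illustration (not from the original article; the zones, addresses and rules are constructed for the example):

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
# Each interface of the multi-homed proxy faces one zone. All addresses are
# constructed for this example (RFC 1918 and documentation ranges).
ZONES = {
    "internal": ip_network("10.0.0.0/8"),
    "web_dmz": ip_network("192.168.10.0/24"),
    "internet": ip_network("0.0.0.0/0"),  # catch-all, least specific
}
PROXY_ADDR = {  # the proxy's own address on each interface
    "internal": "10.0.0.1",
    "web_dmz": "192.168.10.1",
    "internet": "203.0.113.1",
}
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

# First-match ACL as (src_zone, dst_zone, proto, dport, action); "*" matches anything.
# With the web server in its own zone, one allow line plus deny-all is enough.
ACL = [
    ("internal", "web_dmz", "tcp", 80, "allow"),
    ("internet", "web_dmz", "tcp", 80, "allow"),
    ("internal", "internet", "tcp", 80, "allow"),
    ("*", "*", "*", "*", "deny"),  # deny all: anything not listed above is dropped
]
def zone_of(addr: str) -> str:
    """Most specific zone whose network contains addr (longest prefix wins)."""
    ip = ip_address(addr)
    return max((z for z, net in ZONES.items() if ip in net),
               key=lambda z: ZONES[z].prefixlen)
def acl_decision(pkt: Packet) -> str:
    """Walk the ACL top-down; the first matching rule decides."""
    sz, dz = zone_of(pkt.src), zone_of(pkt.dst)
    for src, dst, proto, dport, action in ACL:
        if (src in ("*", sz) and dst in ("*", dz)
                and proto in ("*", pkt.proto) and dport in ("*", pkt.dport)):
            return action
    return "deny"  # unreachable while the deny-all line is present; safe default

def proxy_forward(pkt: Packet):
    """Packet as the destination sees it, or None if the ACL drops it. The proxy
    substitutes its own egress address, so the destination never sees the client."""
    if acl_decision(pkt) != "allow":
        return None
    egress = zone_of(pkt.dst)
    return Packet(PROXY_ADDR[egress], pkt.dst, pkt.dport, pkt.proto)
```

An internal client browsing the web leaves the proxy with source 203.0.113.1, while an unlisted flow such as inbound traffic to the internal zone falls through to the deny-all line.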
Next time: How firewalls are defeated.