Proxy Firewalls

Information Security Professiona
A proxy firewall is one of the safest but also one of the slowest.  As is the case with a lot of information security, there often is a tradeoff between protection and speed or convenience.  Of course, that drawback extends to the real world as well: I could save a good 30 seconds each day if I didn’t feel compelled to close my garage door—thereby securing my house—whenever I leave. The benefit, not coming home to an empty house, far outweighs the time expenditure. Security professionals frequently have to make the same tradeoffs.

The proxy firewall sits between the internal network and the rest of the world and acts as an intermediary. For example, a request from an internal user to access an external web page is addressed to the firewall's IP address. The proxy then sends the request out to the website bearing its own IP address as the source. The external site receives the request and sends the response back to the proxy's IP address. When it arrives at the proxy, the firewall examines the packet and, if it is safe, delivers it to the original requester.

In short, each side believes it is dealing only with the proxy. The main advantage of a proxy is that the outside entity gains no knowledge of your internal network. If multiple users from your organization visited a malicious website without going through a proxy, their individual IP addresses (whether static or dynamic) would be recorded, giving a cracker information that could be used to map the network. If all website requests go through a proxy, the cracker sees only a single entity.
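The exchange described above, as an added example that is not part of the original post: a simulated proxy firewall (no real sockets) re-issues each internal client's request from its own outside address, keeps a connection table so the reply can be returned to the right requester, and inspects the reply before delivering it. The addresses, the `is_safe` content check and the packet format are constructed for the example; at the end, the server's log holds only the proxy's address.

```python
"""Simulated proxy firewall exchange (constructed example, no real network I/O).

Addresses are taken from documentation ranges and chosen for the example:
  internal clients      10.0.0.5, 10.0.0.6
  proxy, inside NIC     10.0.0.1
  proxy, outside NIC    203.0.113.10
  external web server   198.51.100.7
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PROXY_INSIDE = "10.0.0.1"
PROXY_OUTSIDE = "203.0.113.10"
SERVER = "198.51.100.7"


@dataclass
class Packet:
    src: str
    dst: str
    payload: str


def is_safe(payload: str) -> bool:
    # Toy content check standing in for the firewall's application-layer inspection.
    return "<script>" not in payload.lower()


@dataclass
class ProxyFirewall:
    # Connection table: proxy-side stream id -> internal host that made the request.
    table: Dict[int, str] = field(default_factory=dict)
    next_id: int = 1

    def outbound(self, pkt: Packet) -> Tuple[int, Packet]:
        """Internal host addressed the proxy; re-issue the request from the outside NIC."""
        assert pkt.dst == PROXY_INSIDE, "internal hosts talk only to the proxy"
        stream = self.next_id
        self.next_id += 1
        self.table[stream] = pkt.src
        # The server only ever sees PROXY_OUTSIDE as the source.
        return stream, Packet(src=PROXY_OUTSIDE, dst=SERVER, payload=pkt.payload)

    def inbound(self, stream: int, pkt: Packet) -> Optional[Packet]:
        """Inspect the reply; hand it to the original requester only if it passes."""
        requester = self.table.pop(stream)
        if not is_safe(pkt.payload):
            return None  # dropped at the proxy; the internal host never receives it
        return Packet(src=PROXY_INSIDE, dst=requester, payload=pkt.payload)


@dataclass
class ExternalServer:
    seen_sources: List[str] = field(default_factory=list)  # what the outside world records

    def handle(self, pkt: Packet, body: str) -> Packet:
        self.seen_sources.append(pkt.src)
        return Packet(src=SERVER, dst=pkt.src, payload=body)


def run_exchange(clients: List[str], bodies: List[str]):
    """Drive one request/response per client; return (addresses the server saw, deliveries)."""
    proxy = ProxyFirewall()
    server = ExternalServer()
    delivered = []
    for client, body in zip(clients, bodies):
        stream, out = proxy.outbound(Packet(src=client, dst=PROXY_INSIDE, payload="GET / HTTP/1.1"))
        reply = server.handle(out, body)
        back = proxy.inbound(stream, reply)
        delivered.append((client, back.payload if back else None))
    return set(server.seen_sources), delivered


if __name__ == "__main__":
    seen, delivered = run_exchange(
        ["10.0.0.5", "10.0.0.6"],
        ["<html>ok</html>", "<script>evil</script>"],  # constructed replies
    )
    print("server saw:", seen)          # only the proxy's outside address
    print("delivered:", delivered)      # second reply dropped by inspection
```

Two clients made requests, yet the server's log contains a single source, which is the mapping-resistance benefit the text describes; the connection table is what lets the proxy route each reply back to the right internal host after inspection.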

In many cases, a proxy firewall has two or more network interface cards; such firewalls are called dual-homed or multi-homed. A multi-homed proxy has one interface connected to the Internet, another connected to the internal network, and one or more connected to the DMZs that host the mail and web servers (DMZs are described in more detail in the section on “Network Architecture”). This arrangement allows finer granularity in the ACLs: if your web server is in its own zone, the rules for that zone can allow HTTP alone, followed by a deny-all, rather than a series of rules.
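An added example (not from the original post) of the per-zone ACL idea: each interface of a multi-homed proxy maps to a zone, each zone has its own top-down, first-match rule list, and because the web server sits alone in its zone its whole policy is one HTTP allow followed by deny-all. The zone address ranges, rule format and `evaluate` function are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    proto: str            # "tcp", "udp" or "*" for any protocol
    port: Optional[int]   # destination port, None = any port
    action: str           # "allow" or "deny"


# One zone per interface of the multi-homed proxy (constructed example ranges).
ZONES: Dict[str, ipaddress.IPv4Network] = {
    "internal": ipaddress.ip_network("10.0.0.0/8"),
    "web-dmz": ipaddress.ip_network("192.0.2.0/24"),
    "mail-dmz": ipaddress.ip_network("198.51.100.0/24"),
}

DENY_ALL = Rule("*", None, "deny")

# Per-zone ACLs, evaluated top-down; the first matching rule decides.
# A server in its own zone needs only its one service allowed, then deny-all.
ACLS: Dict[str, List[Rule]] = {
    "web-dmz": [Rule("tcp", 80, "allow"), DENY_ALL],
    "mail-dmz": [Rule("tcp", 25, "allow"), DENY_ALL],
    "internal": [DENY_ALL],  # nothing from outside initiates into the LAN
}


def zone_of(addr: str) -> str:
    """Return the zone (interface) an address belongs to; anything unmatched is the Internet."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


def evaluate(dst: str, proto: str, port: int) -> str:
    """First-match evaluation of the ACL for the destination's zone."""
    rules = ACLS.get(zone_of(dst), [DENY_ALL])
    for rule in rules:
        if rule.proto in ("*", proto) and rule.port in (None, port):
            return rule.action
    return "deny"  # implicit default if a zone's list lacks a catch-all


if __name__ == "__main__":
    for dst, proto, port in [("192.0.2.10", "tcp", 80), ("192.0.2.10", "tcp", 22),
                             ("198.51.100.5", "tcp", 25), ("10.0.0.5", "tcp", 80)]:
        print(f"{proto}/{port} -> {dst} ({zone_of(dst)}): {evaluate(dst, proto, port)}")
```

If the web and mail servers shared one zone, that zone's list would need allows for both services plus the ordering to keep them apart, which is the longer "series of rules" the text contrasts against; separate zones keep each list short and easy to audit.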

Next time: How firewalls are defeated.