Pros and Cons of Proxy Firewalls


Proxy firewalls represent a balance between security and functionality. On the one side, well-written proxies offer security benefits that are significantly better than many other types of firewall technologies. However, they are often slower than other products, and they can limit what applications your network can support. In this section, we will itemize the advantages and disadvantages you should consider when choosing to use a proxy.

Advantages of Proxy Firewalls

Proxy firewalls have several advantages over other types of firewalls:

  • Proxy firewalls provide comprehensive, protocol-aware security analysis for the protocols they support. By working at the application layer, they are able to make better security decisions than products that focus purely on packet header information.

  • The topology of the internal protected network is hidden by proxy firewalls. Internal IP addresses are shielded from the external world because proxy services do not allow direct communications between external servers and internal computers. Although this can also be accomplished using Network Address Translation techniques, it occurs by default with proxy firewalls.

  • Network discovery is made substantially more difficult because attackers do not receive packets created directly by their target systems. Attackers can often develop detailed information about the types of hosts and services located on a network by observing packet header information from the hosts. How different systems set fields such as the Time to Live (TTL) field, window size, and TCP options can help an attacker determine which operating system is running on a server. This technique, known as fingerprinting, is used by an attacker to determine what kinds of exploits to use against the client system. Proxies can prevent much of this activity because the attacking system does not receive any packets directly created by the server.

  • Robust, protocol-aware logging is possible in proxy firewalls. This can make it significantly easier to identify the methods of an attack. It also provides a valuable backup of the logs that exist on the servers being protected by the proxy.

Proxy Firewall Log Discovers RingZero Trojan

The protocol-aware logging possible on proxy firewalls often leads to the early discovery of new exploits. Back in the fall of 1999, the defensive community noticed a large number of probes on ports TCP 80, 8080, and 3128. Analysts pored over router logs, but they could not figure out what was going on. However, Bill Royds in Canada detected similar activity on his proxy firewall. Here is one of the log entries he captured:


Oct 1 06:47:02 gate gwcontrol: 201 http[3785494487]: access denied for smak.mplik.ru to www.rusftpsearch.net [default rule] [no rules found]
Oct 1 06:47:02 gate httpd[7188]: 121 Statistics: duration=0.15 id=w7Ii3 sent=357 rcvd=402 srcif=hme1 src=195.58.0.243/61332 srcname=smak.mplik.ru dstif=hme1 dst=206.253.222.89/80 dstname=www.rusftpsearch.net op=GET arg=http://www.rusftpsearch.net/cgibin/pst.pl?pstmode=writeip&psthost=167.33.61.23&pstport=80 result="403 Forbidden" proto=http (request denied by gwcontrol)

What this log entry shows is a client (smak.mplik.ru) trying to communicate through Bill's firewall to a web server (www.rusftpsearch.net). In addition, the web request reveals that the client was attempting to hand an IP address and port to the pst.pl program running on the web server. The contents of this log entry turned out to be critical in identifying a new Trojan horse program called RingZero (http://www.cnn.com/TECH/computing/9910/22/russian.trojan.horse.idg/).

What Bill's firewall caught was a message from a host infected by RingZero trying to report home. RingZero attempted to locate web servers and web proxies by scanning for hosts that have port 80, 8080, or 3128 open. When it found a live server, it reported this by connecting to the pst.pl program on www.rusftpsearch.net. By capturing this important application detail, Bill's proxy firewall led to the discovery of RingZero and the development of an effective response.
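The detection Bill performed by eye can be automated over the proxy's httpd log. The following is an added example, not code from the book or from any firewall product: it parses the key=value fields of the httpd entry quoted above (the sample log is constructed from those two entries, one per line), then flags any proxied request whose URL query hands an IP address and a port to the remote server, the shape of the RingZero report-home request.

```python
import re
from ipaddress import ip_address
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the two entries quoted above, one entry per line.
SAMPLE_LOG = """\
Oct 1 06:47:02 gate gwcontrol: 201 http[3785494487]: access denied for smak.mplik.ru to www.rusftpsearch.net [default rule] [no rules found]
Oct 1 06:47:02 gate httpd[7188]: 121 Statistics: duration=0.15 id=w7Ii3 sent=357 rcvd=402 srcif=hme1 src=195.58.0.243/61332 srcname=smak.mplik.ru dstif=hme1 dst=206.253.222.89/80 dstname=www.rusftpsearch.net op=GET arg=http://www.rusftpsearch.net/cgibin/pst.pl?pstmode=writeip&psthost=167.33.61.23&pstport=80 result="403 Forbidden" proto=http (request denied by gwcontrol)
"""

# key=value fields; a value is a double-quoted string or a run of non-blanks.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_httpd_entry(line):
    """Fields of an httpd 'Statistics' entry, or None for other line types
    (the gwcontrol access-denied line carries no key=value fields)."""
    if " httpd[" not in line or "Statistics:" not in line:
        return None
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def find_address_leaks(url):
    """Query parameters whose value is an IP address, plus any numeric
    port-named parameter: the shape of a report-home request."""
    hosts, ports = [], []
    for name, values in parse_qs(urlsplit(url).query).items():
        for value in values:
            try:
                ip_address(value)
                hosts.append((name, value))
            except ValueError:
                if "port" in name.lower() and value.isdigit() and 0 < int(value) < 65536:
                    ports.append((name, int(value)))
    return {"hosts": hosts, "ports": ports}

def scan_log(text):
    """One alert per proxied request whose URL hands an IP address to the server."""
    alerts = []
    for line in text.splitlines():
        fields = parse_httpd_entry(line)
        if not fields or "arg" not in fields:
            continue
        leaks = find_address_leaks(fields["arg"])
        if leaks["hosts"]:
            alerts.append({"client": fields.get("srcname", fields.get("src")),
                           "server": fields.get("dstname", fields.get("dst")),
                           "path": urlsplit(fields["arg"]).path,
                           "result": fields.get("result"), **leaks})
    return alerts
```

Run against the sample, `scan_log` returns a single alert naming smak.mplik.ru, www.rusftpsearch.net, the pst.pl path and the psthost/pstport pair; a packet-filter log would have recorded only the TCP connection to port 80.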


Disadvantages of Proxy Firewalls

Although proxy firewalls can provide increased security over packet-filtering firewalls, they do have their disadvantages. Here are some of the issues you should consider prior to fielding a proxy firewall:

  • Proxy firewalls are not compatible with all network protocols. A new proxy agent must be developed for each new application or protocol to pass through the firewall. If the proxy product you choose does not provide support for a needed protocol, you may have to settle for a generic proxy. In some cases, even generic proxies may not work if the protocol is nonstandard.

  • Performance is reduced by the additional processing that application-layer services require. There is no such thing as a free lunch. The extra overhead implied by setting up two connections for every conversation, combined with the time needed to validate requests at the application layer, adds up to slower performance. In some cases, this can be balanced by choosing higher-end servers to run your proxy. However, for some extremely high-bandwidth networks, a proxy firewall may become a performance bottleneck.

  • Virtual Private Networks (VPNs) may not function through a proxy firewall. As will be discussed further in Chapter 7, "Virtual Private Networks," VPN packet authentication will fail if the IP address of the sender is modified during the transmission. Although this is normally thought of as an issue with Network Address Translation, the same issue occurs with proxy firewalls. Of course, if the VPN endpoint is the firewall, this will not be a problem.

  • The configuration of proxy firewalls can be more difficult than other firewall technologies. Especially when using older proxies, it can be difficult to properly install and configure the set of proxies necessary for your network.

It is also worth noting that the number of proxy firewall products on the market is decreasing. The commercial firewall industry is moving away from proxy firewalls, due mainly to performance and compatibility concerns. Many of these vendors are dropping their proxy product lines in exchange for stateful products that make use of Deep Packet Inspection techniques. These techniques, which we described in Chapter 3, "Stateful Firewalls," provide some, but not all, of the benefits of proxy firewalls. Like proxy firewalls, Deep Packet Inspection allows security tests at the application layer. However, unlike proxies, it allows direct connections to occur between computer systems. As mentioned earlier, this makes it easier for attackers to perform operating system and application discovery. Deep Packet Inspection firewalls tend to be more flexible than proxies, and they can be designed to handle very high-speed networks.

So far, we've looked into the basics of proxy servers and their role in developing a firewall solution. We've talked about how they operate and discussed some of their advantages and disadvantages. In the next section, we will talk about some of the various ways proxy technologies are being used to secure networks.



    Inside Network Perimeter Security (2nd Edition)
    ISBN: 0672327376
    Year: 2005
    Pages: 230
