Firewall Foundations – Packet Filter vs Proxy

This is my Part 2 of the Firewall Foundations series. Article 1 on Security Posture can be found here.

Firewall Foundations: Packet Filters vs. Proxies

What is the difference between a packet filter and a proxy?

Preface

So you think you know what a proxy is? Well if you are familiar with the old Web Proxy servers please forget everything you thought you knew about proxies. We are talking about something very different. The old proxy servers took web requests from clients and checked to see if it had that page already cached, and if not, it would then redirect the client request to the internet, if the request was allowed. A linear flowchart would look something like:

  • Client request for KnowtheNetwork.com -> Proxy checks cache -> Not found, forward request
  • Client request for Google.com -> Proxy checks cache -> Cached page found, replies w/ cached page
  • Client request for badwebsite.com -> Proxy checks cache -> Proxy denies the request based on policy

A modern day proxies are entirely different.

The Lesson

Let’s examine the Dewey decimal system. A librarian organizes fiction books based on 2 pieces of information, the authors last name and title of the book. Based on these 2 pieces of information a librarian makes a decision about the correct placement of the book on the shelf. This is a packet filter.

A packet filter simply looks at two types of information, port number and IP. A filter reads the Source IP, Destination IP, Source Port, & Destination Port and based off of these 4 factors makes a decision on whether to allow the connection or deny the packet.

Consider the analogy once again… Let’s assume some crafty authors are trying to get Math books into the fiction shelf. In order to do so they take a math text book and Re-cover it with Dostoevsky’s “Crime & Punishment” book cover. The librarian sees the author and title on the cover and the book is filed in fiction. Success!! The system was fooled because there is no way of discovering that the book is really an evil math book.

Unless you read the book. If you read the book cover to cover to ensure that the contents are truly fiction you have now become a proxy.

The difference from a security standpoint should be readily apparent by now. The proxy opens every packet and examines the data for content that is not allowed. The decision is based on content not “title and author”. In the past a packet filter might have seen a request for web traffic and allowed the packet not knowing it was a malicious packet, whereas a proxy would have detected the data payload as malicious and denied it ever coming into your network.

Proxies are great, they are tremendously more secure but they require horsepower to process and the act of opening the packets can cause certain types of traffic problems. Proxies can be applied to many types of traffic web (HTTP), email (SMTP, POP3), and FTP.

In summary

If you aren’t using proxies on your network firewall then you are essentially blind to the traffic entering and leaving your network and that is dangerous ground.

Bonus: What type of traffic can a proxy not analyze?

HTTPS and VPN’s, Why not? They are encrypted and not privy to a firewalls prying eyes.

5 responses to “Firewall Foundations – Packet Filter vs Proxy”

  1. Ken Stewart says:

    Great article. Very enlightening and well put.

    On the HTTPS front, I have heard tell some larger corporations are installing a web proxy and installing a certificate in the client IE systems so the web proxy decrpyts the packets, and then re-encrypts them to the destination site. They are claiming this for compliance and audit reasons, but who knows…

    I know the individual clients now are able to use VPN clients outbound, but I wonder if there is an increase in the amount of outbound blocks on VPNs because the corporate IT cannot control the traffic.

  2. Tsu Doh Nimh says:

    I’ve seen the beginning stages of these HTTPS proxies but I think it is too early to consider for production especially in the SMB market. The main reason being that most HTTPS proxies either require an internal certificate to be applied to all internal clients or you get an invalid cert error. A bit of a headache.

    I’m also aware of many networks that restrict outgoing VPN traffic due to outbound content compliance and/or inability to manage the data leakage.

  3. Brad Pears says:

    Great article. The analogy using teh book to understand the difference between simply a packet filter vs a proxy was great….

  4. proxydude says:

    You can find all the information free on the Internet though a book reads allot better!

  5. donmaxoni says:

    Nice work!i use proxy and vpn to secure my data,it works like a charm

Leave a Reply