Firewall Foundations – Packet Filter vs Proxy
This is Part 2 of my Firewall Foundations series. Article 1, on Security Posture, can be found here.
Firewall Foundations: Packet Filters vs. Proxies
What is the difference between a packet filter and a proxy?
So you think you know what a proxy is? Well, if you are familiar with the old web proxy servers, please forget everything you thought you knew about proxies. We are talking about something very different. The old proxy servers took web requests from clients and checked whether they already had that page cached; if not, they forwarded the client request to the internet, provided the request was allowed by policy. A linear flowchart would look something like:
- Client request for KnowtheNetwork.com -> Proxy checks cache -> Not found, forward request
- Client request for Google.com -> Proxy checks cache -> Cached page found, replies w/ cached page
- Client request for badwebsite.com -> Proxy checks cache -> Proxy denies the request based on policy
Modern-day proxies are entirely different.
Let’s examine the Dewey decimal system. A librarian organizes fiction books based on 2 pieces of information: the author's last name and the title of the book. Based on these 2 pieces of information, the librarian makes a decision about the correct placement of the book on the shelf. This is a packet filter.
A packet filter simply looks at two types of information: IP address and port number. The filter reads the source IP, destination IP, source port, and destination port, and based on these 4 fields alone it decides whether to allow the connection or deny the packet.
Consider the analogy once again… Let’s assume some crafty authors are trying to get math books onto the fiction shelf. To do so, they take a math textbook and re-cover it with the cover of Dostoevsky’s “Crime & Punishment”. The librarian sees the author and title on the cover, and the book is filed in fiction. Success!! The system was fooled because, from the cover alone, there is no way of discovering that the book is really an evil math book.
Unless you read the book. If you read the book cover to cover to ensure that the contents are truly fiction you have now become a proxy.
The difference from a security standpoint should be readily apparent by now. The proxy opens every packet and examines the data for content that is not allowed. The decision is based on content, not on “title and author”. In the past, a packet filter might have seen a request for web traffic and allowed the packet without knowing it was malicious, whereas a proxy would have detected the malicious data payload and denied it entry to your network.
Proxies are great: they are tremendously more secure, but they require processing horsepower, and the act of opening the packets can cause problems for certain types of traffic. Proxies can be applied to many types of traffic: web (HTTP), email (SMTP, POP3), and FTP.
If you aren’t using proxies on your network firewall then you are essentially blind to the traffic entering and leaving your network and that is dangerous ground.
Bonus: What type of traffic can a proxy not analyze?
HTTPS and VPNs. Why not? They are encrypted, so their contents are hidden from a firewall's prying eyes.
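To make the packet filter, the proxy, and the HTTPS blind spot concrete, here is an added example (not code from the original article): a 4-tuple packet filter and an HTTP-inspecting proxy run over constructed sample packets, including a "math book in a fiction cover" (non-HTTP data sent to port 80) that the filter allows and the proxy rejects. The rule set, the server address 203.0.113.10, the client address 198.51.100.7 and the packet contents are all made up for the illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    payload: bytes

# Constructed rule set for a hypothetical web server at 203.0.113.10:
# (source network, destination network, destination port, action)
RULES = [
    ("0.0.0.0/0", "203.0.113.10/32", 80, "allow"),
    ("0.0.0.0/0", "203.0.113.10/32", 443, "allow"),
]

def packet_filter(pkt, rules=RULES):
    """Packet filter: decides on the 4-tuple alone and never reads the payload."""
    src, dst = ipaddress.ip_address(pkt.src_ip), ipaddress.ip_address(pkt.dst_ip)
    for src_net, dst_net, dst_port, action in rules:
        if (src in ipaddress.ip_network(src_net)
                and dst in ipaddress.ip_network(dst_net)
                and pkt.dst_port == dst_port):
            return action
    return "deny"  # default deny: no rule matched

HTTP_METHODS = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"DELETE ", b"OPTIONS ")

def is_http_request(payload):
    """True only if the first line is a well-formed HTTP/1.x request line."""
    line = payload.split(b"\r\n", 1)[0]
    return line.startswith(HTTP_METHODS) and line.endswith((b" HTTP/1.0", b" HTTP/1.1"))

def application_proxy(pkt, rules=RULES):
    """Proxy: same 4-tuple check first, then reads the 'book' (the payload)."""
    if packet_filter(pkt, rules) != "allow":
        return "deny"
    if pkt.dst_port == 443:
        # TLS: payload is encrypted, so only the 4-tuple decision is possible.
        return "allow-uninspected"
    return "allow" if is_http_request(pkt.payload) else "deny"

# Constructed sample traffic from a hypothetical client 198.51.100.7.
REAL_HTTP = Packet("198.51.100.7", "203.0.113.10", 51000, 80, b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n")
DISGUISED = Packet("198.51.100.7", "203.0.113.10", 51001, 80, b"SSH-2.0-OpenSSH_9.6\r\n")  # port 80, not HTTP
TLS_HELLO = Packet("198.51.100.7", "203.0.113.10", 51002, 443, b"\x16\x03\x01\x00\x05hello")  # opaque to the proxy
WRONG_PORT = Packet("198.51.100.7", "203.0.113.10", 51003, 22, b"SSH-2.0-OpenSSH_9.6\r\n")
```

The filter and the proxy agree on REAL_HTTP and WRONG_PORT; they disagree on DISGUISED, and on TLS_HELLO the proxy can do no better than the filter.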