posted 22 years ago
An application proxy is an application program that runs on a firewall system between two networks. The host on which the proxy runs does not need to be acting as a router. When a client program establishes a connection "through" a proxy to a destination service, it first establishes a connection directly to the proxy server program. The client then negotiates with the proxy server to have the proxy establish a connection on behalf of the client between the proxy and the destination service. If successful, there are then two connections in place: one between the client and the proxy server and another between the proxy server and the destination service. Once established, the proxy then receives and forwards traffic bi-directionally between the client and service. The proxy makes all connection-establishment and packet-forwarding decisions; any routing functions that are active on the host system are irrelevant to the proxy.
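The two-connection model described above, as an added example in Python (not code from the original text). The negotiation format is an assumption made for this example: the client's first line is `CONNECT host:port`, the proxy answers `OK` or `DENIED`, and only after `OK` does it relay bytes in both directions; the `allowed` set of destinations stands in for the proxy's access-control policy. Requires Python 3.8+ (`socket.create_server`, walrus operator).

```python
import socket, threading
from contextlib import suppress
def read_line(sock, limit=256):  # byte-at-a-time and bounded: never over-reads into the payload
    buf = b""
    while not buf.endswith(b"\n") and len(buf) < limit and (c := sock.recv(1)):
        buf += c
    return buf.decode("ascii", "replace").strip()

def relay(src, dst):  # forward one direction until src hits EOF, then pass that EOF on to dst
    with suppress(OSError):
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    with suppress(OSError): dst.shutdown(socket.SHUT_WR)

def handle_client(client, allowed):
    """Proxy side: client<->proxy is up; decide whether to open proxy<->service, then forward."""
    with client:
        verb, _, target = read_line(client).partition(" ")  # e.g. "CONNECT 127.0.0.1:9000"
        host, _, port = target.rpartition(":")
        upstream = None
        if verb == "CONNECT" and port.isdigit() and (host, int(port)) in allowed:
            with suppress(OSError):  # an unreachable destination is reported as a denial too
                upstream = socket.create_connection((host, int(port)), timeout=5)
        if upstream is None:
            client.sendall(b"DENIED\n")  # the proxy refuses: no second connection, nothing forwarded
            return
        with upstream:
            client.sendall(b"OK\n")  # both connections exist; from here the proxy only relays bytes
            (back := threading.Thread(target=relay, args=(upstream, client), daemon=True)).start()
            relay(client, upstream)
            back.join()

def serve(handler):
    """Listen on an ephemeral localhost port; each accepted socket goes to handler on its own thread."""
    srv = socket.create_server(("127.0.0.1", 0))
    def loop():
        while True:
            threading.Thread(target=handler, args=(srv.accept()[0],), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def via_proxy(proxy_port, host, port, payload):
    """Client side: negotiate with the proxy, then talk to the service through it."""
    with socket.create_connection(("127.0.0.1", proxy_port), timeout=5) as s:
        s.sendall(f"CONNECT {host}:{port}\n".encode())
        if (status := read_line(s)) == "OK":  # only now may the client speak to the service
            s.sendall(payload)
            s.shutdown(socket.SHUT_WR)
        return status, b"".join(iter(lambda: s.recv(4096), b""))
```

A destination service for trying it locally can be `serve(lambda c: relay(c, c))`, a constructed echo server; each proxied session then costs the proxy two threads, one per direction, which is the per-session resource cost discussed later on this page.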
As with packet filtering, application proxies are available on both special purpose proxy machines and general purpose computers. Generally speaking, application proxies are slower than packet filtering routers. However, application proxies are, in some ways, inherently more secure than packet filtering routers. Packet filtering routers have historically suffered from implementation flaws or oversights in the operating system's routing implementation on which they depend. Since packet filtering capabilities are "add-ons" to routing, they cannot correct or compensate for certain kinds of routing flaws.
As a result of making more complex filtering and access control decisions, application proxies can require significant computing resources and an expensive host upon which to execute. For example, if a certain firewall technology running on a UNIX platform needs to support 200 concurrent HTTP sessions, the host must be capable of supporting 200 HTTP proxy processes with reasonable performance. Add 100 FTP sessions, 25 SMTP sessions, some LDAP sessions, and some DNS transactions and you have a host that needs to sustain 500 to 1,000 proxy processes. Some proxies are implemented using kernel threads (which can dramatically reduce resource requirements) but resource demands remain high.