In simple terms, a proxy is someone given the authority to represent someone else. In computer networks, proxies are network devices given the authority to connect to a server on a client’s behalf.
A typical example is a proxy server or proxy firewall that makes a connection on behalf of an internal company employee to a website or other application. There are also reverse proxies that connect external clients to company-hosted assets; for instance, connecting remote users to an intranet website and an internal file and email server via a company web portal. Malware can also act as an unauthorized proxy. For instance, read about the Ramnit malware family network of proxy servers as described by the Check Point Research (cp<r>) team.
Let’s take a closer look at what a proxy firewall is, how a proxy firewall works, and the difference between a proxy firewall and today’s next-generation firewalls (NGFWs).
While all proxy firewalls are proxy servers, not all proxy servers are proxy firewalls. Both serve as an intermediary between clients and servers, both can cache web pages to reduce network congestion, and both conceal information about the user from the server. A proxy firewall additionally performs deeper, application-layer inspection of the traffic it relays in order to identify and block potentially malicious content.
If you’ve worked for a large organization, you may be familiar with setting your laptop to use a proxy PAC (Proxy Auto-Configuration) file or specifying an IP address of the company proxy server. Browsers and other applications use these operating system settings to direct traffic to the proxy server.
The web browser connects to the proxy server, which intercepts the connection and makes another connection to the destination website on the client’s behalf if the connection is allowed by policy. This enables the proxy firewall to inspect packets within the connection. The main protocol supported is HTTP(S) web traffic, but other protocols, such as FTP, can be supported as well depending upon the proxy firewall capabilities.
Key features of a proxy firewall include:
Proxy firewalls differ from other types of firewalls in a few ways, including the following:
Proxy firewalls are designed to inspect a small set of application-specific traffic. Other firewalls also do deep packet inspection, but historically have enforced policy based upon IP address and port or service address, e.g. TCP ports 80 (HTTP) and 443 (HTTPS) for web.
Simple IP and port-level filtering is the domain of early packet filters, which enforce simple Access Control Lists (ACLs). However, ACLs can become quite long and difficult for humans to understand.
Stateful firewalls went a step further and brought protocol awareness to traffic control. For instance, FTP (File Transfer Protocol) uses separate control and data connections: the control connection goes to TCP port 21, while the data is transferred over a second connection, from server port 20 in active mode or to a server-chosen port in passive mode. The data port is typically an ephemeral port, one of the roughly 64,000 ports above 1024, and the address and port chosen are communicated between client and server over the FTP control connection (in the PORT command or the PASV reply).
Stateful firewalls monitoring the FTP control connection can dynamically allow the data transfer. In policy, this means security admins need only specify that FTP is allowed between hosts; there is no need to open a wide port range in an ACL.
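The following is an added illustration of that stateful logic, not Check Point's implementation: a tracker watches the FTP control channel for PORT commands and 227 (passive mode) replies and opens a one-shot pinhole for exactly the data connection they announce. The control-channel lines fed to it are constructed samples; the addresses are documentation ranges. It also rejects a PORT command naming a host other than the client, the classic FTP bounce trick that would otherwise turn the control channel into a way of opening holes toward third parties.

```javascript
// Added example: stateful tracking of FTP data connections. Not Check Point
// code; the control-channel lines used below are constructed samples.
// IPv6 extensions (EPRT/EPSV, RFC 2428) are deliberately not handled.

// Parse the RFC 959 "h1,h2,h3,h4,p1,p2" form; port = p1*256 + p2.
function parseHostPort(text) {
  const m = /(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})/.exec(text);
  if (!m) return null;
  const octets = m.slice(1, 5).map(Number);
  const p1 = Number(m[5]), p2 = Number(m[6]);
  if (octets.some((o) => o > 255) || p1 > 255 || p2 > 255) return null;
  const port = p1 * 256 + p2;
  if (port === 0) return null;
  return { ip: octets.join("."), port };
}

class FtpTracker {
  constructor(clientIp, serverIp) {
    this.clientIp = clientIp;
    this.serverIp = serverIp;
    this.pinholes = []; // expected data connections: {srcIp, dstIp, dstPort}
  }

  // Feed one control-channel line. dir is "c2s" for a client command or
  // "s2c" for a server reply.
  observe(dir, line) {
    if (dir === "c2s" && /^PORT /i.test(line)) {
      // Active mode: the client names where it listens; the server connects
      // to it (from port 20). Accept only the client's own address with an
      // unprivileged port, so a bounce attempt toward another host is ignored.
      const hp = parseHostPort(line);
      if (hp && hp.ip === this.clientIp && hp.port >= 1024) {
        this.pinholes.push({ srcIp: this.serverIp, dstIp: hp.ip, dstPort: hp.port });
      }
    } else if (dir === "s2c" && /^227 /.test(line)) {
      // Passive mode: the server announces where the client should connect.
      // The announced address must be the server's own (many firewalls
      // rewrite or ignore it behind NAT; here it is required to match).
      const hp = parseHostPort(line);
      if (hp && hp.ip === this.serverIp && hp.port >= 1024) {
        this.pinholes.push({ srcIp: this.clientIp, dstIp: hp.ip, dstPort: hp.port });
      }
    }
  }

  // Decide a new TCP SYN against the pinholes; a match is consumed so the
  // hole is good for exactly one data connection.
  allowDataConnection(srcIp, dstIp, dstPort) {
    const i = this.pinholes.findIndex(
      (p) => p.srcIp === srcIp && p.dstIp === dstIp && p.dstPort === dstPort
    );
    if (i < 0) return false;
    this.pinholes.splice(i, 1);
    return true;
  }
}
```

Run against a sample session: after the client sends PORT 192,0,2,10,4,1 the tracker allows a single server connection to 192.0.2.10:1025 and nothing else; after the server replies 227 Entering Passive Mode (198,51,100,5,195,80) it allows one client connection to 198.51.100.5:50000.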
As other technologies advanced, such as URL Filtering, application control, intrusion detection and prevention (IDS/IPS), and sandboxing, these were integrated into the firewall resulting in a multi-purpose network security device.
While the name may have changed as the firewall evolved into the Secure Web Gateway (SWG), UTM (Unified Threat Management), and Next-Generation Firewall (NGFW), its location in the network has probably not. Proxy servers and proxy firewalls are typically deployed as explicit (non-transparent) devices off the main data path, to which clients are configured to direct their traffic.
Firewalls, on the other hand, are more typically deployed inline as transparent border devices at network boundaries. These firewalls also do low-level Network Address Translation (NAT) between networks, participate in routing using static or dynamic routing protocols, and terminate client-to-site and site-to-site Virtual Private Network (VPN) connections. Usually this is entirely transparent to end users, but they can also intercept connections, such as SSL/TLS encrypted web connections, and handle email (SMTP) by acting as a Mail Transfer Agent (MTA).
One thing that proxy firewalls do that NGFWs typically do not is cache web content to cut latency and bandwidth use. Even so, throughput can be a disadvantage of proxy firewalls compared with NGFWs: a proxy terminates every client connection, opens a second connection to the server, and inspects the full application exchange in between, which costs more than stateful packet inspection. Another is that application support is hard to keep up to date as applications change, so application filtering can break, resulting in a poor user experience. Likewise, because all traffic flows through it, a proxy can become a single point of failure and cause network disruptions.
Another problem with out-of-band devices like proxy firewalls is that they rely on the proxy or PAC file settings configured on the client. Users can often change these settings themselves, making it relatively easy to bypass the proxy. Likewise, an application that ignores the proxy settings, or uses a protocol the proxy firewall does not support, simply connects directly and bypasses company security policy in this way as well.
Check Point firewalls, one of the first stateful firewalls, have evolved as new threats arose. Today’s Check Point firewall is a valuable replacement for proxy firewalls and proxy servers, enabling businesses to consolidate network security technologies under one highly scalable and reliable multifunction network device.
Check Point NGFWs are also available in the deployment of your choice: inline routed or bridge deployments, on-premises as physical devices, in the private and public cloud as virtual devices, and as Firewall-as-a-Service (FWaaS) deployed as the security component in a SASE (Secure Access Service Edge) model. Other security services included in the SASE model are Zero Trust Network Access (ZTNA), to provide secure access to corporate applications, and a cloud access security broker (CASB), to natively protect cloud office and email productivity suites.