17

I understand that very simply put a proxy is a sort of 'man in the middle' allowing/denying access to certain services/resources. Strictly in terms of security (I mean here privacy, parental control and the like excluded), can it offer any added security compared to a firewall?

Count Zero
  • 2,879
  • 3
  • 16
  • 14
  • 1
    Interesting question. I've never associated the two before, but if you look at the definition of 'proxy', meaning something that performs an action on your behalf, then that would mean a firewall, in many cases, is a proxy. Having never really worked with Proxies myself, I've always just associated them as a way around firewalls. I look forward to some of the answer you'll get. – Safado Dec 05 '11 at 18:40

3 Answers3

12

A proxy understands the protocol it is designed for. This means that some proxy software can allow or disallow traffic based on elements of the protocol. To give an example, your proxy could disallow HTTP traffic with a certain User-Agent: header or only allow traffic with certain Referer: headers. A proxy can also require authentication before sending the requests along.

Not all proxy software has this ability. Some will simply proxy the requests with no analysis done on the content beyond what is needed to fulfill the request.

A reverse proxy (often used in front of a web server) can potentially protect against flaws in the web server software. It can also have flaws that the web server software doesn't.

A network firewall doesn't understand the HTTP protocol and can't allow or deny traffic based on elements of that protocol. It can only allow or deny based on the lower level protocols such as IP, TCP and UDP. Network firewalls can't do authentication because this is not built in to the lower levels of the OSI stack.

Application Firewalls on the other hand understand the protocol of the application they were designed for and allow or deny traffic based on the content of the traffic. I haven't seen one of these that can do authentication but it's certainly possible.

A web application firewall is just an application firewall that is designed for web protocols.

Many commercial firewall devices are also (at least partially) application firewalls.

So whether you get any added security out of a firewall or a proxy depends greatly on exactly which firewall or proxy you use. It will usually also depend on how it's configured. With no specific security-focused configuration you will usually gain no extra security with either a firewall or a proxy.

Ladadadada
  • 5,163
  • 1
  • 24
  • 41
9

Yes, a proxy can provide extra security.

Proof by example:

  • A web proxy could implement malware scanning. It could prevent you from visiting blacklisted sites (i.e. known to be malicious to browsers).
  • You're on an untrusted network but need http access without being subjected to MITM attacks. Make the http connection through an authenticated, encrypted connection to your trusted web proxy.
bstpierre
  • 4,868
  • 1
  • 21
  • 34
5

Actually the term firewall is commonly misused and people usually use it to refer to packet filtering which is not strictly correct.

You can classify firewalls in 2 categories. Packet filtering and application gateways (AKA proxy).

Looking at the service protocol level (eg.HTTP, SMTP, etc) packet filtering is a poor approach compared to application gateways. Application gateways have semantic knowledge on the protocol and are much more powerful because they can look at the content (HTTP: check if you're downloading malware, SMTP check for virus and refuse a particular mail). Having this said it's a fact that you can't have proxy’s for all service protocols existing. Packet filtering, working on a lower level, though not having such a thin granularity ends up being a more universal approach for all protocols (SMTP: dont accept anything for port 25 from IP xx.xx.xx.xx).

Anyway, there is no reason to choose one over the other. You can use them together and take the best out of each solution.

Note: as @Ladadadada refered not all proxys can do filtering or deep inspection so I would say it's not correct to say all proxys are firewalls. But still, you can consider them a piece of your security infrastructure.

Many "traditional" packet filtering firewalls can now also look one level higher on the network stack and do content inspection (eg.: http content inspection/url denial)

nsn
  • 726
  • 5
  • 8