Application Proxies
In this model, the firewall blocks all traffic with the exception of a few, well-defined holes in its wall. Each hole allows a single application to access the Internet. The gateway must still translate private IP addresses to/from its public address. This is done separately for each application by an application-specific program called a proxy.
The most popular Internet application is the World Wide Web (the Web). The firewall is configured to specifically pass Web traffic, while the application-level proxy, in this case the Web proxy, is responsible for address translation for Web connections. The Apache Server is an example of a popular Web proxy for Windows.
Electronic mail is another very popular application. Another hole in the firewall accepts the e-mail traffic, and an e-mail proxy is used to translate addresses. The Trilent Mail Proxy was developed for this purpose.
Application proxies contribute to the security of firewalls. Application-level proxies "understand" the nature of the connections their respective applications require. For example, the Trilent Mail Proxy uses mail transfer protocols to pass mail. During its operation, this proxy enforces the mail protocol rules on the traffic sequence. This has the effect of blocking unwanted non-mail traffic, which is unlikely to follow these rules, from accessing the protected network.
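The following is an added illustration of the point above, not code from the Trilent Mail Proxy or any other product on this page. It models a mail proxy that knows the SMTP command ordering rules (RFC 5321) and refuses to relay a client stream as soon as it breaks them. The three sessions at the bottom are constructed samples: a well-formed mail exchange, an HTTP request aimed at the mail hole, and a stream that uses real SMTP verbs in the wrong order. The state table, the `check_session` function and the hostnames are assumptions made for the example.

```python
"""Protocol-enforcing mail proxy filter (added example; not the Trilent Mail Proxy's code).

An application-level proxy that understands the mail transfer protocol can
reject traffic that does not follow it, even when that traffic arrives on
the port the firewall opened for mail.
"""
import re

# Minimal SMTP command state machine: state -> {verb: next_state}.
# Assumed for this example; it covers the core envelope sequence only.
TRANSITIONS = {
    "connected":  {"HELO": "greeted", "EHLO": "greeted", "QUIT": "closed"},
    "greeted":    {"MAIL": "envelope", "RSET": "greeted", "NOOP": "greeted",
                   "QUIT": "closed"},
    "envelope":   {"RCPT": "recipients", "RSET": "greeted", "NOOP": "envelope",
                   "QUIT": "closed"},
    "recipients": {"RCPT": "recipients", "DATA": "data", "RSET": "greeted",
                   "NOOP": "recipients", "QUIT": "closed"},
    "data":       {},          # message body; handled separately below
    "closed":     {},          # nothing is acceptable after QUIT
}

MAX_CMD_LINE = 512           # RFC 5321 command line limit, bytes incl. CRLF
VERB_RE = re.compile(r"^([A-Za-z]{4})(?:\s|$)")   # four-letter SMTP verb


def check_session(lines):
    """Walk a client's command stream through the SMTP state machine.

    Returns (ok, final_state, reason). ok is False at the first violation,
    which is the point where the proxy would stop relaying the connection.
    """
    state = "connected"
    for n, line in enumerate(lines, 1):
        if state == "data":
            # Inside the message body every line is content until a lone ".".
            if line == ".":
                state = "greeted"
            continue
        if len(line) + 2 > MAX_CMD_LINE:
            return False, state, f"line {n}: command exceeds {MAX_CMD_LINE} bytes"
        m = VERB_RE.match(line)
        if not m:
            return False, state, f"line {n}: not an SMTP command: {line[:40]!r}"
        verb = m.group(1).upper()
        allowed = TRANSITIONS[state]
        if verb not in allowed:
            return False, state, f"line {n}: {verb} not permitted in state {state!r}"
        state = allowed[verb]
    return True, state, "conforms to SMTP command ordering"


# Constructed sample sessions (hostnames and addresses are placeholders).
GOOD_SESSION = [
    "EHLO client.example.test",
    "MAIL FROM:<alice@example.test>",
    "RCPT TO:<bob@example.test>",
    "DATA",
    "Subject: hello",
    "",
    "just checking in",
    ".",
    "QUIT",
]

# Non-mail traffic sent through the mail hole: an HTTP request.
HTTP_ON_MAIL_PORT = [
    "GET / HTTP/1.1",
    "Host: internal.example.test",
    "",
]

# Real SMTP verbs, but RCPT before MAIL violates the envelope order.
OUT_OF_ORDER = [
    "HELO client.example.test",
    "RCPT TO:<bob@example.test>",
    "MAIL FROM:<alice@example.test>",
]

if __name__ == "__main__":
    for name, session in [("good", GOOD_SESSION),
                          ("http", HTTP_ON_MAIL_PORT),
                          ("out-of-order", OUT_OF_ORDER)]:
        ok, state, reason = check_session(session)
        print(f"{name:13s} relay={ok} state={state} ({reason})")
```

The HTTP stream is refused on its very first line because `GET` is not a four-letter SMTP verb, and the out-of-order stream is refused at `RCPT` because no recipient may be given before `MAIL FROM`. A proxy that only forwarded bytes (or a plain NAT) would pass both streams through to the internal mail server.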
Some proxy servers support proxying at the transport layer. They are called circuit-level proxies or transparent proxies, as they do not require configuration. These proxies operate on the same principle as NAT, described in the previous section, and share its strengths and weaknesses.
There are also intelligent circuit-level proxies, based on the SOCKS protocol. These proxies are transparent to the user, but require support for SOCKS to be built into client applications for proxying to work. SOCKS proxies are beyond the scope of this document.