
This is the Title of the Book, eMatter Edition
Copyright © 2007 O’Reilly & Associates, Inc. All rights reserved.
36
|
Chapter 2: Designing Perimeter Networks
The primary disadvantages of proxying firewalls are performance and flexibility.
Since a proxying firewall actively participates in, rather than merely monitoring, the
connections it brokers, it must expend much more of its own resources for each
transaction than a packet filter does—even a stateful one. Furthermore, whereas a
packet filter can very easily accommodate new services, since it deals with them only
at low levels (e.g., via low-level protocols common to many applications), an applica-
tion-layer proxy firewall can usually provide full protection only to a relatively small
variety of known services, albeit probably the most popular and important ones.
However, both limitations can be mitigated to some degree. A proxying firewall run
on clustered server-class machines can easily manage large (T3-sized) Internet con-
nections. Most proxy suites now include some sort of Generic Service Proxy (GSP), a
proxy that lacks application-specific intelligence but can still provide protection
against attacks on TCP/IP anomalies—by rewriting IP and TCP/UDP headers, while
passing data payloads as is. A GSP can be configured to listen on any port (or mul-
tiple ports) for which the firewall has no application-specific proxy.
As a last resort, most ...