CHAPTER 3

Proxy Policy Engine and Policy Enforcements

The expressiveness of a policy language is indicative of the maturity and sophistication level of a policy engine. The policy engine epitomizes a security proxy's ability to manage users and applications and to perform desired policy enforcement duties on the network. Chapter 1 explains the fundamental differences between a firewall and a security proxy. One of the key differences is in the expression of a policy. A firewall rule implements simple logic that examines information at the packet level, such as L2 to L4 packet headers, but not the actual packet payload.

The firewall rule concept is illustrated in Figure 3-1. When the firewall engine executes a rule in the context of a UDP flow or a TCP connection, it performs the action or actions the rule specifies on the matching flows or connections. For example, a rule may instruct the firewall to reset a TCP connection that has been idle for a specified period of time. To do so, the firewall must track the connection state, in particular each side's current sequence number and acknowledgment number, because the receiving host accepts a reset only if the RST segment's sequence number falls within its receive window; a RST with an arbitrary sequence number is silently discarded.
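The following is an added example, not code from the book, showing the minimum state a stateful firewall has to keep per TCP connection in order to carry out the idle-timeout reset described above. It tracks each endpoint's next sequence number and last acknowledgment number, flags flows that exceed an idle timeout, and then builds a RST|ACK header for each side whose sequence number is the one that side expects next. The addresses, ports, timestamps and segments are constructed for the example; the TCP checksum is left at zero on the assumption that the IP layer fills it in.

```python
"""Stateful tracking of a TCP connection and generation of a valid RST.

Added example illustrating the firewall behaviour described above; it is not
code from the book. Endpoints, timestamps and segments are constructed here.
"""
import struct
from dataclasses import dataclass, field

TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10


@dataclass
class Endpoint:
    """Per-direction state the firewall needs to forge an acceptable RST."""
    next_seq: int = 0   # next sequence number this endpoint will send
    last_ack: int = 0   # last acknowledgment number this endpoint sent


@dataclass
class Flow:
    ep: dict = field(default_factory=dict)  # (ip, port) -> Endpoint
    last_seen: float = 0.0


class FlowTable:
    """Connection table keyed by the unordered endpoint pair."""

    def __init__(self, idle_timeout: float):
        self.idle_timeout = idle_timeout
        self.flows: dict = {}

    def observe(self, src, dst, seq, ack, flags, payload_len, now):
        key = frozenset((src, dst))
        flow = self.flows.get(key)
        if flow is None:
            if not flags & TCP_SYN:
                return None  # mid-stream segment with no state: not a new connection
            flow = Flow(ep={src: Endpoint(), dst: Endpoint()})
            self.flows[key] = flow
        sender = flow.ep[src]
        # SYN and FIN each occupy one sequence number in addition to the payload
        sender.next_seq = seq + payload_len + bool(flags & TCP_SYN) + bool(flags & TCP_FIN)
        if flags & TCP_ACK:
            sender.last_ack = ack
        flow.last_seen = now
        return flow

    def idle_flows(self, now):
        return [f for f in self.flows.values() if now - f.last_seen >= self.idle_timeout]

    def build_rst(self, flow, target):
        """TCP header of a RST|ACK that `target` will accept, spoofed from its peer.

        `target` accepts a RST whose sequence number equals the next sequence
        number it expects from the peer, which is the ack number `target` itself
        sent last. The ack field carries `target`'s own next sequence number.
        """
        (peer,) = [a for a in flow.ep if a != target]
        tgt = flow.ep[target]
        # Checksum left 0: it needs the IP pseudo-header, assumed to be filled in
        # by the IP layer and not shown here.
        return struct.pack("!HHIIBBHHH", peer[1], target[1], tgt.last_ack, tgt.next_seq,
                           5 << 4, TCP_RST | TCP_ACK, 0, 0, 0)


def parse_tcp_header(hdr: bytes) -> dict:
    sport, dport, seq, ack, _off, flags, _win, _csum, _urg = struct.unpack("!HHIIBBHHH", hdr[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags}


def demo(idle_timeout=300.0):
    """Replay a constructed handshake plus data, then reset both sides once idle."""
    a, b = ("10.0.0.1", 40000), ("10.0.0.2", 80)
    table = FlowTable(idle_timeout)
    segments = [  # src, dst, seq, ack, flags, payload_len, time
        (a, b, 1000, 0, TCP_SYN, 0, 0.00),
        (b, a, 5000, 1001, TCP_SYN | TCP_ACK, 0, 0.01),
        (a, b, 1001, 5001, TCP_ACK, 0, 0.02),
        (a, b, 1001, 5001, TCP_ACK, 100, 0.03),   # 100 bytes of request
        (b, a, 5001, 1101, TCP_ACK, 200, 0.04),   # 200 bytes of response
    ]
    for seg in segments:
        table.observe(*seg)
    now = 0.04 + idle_timeout + 100.0  # well past the idle timeout
    idle = table.idle_flows(now)
    rsts = {}
    for flow in idle:
        for endpoint in flow.ep:
            rsts[endpoint] = parse_tcp_header(table.build_rst(flow, endpoint))
    return len(idle), rsts


if __name__ == "__main__":
    count, rsts = demo()
    print(count, rsts)
```

After the replayed exchange the client has sent ack 5001 and its own next sequence number is 1101, so the RST aimed at the client carries seq 5001 and ack 1101; the RST aimed at the server carries seq 1101 and ack 5201. A firewall that tracked only the 5-tuple could not produce either segment.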

Unlike the firewall rules, a proxy policy is highly expressive; this is evident in its formulation through flexible logical expressions that may encompass layer-2 (L2) to layer-4 (L4) packet header information, layer-7 (L7) application protocol content ...
