home | O'Reilly's CD bookshelfs | FreeBSD | Linux | Cisco | Cisco Exam  

Building Internet Firewalls

Building Internet FirewallsSearch this book
Previous: 7.2 How Proxying Works Chapter 7
Proxy Systems
Next: 7.4 Using Proxying with Internet Services

7.3 Proxy Server Terminology

This section describes a number of specific types of proxy servers.

7.3.1 Application-Level Versus Circuit-Level Proxies

An application-level proxy is one that knows about the particular application it is providing proxy services for; it understands and interprets the commands in the application protocol. A circuit-level proxy is one that creates a circuit between the client and the server without interpreting the application protocol. The most extreme version of an application-level proxy is an application like Sendmail , which implements a store-and-forward protocol. The most extreme version of a circuit-level proxy is one of the modern hybrid proxy gateways that looks like a proxy to the outside but like a filtering router to the inside.

In general, application-level proxies use modified procedures, and circuit-level proxies use modified clients. This has to do with the practicalities of proxying. In order to make a proxy connection, you have to know where the connection is supposed to go. A hybrid gateway can simply intercept connections, but a proxying host can only receive connections that are bound for it; something else has to tell it where to make the onward connection. An application-level proxy can get that information in the application protocol (either by using design features, or by reinterpreting user-supplied data). A circuit-level proxy can't interpret the application protocol and needs to have the information supplied to it through other means (e.g., by using a modified client that gives the server the destination address). Because the ability to use unmodified clients is a useful feature, application-level proxies generally are designed to take advantage of their application protocol knowledge (so they use modified procedures). Circuit-level proxies usually have no way to use modified procedures, so they use modified clients.

Although there are no known modified-client application-level proxies, there are modified-procedure circuit-level proxies. plug-gw , for example, described in "Generic Proxying with TIS FWTK " later in this chapter, uses modified procedures (the connection is made to the proxy server, instead of the destination host) and is a circuit-level proxy. It bases destination decisions purely on the source address, and the source and destination ports of the connection.

The advantage of a circuit-level proxy is that it provides service for a wide variety of different protocols. Most circuit-level proxy servers are also generic proxy servers; they can be adapted to serve almost any protocol. Not every protocol can easily be handled by a circuit-level proxy, however. Protocols like FTP , which communicate port data from the client to the server, require some protocol-level intervention, and thus some application-level knowledge. The disadvantage of a circuit-level proxy server is that it provides very little control over what happens through the proxy. Like a packet filter, it controls connections on the basis of their source and destination and can't easily determine whether the commands going through it are safe or even in the expected protocol. Circuit-level proxies are easily fooled by servers set up at the port numbers assigned to other servers.

7.3.2 Generic Versus Dedicated Proxies

Although "application-level" and "circuit-level" are frequently used terms, we more often distinguish between "dedicated" and "generic" proxy servers. A dedicated proxy server is one that serves a single protocol; a generic proxy server is one that serves multiple protocols. In practice, dedicated proxy servers are application-level, and generic proxy servers are circuit-level. Depending on how you argue about shades of meaning, it might be possible to produce a generic application-level proxy server (one that understands a wide range of protocols) or a dedicated circuit-level proxy server (one that provides only one service, but doesn't understand the protocol for it). Neither of these ever occur, however, so we use "dedicated" and "generic" merely because we find them somewhat more intuitive terms than "application-level" and "circuit-level."

7.3.3 Intelligent Proxy Servers

A proxy server can do a great deal more than simply relay requests; one that does is an intelligent proxy server . For example, the CERN HTTP proxy server caches data, so that multiple requests for the same data don't go out across the Internet. Proxy servers (particularly application-level servers) can provide better logging and access controls than those achieved through other methods, although few existing proxy servers take full advantage of the opportunities. As proxy servers mature, their abilities are increasing rapidly. Now that there are multiple proxy suites that provide basic functionality, they're beginning to compete by adding features. It's easier for a dedicated, application-level proxy server to be intelligent; a circuit-level proxy has limited abilities.

Previous: 7.2 How Proxying Works Building Internet Firewalls Next: 7.4 Using Proxying with Internet Services
7.2 How Proxying Works Book Index 7.4 Using Proxying with Internet Services