Application-level Gateway Proxy Servers

Application gateways monitor packets at the application level, analyzing data as an entire message instead of individual packets. Using rules or filters, the proxy server can determine if the message contains good or malicious data.

When using an application-level gateway, certain transport layer protocols work better than others. Since TCP^[1] is a connection-based protocol, it can easily be used through a proxy server. The proxy server applies the filters to the TCP session only when the session is initialized. During the life of the TCP session, the proxy server does not analyze the TCP header portion of the packet.
UDP^[2] is connectionless and each UDP packet is treated as an individual message. The proxy server analyzes each packet and applies it to the filters separately, slowing the proxy process. ICMP^[3] is nearly impossible to proxy, so programs that rely primarily on ICMP messages typically do not work through an application-level gateway.

Advantages of an application-level gateway are that the proxy server:

1. Provides network address translation (NAT)^[4]
2. Features robust logging and alarming features
3. Analyzes nearly every portion of a TCP/IP session
4. Allows access restriction to an entire domain
5. Provides Reverse proxy service: A company's registered Web or email server located outside a network's firewall system is used to prevent public users from contacting the Web server directly. When public users access the reverse proxy Web server, it contacts the Web server that resides behind the firewall. reverse proxy services
6. Scans Simple Mail Transfer Protocol (SMTP): The Internet standard protocol to transfer electronic mail messages from one computer to another. It specifies how two mail systems interact, as well as the format of control messages they exchange to transfer mail.
7. Monitors specific HTTP^[5] and NNTP^[6] traffic for restricted content

One disadvantage of application-level gateways is that the filters for the TCP/IP applications must be configured individually. To create secure filters, firewall administrators will require extensive knowledge of all the applications and the unique settings for each. In some cases, specific proxy servers will need to be created to proxy a single application.

A proxy array is several proxy servers configured as one. Proxy arrays are also known as proxy clusters and are provided for load balancing. When several reverse proxy servers are used together, the total amount that the servers can cache is increased. The group also provides fault tolerance in case one of the proxies fails. Certain proxy arrays can also act as a single unit. For example, depending on how the proxy servers in the array are configured, changing a setting of one will change the settings on all. Proxy arrays are often used in a reverse proxy environment as well. When proxy arrays are used with a reverse proxy solution, public users can access several Web servers simultaneously.

[1] (TCP/IP)Transmission Control Protocol/Internet Protocol: A suite of protocols that turns information into blocks of information called packets. These are then sent across networks such as the Internet.

[2] (UDP) User Datagram Protocol: A connectionless protocol at the transport layer of the TCP/IP protocol stack, often used for broadcast-type protocols such as audio or video traffic.

[3] (ICMP)Internet Control Message Protocol: A protocol used to communicate errors or other conditions at the IP layer

[4] (NAT) Network address translation: Network Address Translation (NAT) hides internal IP addresses from the external network. When a firewall is configured to provide NAT, all internal addresses are translated to public IP addresses when connecting to an external source.

[5] (HTTP)Hypertext Transfer Protocol: A TCP/IP application that uses a browser to access and retrieve Web pages from the server.

[6] (NNTP) Network News Transfer Protocol: A TCP/IP application that is one-to-many communication: a message is posted to a single location, and any number of users can contact the NNTP server to retrieve it.