Firewall Fundamentals
Because of how effective application proxies can be at filtering traffic, one might wonder why everyone does not use an application proxy firewall. There are a few good reasons for this.

First, application proxies are only effective at proxying requests for applications that the proxy has defined. Unfortunately, most proxies can handle only a relatively small number of applications. This limitation means that the other applications are not permitted, or that you have to use a generic service proxy (which may not provide the required functionality), or that the proxy handles the additional traffic as a packet-filtering firewall (making the firewall a hybrid application proxy firewall).

Second, application proxies tend to have worse performance than packet-filtering firewalls. This stands to reason because application proxies process packets to the application layer (in contrast to packet-filtering firewalls, which tend to process packets to the network or transport layer). This requires application proxies to spend more time processing each packet, which results in increased latency in the delivery of data. Therefore, application proxies can generally handle fewer packets per second and have a lower maximum throughput than packet-filtering firewalls.

Finally, application proxies tend to be more expensive than corresponding packet-filtering firewalls. This is because application proxies tend to have higher hardware requirements (generally needing faster processors and more memory) as well as higher development costs, because the application intelligence enabling the proxy to function requires more development and maintenance than a packet-filtering firewall. Consequently, application proxies tend to be used as specialty firewalls, whereas packet-filtering firewalls tend to be general-purpose firewalls.
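The first two points can be seen in a small model of a hybrid firewall. This is an added example, not code from the original text; the ports, networks, method allowlist and function names are assumptions made for illustration. Traffic with a defined proxy is parsed at the application layer, while everything else is either refused or falls back to a check on address and port only.

```python
# Added illustration; ports, networks and allowlists are constructed assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Flow:
    src: str          # client IP address
    dst_port: int     # destination TCP port
    payload: bytes    # first bytes the client sends

def http_proxy(payload: bytes) -> bool:
    """Application-layer check: parse the request line, allow only listed methods."""
    try:
        method, _target, version = payload.split(b"\r\n", 1)[0].decode("ascii").split(" ")
    except (UnicodeDecodeError, ValueError):
        return False  # not a well-formed HTTP request line
    return method in {"GET", "HEAD", "POST"} and version in {"HTTP/1.0", "HTTP/1.1"}

# Applications the proxy "has defined"; every other port has no proxy.
PROXIES = {80: http_proxy}

# Packet-filter rules: (source network, destination port). No payload inspection.
FILTER_RULES = [(ip_network("10.0.0.0/8"), 80), (ip_network("10.0.0.0/8"), 5432)]

def packet_filter(flow: Flow) -> bool:
    """Network/transport-layer check only: source address and destination port."""
    src = ip_address(flow.src)
    return any(src in net and flow.dst_port == port for net, port in FILTER_RULES)

def decide(flow: Flow, fallback: str = "deny") -> tuple[str, str]:
    """Return (verdict, layer that made the decision).

    fallback="deny": traffic without a defined proxy is not permitted.
    fallback="packet_filter": hybrid mode, such traffic is packet-filtered.
    """
    proxy = PROXIES.get(flow.dst_port)
    if proxy is not None:
        return ("allow" if proxy(flow.payload) else "deny", "application")
    if fallback == "packet_filter":
        return ("allow" if packet_filter(flow) else "deny", "transport")
    return ("deny", "no proxy defined")

if __name__ == "__main__":
    # Constructed sample flows: an HTTP TRACE request and a non-HTTP database handshake.
    trace = Flow("10.1.2.3", 80, b"TRACE / HTTP/1.1\r\nHost: example.test\r\n\r\n")
    db = Flow("10.1.2.3", 5432, b"\x00\x00\x00\x08\x04\xd2\x16\x2f")
    print(packet_filter(trace), decide(trace))
    print(decide(db), decide(db, "packet_filter"))
```

The TRACE request passes the packet filter because its address and port match a rule, but the proxy rejects it after reading the request line; that extra parsing is the per-packet work behind the performance cost described above.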