6.6.3. Analyzing embedded traffic

Most Application-level Gateway proxies can pass the information received as the payload of the incoming traffic to another proxy for further analysis. This kind of complex data analysis is possible by placing a proxy inside another one. This process is called stacking. Stacking is especially useful in filtering compound traffic, a traffic that consists of two (or more) protocols or that needs to be analyzed in two different ways.

Note
Earlier versions of Application-level Gateway used stacking to inspect encrypted protocols, for example, HTTPS or IMAPS. Now every proxy can decrypt SSL and TLS encryption without having to use another proxy. For details on configuring Application-level Gateway to handle encrypted connections, see How to configure SSL proxying in PNS 1.0.

Usually protocols consist of two parts:

control information, and
data.

Protocol proxies analyze and filter the control part and except for some cases they are unaware of the data part. At this point, further screening of the data might be needed, therefore proxies are able to stack in other proxies capable of filtering the data part, so the external (upper) proxy passes that data traffic to the internal (lower) proxy.

Figure 6.57. Stacking proxies

Example 6.8. Virus filtering and stacked proxies
Virus filtering is also a multiple analysis of traffic. This is typically performed in HTTP, POP3 and SMTP traffic, because these are the protocols viruses generally use for spreading over the Internet (using Application-level Gateway it is possible to filter for viruses in other protocols as well). When virus filtering is configured, a standard protocol proxy works in tandem with an antivirus engine and in this way both protocol specific and virus filtering is performed on the data if you stack the antivirus engine into some proxy. For details on configuring virus filtering in HTTP and HTTPS traffic, see How to configure virus filtering in HTTP.

Example 6.8. Virus filtering and stacked proxies

Virus filtering is also a multiple analysis of traffic. This is typically performed in HTTP, POP3 and SMTP traffic, because these are the protocols viruses generally use for spreading over the Internet (using Application-level Gateway it is possible to filter for viruses in other protocols as well). When virus filtering is configured, a standard protocol proxy works in tandem with an antivirus engine and in this way both protocol specific and virus filtering is performed on the data if you stack the antivirus engine into some proxy.

For details on configuring virus filtering in HTTP and HTTPS traffic, see How to configure virus filtering in HTTP.

For each stacking scenarios there are a number of attributes that can be configured. For more information see the Proxedo Network Security Suite 1.0 Reference Guide.

Previous	Up	Next
	Home

Proxedo Network Security Suite 1.0 Administrator Guide

6.6. Proxy classes

6.6.3. Analyzing embedded traffic