6.6. Proxy classes

A proxy component is responsible for analyzing, filtering and possibly modifying the data that is passed through it.

Proxies work with data streams they receive as input and emit another (possibly altered) data stream as output. They never actually see “traffic” in the traditional sense; the details of connection establishment and management are handled by separate software components. Therefore, proxies can easily interoperate with each other or with other non-firewall software like virus filters, since data is passed among them as simple data stream.

A proxy class is the low level proxy and its configuration settings. Proxy classes are responsible for analyzing and checking the data part of packets and passing it between the client and the server. Proxy classes can be used in service definitions. Together with the other components configured as service parameters (for example, routers) they can be used to analyze/filter communication channels among network hosts. Most proxy classes are protocol-specific, meaning that they are aware of the protocol-specific information within the data stream they are processing.

There are built-in proxy classes for the most typical network traffic types, like HTTP, FTP, POP3, SMTP, telnet, and also for some less frequently used protocols, like TELNET and LDAP. They can be used in service definitions without modifications of the default class properties and their values. See the Proxedo Network Security Suite 2 Reference Guide for details.

Note

Proxies in Application-level Gateway are fully RFC-compliant so a traffic that pretends to be of a certain type but violates RFC specifications concerning the given traffic type are not proxied but automatically denied instead. For example, the HTTP proxy enforces by default the RFCs for HTTP (2616 and 1945).

Example 6.7. RFC-compliant proxying in Application-level Gateway

A good example for this rule is the CODE RED worm that infected so many IIS servers around the world: the heart of this worm was a specially formatted URL request which was not RFC-compliant but was nevertheless serviced by IIS servers that had not been patched against it. Most firewall products, even application proxy firewalls let it pass through and only the most accurate ones, like Application-level Gateway, stopped the worm, realizing that the URL request coming from the worm violated RFC rules.

If using default proxy classes and property values is not enough, it is possible to derive new classes from the original ones. Derived proxy classes inherit all the properties of the original (parent) classes and these properties can then be altered. The number of configurable parameters varies among proxies; proxy for HTTP traffic has the most. It is completely up to the administrator whether and to what extent they are used in the firewall's policy settings.

Note

Whenever you start customizing a proxy, you do not actually create a new proxy, but derive a proxy class from the selected built-in proxy implementation and configure different settings for it. You only modify the configuration, not the proxy module itself.