6.6.3. Analyzing embedded traffic

Most Zorp proxies can pass the payload they receive in the incoming traffic to another proxy for further analysis. This kind of complex data analysis is performed by placing one proxy inside another, a process called stacking. Stacking is especially useful for filtering compound traffic: traffic that consists of two (or more) protocols, or that needs to be analyzed in two different ways.

Note

Earlier versions of Zorp used stacking to inspect encrypted protocols, for example HTTPS or IMAPS. Now every proxy can decrypt SSL and TLS on its own, without stacking another proxy. For details on configuring Zorp to handle encrypted connections, see How to configure SSL proxying in Zorp 7.

Usually protocols consist of two parts:

  • control information, and

  • data.

Protocol proxies analyze and filter the control part and, with a few exceptions, are unaware of the contents of the data part. When the data part also needs screening, a proxy can stack another proxy that is capable of filtering the data: the external (upper) proxy passes the data part to the internal (lower) proxy, which inspects only that data and not the protocol control information around it.

Figure 6.61. Stacking proxies

Example 6.8. Virus filtering and stacked proxies

Virus filtering is one common case of analyzing traffic in more than one way. It is typically performed on HTTP, POP3 and SMTP traffic, because these are the protocols viruses generally use to spread over the Internet (with Zorp it is possible to filter viruses in other protocols as well). When virus filtering is configured, a standard protocol proxy works in tandem with an antivirus engine: the antivirus engine is stacked into the protocol proxy, so both protocol-specific filtering and virus filtering are performed on the data.

For details on configuring virus filtering in HTTP and HTTPS traffic, see How to configure virus filtering in HTTP.
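The following program models the control/data split described above and the virus-filtering scenario of Example 6.8 in plain Python. It is an added illustration written for this page, not Zorp's own code or policy configuration: the class names (OuterHttpProxy, SignatureFilter, MultipartFilter), the toy HTTP parser and the sample requests are all constructed here. The upper proxy parses and filters only the request line and headers (the control part) and hands the body (the data part) to a stacked filter; the stacked filter is either an antivirus stand-in that matches the EICAR test string, or a multipart splitter that in turn stacks the antivirus stand-in under itself, which is the "two protocols" case of compound traffic.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed sample "virus": the EICAR anti-virus test string, a standard,
# harmless pattern that antivirus engines detect on purpose.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


@dataclass
class Verdict:
    accepted: bool
    reason: str


class DataFilter:
    """Interface of a stacked (lower) proxy: it receives only the data part."""
    def scan(self, data: bytes) -> Verdict:
        raise NotImplementedError


class SignatureFilter(DataFilter):
    """Stand-in for an antivirus engine: rejects data containing a known pattern."""
    def __init__(self, signatures):
        self.signatures = list(signatures)

    def scan(self, data: bytes) -> Verdict:
        for sig in self.signatures:
            if sig in data:
                return Verdict(False, "signature match")
        return Verdict(True, "clean")


class MultipartFilter(DataFilter):
    """Second protocol layer: splits a multipart body into parts and stacks
    another filter under itself for each part's payload."""
    def __init__(self, boundary: bytes, inner: DataFilter):
        self.delimiter = b"--" + boundary
        self.inner = inner

    def scan(self, data: bytes) -> Verdict:
        chunks = data.split(self.delimiter)
        # chunks[0] is the preamble; the last chunk must be the closing "--".
        if len(chunks) < 3 or not chunks[-1].startswith(b"--"):
            return Verdict(False, "malformed multipart body")
        for chunk in chunks[1:-1]:
            _, sep, payload = chunk.partition(b"\r\n\r\n")
            if not sep:
                return Verdict(False, "multipart part without header terminator")
            verdict = self.inner.scan(payload.rstrip(b"\r\n"))
            if not verdict.accepted:
                return verdict
        return Verdict(True, "all parts clean")


class OuterHttpProxy:
    """Upper proxy: parses and filters the control part (request line and
    headers), then hands the data part to the stacked filter, if any."""
    def __init__(self, allowed_methods, build_stack: Callable[[Dict[bytes, bytes]], Optional[DataFilter]]):
        self.allowed_methods = set(allowed_methods)
        self.build_stack = build_stack

    @staticmethod
    def parse_control(head: bytes) -> Tuple[bytes, Dict[bytes, bytes]]:
        lines = head.split(b"\r\n")
        request_line = lines[0].split(b" ")
        if len(request_line) != 3:
            raise ValueError("bad request line")
        headers: Dict[bytes, bytes] = {}
        for line in lines[1:]:
            name, sep, value = line.partition(b":")
            if not sep:
                raise ValueError("bad header line")
            headers[name.strip().lower()] = value.strip()
        return request_line[0], headers

    def handle(self, raw: bytes) -> Verdict:
        head, sep, body = raw.partition(b"\r\n\r\n")
        if not sep:
            return Verdict(False, "malformed request: no end of headers")
        try:
            method, headers = self.parse_control(head)
            length = int(headers.get(b"content-length", b"0"))
        except ValueError as exc:
            return Verdict(False, f"control part rejected: {exc}")
        if method not in self.allowed_methods:
            return Verdict(False, "method not allowed")
        if length != len(body):
            return Verdict(False, "Content-Length does not match the body")
        stacked = self.build_stack(headers) if body else None
        if stacked is None:
            return Verdict(True, "control part accepted, no data to inspect")
        verdict = stacked.scan(body)  # only the data part reaches the lower proxy
        if not verdict.accepted:
            return Verdict(False, "stacked filter rejected data: " + verdict.reason)
        return Verdict(True, "control and data parts accepted")


def build_stack(headers: Dict[bytes, bytes]) -> DataFilter:
    """Chooses what to stack from the control part: multipart bodies get a
    splitter with the antivirus stand-in under it, everything else the
    antivirus stand-in directly."""
    antivirus = SignatureFilter([EICAR])
    ctype = headers.get(b"content-type", b"")
    if not ctype.startswith(b"multipart/"):
        return antivirus
    _, sep, rest = ctype.partition(b"boundary=")
    if not sep:
        return antivirus  # no boundary given: scan the raw body as a whole
    boundary = rest.split(b";", 1)[0].strip().strip(b'"')
    return MultipartFilter(boundary, antivirus)


def build_request(method: bytes, body: bytes, content_type: bytes = b"application/octet-stream") -> bytes:
    """Constructed sample HTTP/1.1 request: control part, blank line, data part."""
    return (method + b" /upload HTTP/1.1\r\nHost: example.test\r\n"
            + b"Content-Type: " + content_type + b"\r\n"
            + b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


def demo() -> Dict[str, Verdict]:
    proxy = OuterHttpProxy({b"GET", b"POST"}, build_stack)
    multipart_body = (b"--XyZ\r\nContent-Disposition: form-data; name=\"a\"\r\n\r\nhello\r\n"
                      + b"--XyZ\r\nContent-Disposition: form-data; name=\"b\"; filename=\"x.com\"\r\n\r\n"
                      + EICAR + b"\r\n--XyZ--\r\n")
    return {
        "clean": proxy.handle(build_request(b"POST", b"hello")),
        "infected": proxy.handle(build_request(b"POST", EICAR)),
        "multipart": proxy.handle(build_request(b"POST", multipart_body, b"multipart/form-data; boundary=XyZ")),
        "bad_method": proxy.handle(build_request(b"DELETE", b"hello")),
        "bad_length": proxy.handle(b"POST /upload HTTP/1.1\r\nContent-Length: 99\r\n\r\nabc"),
    }
```

Running demo() shows the division of labour: the method and Content-Length checks are rejected by the upper proxy without the stacked filter ever seeing the body, while the EICAR pattern is caught only by the lower filter, both in a raw body and inside the second part of a multipart upload. Note that the boundary the multipart splitter needs comes from the control part, so the upper proxy has to hand that piece of context down when it builds the stack.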

For each stacking scenario there are a number of attributes that can be configured. For details, see the Zorp Professional 7 Reference Guide.