Welcome to Bucaro TecHelp!

What Roles Do Firewalls and Proxy Servers Play in Network Security?

Prior to firewalls being developed, routers provided network security through the use of Access Control Lists. Firewalls themselves only came on the scene in the late 1980s in response to the demand for greater security as the Internet began to take shape.

The first firewalls were fairly simple packet filters that worked by inspecting IP packets and comparing certain information in each packet with a set of packet filtering rules. The source and destination IP addresses, together with the protocol type, would normally be checked against this set of rules. When the protocol type was TCP or UDP, the port numbers would also be checked. This meant that application protocols using well-known port numbers could be identified and filtered by means of the port numbers associated with them.

If applications use non-standard port numbers, then their identification is not possible. Packet filters are therefore only really effective at the lower layers of the OSI reference model, up to Layer 4, the transport layer. These packet filter firewalls are known as stateless because they are not able to determine where a packet sits within a stream of packets, or what the condition of the connection is at the time.

The next development was that of stateful packet inspection where each data packet is examined, as well as its position within a data stream. A stateful packet inspection firewall can determine whether an individual packet is part of an existing conversation or stream, or whether it is the start of a new connection. This type of firewall was given the label of second-generation as it was a step up from the original stateless packet filter.
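The difference between the two generations can be shown on three constructed packets. This is an added example, not code from the original article; the addresses, the rule set and the `Packet` model are assumptions, and the connection table is a simplified stand-in for real connection tracking.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed packet model: only the header fields the article says are checked.
Packet = namedtuple("Packet", "src dst proto sport dport flags")
INSIDE = ip_network("192.0.2.0/24")  # assumed internal network (documentation range)

def stateless_filter(pkt):
    """First generation: every packet is judged on its own header fields."""
    outbound = ip_address(pkt.src) in INSIDE
    if pkt.proto == "tcp" and outbound and pkt.dport == 443:
        return "permit"          # inside clients may reach HTTPS servers
    if pkt.proto == "tcp" and not outbound and pkt.sport == 443:
        return "permit"          # "return traffic" can only be guessed from the source port
    return "deny"

class StatefulFilter:
    """Second generation: remembers which connections were opened from inside."""
    def __init__(self):
        self.table = set()       # entries: (client, client_port, server, server_port)

    def check(self, pkt):
        if pkt.proto != "tcp":
            return "deny"
        if ip_address(pkt.src) in INSIDE:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == "S" and pkt.dport == 443:
                self.table.add(key)              # start of a new permitted connection
            return "permit" if key in self.table else "deny"
        # Inbound packet: permit only as a reply inside a tracked connection.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "permit" if key in self.table else "deny"

# Constructed sample traffic.
PACKETS = [
    Packet("192.0.2.10", "198.51.100.5", "tcp", 50000, 443, "S"),   # client opens a connection
    Packet("198.51.100.5", "192.0.2.10", "tcp", 443, 50000, "SA"),  # server's reply
    Packet("203.0.113.9", "192.0.2.10", "tcp", 443, 50001, "A"),    # unsolicited, no prior SYN
]

def compare(packets):
    """Return (stateless verdict, stateful verdict) for each packet in order."""
    fw = StatefulFilter()
    return [(stateless_filter(p), fw.check(p)) for p in packets]

if __name__ == "__main__":
    for pkt, verdicts in zip(PACKETS, compare(PACKETS)):
        print(pkt.src, "->", pkt.dst, verdicts)
```

The third packet matches the stateless "source port 443" rule but belongs to no tracked connection, so only the stateful filter drops it.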

Neither first- nor second-generation firewalls could guarantee to detect or filter particular applications unless those applications adhered to the published lists of well-known TCP and UDP ports. In other words, it would be possible to circumvent the firewall by setting up application protocol communications using non-standard ports. If we are to have confidence that we can protect our networks from unauthorised access or harmful content, then we need to be able to perform deep packet inspection.

A firewall with this capability is often known as an application layer firewall because it can detect specific application protocol content regardless of the TCP or UDP port numbers in use. Any applications that exhibited unusual characteristics would be filtered out to ensure viruses and other unwanted material did not infect the network.
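The sketch below contrasts labelling a flow by its destination port with labelling it by the first bytes of its payload, which is the core idea of application layer inspection. It is an added example, not code from the original article; the port policy, the three signatures and the sample payloads are constructed assumptions, and production inspection engines use far richer protocol decoders.

```python
import re

# Assumed policy: the protocol each port is expected to carry.
PORT_POLICY = {22: "ssh", 80: "http", 443: "tls"}

HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")

def classify_by_port(dport):
    """What a port-based packet filter assumes the traffic is."""
    return PORT_POLICY.get(dport, "unknown")

def classify_by_payload(payload):
    """Identify the protocol from the first bytes of the stream, ignoring the port."""
    if payload.startswith(b"SSH-2.0-"):
        return "ssh"                               # SSH identification string
    if HTTP_REQUEST.match(payload):
        return "http"                              # HTTP/1.x request line
    # TLS record: type 0x16 (handshake), major version 0x03, handshake type 0x01 (ClientHello)
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    return "unknown"

def inspect(flows):
    """Return (port, port label, payload label, verdict) for each flow."""
    rows = []
    for dport, payload in flows:
        by_port = classify_by_port(dport)
        by_payload = classify_by_payload(payload)
        # Permit only when the content is recognised and is what the port should carry.
        ok = by_payload != "unknown" and by_payload == by_port
        rows.append((dport, by_port, by_payload, "permit" if ok else "deny"))
    return rows

# Constructed sample flows: (destination port, first bytes sent by the client).
FLOWS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (80, b"SSH-2.0-ExampleClient_1.0\r\n"),        # not HTTP, although the port says so
    (8080, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),  # HTTP on a port with no policy
    (443, b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03"),   # start of a TLS ClientHello
]

if __name__ == "__main__":
    for row in inspect(FLOWS):
        print(row)
```

The second and third flows are the cases a port-only filter gets wrong: one is mislabelled as HTTP, the other is not recognised at all.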

A fairly new feature that is sometimes associated with later firewalls is sandboxing, a security feature that has the ability to separate programs and create an environment where untrusted programs can be run with relative safety. These programs are restricted from accessing certain resources on a host, such as memory or disk space.

A proxy server is normally a standalone device, or software running on a host, that acts as a packet filter for connection requests. It is an intermediary device sitting between hosts and servers that filters the requests by checking IP addresses, protocol and/or application content. If the proxy server deems the connection request to be valid, then it connects to the application server and requests the service on behalf of the client device.

A proxy server will often cache information such as web pages and return this content directly to the client devices rather than forward the request to the application server such as a Web server. Although there are now many different types of Proxy Servers, by far the most common is the Caching proxy, which is in use with many medium to large business networks as well as Service Provider networks.

To summarize, both proxy servers and firewalls are commonly found in networks today and firewalls have evolved since the first stateless packet filter types at the end of the 80s. With so many applications running on today's Internet, it is imperative that we are able to interrogate and analyse the content of the network packets and not just the header information. Some proxy servers, in particular caching proxies, are able to act as a central filtering point in the network for many application services, as well as be able to cache content and forward this content direct to the client devices without involving the application server itself.


David Christie is MD at NSTUK Ltd, a Technical Training and Consultancy company based in the Northeast of England. David delivers technical training in the area of Data Communications and Telecoms and also provides consultancy and Training Needs Analysis. The company runs an ecommerce website specialising in the sale of Networking hardware and consumer electronics. Website: IP express

Copyright©2001-2014 Bucaro TecHelp 13771 N Fountain Hills Blvd Suite 114-248 Fountain Hills, AZ 85268