What actually is a proxy firewall?


A proxy firewall

A proxy firewall, in contrast to a packet-oriented firewall, is able to monitor and filter application-level communication. It protects networks and their resources against unwanted or dangerous traffic.

The Proxy Firewall is also called Application Layer Firewall or Application Firewall for short. It is a security system that can monitor and filter application-level communication. In contrast to purely packet-oriented firewalls, it not only evaluates address and protocol data from IP packets, but also analyzes traffic directly in the application layer.

It uses the Proxysite rationale by acting as a proxy between the resources to be protected and other networks, such as the Internet. The proxy firewall intercepts all requests to and from the Internet, filters them and passes them on behalf of or blocks them. At the same time, the proxy firewall can cache functions of a proxy server bar. All connections from the network to be protected or from the protected network terminate the proxy firewall itself. As a result, it acts as an independent communication partner for the target and source systems.

Through this proxy function, the proxy firewall can analyze the data contiguously up to layer seven of the OSI layer model. Compared to the target system, the proxy firewall behaves like a client, like a server to the requesting client.


To be able to analyze and filter the traffic, the proxy firewall must know the protocols to be monitored. It has its own filter for each protocol, such as HTTP, SMTP, FTP or DNS. In this, unwanted protocol options or data communications can be prohibited. The proxy-based firewall is considered a very secure form of firewall because it blocks direct network traffic between internal and external systems. An internal device can never directly receive a data packet from an external system. The firewall is always in between and at the same time the source and destination of any communication.

The proxy rationale

The proxy policy is based on the proxy function for network services. A proxy works as a proxy for a client who wants to gain access to a particular service. As a result, it shields both services and clients from each other and prevents direct connections between the two communication partners. If a client wants to establish a connection to a service, it first communicates with the proxy. This establishes the connection to the server on behalf of the client. The proxy forwards the data from the client to the server and transmits the data received from the server to the client.

Distinction between transparent and non-transparent proxy

There are two principal ways in which a proxy works. It can be transparent or non-transparent from the client’s point of view. If it is a non-transparent proxy, the client must be informed about its existence. For this purpose, the client and its software receive a special proxy configuration, which ensures that the traffic to the outside is first addressed to the proxy. If this configuration does not exist, the client cannot communicate through the proxy. However, as the proxy usually provides the only communication path to other networks, communication to the outside without the corresponding proxy configuration is generally cut off.

By contrast, the transparent proxy knows nothing about the client’s existence. The transparent proxy intercepts the communication requests of the client to the outside and intervenes as deputy instance. Outwardly, the transparent proxy acts like the non-transparent proxy as a communication partner. However, the client assumes that it communicates directly with the target system. This is made possible by the manipulation of the IP addresses. The clients do not need a special configuration for a transparent proxy.

The operation of a proxy firewall

Since the proxy firewall carries all communication on behalf of the clients to be protected, it can analyze the transmitted data in great detail. It verifies that the communication complies with the previously established protocol rules and policies and allows traffic to be blocked or blocked.

The received packets can not only be examined for source and destination addresses or ports, but the information can be analyzed directly at the application level. Due to the address conversion taking place through the proxy firewall, the clients remain completely hidden in the network to be protected.