Administrators often call proxy servers application-layer gateways, which retrieve content from the Internet for internal clients. A performance benefit associated with proxy servers is that they can serve frequently requested content from the disk-based cache rather than fetching the same content again from the Internet. Proxy servers are similar to application-layer gateways in that the servers implement security at the application layer based on individual protocols such as HTTP and FTP. Each protocol requires a separate proxy service (e.g., Web Proxy for Microsoft Proxy Server).
If a proxy server restricts users from accessing content at the domain level (e.g., restricting the use of HTTP at *.domain name.com), the request must travel all the way up the Open System Interconnection (OSI) model to the application layer before the server evaluates and potentially declines it. If the proxy's security policy lets the server accept the request, the proxy acts as the intermediary, or application-layer gateway, between the client and the desired host for the desired service. All subsequent data must go through the proxy's connection between the two hosts. (Note: The Winsock Proxy and SOCKS Proxy services found in Proxy Server 2.0 use circuit-layer filtering, which functions at the session layer rather than at the application or network layers.)
Firewalls, however, operate at a much lower level in the OSI model than application-layer gateways. Firewalls perform most of their work at the network layer and above and don't offer the benefits of cached content. They also tend to offer more realtime monitoring, alerts, and logging.
Firewalls are similar to proxy servers in that they implement security based on an IP-address and network-services security policy. However, you can modify a firewall's policy much more easily than you can a proxy server's. You can block or open specific ports to let a new service in or to keep one out, making it easier to change the network's security policy. This feature is called packet-layer filtering, meaning the firewall evaluates based on characteristics of individual packets as they arrive on the interface rather than the application-layer gateway's approach of evaluating the request itself, which may require reassembling several packets before the evaluation takes place.
Proxy Server 2.0 takes the best of both worlds—application-layer gateways and firewalls—by balancing between application-layer filtering and packet filtering. Proxy Server isn't a complete firewall solution in the sense that you can take your company's security policy and implement it entirely on Proxy Server, but it does offer a performance boost for certain services and selective access control for your Web browsers—something that many firewall solutions have a tough time delivering. Proxy Server is a great addition to an existing firewall-only company and an inexpensive solution for companies without serious protection from the unknowns lurking on the Internet.
