Limitations of Application Proxy Firewalls
Because of how effective application proxies can be at filtering traffic, one might wonder
why everyone does not use an application proxy firewall. There are a few good reasons.

First, application proxies are only effective at proxying requests for applications that the
proxy has defined. Unfortunately, most proxies can handle only a relatively small number
of applications. This limitation means that the other applications are not permitted, or that
you have to use a generic service proxy (which may not provide the required
functionality), or that the proxy handles the additional traffic as a packet-filtering firewall
(making the firewall a hybrid application proxy firewall).
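
The three fallbacks described above, sketched as an added example (not code from the original text or from any firewall product). The ports, rule sets and function names are assumptions chosen for illustration; the point is that only traffic with a defined application proxy has its payload inspected.

```python
from dataclasses import dataclass

# Ports, rules and names here are assumptions for illustration only.
HTTP_ALLOWED_METHODS = {"GET", "HEAD", "POST"}

def http_proxy(payload):
    """Application proxy: parse the request line, enforce a method allow list."""
    try:
        request_line = payload.split(b"\r\n", 1)[0].decode("ascii")
        method, _target, version = request_line.split(" ")
    except ValueError:  # wrong field count or non-ASCII bytes
        return False, "not a well-formed HTTP request line"
    if not version.startswith("HTTP/1."):
        return False, "unsupported HTTP version"
    if method not in HTTP_ALLOWED_METHODS:
        return False, f"method {method} not allowed"
    return True, "HTTP request validated"

APPLICATION_PROXIES = {80: http_proxy}  # applications the proxy has defined
GENERIC_PROXY_PORTS = {5432}            # relayed with no protocol awareness
PACKET_FILTER_ALLOW = {("tcp", 22)}     # hybrid fallback: header checks only

@dataclass
class Connection:
    proto: str
    dst_port: int
    payload: bytes

def decide(conn, hybrid=True):
    """Return (mode, allowed, reason) for one connection."""
    handler = APPLICATION_PROXIES.get(conn.dst_port) if conn.proto == "tcp" else None
    if handler:
        return ("application-proxy",) + handler(conn.payload)
    if conn.proto == "tcp" and conn.dst_port in GENERIC_PROXY_PORTS:
        return "generic-proxy", True, "relayed; payload not inspected"
    if hybrid and (conn.proto, conn.dst_port) in PACKET_FILTER_ALLOW:
        return "packet-filter", True, "header match; payload not inspected"
    return "deny", False, "no proxy defined for this application"

SAMPLES = [  # constructed sample connections
    Connection("tcp", 80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Connection("tcp", 80, b"TRACE / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Connection("tcp", 5432, b"\x00\x00\x00\x08\x04\xd2\x16\x2f"),
    Connection("tcp", 22, b"SSH-2.0-client\r\n"),
]

if __name__ == "__main__":
    for c in SAMPLES:
        print(c.proto, c.dst_port, *decide(c))
```

With hybrid=False the port 22 connection is denied outright, which is the "other applications are not permitted" case.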

Second, application proxies tend to have worse performance than packet-filtering
firewalls. This stands to reason because application proxies process packets up to the
application layer (in contrast to packet-filtering firewalls, which tend to process packets
only to the network or transport layer). This requires application proxies to spend more
time processing each packet, which results in increased latency in the delivery of data.
Therefore, application proxies can generally handle fewer packets per second and have a
lower maximum throughput than packet-filtering firewalls.

Finally, application proxies tend to be more expensive than corresponding
packet-filtering firewalls. This is because application proxies tend to have higher hardware
requirements (generally needing faster processors and more memory) as well as higher
development costs, because the application intelligence enabling the proxy to function
requires more development and maintenance than a packet-filtering firewall.
Consequently, application proxies tend to be used as more specialized firewalls, whereas
packet-filtering firewalls tend to be more general-purpose firewalls.