Proxy servers are deployed at various points in a large number of companies to compress network traffic in order to save bandwidth, or to masquerade a client's Internet Protocol (IP) address. Depending on the deployment mode, the use of a proxy server can weaken firewall policy enforcement, allowing unwanted traffic to leave the network and malicious traffic to enter it.
In a stateful firewall architecture, a session entry is typically created on receipt of the first packet of a connection, with appropriate flags set according to the result of the access control list (ACL) lookup, and the session entry is maintained until the connection ages out or is reset. To support application-based policy enforcement, however, the first few packets may be leaked (forwarded before a final verdict is reached) until the session is classified by its associated application or categorized by its associated web content. Once the session is classified and/or categorized, it is subjected to application-based firewall policies, which determine whether to continue permitting the traffic or to deny it.
Furthermore, after the session is classified and/or categorized, it is assumed to continue belonging to the same application or web category until it ages out, so determining whether to permit or deny the session requires only one ACL enforcement after classification. Because deep-packet inspection (DPI) is processor-intensive, subsequent packets of a classified and/or categorized session are not subjected to DPI: continuously passing the data packets of every classified session through DPI would consume a large number of central processing unit (CPU) cycles and lower the throughput of the system. Skipping DPI for classified sessions therefore supports a higher number of concurrent connections and higher throughput.
Proxy connections, however, behave differently: they persist across multiple application types and web-content categories. When traffic goes through a proxy server, the Transmission Control Protocol/Internet Protocol (TCP/IP) stack on the client usually transmits traffic belonging to multiple applications or web-content categories over the same connection. This often breaks network firewall policy enforcement, resulting in the network infrastructure mistakenly providing access to denied applications and/or denying access to allowed applications.
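The session-table behaviour described above (leak the first packets, classify once, cache the verdict for the rest of the session) and the way a persistent proxy connection defeats it can be shown with a small simulation. The following is an added illustration written for this page, not code from the original document or from any firewall product; the hostnames, IP addresses, the web-category table, the policy and the packets are all constructed for the example, and the classifier is a deliberately simple one that reads only the HTTP Host header.

```python
"""Toy stateful-firewall session table showing why caching one
classification per session breaks policy enforcement behind a proxy.
Constructed illustration, not code from the original page."""
from dataclasses import dataclass
from typing import Optional
import re

# Constructed web-category database and policy (assumptions, not from the page).
CATEGORY_BY_HOST = {
    "intranet.example.com": "business",
    "bets.example.net": "gambling",
}
POLICY = {"business": "permit", "gambling": "deny", "uncategorized": "permit"}
HOST_RE = re.compile(rb"^Host:[ \t]*([^\r\n]+)", re.M | re.I)


@dataclass
class Session:
    packets_seen: int = 0
    category: Optional[str] = None   # None while the session is still unclassified
    verdict: str = "permit"          # ACL result applied to the leaked first packets


def classify(payload: bytes) -> Optional[str]:
    """Return a web category from an HTTP Host header, or None if none is seen."""
    m = HOST_RE.search(payload)
    if m is None:
        return None
    host = m.group(1).strip().decode("ascii", "replace").lower()
    return CATEGORY_BY_HOST.get(host, "uncategorized")


def forward(table: dict, five_tuple: tuple, payload: bytes, dpi_once: bool) -> str:
    """Look up or create the session entry and return permit/deny for this packet.

    dpi_once=True models the behaviour described in the text: once the session
    is categorized, later packets skip DPI and inherit the cached verdict.
    dpi_once=False re-inspects every packet (the CPU-expensive alternative).
    """
    sess = table.setdefault(five_tuple, Session())
    sess.packets_seen += 1
    if sess.category is None or not dpi_once:
        cat = classify(payload)
        if cat is not None:
            sess.category = cat
            sess.verdict = POLICY[cat]
    return sess.verdict


def run(packets, dpi_once: bool):
    """Feed packets through one session table and return the per-packet verdicts."""
    table = {}
    return [forward(table, ft, payload, dpi_once) for ft, payload in packets]


CLIENT = "10.0.0.5"
PROXY = ("10.0.0.10", 3128)

# Scenario 1: direct connections, one TCP session (5-tuple) per destination host.
# The empty payload stands in for the handshake packet that is leaked unclassified.
DIRECT = [
    ((CLIENT, 40001, "192.0.2.10", 80, "tcp"),
     b"GET / HTTP/1.1\r\nHost: intranet.example.com\r\n\r\n"),
    ((CLIENT, 40002, "198.51.100.7", 80, "tcp"), b""),
    ((CLIENT, 40002, "198.51.100.7", 80, "tcp"),
     b"GET / HTTP/1.1\r\nHost: bets.example.net\r\n\r\n"),
]

# Scenario 2: the same two requests multiplexed over one persistent connection
# to the proxy, so both share a single 5-tuple and a single session entry.
PROXIED = [
    ((CLIENT, 40003, *PROXY, "tcp"),
     b"GET http://intranet.example.com/ HTTP/1.1\r\nHost: intranet.example.com\r\n\r\n"),
    ((CLIENT, 40003, *PROXY, "tcp"),
     b"GET http://bets.example.net/ HTTP/1.1\r\nHost: bets.example.net\r\n\r\n"),
]

if __name__ == "__main__":
    print("direct, DPI once   :", run(DIRECT, dpi_once=True))
    print("proxied, DPI once  :", run(PROXIED, dpi_once=True))
    print("proxied, DPI always:", run(PROXIED, dpi_once=False))
```

With direct connections the gambling request is denied as soon as its own session is categorized. Over the proxy connection the session is categorized as "business" on the first request, DPI stops, and the gambling request inherits the cached permit; if the requests arrive in the opposite order, the session is categorized as "gambling" and the permitted intranet request is denied as well. Re-inspecting every packet (dpi_once=False) restores correct verdicts but is exactly the per-packet DPI cost the text describes.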