Many application programs make use of the Internet Protocol (IP) version 4 (IPv.4) and IP version 6 (IPv.6) when being accessed across local and wide area networks as well as across the Internet. While the use of IP has advantages, its widespread use exposes enterprise and other networks to certain risks. Similar threats are faced with traffic running over other protocols (e.g., file transfer protocol (FTP), simple mail transfer protocol (SMTP), etc.), and so companies must be vigilant in regulating traffic passing into and out of their networks, irrespective of origin and with due attention paid to the content, or payload, of data packets in addition to packet header information.
Traditionally, firewalls have been used to regulate enterprise traffic at the packet level. First-generation firewalls were essentially packet filters that acted by inspecting individual packets as they passed between different computer systems. If a packet matched one of the packet filter's rules, the packet filter took the corresponding action prescribed by that rule. Such packet filters typically operated at a relatively low level of the transmission control protocol/Internet protocol (TCP/IP) stack (typically OSI Layer 2 to Layer 4 (L2-L4)), and firewall administrators defined the matching criteria and corresponding rules for how to treat packets upon a match. These packet filters generally were not able to take action according to whether individual packets were part of existing traffic flows. That is, packet filters did not maintain any information concerning connection state and instead operated only on information contained within the individual packets themselves.
Second-generation firewalls, on the other hand, are "stateful" filters, which maintain records of connections passing through the firewall. Any existing network connection can be described by several properties, including source and destination IP address, UDP or TCP ports, and the current stage of the connection's lifetime (including session initiation, handshaking, data transfer, or connection completion). Because stateful firewalls maintain context about active sessions, they can use that state information to speed up packet processing. If a packet does not match an existing connection, it will be evaluated according to the firewall's rule set for new connections. If a packet matches an existing connection based on comparison with the firewall's state table, it will be processed in accordance with the rules for that connection. Examples of L3-L4 firewall rules are:

    if protocol==TCP, port==xxxx, Block Traffic
    if protocol==IPv4, Source IP=a.b.c.d, Allow Traffic
As the examples illustrate, a traditional firewall can identify only protocol values, L3 addresses, and L4 port information, and enforce coarse actions such as block or allow on the traffic. A slightly more intelligent firewall may be able to identify traffic at higher OSI layers, but cannot associate, for example, a specific user with an application. Thus, even the more intelligent firewall might only permit use of rules such as:

    if Source IP=a.b.c.d, protocol==HTTP, Block Traffic
The possible actions that can be performed on the identified traffic are limited to, for example, block, allow or bandwidth management.
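The following is an added example, not part of the original document, that contrasts the two firewall generations described above. A stateless packet filter judges every packet against the same L3-L4 rule list, so a server's reply to a client-initiated connection is blocked unless a broad inbound rule admits it; the stateful filter keeps a state table keyed by the 5-tuple, consults the rule set only for packets that open a new connection, and passes packets of known connections without re-evaluating the rules. The packets, rule list, IP addresses and lifetime-stage names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    protocol: str        # "TCP" or "UDP"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False    # TCP SYN flag set: the packet opens a connection
    fin: bool = False    # TCP FIN flag set: the packet closes the connection


# Constructed L3-L4 rule set in the form used in the text: each entry is a
# dictionary of header fields that must all match, plus the action to take.
# Rules are evaluated top to bottom; the empty dictionary matches everything.
RULES = [
    ({"protocol": "TCP", "dst_port": 23}, "BLOCK"),   # if protocol==TCP, port==23, Block Traffic
    ({"protocol": "TCP", "dst_port": 443}, "ALLOW"),  # if protocol==TCP, port==443, Allow Traffic
    ({}, "BLOCK"),                                    # default: block
]


def _matches(criteria, pkt):
    return all(getattr(pkt, name) == value for name, value in criteria.items())


def stateless_decision(pkt):
    """First-generation behaviour: every packet is judged on its own header."""
    for criteria, action in RULES:
        if _matches(criteria, pkt):
            return action
    return "BLOCK"


class StatefulFilter:
    """Second-generation behaviour: a state table keyed by the 5-tuple."""

    def __init__(self):
        self.state = {}  # 5-tuple -> lifetime stage (constructed stage names)

    @staticmethod
    def _key(pkt):
        return (pkt.protocol, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)

    @staticmethod
    def _reverse_key(pkt):
        # The server's reply carries the client's tuple with the two ends swapped.
        return (pkt.protocol, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)

    def decision(self, pkt):
        for key in (self._key(pkt), self._reverse_key(pkt)):
            if key in self.state:
                # Fast path: the rule set is not consulted for a known connection.
                if pkt.fin:
                    self.state[key] = "completion"
                elif self.state[key] == "handshaking" and not pkt.syn:
                    self.state[key] = "data transfer"
                return "ALLOW"
        # Unknown connection: a TCP packet without SYN cannot start one.
        if pkt.protocol == "TCP" and not pkt.syn:
            return "BLOCK"
        action = stateless_decision(pkt)  # rule set for new connections
        if action == "ALLOW":
            self.state[self._key(pkt)] = "handshaking" if pkt.protocol == "TCP" else "data transfer"
        return action


# Constructed sample traffic: a client opening an HTTPS session, the server's
# SYN-ACK, a data packet, an unsolicited inbound packet, and a telnet attempt.
SAMPLE = [
    Packet("TCP", "10.0.0.5", 40000, "203.0.113.10", 443, syn=True),
    Packet("TCP", "203.0.113.10", 443, "10.0.0.5", 40000, syn=True),  # SYN-ACK
    Packet("TCP", "10.0.0.5", 40000, "203.0.113.10", 443),            # data
    Packet("TCP", "203.0.113.10", 443, "10.0.0.5", 40001),            # no session
    Packet("TCP", "10.0.0.5", 40002, "203.0.113.10", 23, syn=True),   # telnet
]


def compare(packets=SAMPLE):
    """Return (stateless, stateful) decisions for each packet, in order."""
    sf = StatefulFilter()
    return [(stateless_decision(p), sf.decision(p)) for p in packets]


if __name__ == "__main__":
    for pkt, (stateless, stateful) in zip(SAMPLE, compare()):
        print(f"{pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}"
              f"  stateless={stateless}  stateful={stateful}")
```

The second packet is the point of the comparison: the stateless filter blocks the server's SYN-ACK because no rule matches an inbound packet to port 40000, and the only stateless remedy is a rule admitting all inbound traffic from port 443, which would also admit the fourth, unsolicited packet. The stateful filter allows the reply because its reverse 5-tuple is in the state table, and still blocks the fourth packet because no connection was ever opened for it.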
Another form of network device used to regulate traffic in computer networks is a proxy server (often referred to simply as a proxy or sometimes as a secure web gateway (SWG)). Generally, a proxy is a computer system or application program that resides logically between one or more clients and one or more content sources (e.g., servers), and which terminates connections between the clients and the content sources. In response to a client request, for example for a specified service, file, connection, web page, or other resource, the proxy provides the requested content directly (e.g., if it stores a local copy of same) or connects to the specified server and makes the request on behalf of the client. In this latter case, the proxy may retain a copy of the requested content so as to service later requests for that content directly, without having to connect to the server.
Proxies can filter traffic based on many packet attributes, such as source IP address and/or port, and destination IP address and/or port. In addition, proxies can filter traffic based on destination service, such as hypertext transfer protocol (HTTP), file transfer protocol (FTP), Common Internet File System (CIFS), etc., and on other attributes. As these devices operate up to the application layer, i.e., at OSI layers L3-L7, they may inspect the contents of the traffic, blocking what a network administrator views as inappropriate content. In addition, proxies can associate a user with a specific traffic flow, and modify the traffic content. Examples of L3-L7 proxy rules are:

    If User==John Doe, protocol==IPv4+HTTP, time==12:00 AM, Rewrite the HTTP Protocol Header
    If Source IP=a.b.c.d, protocol==CIFS, Block CIFS Write Operation
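The following is an added example, not part of the original document, of how a proxy can evaluate the L3-L7 rules shown above once it has terminated a connection and associated a user with the flow. Each rule matches on any combination of user, source IP, protocol, time of day and application-layer operation, and its action may be allow, block, or rewrite of an HTTP header. The flow fields, rule class, user names, addresses and the use of a time-of-day window (a generalization of the single time value in the text) are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import time
from typing import Optional, Tuple


@dataclass
class Flow:
    """A terminated connection as the proxy sees it (constructed fields)."""
    user: Optional[str]          # identity associated with the flow, None if unknown
    src_ip: str
    protocol: str                # "HTTP" or "CIFS" in this example
    started: time                # time of day the request arrived
    headers: dict = field(default_factory=dict)   # HTTP request headers
    operation: Optional[str] = None               # CIFS operation, e.g. "read"/"write"


@dataclass
class Rule:
    action: str                                   # "ALLOW", "BLOCK", "REWRITE_HEADER"
    user: Optional[str] = None
    src_ip: Optional[str] = None
    protocol: Optional[str] = None
    between: Optional[Tuple[time, time]] = None   # inclusive time-of-day window
    operation: Optional[str] = None
    header: Optional[Tuple[str, str]] = None      # (name, value) for REWRITE_HEADER

    def matches(self, flow):
        # A field left as None in the rule places no constraint on the flow.
        return all([
            self.user is None or self.user == flow.user,
            self.src_ip is None or self.src_ip == flow.src_ip,
            self.protocol is None or self.protocol == flow.protocol,
            self.operation is None or self.operation == flow.operation,
            self.between is None or self.between[0] <= flow.started <= self.between[1],
        ])


# Constructed policy mirroring the two rules in the text, plus a default.
POLICY = [
    # If User==John Doe, protocol==HTTP, time==12:00 AM, Rewrite the HTTP Protocol Header
    Rule("REWRITE_HEADER", user="John Doe", protocol="HTTP",
         between=(time(0, 0), time(0, 59)), header=("User-Agent", "corp-proxy/1.0")),
    # If Source IP=192.0.2.7, protocol==CIFS, Block CIFS Write Operation
    Rule("BLOCK", src_ip="192.0.2.7", protocol="CIFS", operation="write"),
    Rule("ALLOW"),   # everything else is forwarded unchanged
]


def apply_policy(flow, policy=POLICY):
    """First-match evaluation; a rewrite modifies the flow and forwards it."""
    for rule in policy:
        if rule.matches(flow):
            if rule.action == "REWRITE_HEADER":
                name, value = rule.header
                flow.headers[name] = value
                return "ALLOW"
            return rule.action
    return "BLOCK"   # no matching rule: do not forward


if __name__ == "__main__":
    web = Flow("John Doe", "10.0.0.8", "HTTP", time(0, 15),
               headers={"User-Agent": "curl/8.0"})
    print(apply_policy(web), web.headers)
    print(apply_policy(Flow(None, "192.0.2.7", "CIFS", time(9, 0), operation="write")))
    print(apply_policy(Flow(None, "192.0.2.7", "CIFS", time(9, 0), operation="read")))
```

Because the proxy has terminated the connection, it holds the decoded request, so the second rule can distinguish a CIFS write from a CIFS read on the same flow and the first rule can rewrite a header before forwarding; a firewall operating on packet headers alone has neither the user association nor the decoded operation to match on.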
Although proxies and firewalls may appear to overlap in terms of operating on information present at common OSI layers, e.g., L3-L4, the two are fundamentally different. For example, a firewall does not terminate connections of L4 (or other) protocols such as TCP or HTTP, while a proxy terminates all connections of all L4 and application protocols. Indeed, a proxy may even initiate its own connections if the connections satisfy the proxy's policies. Because of these and other differences, firewalls and proxies do not traditionally operate in parallel within the same appliance or solution.