What ever happened to the application proxy?
The shortcomings of today's security products have some security experts feeling a little nostalgic for the proxy, which enforces rules specific to an application protocol -- think HTTP, FTP, XML, AIM, Skype -- on the traffic it relays, and can log user activity.
Conceptually, proxies are attractive because they don't come with the baggage of false positives, says Nate Lawson, engineering director for Cryptography Research. "The decision to support various features of a protocol is made when the proxy is written. If a feature is not supported, it just won't work through the proxy," he says, whereas an IDS/IPS has to make decisions about features it has never seen before, or that may or may not be supported.
With the exception of HTTP/Web firewall proxies, application-level proxy technology never really took off, due to performance issues and the difficulty of creating proxies for various apps.
"Proxy firewalls aren't popular today because there has always been a perceived, and once real, performance hit. And proxies for new services -- [such as] AIM and Skype -- take a long time to appear, if ever," Lawson says. "That leaves companies in the unenviable position of having to write their own proxy, which is critical code that could shut down a service if it crashes."
True application proxies would allow or disallow traffic for, say, a PeopleSoft app, says John Pescatore, a vice president with Gartner. But proxies today are mostly protocol proxies in firewalls and mainly deal with HTTP and Web apps, he says.
Lawson says the only hope for resuscitating application proxy technology -- albeit a long shot -- is for app developers to provide machine-readable specifications on their apps, so there would be no need to write new proxies because every application would come with its own proxy definition.
A machine-readable protocol description would ultimately let enterprises control access. "But I'm not sure what is in it for the vendor. Many want to keep their protocols proprietary, and opening them up so people can control access to their services only hurts them," says Dave Goldsmith, president of Matasano Security.
Gartner sees a role for proxies in very specific content-inspection situations, Pescatore says, for example where a proxy recognizes a certain type of content going in or out and stops it.
But proxies have the same problem with unknown vulnerabilities that IDS/IPSes do, Pescatore says. "When a new vulnerability comes out, you may have to rewrite the proxy," he says. "You can't put in proxy rules that can anticipate unknown" things.
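As an added illustration of the two points above, Lawson's observation that a proxy's supported feature set is fixed when the proxy is written, and Pescatore's caveat that a vulnerability inside a feature the proxy does support still passes until the proxy is rewritten, here is a constructed Python comparison of a tiny protocol proxy against a signature-style checker. This is not code from the article or from any product or vendor mentioned in it; the protocol subset, header limit, sample requests and the "constructed-bad-scanner" signature are all invented for the example.

```python
"""Toy application-layer proxy versus a signature matcher (constructed example)."""
from dataclasses import dataclass, field

# Features the hypothetical proxy author chose to implement. Anything outside
# this set is rejected by construction -- no signature is needed for it.
SUPPORTED_METHODS = {"GET", "HEAD"}
SUPPORTED_HEADERS = {"host", "user-agent", "accept"}
MAX_HEADER_VALUE = 256  # arbitrary limit chosen for the example


@dataclass
class Request:
    method: str
    target: str
    headers: dict = field(default_factory=dict)


class ProxyReject(Exception):
    """Raised for anything the proxy does not implement."""


def proxy_parse(raw: str) -> Request:
    """Parse a request the way a protocol proxy would: only grammar the proxy
    implements is accepted; everything else raises ProxyReject."""
    lines = raw.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] != "HTTP/1.1":
        raise ProxyReject("malformed request line")
    method, target, _ = parts
    if method not in SUPPORTED_METHODS:
        raise ProxyReject(f"method {method} not implemented by proxy")
    if not target.startswith("/"):
        raise ProxyReject("only origin-form targets are implemented")
    headers = {}
    for line in lines[1:]:
        if line == "":
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        name = name.strip().lower()
        if not sep or name not in SUPPORTED_HEADERS:
            raise ProxyReject(f"header {name!r} not implemented by proxy")
        value = value.strip()
        if len(value) > MAX_HEADER_VALUE:
            raise ProxyReject(f"header {name!r} exceeds proxy limit")
        headers[name] = value
    if "host" not in headers:
        raise ProxyReject("Host header required")
    return Request(method, target, headers)


def proxy_allows(raw: str) -> bool:
    """True if the proxy would relay the request, False if it is rejected."""
    try:
        proxy_parse(raw)
        return True
    except ProxyReject:
        return False


# A signature-style check: it only knows what it has already seen.
KNOWN_BAD = ("constructed-bad-scanner",)  # constructed, deliberately tiny list


def ids_allows(raw: str) -> bool:
    """True unless the request contains a known-bad signature."""
    return not any(sig in raw for sig in KNOWN_BAD)


# Constructed sample requests exercising both checkers.
SAMPLES = {
    # Plain request using only implemented features: both allow it.
    "ordinary": "GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    # Method and header the proxy never implemented: proxy rejects without a
    # signature; the IDS has no rule for it and lets it through.
    "unknown_feature": "PROPFIND /docs HTTP/1.1\r\nHost: example.test\r\nDepth: 1\r\n\r\n",
    # Supported header but past the proxy's size limit: same split decision.
    "oversized": "GET / HTTP/1.1\r\nHost: example.test\r\nAccept: " + "a" * 300 + "\r\n\r\n",
    # Pescatore's caveat: a supported, well-formed header carrying something the
    # IDS has a signature for passes the proxy until the proxy is rewritten.
    "known_bad_ua": "GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: constructed-bad-scanner\r\n\r\n",
}


def compare() -> dict:
    """Map sample name -> (proxy_allows, ids_allows)."""
    return {name: (proxy_allows(raw), ids_allows(raw)) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, (p, i) in compare().items():
        print(f"{name:16} proxy={'pass' if p else 'drop'}  ids={'pass' if i else 'drop'}")
```

The split decisions are the point: the proxy drops the unimplemented method and the oversized header without any prior knowledge of them, while the signature checker passes both; conversely, the request carrying the known-bad User-Agent sails through the proxy because it is valid under the grammar the proxy author implemented, which is exactly the case where the proxy itself has to change.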
Application proxies could help enterprises filter their networks and drive risk management policy, but there's no chance they'll stage a comeback, says Thomas Ptacek, a researcher with Matasano Security. That's because most app vendors don't have the security know-how to develop them, he says, nor do users to deploy the necessary security for them. "It's been hard enough for us to get users to enable passwords on applications or turn on SSL. They will not see the value in this system."
But it's nice to dream sometimes, Ptacek says. "Security people come up with this idea from time to time because we all fantasize about the day when the inline appliance we build exerts complete control over everyone's application, so we don't have to get permission from vendors and end-users to fix glaring vulnerabilities."
Kelly Jackson Higgins, Senior Editor, Dark Reading