App Proxies: No Reviving the Dream

Application proxies stir up fond memories of more enterprise control, but chances of resurgence are slim

What ever happened to the application proxy?

The shortcomings of today's security products have some security experts feeling a little nostalgic for the proxy, which enforces app protocol-specific traffic -- think HTTP, FTP, XML, AIM, Skype -- and can log user activity.

Conceptually, proxies are attractive because they don't come with the baggage of false positives, says Nate Lawson, engineering director for Cryptography Research. "The decision to support various features of a protocol is made when the proxy is written. If a feature is not supported, it just won't work through the proxy," he says, whereas an IDS/IPS has to make decisions about features it has never seen before, or may or may not be supported.

With the exception of HTTP/Web firewall proxies, application-level proxy technology never really took off, due to performance issues and the difficulty of creating proxies for various apps.

"Proxy firewalls aren't popular today because there has always been a perceived, and once real, performance hit. And proxies for new services -- [such as] AIM and Skype -- take a long time to appear, if ever," Lawson says. "That leaves companies in the unenviable position of having to write their own proxy, which is critical code that could shut down a service if it crashes."

True application proxies would allow or disallow traffic for, say, a PeopleSoft app, says John Pescatore, a vice president with Gartner. But proxies today are mostly protocol proxies in firewalls and mainly deal with HTTP and Web apps, he says.

Lawson says the only hope for resuscitating application proxy technology -- albeit a long shot -- is for app developers to provide machine-readable specifications on their apps, so there would be no need to write new proxies because every application would come with its own proxy definition.

A machine-readable protocol description would ultimately let enterprises control access. "But I'm not sure what is in it for the vendor. Many want to keep their protocols proprietary, and opening them up so people can control access to their services only hurts them," says Dave Goldsmith, president of Matasano Security.

Gartner sees proxies for very specific content-inspection situations, Pescatore says, where it sees a certain type of content going in or out and stops it, for example.

But proxies have the same problem with unknown vulnerabilities that IDS/IPSes do, Pescatore says. "When a new vulnerability comes out, you may have to rewrite the proxy," he says. "You can't put in proxy rules that can anticipate unknown" things, he says.

Application proxies could help enterprises filter their networks and drive risk management policy, but there's no chance they'll stage a comeback, says Thomas Ptacek, a researcher with Matasano Security. That's because most app vendors don't have the security know-how to develop them, he says, nor do users to deploy the necessary security for them. "It's been hard enough for us to get users to enable passwords on applications or turn on SSL. They will not see the value in this system."

But it's nice to dream sometimes, Ptacek says. "Security people come up with this idea from time to time because we all fantasize about the day when the inline appliance we build exerts complete control over everyone's application, so we don't have to get permission from vendors and end-users to fix glaring vulnerabilities."

— Kelly Jackson Higgins, Senior Editor, Dark Reading

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights