Symantec™ Security Gateways Reference Guide - Sawmill

Understanding access

Proxies

The security gateway includes several stack-based application proxies that act as both a server and a client, accepting connections from a client and making requests on behalf of the client to the destination server. Application proxies provide protocol-specific security checks that normally are not implemented in the client or server software. Some proxies can also be configured to scan content for viruses and inconsistencies.

To illustrate how a proxy acts as both a client and server, Figure 4-1 shows a sample HTTP connection using the HTTP proxy. Notice that having a proxy intervene actually creates two connections, even though to the client and the server it appears to be one connection. When the application proxy receives a new connection request, it answers, making itself the server for that connection. The application proxy then initiates the same request to the true destination server. The proxy interprets the replies it receives from the server and retransmits them to the client.

Figure 4-1 An application proxy creating two separate connections

Application data scanning

Normally, traffic passed to the HTTP proxy undergoes a rigorous examination, ensuring that the data complies with the defined RFCs. For performance reasons, though, it may sometimes be advantageous to eliminate some of the packet examination performed by the HTTP proxy, especially if the packets are believed to originate from a trusted source. Disabling application data scanning does exactly this.

HTTP connections are generally short-lived, consecutive connections that originate from the same source. A Web client sends a page request (through its Web browser) and the server responds with the page. The source HTML for the Web page may contain multiple requests for the graphics that appear on the page. Each of these requests creates another short-lived connection to the Web server while the graphic is downloaded and displayed on the client. For pages with many graphics, there could be 20 or more requests, all originating from the same host.

Disabling application data scanning instructs the HTTP proxy to examine and record the first full connection. The information recorded for the connection includes the source address, the destination address, the destination port, and the protocol. Subsequent connections matching this recorded information are not sent up the stack for processing by the HTTP proxy, but instead pass through directly after being processed by the Symantec driver. The security gateway retains this connection information for approximately 60 seconds after the last matching connection, and then removes the record. If a new connection matching the same parameters arrives after the expiration time, the first full connection is once again checked, and a new record is created.
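The record-and-bypass behaviour described above is easy to misjudge in practice, because the idle timer restarts on every matching connection, so a busy client can stay on the fast path indefinitely. The following is an added illustrative model of that logic, written for this page; it is not Symantec's code, and the class and function names, the 4-tuple key, the timer semantics (expiry when a record has been idle longer than the timeout) and the sample trace are all assumptions made for the example.

```python
"""Model of the HTTP proxy bypass used when application data scanning is disabled.

The first connection for a (source, destination, destination port, protocol)
tuple is sent to the HTTP proxy for full inspection and a record is kept.
Later connections that match the record are passed through by the driver
without reaching the proxy.  The record is dropped once it has been idle
for roughly 60 seconds, after which the next matching connection is
inspected again.  This is an illustrative model written for this page, not
Symantec's implementation; names and semantics are assumptions.
"""

from dataclasses import dataclass, field

IDLE_TIMEOUT = 60.0  # seconds after the last matching connection (per the guide)


@dataclass(frozen=True)
class FlowKey:
    """The four fields the guide says are recorded for a connection."""
    src: str
    dst: str
    dport: int
    proto: str


@dataclass
class BypassTable:
    """Tracks which flows are currently on the driver fast path."""
    idle_timeout: float = IDLE_TIMEOUT
    _last_seen: dict = field(default_factory=dict)  # FlowKey -> last match time

    def _expire(self, now: float) -> None:
        """Drop records that have been idle longer than the timeout."""
        stale = [k for k, t in self._last_seen.items() if now - t > self.idle_timeout]
        for k in stale:
            del self._last_seen[k]

    def classify(self, key: FlowKey, now: float) -> str:
        """Return 'inspect' (full HTTP proxy) or 'passthrough' (driver fast path).

        Assumption: the record is created as soon as the first connection is
        seen; the guide only says the first full connection is examined and
        recorded, so this is the simplest reading of it.
        """
        self._expire(now)
        if key in self._last_seen:
            self._last_seen[key] = now  # idle timer restarts on every match
            return "passthrough"
        self._last_seen[key] = now
        return "inspect"


def run_trace(events, idle_timeout: float = IDLE_TIMEOUT):
    """Classify a time-ordered list of (timestamp, FlowKey) connection events."""
    table = BypassTable(idle_timeout)
    return [(t, table.classify(k, t)) for t, k in events]


# Constructed sample trace: a page request, 20 image requests to the same
# server and port, one HTTPS connection to the same server, then a new
# connection after the idle timeout has elapsed.
CLIENT = FlowKey("10.0.0.5", "203.0.113.10", 80, "tcp")
SAMPLE_TRACE = (
    [(0.0, CLIENT)]
    + [(0.1 * i, CLIENT) for i in range(1, 21)]
    + [(2.5, FlowKey("10.0.0.5", "203.0.113.10", 443, "tcp"))]
    + [(70.0, CLIENT)]
)

if __name__ == "__main__":
    for t, decision in run_trace(SAMPLE_TRACE):
        print(f"t={t:5.1f}s  {decision}")
```

Only the first connection in the trace and the one arriving after the idle period reach the proxy; everything else bypasses it, including a connection to a different destination port only because its tuple differs. Because bypassed connections never reach the HTTP proxy, they receive neither its RFC compliance checks nor any configured content scanning, which is why the guide limits the option to traffic believed to come from a trusted source.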
