Hi folks, Ed Amoroso here. Now, let's talk about a concept in real-time network security called a "proxy." So, what's the idea of a proxy? It's kind of a go-between. In attack parlance we would use the term "man" in the middle, but man-in-the-middle usually implies something nefarious or bad. Proxy is the same thing, but it usually implies good. Did that make sense? Like, if I'm arbitrating between A and B and I'm benevolent, I'm doing something good, then I'm a proxy. So, A thinks it's talking to B but it's really talking to you, and you're somehow operating on behalf of B, maybe even invisibly. But if, you know, you're a hacker, then it's a man-in-the-middle attack. But, for the most part, it's the same kind of thing. But, look, I mean, when we design firewalls, we do this intentionally, and you'd never think of it in some sense as any kind of man in the middle; it becomes a device that's implementing policy.

So, here's the idea. You remember when we talked about packet filtering, we came to the conclusion that there are really three options for a packet filter. The first thing it can do is block. The second thing it can do is allow. The third and most interesting thing it can do is forward. So, what that means is, I can actually create an arrangement, I show it on the screen here, where Alice and Bob are connected through a packet filter, probably a router, and that packet filter itself is connected to something called an "application proxy." When the packet comes through and the packet filter sees that, I don't know, whatever is going on that it just doesn't want to make a decision about, let's say it's remote access. It's just going to see a destination port. And it might see a destination port that has something to do with remote access or login (I'll tell you that these are old examples of how you do it; there are more modern versions as well), sees that and says, "I can't make a decision. I need you to type a password or something."
Now, can a router read a password? No. But what it can do is forward a packet to a program that's running on a computer at the application level that can serve as a proxy for B. So, A thinks it's hit B but it hasn't. It's hit a man in the middle that goes, "Hey, type a password. Here's a number. What's f of this number? Do a little puzzle for me." Whatever. Any crazy thing you can imagine. Or it might be just doing a log of what's happening and then passing it through. The possibilities are endless around what you might do. There are a couple of different ways you can do this. One is, I can instrument A with special client software that can connect to the proxy. Everybody hates that. You know, that's an agentful or an agent-based or a client-affecting or client-changing implementation. What we like instead is something that doesn't affect the client. In some sense, it allows you to have an agentless or a client-change-free environment where the client just thinks it's doing what it's doing and it hits that proxy. So, think of those two things together, packet filter and the application proxy, in some sense, as a firewall. And a lot of products that are out today really are very much that. They just have, at the lower layer, something making packet filtering decisions about whatever it can make. For example, if I see something that I just know is okay, I've decided it's okay. Maybe it's the Network Time Protocol or something, and I know that I always allow Network Time Protocol packets in and out, I don't need to pass it along to a proxy. I've already decided ahead of time that we're going to just go ahead and let that through. But, everything else gets forwarded up to the proxy. In fact, maybe everything gets forwarded to the proxy, or maybe I make the decision that certain source IPs I'm going to somehow trust.
And, let's say you've outsourced something to the Albonian country of whatever, which you know does call center operation for you, and they tell you that these are their source IP addresses. You don't really trust that, but you're going to say, well, all right, you'd better stay on these source IPs because the router is only going to accept packets from there. I'm going to forward you to a proxy; you're going to do something before you get to the network. But if I get stuff from any other part of the internet, any other source IP, the router is just going to drop it. Doesn't that rock? Like, it gives you all kinds of cool building blocks that you can use to implement policy. It's powerful and it's kind of exciting. All of a sudden, these tools you're using allow you to design secure networks. You implement policy. And, they can't get it wrong. Right? If you get it wrong, you've got a big problem. Let things leak in and out. That's a disaster. You can't allow that. But, the design of sort of layer 1, 2 packet filtering, layer 3, that's really, really powerful when it's combined with the application logic that you get in a typical firewall. And there's a whole industry that's emerged in the last 20 years selling this kind of thing, with this idea of packet filtering and proxy together, extremely powerful. There are companies like Check Point and Cisco and Juniper and on and on and on and on that have developed capabilities that are just amazing. And there are even more powerful ones that are called Next Generation firewalls from companies like Fortinet and Palo Alto Networks and so on. Really, really exciting to have lots of capability and things we haven't talked about in our videos yet. Hopefully, you'll stay with us and you'll see some additional capability. But, when you pack into that application proxy a lot of interesting capability, some really useful cybersecurity defensive mechanisms are enabled. And, I hope that's been useful for you. And, I'll see you in the next video.
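The packet-filter-plus-application-proxy arrangement described in the lecture, as an added example (not from the lecture or from any firewall product): the router makes the block/allow/forward decision on port and source IP alone, and the proxy, standing in for B, challenges the client for a password before relaying. The NTP port, the remote-access ports, the trusted source range and the credential table are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

BLOCK, ALLOW, FORWARD = "block", "allow", "forward"

NTP_PORT = 123                        # decided ahead of time: always allowed
REMOTE_ACCESS_PORTS = {22, 23}        # constructed: "remote access / login" ports
# constructed: the outsourced call center's claimed source range
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]


@dataclass
class Packet:
    src_ip: str
    dst_port: int
    credential: str = ""              # what A types when the proxy challenges it


def packet_filter(pkt: Packet) -> str:
    """Router decision: it can only see headers, so it blocks, allows, or forwards."""
    if pkt.dst_port == NTP_PORT:
        return ALLOW                  # known-good protocol, no proxy needed
    src = ipaddress.ip_address(pkt.src_ip)
    if not any(src in net for net in TRUSTED_NETS):
        return BLOCK                  # any other source IP: router just drops it
    return FORWARD                    # can't read a password; hand off to the proxy


class ApplicationProxy:
    """Application-level go-between that A believes is B."""

    def __init__(self, credentials: dict):
        self._credentials = credentials   # constructed: src_ip -> expected password
        self.log = []                     # the proxy also records what it saw

    def handle(self, pkt: Packet) -> str:
        self.log.append((pkt.src_ip, pkt.dst_port))
        if pkt.dst_port in REMOTE_ACCESS_PORTS:
            if self._credentials.get(pkt.src_ip) != pkt.credential:
                return "proxy: challenge failed, not relayed to B"
        return "proxy: relayed to B"


def firewall(pkt: Packet, proxy: ApplicationProxy) -> str:
    """Packet filter and proxy together: the combination is the firewall."""
    decision = packet_filter(pkt)
    if decision == FORWARD:
        return proxy.handle(pkt)
    return decision
```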