WeCyberYou! Unlocked Podcast
The WeCyberYou! Unlocked Podcast breaks down cyber security, online safety and digital risks into clear, practical conversations anyone can understand.
Each episode is designed for a specific audience, ensuring the advice is relevant, accessible and grounded in real-world scenarios - not technical jargon.
WeCyberYou! Unlocked Podcast
Cyber Security Controls Demystified Part 7 - Application-Level Gateway Firewall (Proxy)
Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.
In this episode, we break down what an Application-Level Gateway Firewall (Proxy) is, how it works at the application layer to intercept and inspect traffic between clients and servers and why its proxy-based architecture makes it one of the most powerful yet resource-intensive security technologies used to protect modern networks and web applications from advanced cyber threats.
Duration: 0:20:34
Visit https://www.wecyberyou.com for more cyber security education, resources and awareness content like this.
Thank you for listening.
WeCyberYou! Team
Like and follow us to be notified when a new episode is released on this channel.
Imagine, right, that you are trying to deliver a highly sensitive package to a secure government facility.
SPEAKER_01Oh boy.
SPEAKER_00Yeah. So you drive up to the front gate, and the guards, they don't just, you know, glance at the delivery address on the box and wave your truck through.
SPEAKER_01Right. That would be way too easy.
SPEAKER_00Exactly. Instead, they stop you entirely. Like they take the package right out of your hands, they completely dismantle your delivery van right there in the driveway, shred it into scrap metal, open your package to inspect the actual contents, and then if it passes, they place those contents into a brand new company-issued box.
SPEAKER_01And then they hand it to a completely different internal courier to take inside the building, right?
SPEAKER_00Yes. And then when the person inside the building wants to send or reply back out to you, that entire obsessive process just happens all over again in reverse.
SPEAKER_01It is wild to think about.
SPEAKER_00It is. And that level of extreme borderline paranoid security, that is exactly how your corporate network is treating your internet traffic right now.
SPEAKER_01Assuming they have the right gear. Yeah.
SPEAKER_00Right. Well, welcome to the WeCyber U Unlocked podcast. We are thrilled you are here. Before we jump into today's topic, please do us a huge favor and um follow the channel right now, wherever you happen to be listening.
SPEAKER_01Yeah, definitely hit that follow button.
SPEAKER_00And make sure you visit WeCyberU.com for more deep dives, articles, and exclusive content just like this. You really, really won't want to miss it.
SPEAKER_01I mean, it is absolutely worth your time to check out the site. There's so much good stuff on there.
SPEAKER_00Today we have a very specific mission for you. We are doing a deep dive into a stack of highly technical networking documentation.
SPEAKER_01Fun stuff.
SPEAKER_00The really dense stuff. But we are focusing on a piece of technology that operates entirely behind the scenes, but you know, it fundamentally shapes how secure networks function. We are talking about application-level gateway firewalls.
SPEAKER_01Right, which uh you might also hear referred to as proxy firewalls.
SPEAKER_00Yeah, that interchangeable naming throws a lot of people off, doesn't it?
SPEAKER_01Oh, constantly. But whether you call it an ALG or a proxy firewall, it really represents, I mean, one of the most aggressive security postures an organization can take.
SPEAKER_00So if you are currently cramming for a major cybersecurity certification, or if you just want to finally understand why your corporate VPN behaves the way it does, you know, how it actually keeps hackers out of the system, consider this your ultimate guide.
SPEAKER_01100%.
SPEAKER_00Okay, let's unpack this. Where does this technology actually sit in the grand scheme of a network? Like geographically speaking or logically?
SPEAKER_01Well, logically, to really understand what makes an ALG so special, you kind of have to look at the OSI model.
SPEAKER_00Aaron Powell Right, the classic OSI model.
SPEAKER_01Yeah. And for anyone who needs a quick refresher, the OSI model is that theoretical seven-layer framework that explains how networks communicate.
SPEAKER_00From the hardware to the software.
SPEAKER_01Exactly. From the physical cables at layer one all the way up to the software applications at layer seven. Now, traditional firewalls, so things like packet filtering or stateful inspection firewalls, they operate further down the stack.
SPEAKER_00Down at the bottom.
SPEAKER_01Well, middle-ish, usually at layer three or layer four.
SPEAKER_00Aaron Powell Okay, so they are mostly looking at what IP addresses and port numbers.
SPEAKER_01Right. They just check where a packet of data is coming from and where it is trying to go. It's very basic routing logic. But an application-level gateway operates right at the very top.
SPEAKER_00At layer seven.
SPEAKER_01Yes, the application layer. It acts as an absolute undeniable intermediary between a client and a server.
SPEAKER_00Aaron Powell So it doesn't just wave traffic through if the IP address on the envelope looks correct.
SPEAKER_01Not even close. You are on the right track with the envelope idea, but let's take your opening analogy a step further. The proxy firewall doesn't just hold the package, it stops it. It acts as a permanent roadblock. What's fascinating here is their most drastic behavior. It's the reason they are so incredibly secure. They literally stop traffic in its tracks.
SPEAKER_00Wait, really? Because I always thought the internet was this massive web of direct connections. Like if I type a website into my browser and hit enter, I fully expect my laptop to draw a straight line of communication directly to that web server.
SPEAKER_01Yeah, that is the traditional mental model. Everybody thinks that. But an ALG completely shatters it. How so? Let's break down the actual mechanics of how it functions. When your computer initiates that request to a website, the request travels across the network and it hits the proxy firewall. Right. Now in a normal environment, a standard firewall would inspect the headers, say looks good, and pass it along, but the proxy firewall completely terminates your connection.
SPEAKER_00Wait, it just kills the session?
SPEAKER_01It permanently severs it.
SPEAKER_00Yeah.
SPEAKER_01The TCP handshake, you know, that fundamental agreement between two computers to talk to each other. Yeah. It ends right there at the firewall. The firewall becomes the final endpoint for your computer. The web server you are trying to reach has absolutely zero direct connection to your machine.
SPEAKER_00Wait, hold on. The client never communicates directly with the server. Doesn't that break the fundamental way browsing the web is supposed to work?
SPEAKER_01I mean, you would think so, but it creates a brilliant illusion.
SPEAKER_00Yeah.
SPEAKER_01To your computer, the firewall pretends to be the web server on the internet. And then to the actual web server on the internet, the firewall pretends to be your computer. It effectively acts as this highly secure, heavily armed stunt double.
SPEAKER_00A stunt double. I love that.
SPEAKER_01Yeah. The direct line of sight between the outside world and your internal network is completely eliminated.
SPEAKER_00Which means, like, if a hacker is trying to scan my network from the outside, they can't actually see my laptop. They only see the firewall pretending to be my laptop.
SPEAKER_01Absolutely. You are basically a ghost to the outside world.
SPEAKER_00That makes total sense from a stealth perspective, but I have to ask the logical next question here. Go for it. What happens during this pause? Like, why go through the extreme computationally heavy step of severing the connection in the first place? That seems like a lot of work.
SPEAKER_01It is a massive amount of work. But they do it because when you sever the connection, you gain total unobstructed control over the payload.
SPEAKER_00Ah, okay.
SPEAKER_01Because the firewall has stopped the traffic and is acting as the endpoint itself, it has the ability to completely tear open that digital envelope and look at the actual contents inside.
SPEAKER_00Like checking the actual letter, not just the outside of the envelope.
SPEAKER_01Exactly. This is known as deep packet inspection.
SPEAKER_00Okay, here's where it gets really interesting. Because the firewall isn't just looking at ones and zeros, it actually understands application protocols, right? It speaks the language of the software.
SPEAKER_01It is entirely fluent in those languages. Let's compare it again. A basic layer three firewall looks at traffic hitting, say, port 80 and says, oh, port 80 is usually web traffic. I guess I'll let it through.
SPEAKER_00Right. It just assumes it's safe based on the port number.
SPEAKER_01Yeah, it's very trusting. But a proxy firewall looks at port 80, terminates the connection, opens the traffic, and performs a strict protocol validation.
SPEAKER_00So it's double checking everything.
SPEAKER_01It asks, is this actually a properly formatted HTTP request? Or is this a piece of malware that has been cleverly disguised to look like web traffic just to sneak past the guards?
SPEAKER_00So it's basically verifying the grammar and syntax of the language being spoken.
SPEAKER_01Yes. And it goes much deeper than just basic syntax. It performs URL and header analysis too.
SPEAKER_00Aaron Powell What does that look like in practice?
SPEAKER_01Well, it checks if the requested web address is on a known block list. It scrubs for suspicious headers that attackers frequently use to inject malicious code into a back-end database. But perhaps the most powerful feature is that it actually understands specific application commands.
SPEAKER_00Aaron Powell Wait, so if it understands the protocol, does that mean it knows the difference between me just looking at a web page versus trying to upload a file to it?
SPEAKER_01Exactly. It knows intent. Let's use the file transfer protocol or FTP as an example.
SPEAKER_00Okay.
SPEAKER_01Because the firewall understands FTP natively, it knows the difference between a harmless command to simply list the files in a directory.
SPEAKER_00Just reading the directory.
SPEAKER_01Right. Versus a command to upload a highly dangerous executable file onto your corporate server. Oh wow. Or with HTTP, you know, web traffic. It knows the difference between a harmless achievement request, which is just your browser asking to view a web page, versus an unauthorized PUS2 request, where a user might be trying to dump data into an external database.
SPEAKER_00So it's not just checking if you have an ID badge at the front door, it's actually watching your hands to see exactly what you are trying to do once you are inside the building.
SPEAKER_01Aaron Powell Which leads directly to granular policy enforcement.
SPEAKER_00Right. The actual rules.
SPEAKER_01Because the firewall understands these application commands so deeply, network administrators can apply incredibly specific rules.
SPEAKER_00Aaron Powell Like what kind of rules?
SPEAKER_01They can write a policy that says allow the finance team to download text documents via FTP, but completely block any large file transfers and absolutely forbid anyone from uploading executable files.
SPEAKER_00That is so specific.
SPEAKER_01It is. It gives administrators ultimate control.
SPEAKER_00Aaron Powell But okay, wait. If the firewall is watching my hands and reading my commands, how does it get my message to the server if it already destroyed my original connection?
SPEAKER_01Ah, the million-all air question.
SPEAKER_00Right. Because we killed the connection at the front door, we tore open the packet, we validated the protocol, and we've deemed the request safe. How does my request actually reach its final destination?
SPEAKER_01If the firewall approves your request based on all those security policies we just talked about, it opens a completely separate, brand new TCP connection from itself to the destination server.
SPEAKER_00Oh, I see. It creates a second connection.
SPEAKER_01Yes. This is why you will often hear ALGs referred to as dual connection firewalls.
SPEAKER_00Dual connection, right.
SPEAKER_01There is one connection from you to the firewall and a second totally independent connection from the firewall to the server.
SPEAKER_00Okay, so going back to our analogy, the secure mailroom opens my package, inspects the contents, decides it's safe, puts it in a brand new corporate envelope, and has an internal employee walk it over to the server's desk.
SPEAKER_01You nailed it. But keep in mind, security is a two-way street.
unknownRight.
SPEAKER_01When the destination server replies with the web page or the file you asked for, the firewall doesn't just blindly pass it back to you.
SPEAKER_00It does the whole thing in reverse.
SPEAKER_01Exactly. It intercepts that reply on the second connection, terminates it again, and inspects the response.
SPEAKER_00So it's scanning the server's reply for malware or hitting threats before it forwards it back to my computer on that first connection.
SPEAKER_01It checks the headers, it scans file downloads for viruses, it looks for malicious scripts embedded in the HTML. I mean, it is thorough. Only after the response passes all those rigorous tests does the firewall forward it back to the client.
SPEAKER_00Okay. I can see how that works flawlessly for like plain unencrypted text. But I want to push back on this a bit.
SPEAKER_01Sure, let's hear it.
SPEAKER_00Because that is not how the modern internet works. The vast majority of the web today is HTTPS. It is fully encrypted end-to-end.
SPEAKER_01It is, yeah.
SPEAKER_00So if I go to my bank's website, that data is scrambled so that nobody in the middle can read it. If the proxy firewall is sitting in the middle, how is it inspecting a payload it mathematically shouldn't be able to decipher?
SPEAKER_01That is the ultimate complication for these systems. Because if the traffic is encrypted end-to-end, the firewall is essentially blind.
SPEAKER_00Exactly.
SPEAKER_01It can see that you are connecting to a banking IP address, but it cannot see the application commands or the payload itself. To solve this, proxy firewalls perform what is called SSL or TLS inspection.
SPEAKER_00And what does that entail?
SPEAKER_01Well, they do it by essentially breaking that end-to-end encryption.
SPEAKER_00Breaking it out, like cracking the code.
SPEAKER_01Not cracking it, no. By acting as a proxy for the encryption certificates as well. When you try to connect to the bank, the firewall intercepts your request. Okay. The firewall then turns around and connects to the bank itself, negotiating a secure encrypted session with the bank server on your behalf.
SPEAKER_00Aaron Powell Okay, so the firewall has a secure tunnel to the bank. What about the connection to my computer?
SPEAKER_01Aaron Powell The firewall creates a second, completely separate, secure tunnel between itself and your computer. It generates a forged digital certificate, pretending to be the bank, and presents that to your browser.
SPEAKER_00Wait, hold on. Let me stop you right there. Yeah. If it intercepts my secure traffic, decrypts it, inspects it in plain text, and then re-encrypts it with a forged certificate, isn't the firewall essentially performing a man-in-the-middle attack on its own users?
SPEAKER_01Yes.
SPEAKER_00And wouldn't my browser immediately throw up a massive red warning screen saying someone is trying to intercept my connection?
SPEAKER_01Mechanically speaking, you are completely right. It is identical to a man-in-the-middle attack. If a hacker did this at a coffee shop, your browser would absolutely scream at you and block the connection immediately.
SPEAKER_00Right, because the certificate is fake.
SPEAKER_01Exactly. However, in a corporate environment, this is done with the explicit authorization of the organization. And they prevent those browser warnings through administrative power.
SPEAKER_00How do they do that?
SPEAKER_01Your IT department installs a trusted root certificate directly onto your work computer.
SPEAKER_00Oh, I see. So they hard code my computer's operating system to blindly trust whatever forged certificate the firewall hands it.
SPEAKER_01Spot on. By installing that root certificate, your computer treats the firewall as an ultimate unquestionable authority.
SPEAKER_00That is wild.
SPEAKER_01It is. But this allows the firewall to decrypt the traffic, scan it for malware, and re-encrypt it without the user ever seeing a warning screen. They do this because they have to balance user privacy with severe corporate security requirements.
SPEAKER_00Because otherwise it's just an open door.
SPEAKER_01Right. If they can't inspect encrypted traffic, then hackers can just use standard encryption to sneak malware right past a firewall.
SPEAKER_00Or conversely, a malicious employee could sneak corporate data out through an encrypted tunnel.
SPEAKER_01Which brings us to another highly advanced capability of these systems data loss prevention or DLP.
SPEAKER_00Oh, DLP is huge right now.
SPEAKER_01It really is. Because the firewall is deeply inspecting all this outbound traffic in plain text, it can actually be programmed to look for sensitive information leaving the network.
SPEAKER_00Give me a real world example of how that works.
SPEAKER_01Let's say you work at a hospital, which, by the way, relies heavily on ALGs.
SPEAKER_00Makes sense with IP and everything.
SPEAKER_01Yeah. So an employee tries to copy a massive list of patient records and email it to their personal account.
SPEAKER_00Which would be a disaster.
SPEAKER_01A total disaster. But the firewall intercepts the encrypted email, decrypts it, and scans the contents. Using pattern matching algorithms, it recognizes the distinct format of social security numbers and medical record codes.
SPEAKER_00So it flags it immediately.
SPEAKER_01More than flags it. It immediately drops the connection, blocks the email from leaving the network entirely, and sends a critical alert to the IT security team.
SPEAKER_00Wow. It stops the leak before the data ever breaches the perimeter.
SPEAKER_01Exactly.
SPEAKER_00So we've talked about these incredible capabilities. It terminates connections to hide internal infrastructure. It performs deep packet inspection to catch malware. It stops application layer attacks. It even decrypts traffic to enforce data loss prevention.
SPEAKER_01It does it all.
SPEAKER_00It sounds completely foolproof, but I'm a realist, you know. If it's this flawless, every single home router on the planet would be running well.
SPEAKER_01Oh, they absolutely would if they could handle it.
SPEAKER_00So what does this all mean? There has to be a catch. What is the downside of all this heavy lifting?
SPEAKER_01The downside comes down to physics, honestly, and physical resources. The limitations of application-level gateways are significant. First and foremost is the performance overhead.
SPEAKER_00Meaning it's slow.
SPEAKER_01Very. Terminating a connection, deeply inspecting the application data, and creating a new connection takes time. Decrypting and re-encrypting HTTPS traffic takes even more time. This introduces massive latency.
SPEAKER_00Meaning my internet connection slows to a crawl. I always wondered why downloading a simple PDF on my office Wi-Fi felt like it took ages. You're telling me the firewall is practically reading the whole document before it hands it over to me.
SPEAKER_01It literally is. Think about how a normal packet filtering firewall works. Okay. It looks at the IP address, sees it as allowed, and routes the packet forward in microseconds. The data barely touches the firewall's memory, but an ALG can't do that.
SPEAKER_00Why not?
SPEAKER_01If you are downloading a 100 megabyte PDF, the firewall cannot just pass the first 10 megabytes to you before it has seen the rest of the file.
SPEAKER_00Because what if the virus is hiding in the very last megabyte?
SPEAKER_01Exactly. The firewall has to catch the first megabyte, hold it in its random access memory, catch the second, the third, all the way up to 100.
SPEAKER_00Oh wow. It has to rebuild the whole file internally.
SPEAKER_01Yes. It buffers the entire file in its own RAM, scans the complete assembled file for threats, and only then does it start transmitting it to your computer.
SPEAKER_00Wow. So if I have a company with like 5,000 employees, and everyone is downloading files, streaming video, and pulling large data sets all at exactly the same time.
SPEAKER_01The firewall needs an astronomical amount of RAM just to hold all those files in transit.
SPEAKER_00That sounds incredibly expensive.
SPEAKER_01It is, and it needs massive CPU power to decrypt all that traffic, scan it, and re-encrypt it in real time. Designing and maintaining these systems is incredibly complex.
SPEAKER_00Aaron Powell So you can't just buy a cheap box and plug it in.
SPEAKER_01Not at all. If you don't scale the hardware properly, a single proxy appliance will completely choke under the load of a large enterprise.
SPEAKER_00Aaron Powell So where do we actually see these being used in the real world, given how expensive and slow they can be?
SPEAKER_01Aaron Powell You see them deployed in environments where security absolutely trumps convenience.
SPEAKER_00Aaron Powell So high-stakes environments.
SPEAKER_01Exactly. They are essentially mandatory in government agencies, financial institutions, and healthcare organizations, basically, places where a data breach is catastrophic and legally devastating. Right. You also see them heavily deployed in large enterprise networks as secure internet or email gateways.
SPEAKER_00Aaron Powell Okay, quick question. How does an ALG compare to the other major buzzwords we constantly hear in cybersecurity, like a next-gen firewall or a WEF? Do they basically do the same thing?
SPEAKER_01Aaron Powell They are related, definitely, but distinct. If you look at a spectrum, right, on one end you have packet filtering at layer three, which just checks IPs.
SPEAKER_00The basic stuff, right?
SPEAKER_01Then stateful inspection at layer four, which tracks the active state of the connection but doesn't read the application data. And ALG does all of that tracking, plus it reads the application data at layer seven.
SPEAKER_00Right. It reads the actual payload.
SPEAKER_01Now a web application firewall, or Blow B ref also inspects layer seven data, but it is typically focused entirely on inbound web traffic.
SPEAKER_00Like protecting a web server that you're hosting.
SPEAKER_01Yeah. Exactly. Protecting your specific web servers from being hacked. Then you have next generation firewalls, or NGFWs. They attempt to blend all of these features together, offering deep packet inspection and application awareness at much higher speeds.
SPEAKER_00Okay, so why use an ALG if a next gen firewall is faster?
SPEAKER_01Aaron Powell Because the ALG remains distinct due to that specific dual connection proxy architecture where it fully terminates the session and acts as the middleman. And GFWs usually inspect traffic on the fly without fully proxying the connection the way an ALG does.
SPEAKER_00Ah, I see. It really is the ultimate gatekeeper.
SPEAKER_01It is.
SPEAKER_00It doesn't just watch the door, it locks the door, interrogates the guest, takes their message, dismantles the message to look for poison, and then delivers the message itself.
SPEAKER_01That is a great way to summarize it.
SPEAKER_00It terminates the connection, reads the data, and recreates the connection to keep the network safe. It is heavy, it requires a ton of memory, and it is complex to configure. But in environments where protecting sensitive data is the ultimate priority, it is an absolute necessity.
SPEAKER_01Without a doubt.
SPEAKER_00Well, that officially wraps up our deep dive into application level gateways. We want to thank you, the listener, for tuning into the WeCyber U Unlocked podcast. As always, please remember to visit WeCyberU.com for more insights, deep dives, and resources, and be sure to follow the channel so you never miss what we have coming next.
SPEAKER_01And uh if we connect all of this to the bigger picture of where technology is headed, I want to leave you with this final thought to ponder.
SPEAKER_00Let's see.
SPEAKER_01As our internet speeds push into multi-gigabit territory, and as artificial intelligence begins generating dynamic, unpredictable, and highly complex network traffic on the fly, we have to ask ourselves a really difficult question. Which is will the traditional proxy firewall, with its massive CPU and memory requirements, be able to decrypt and inspect everything fast enough? Or will this ultimate security choke point eventually become the very bottleneck that breaks our feature networks?