I've been plunging into an investigation of firewall technology, and some of
the terminology has proven to be quite a problem. The use of "application
gateway" and "proxy" seem to be very ambiguous, and both terms are often used
to mean different things. I'd like to mention what I think I understand,
and invite discussion and correction.
In one case, like the (versions of) ptelnet and pftp I've used, these programs
seem to start versions of telnet or ftp on a bastion host in the firewall DMZ.
The program I run on my machine seems to be a client of the program really
providing services on the bastion host. In conventional terms, the program
running on the bastion is relaying messages, acting as a "proxy."
A different flavor of this involves our use of the TIS firewall toolkit. I
use conventional telnet, unmodified, to connect to a program running on the
bastion host. The bastion program authenticates my request, and makes a
telnet connection to the target system. It then relays messages, acting as
Finally, one could (we don't) run SOCKSified versions of programs, say telnet.
In such a case, both the client and server (on the bastion) would have to be
modified for SOCKS. I believe that the protocol first performs an
authentication, and then the server just relays messages, acting also as
I may have some of this wrong, maybe a lot. However, in each case, a "proxy"
is involved, which should perform authentication, and then just relay messages.
In each case, only the proxy is visible to the outside world.
Have I gotten this right?
Some of my confusion results from references to "proxy" support as if there's
only one variety of proxy, when there appears to be a number of varieties.
This is acute when one is trying to setup some flavor of mosaic.
Any clarifications, or pointers to them, would be greatly appreciated...
Craig Newmark Distributed Systems Security Architect
Charles Schwab & Company 415.627.8413
These are my own opinions, not necessarily those of my employer.
personal mail: cnewmark @
us or cnewmark @