I too have recently been confused by use of the term "transparent", when
it's applied to proxy-based firewalls.
I have always understood that a proxy gateway maintains its security by
turning IP forwarding "off"
in the kernel of the platform that it is running on. Thus, *all* packets
that hit the outside or "dirty" interface are forced up to the appropriate
proxy application, and if allowed by the rules of the proxy, the proxy
copies the packet to the inside or "clean" interface. No packet ever gets
to travel directly from one interface to the other. (Of course, the same is
true of packets travelling in the reverse direction).
I can see the security benefits of this approach since a proxy could be
configured to look for *anything* in the packet contents and make decisions
about what to allow or disallow. Allow FTP 'gets' but not 'puts' for
Recently, I have been told by an industry 'expert' that traditional proxy
gateways that claim to be "transparent", achieve this transparency by only
forcing the 'connect' packets through the proxy, and all other packets
associated with that connection move directly from one interface to the
other. (I have always understood this to be called a 'circuit level
gateway'). Of course, authentication schemes become critical here, but I
don't understand how this could be used to prevent an "authenticated" user
from sending some nasty commands within an application that they are
"allowed" to use.
Can someone please clarify this for me? How is TIS transparent for example,
and yet maintain the security of an application proxy that checks *every*
- Greg Brennan
>I've been doing some research on firewalls, and was curious as to what it
>exactly means. Does a fully transparent firewall mean that you don't need
>to enter any passwords, like a basic packet filter? Does a non
>transparent firewall mean that every action will take a longer time, or is
>transparency simply an effect that a user will feel?
Generally transparency means that the user doesn't notice anything
different (when using an Internet application) as a result of accessing
the Internet from behind a firewall than they would if there was no
This means usually that there is no 'modified procedure' or manual
steps that the user has to take in order to use Internet clients
obtained from the Net (or shrink-wrapped from the local computer
There are now 'transparent proxies' supplied in some new commercial
firewalls which handle data (both incoming and outgoing) at the
application layer via application-specific and aware gateway code, but
neither the client user nor machine is aware that an app level proxy is
actually handling (and in many cases modifying and rewriting data) the
TCP socket connections used -- they think that the firewall is just an
IP router to which they route their IP datagrams.
More subject to debate however is whether you can consider to be
o administrator configured (via network admin kits)
Web browser set to use proxy caching HTTP servers.
o installing and configuring the Microsoft Catapult
RWS (Remote Windows Sockets) or a 'Socks' shim on
top of client PC's winsock.dll
They are not usually considered to be 'transparent', because though
they are transparent to the user they are not transparent to the
application or machine.
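As an added illustration of the application-level inspection both posts above describe (Greg's "allow FTP 'gets' but not 'puts'" rule, applied by an application-aware gateway the client believes is just a router), here is example code that is not from either poster. It assumes the kernel has already redirected the intercepted FTP control connection to the proxy (for example via a NAT redirect rule) and models the two socket directions as file-like objects; the command sets and the 550 reply text are constructed for the example.

```python
import io

# Constructed policy for the FTP control channel: "gets" (RETR) and session
# housekeeping are relayed, "puts" and other write operations are refused.
ALLOWED = {"USER", "PASS", "SYST", "PWD", "CWD", "TYPE", "PASV", "PORT",
           "LIST", "NLST", "RETR", "NOOP", "QUIT"}
DENIED = {"STOR", "STOU", "APPE", "DELE", "RNFR", "RNTO", "MKD", "RMD", "SITE"}


def decide(line):
    """Classify one client command line; returns ('allow' | 'deny', VERB)."""
    verb = line.strip().split(" ", 1)[0].upper()
    if verb in DENIED:
        return "deny", verb
    if verb in ALLOWED:
        return "allow", verb
    return "deny", verb  # default-deny: unknown verbs are never relayed


def relay_control_channel(client_in, server_out, client_out):
    """Relay client->server commands through the policy.

    client_in  : lines arriving from the (unaware) client
    server_out : where permitted commands are written, unchanged
    client_out : where the proxy answers for denied commands itself
    Returns (forwarded_verbs, blocked_verbs) so the outcome can be audited.
    """
    forwarded, blocked = [], []
    for raw in client_in:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        verdict, verb = decide(line)
        if verdict == "allow":
            server_out.write(line + "\r\n")  # the server sees it exactly as sent
            forwarded.append(verb)
        else:
            # Answer in FTP syntax; the server never sees this command at all.
            client_out.write("550 %s not permitted by proxy policy\r\n" % verb)
            blocked.append(verb)
    return forwarded, blocked


def run_sample_session():
    """Constructed control-channel session: a download followed by an upload."""
    session = "USER anonymous\r\nPASS guest\r\nRETR readme.txt\r\nSTOR tool.exe\r\nQUIT\r\n"
    to_server, to_client = io.StringIO(), io.StringIO()
    result = relay_control_channel(io.StringIO(session), to_server, to_client)
    return result, to_server.getvalue(), to_client.getvalue()
```

Only the control channel is modelled here; a real application proxy would also have to follow the PORT/PASV negotiation to relay the data connection.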