Question 1 Multiple Choice
A network administrator wants to prevent employees from uploading sensitive documents to cloud storage services, even when those services use HTTPS. Which type of device can accomplish this, and why?
A. A packet-filtering firewall, because it can inspect the content of HTTPS packets
B. A stateful firewall, because tracking TCP connection state reveals upload attempts
C. An application-layer proxy with SSL inspection, because it terminates and decrypts HTTPS connections to inspect HTTP content before re-encrypting and forwarding
D. A router with access control lists, because blocking port 443 will prevent HTTPS uploads
Answer: C
A packet filter or stateful firewall sees only IP and TCP headers; the application content inside an HTTPS connection is opaque ciphertext to it. At best such a device can see the unencrypted server name in the TLS handshake (SNI) and block a whole domain, but it cannot tell an upload from a download. Only an application-layer proxy can terminate the TLS connection (acting as a deliberate, trusted man-in-the-middle), decrypt and parse the HTTP request, inspect the body, and then re-encrypt before forwarding to the server. This works only because the organization installs the proxy's CA certificate in every client's trust store; applications that pin certificates will refuse the proxy's certificate and fail rather than be inspected. Blocking port 443 would break all HTTPS traffic, not just uploads. This is precisely why proxies exist: network-layer devices are blind to application content.
Question 2 Multiple Choice
A company deploys a device in front of its web servers that handles TLS termination, load-balances requests across multiple backend servers, and caches static assets. This is best described as which of the following?
A. A forward proxy, because it intermediates between clients and servers
B. A reverse proxy, because it acts on behalf of servers rather than clients
C. An application-layer firewall, because it filters malicious requests
D. A transparent proxy, because clients are unaware of the intermediary
Answer: B
A reverse proxy sits in front of servers and acts on their behalf: clients interact with the proxy as if it were the server. It handles TLS termination (offloading cryptographic work from backend servers), distributes load, and caches content. A forward proxy, by contrast, sits in front of clients and acts on their behalf (e.g., a corporate proxy that employees' browsers are configured to use). Option D is a distractor: "transparent" describes how a proxy is inserted into the path, not whose side it is on, and the defining characteristics here (protecting servers, invisible to clients, offloading server-side functions) identify a reverse proxy. While the device may also filter malicious requests, that is an added function, not what defines it.
Question 3 True / False
A forward proxy sits in front of servers to protect them from external clients, while a reverse proxy sits in front of clients to route their requests.
T. True
F. False
Answer: False
This is the opposite of the actual definitions. A forward proxy sits in front of clients and acts on their behalf — clients know about it and configure their requests to go through it. A reverse proxy sits in front of servers and acts on the servers' behalf — clients typically do not know it exists. A forward proxy protects or monitors clients (common in corporate networks); a reverse proxy protects or optimizes servers (common in web architectures, CDNs, and load-balanced deployments).
Question 4 True / False
To inspect application-layer content, a proxy must establish two separate TCP connections: one with the client and one with the destination server.
T. True
F. False
Answer: True
True. This is the defining architectural feature of a proxy, and it is what distinguishes it from a network-layer firewall. When a client connects to a proxy, the proxy fully terminates that TCP connection, reads and parses the application-layer messages, then opens a fresh, separate TCP connection to the destination server to forward the (possibly modified) requests. This "connection splitting" is what allows inspection, caching, and modification of content. It holds for transparent proxies too: the client may not know it is talking to a proxy, but the proxy still terminates one connection and originates another. A simple packet filter or router forwards packets without terminating connections, so it never sees a reassembled application message.
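The following is an added example, not part of the original quiz, showing the two-connection split in plain HTTP (the case in Question 1 adds a TLS handshake on each leg, but the structure is the same). It runs a constructed stand-in origin server and a tiny forward proxy on loopback; the proxy parses the request line, applies a path-based policy, opens a second TCP connection to the origin, and tags the response with a Via header. All hosts, ports, and the `/blocked` policy are assumptions for the demo.

```python
"""Connection-splitting forward proxy demo (added example, loopback only)."""
import http.server
import socket
import threading
from urllib.parse import urlsplit


class _Origin(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the destination server."""
    def do_GET(self):
        body = b"hello from upstream " + self.path.encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_origin():
    srv = http.server.HTTPServer(("127.0.0.1", 0), _Origin)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]


def _read_headers(sock):
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def handle_client(client, log):
    """Connection 1 is `client`; connection 2 is opened to the origin below."""
    with client:
        request_line = _read_headers(client).split(b"\r\n", 1)[0].decode()
        method, target, version = request_line.split(" ")
        url = urlsplit(target)  # absolute-form URI, as sent to a forward proxy
        host, port = url.hostname, url.port or 80
        log.append((method, host, port, url.path))
        # Policy hook: possible only because the proxy holds the parsed request.
        if url.path.startswith("/blocked"):  # assumed demo policy
            client.sendall(b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n")
            return
        with socket.create_connection((host, port)) as origin:  # connection 2
            origin.sendall(f"{method} {url.path or '/'} {version}\r\n"
                           f"Host: {host}:{port}\r\nConnection: close\r\n\r\n".encode())
            response = b""
            while chunk := origin.recv(4096):
                response += chunk
        # Modify on the way back: a Via header makes the split visible.
        head, sep, body = response.partition(b"\r\n\r\n")
        client.sendall(head + b"\r\nVia: 1.1 example-proxy" + sep + body)


def start_proxy(log):
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen()

    def serve():
        while True:
            conn, _ = listener.accept()
            threading.Thread(target=handle_client, args=(conn, log), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return listener.getsockname()[1]


def fetch_via_proxy(proxy_port, url):
    with socket.create_connection(("127.0.0.1", proxy_port)) as s:
        s.sendall(f"GET {url} HTTP/1.1\r\nHost: proxy\r\nConnection: close\r\n\r\n".encode())
        data = b""
        while chunk := s.recv(4096):
            data += chunk
    return data


def demo():
    """Return (allowed response, blocked response, proxy log)."""
    log = []
    origin_port = start_origin()
    proxy_port = start_proxy(log)
    allowed = fetch_via_proxy(proxy_port, f"http://127.0.0.1:{origin_port}/docs")
    blocked = fetch_via_proxy(proxy_port, f"http://127.0.0.1:{origin_port}/blocked/x")
    return allowed, blocked, log


if __name__ == "__main__":
    print(demo()[0].decode())
```

The blocked request never reaches the origin, and the allowed one comes back with a header the origin never sent: both are only possible because the proxy owns two independent TCP connections rather than forwarding packets.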
Question 5 Short Answer
Why can a traditional network-layer firewall not prevent SQL injection attacks, and what property of an application-layer gateway makes it capable of doing so?
Model answer: A network-layer firewall only inspects IP and TCP headers — source/destination addresses and port numbers. SQL injection is embedded in the payload of an HTTP request (e.g., a form field value), which is completely opaque to the firewall. An application-layer gateway terminates the connection and parses the full HTTP request, including request bodies and query parameters, allowing it to detect and block malicious patterns in the application content itself.
The key distinction is the layer of inspection. Network-layer firewalls enforce policy on IP and transport headers (addresses, ports, TCP flags), making them effective against port scans and unauthorized connection attempts but blind to attacks carried in application content. Application-layer gateways understand application protocols, so they can decode and examine the request itself, recognizing, for example, that a URL parameter value of `1 OR 1=1` or a form field ending in `' --` is an injection attempt. Web application firewalls (WAFs) are specialized application-layer gateways built for this and are widely deployed against OWASP Top 10 attacks, but they are a compensating control: signatures can be evaded with encoding and syntax variations, so the primary defense against SQL injection remains parameterized queries in the application code.
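As an added example (not part of the original quiz), the block below does what the model answer describes: it parses a raw HTTP request, decodes query parameters and a URL-encoded form body, and applies a few illustrative SQL-injection patterns to the decoded values, including a double-encoded payload that a single decode pass would miss. The sample requests are constructed, and the pattern list is a simplified assumption, not a production WAF rule set.

```python
"""Toy application-layer inspection of HTTP requests (added example)."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Illustrative patterns applied to DECODED values (assumption: far simpler than a real rule set).
SQLI_PATTERNS = [
    re.compile(r"(?i)\bor\b\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+"),  # OR 1=1 tautology
    re.compile(r"(?i)\bunion\b\s+(all\s+)?select\b"),            # UNION SELECT
    re.compile(r"--\s|/\*"),                                      # comment truncation
    re.compile(r"(?i);\s*(drop|delete|insert|update)\b"),         # stacked queries
]


def parse_http_request(raw: bytes) -> dict:
    """Reassemble what only a connection-terminating device can see: line, headers, params."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    params = parse_qsl(url.query, keep_blank_values=True)  # one percent-decode pass
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params += parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    return {"method": method, "path": url.path, "headers": headers, "params": params}


def inspect(raw: bytes):
    """Return ("allow" | "block", findings) for one raw HTTP request."""
    req = parse_http_request(raw)
    findings = []
    for name, value in req["params"]:
        decoded = unquote(value)  # second pass catches double-encoded payloads
        for pat in SQLI_PATTERNS:
            if pat.search(decoded):
                findings.append((name, decoded, pat.pattern))
                break
    return ("block" if findings else "allow"), findings


# Constructed sample requests for the demo.
BENIGN = b"GET /users?id=42 HTTP/1.1\r\nHost: shop.example\r\n\r\n"
INJECTED_GET = b"GET /users?id=42%20OR%201%3D1 HTTP/1.1\r\nHost: shop.example\r\n\r\n"
DOUBLE_ENCODED = b"GET /users?id=42%2520OR%25201%253D1 HTTP/1.1\r\nHost: shop.example\r\n\r\n"
INJECTED_POST = (
    b"POST /login HTTP/1.1\r\nHost: shop.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 28\r\n\r\n"
    b"user=admin%27%20--%20&pass=x"
)

if __name__ == "__main__":
    for name, req in [("benign", BENIGN), ("get", INJECTED_GET),
                      ("double", DOUBLE_ENCODED), ("post", INJECTED_POST)]:
        print(name, inspect(req))
```

A packet filter sees the same 5-tuple (TCP, client address, server address, port 80 or 443) for all four requests and cannot separate them; the verdict here depends entirely on fields that exist only after the request has been reassembled and decoded.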