Application (Proxy) Firewall
Can examine the application message to filter packets by application content
If hacker takes over the proxy firewall, has not taken over the internal clients, with which it only has indirect contact
Internal client’s IP address is hidden. All packets sent back by the server have the address of the application proxy server.
Need a separate proxy program for each application