Our implementation of the request-response policy relies primarily on a packet filter located at the firewall perimeter. Some of the responsibilities for recognizing responses to outstanding requests must be delegated to operating system mechanisms provided by protected hosts themselves. However, when application protocols are ill-suited for our request-response paradigm, we must rely on application-level proxies running on bastion hosts.