

Application Gateways

Whereas packet filtering gateways operate in what might be called a general manner, applying their rules equally to all packets presented at the firewall, application gateways take a much different approach to achieving network security. Application gateways are programs that deal with the packets to and from specific applications (e.g., FTP, SMTP mail, Telnet), and they apply specific rules and safeguards for each (see Exhibit 8-3-5).


Exhibit 8-3-5.  Application Gateway

An application gateway acts as an application’s front door, accepting all calls to that application, verifying that the caller has the authorization to use the application, and optionally logging information about the connection. For example, a gateway for Telnet services might check the address of the caller, request a password from the caller to ensure that the user is authorized, and log the names and addresses of all hosts the user contacts. Similar gateways can be used for FTP, SMTP mail, and other network services.

Because incoming connections “talk” to the gateway programs rather than the actual services, potential intruders have a difficult time exploiting security holes in the actual services they are trying to attack. Prefiltering at the gateway can detect, prevent, and log actions that might compromise system security.

Pros and Cons

SMTP mail applications make heavy use of application gateways for security. Application gateways offer the administrator additional benefits as well. Mail gateways allow the administrator to keep tabs on the E-mail system by monitoring a single host, and they allow users to retain their personal E-mail address no matter what machine they are logged into at the time of mail creation. Mail gateways can also be used to modify the headers of outgoing mail to deny a potential intruder information about the specific hosts available for attack on the network.

As stated previously, application gateways offer the ability to log information about all or selected incoming and outgoing traffic. In the event of an attack on the protected network, the log can provide the critical information needed to trace the source of the attack and correct any security holes it exposed. It is also possible to examine the content of the traffic and make decisions based on that information. An example would be an SMTP mail gateway that checks all outgoing mail for the phrase Project Xray (where Project Xray is the name of a development project that is to be protected). Although the capability to filter or log traffic based on content is useful in preventing the dissemination of proprietary information, there may be legal and ethical questions involved in its use.
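The two mail-gateway behaviors described above (header rewriting to hide internal hosts, and content checking for a protected phrase) combined in one outbound filter. This is an added example, not code from the text; the message, the example.internal/example.com domains and the header list are constructed assumptions.

```python
import email
import email.utils
from email import policy

# Constructed sample outbound message; hosts, addresses and "Project Xray" are
# assumptions for this example, not data from the text.
RAW_OUTBOUND = """\
Received: from devbox.eng.example.internal ([10.1.2.3]) by mailhub.example.internal
From: Alice <alice@example.internal>
To: partner@example.com
Subject: status update
Message-ID: <20240101.1@devbox.eng.example.internal>
X-Mailer: InternalMailer/1.0

The Project Xray schematics are attached.
"""

PROTECTED_PHRASES = ("Project Xray",)  # content that must not leave the network
LEAKY_HEADERS = ("Received", "X-Mailer", "X-Originating-IP")  # name internal hosts
PUBLIC_DOMAIN = "example.com"  # the only domain outsiders should see

def find_protected_content(msg):
    # Return the protected phrases found in the subject or the plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    haystack = f"{msg['Subject'] or ''}\n{text}".lower()
    return [p for p in PROTECTED_PHRASES if p.lower() in haystack]

def sanitize_headers(msg):
    # Strip trace headers and rewrite the sender so internal hostnames stay hidden.
    for name in LEAKY_HEADERS:
        del msg[name]  # deletes every occurrence of that header
    display, addr = email.utils.parseaddr(str(msg["From"]))
    local, _, domain = addr.rpartition("@")
    if domain and domain != PUBLIC_DOMAIN:
        msg.replace_header("From", email.utils.formataddr((display, f"{local}@{PUBLIC_DOMAIN}")))
    del msg["Message-ID"]  # the original one names the originating host
    msg["Message-ID"] = email.utils.make_msgid(domain=PUBLIC_DOMAIN)
    return msg

def gateway_outbound(raw):
    # Decide for one outbound message: ("deliver" | "hold", matches, sanitized message).
    msg = email.message_from_string(raw, policy=policy.default)
    matches = find_protected_content(msg)
    action = "hold" if matches else "deliver"
    # Single choke point: log enough to trace the message later.
    print(f"[mail-gateway] from={msg['From']} to={msg['To']} action={action} matches={matches}")
    return action, matches, sanitize_headers(msg)
```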

Because packet filtering gateways and application-level gateways act as intermediaries between clients and services, special versions of the client programs may be needed to allow users to access the services. Although this requirement is a disadvantage in many ways, it provides another level of security—a potential intruder has to obtain a copy of the customized client or reverse engineer the gateway.

Many vendors offer software packages that offer the system administrator a menu-based or graphical user interface (GUI) to the gateway. These packaged-system solutions are easy to configure and manage. In addition to distilling the knowledge of security professionals, these packages have the advantage of technical support from the vendor.

Circuit-Level Gateways

Circuit-level gateways (illustrated in Exhibit 8-3-6) provide port-based connections between trusted and nontrusted systems. They work in the following manner:


Exhibit 8-3-6.  Circuit-level Gateway

  A host on one side of the gateway connects to a TCP port.
  The gateway determines whether the calling host is authorized to use the called service; if not, the connection is dropped and optionally logged.
  If the connection is authorized, the gateway opens a connection to the port of the called service and passes packets between the two hosts. Logging of connection activity can be done by the gateway if desired.
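The three steps above as a small circuit-level gateway: the caller connects to the gateway's port, the gateway checks the calling host against a policy table and logs the decision, and only then does it open the service port and copy bytes both ways without interpreting them. This is an added example, not code from the text; the ALLOWED table, the service name "echo" and the loopback addresses are constructed assumptions, and the service behind the gateway is whatever you pass as service_addr (for a local trial, a listener started with start_listener that echoes its input).

```python
import contextlib
import socket
import threading

# Constructed policy table (assumption): calling host -> services it may use.
ALLOWED = {"127.0.0.1": {"echo"}}
LOG = []  # one entry per connection attempt, kept for later tracing

def authorize(caller_ip, service):
    ok = service in ALLOWED.get(caller_ip, ())
    LOG.append(f"caller={caller_ip} service={service} {'accepted' if ok else 'dropped'}")
    return ok

def pump(src, dst):
    # Copy bytes one way until src closes; the gateway never interprets them.
    with contextlib.suppress(OSError):
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    with contextlib.suppress(OSError):
        dst.shutdown(socket.SHUT_WR)  # tell the far side no more data is coming

def start_listener(handler):
    # Serve an ephemeral localhost port on a daemon thread; return the port number.
    ls = socket.create_server(("127.0.0.1", 0))
    def loop():
        while True:
            threading.Thread(target=handler, args=ls.accept(), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return ls.getsockname()[1]

def start_gateway(service, service_addr):
    # Circuit-level front for one service: authorize the caller, then relay packets.
    def handle(client, addr):
        if not authorize(addr[0], service):  # step 2: unauthorized -> drop (logged)
            client.close()
            return
        with client, socket.create_connection(service_addr) as upstream:  # step 3
            back = threading.Thread(target=pump, args=(upstream, client), daemon=True)
            back.start()
            pump(client, upstream)  # caller -> service here; service -> caller on 'back'
            back.join()
    return start_listener(handle)

def call_through_gateway(port, payload):
    # Client side: send payload, half-close, return the reply (b"" if dropped).
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s, contextlib.suppress(OSError):
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        return b"".join(iter(lambda: s.recv(4096), b""))
    return b""
```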

