Application Gateways

Whereas packet filtering gateways operate in what might be called a general manner, applying their rules equally to all packets presented at the firewall, application gateways take a much different approach to achieving network security. Application gateways are programs that handle the packets to and from specific applications (e.g., FTP, SMTP mail, Telnet), and they apply specific rules and safeguards for each (see Exhibit 8-3-5).
An application gateway acts as an application's front door, accepting all calls to that application, verifying that the caller is authorized to use the application, and optionally logging information about the connection. For example, a gateway for Telnet services might check the address of the caller, request a password from the caller to ensure that the user is authorized, and log the names and addresses of all hosts the user contacts. Similar gateways can be used for FTP, SMTP mail, and other network services. Because incoming connections talk to the gateway programs rather than to the actual services, potential intruders have a difficult time exploiting security holes in the services they are trying to attack. Prefiltering at the gateway can detect, prevent, and log actions that might compromise system security.

Pros and Cons

SMTP mail applications make heavy use of application gateways for security. Application gateways offer the administrator additional benefits as well. Mail gateways allow the administrator to keep tabs on the E-mail system by monitoring a single host, and they allow users to retain their personal E-mail address no matter what machine they are logged into at the time the mail is created. Mail gateways can also be used to modify the headers of outgoing mail to deny a potential intruder information about the specific hosts available for attack on the network. As stated previously, application gateways offer the ability to log information about all or selected incoming and outgoing traffic. In the event of an attack on the protected network, this logging can provide the information needed to trace the source of the attack and correct any security holes it exposed. It is also possible to examine the content of the traffic and make decisions based on that information.
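The two mail-gateway functions described here, examining the content of outgoing mail and rewriting its headers so that internal host names are not disclosed, as an added example in Python that is not code from the original text. The protected phrase is the book's own "Project Xray"; the domains corp.example and example.com, the header lists, the function names and the two sample messages are constructed for this example, and holding a flagged message for review (rather than dropping it) is a design choice of the example, not something the text prescribes.

```python
import re
from email import message_from_bytes, policy
from email.utils import make_msgid

# Constructed settings for this example (not from the original text).
PROTECTED_PHRASES = ("Project Xray",)   # content that must not leave the network
INTERNAL_DOMAIN = "corp.example"        # hosts behind the gateway
PUBLIC_DOMAIN = "example.com"           # the only domain the outside should see
# Headers that map the inside of the network or name internal software: dropped.
STRIP_HEADERS = ("Received", "X-Mailer", "X-Originating-IP", "User-Agent")
# Headers whose address domains are collapsed to the public domain.
REWRITE_HEADERS = ("From", "Sender", "Reply-To")
# Matches "@host1.corp.example" as well as "@corp.example".
_INTERNAL_ADDR = re.compile(r"@(?:[\w-]+\.)*" + re.escape(INTERNAL_DOMAIN) + r"\b")

def plain_text(msg) -> str:
    """Collect the text/plain bodies of a (possibly multipart) message."""
    return "\n".join(part.get_content() for part in msg.walk()
                     if part.get_content_type() == "text/plain")

def inspect_outgoing(raw: bytes):
    """Gateway decision for one outgoing message.

    Returns (decision, message_bytes, log): "hold" with None when a protected
    phrase is present (the message waits for a human), otherwise "deliver"
    with the sanitized message. The log lists every action taken.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    log = []
    sender = str(msg.get("From", "?"))
    haystack = (str(msg.get("Subject", "")) + "\n" + plain_text(msg)).lower()
    hits = [p for p in PROTECTED_PHRASES if p.lower() in haystack]
    if hits:
        log.append(f"HOLD from={sender} phrases={hits}")
        return "hold", None, log
    for name in STRIP_HEADERS:
        if name in msg:
            del msg[name]                      # removes every occurrence
            log.append(f"STRIP {name}")
    for name in REWRITE_HEADERS:
        if name in msg:
            original = str(msg[name])
            rewritten = _INTERNAL_ADDR.sub("@" + PUBLIC_DOMAIN, original)
            if rewritten != original:
                msg.replace_header(name, rewritten)
                log.append(f"REWRITE {name}")
    # A Message-ID minted inside names the originating host; mint a new one here.
    if "Message-ID" in msg:
        msg.replace_header("Message-ID", make_msgid(domain=PUBLIC_DOMAIN))
        log.append("REWRITE Message-ID")
    log.append(f"DELIVER from={sender}")
    return "deliver", msg.as_bytes(), log

# Constructed sample messages (not real mail).
SAMPLE_LEAK = b"""Received: from host1.corp.example (10.1.2.3) by mailhub.corp.example
From: Alice <alice@host1.corp.example>
To: partner@other.example
Subject: weekly status
Message-ID: <1001@host1.corp.example>

The Project Xray milestone slipped by a week.
"""

SAMPLE_CLEAN = b"""Received: from host1.corp.example (10.1.2.3) by mailhub.corp.example
From: Alice <alice@host1.corp.example>
To: partner@other.example
Subject: lunch
Message-ID: <1002@host1.corp.example>

Still on for Thursday?
"""

if __name__ == "__main__":
    for sample in (SAMPLE_LEAK, SAMPLE_CLEAN):
        decision, out, log = inspect_outgoing(sample)
        print(decision, log)
        if out:
            print(out.decode())
```

The phrase check is deliberately run before any rewriting, so a held message is logged exactly as the user sent it; the header rewriting only touches what a sanitized copy will carry past the gateway.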
An example would be an SMTP mail gateway that checks all outgoing mail for the phrase Project Xray (where Project Xray is the name of a development project that is to be protected). Although the capability to filter or log traffic based on content is useful in preventing the dissemination of proprietary information, there may be legal and ethical questions involved in its use.

Because packet filtering gateways and application-level gateways act as intermediaries between clients and services, special versions of the client programs may be needed to allow users to access the services. Although this requirement is a disadvantage in many ways, it provides another level of security: a potential intruder has to obtain a copy of the customized client or reverse engineer the gateway. Many vendors offer software packages that give the system administrator a menu-based or graphical user interface (GUI) to the gateway. These packaged solutions are easy to configure and manage. In addition to distilling the knowledge of security professionals, these packages have the advantage of technical support from the vendor.

Circuit-Level Gateways

Circuit-level gateways (illustrated in Exhibit 8-3-6) provide port-based connections between trusted and nontrusted systems. They work in the following manner:
If the connection is authorized, the gateway opens a connection to the port of the called service and passes packets between the two hosts. Logging of connection activity can be done by the gateway if desired.
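The authorize, connect and relay behaviour just described, as an added example in Python that is not code from the original text. It assumes a plug-style gateway in which each listening port is bound in advance to one destination service, admits callers by source network, relays bytes in both directions without interpreting them, and logs every circuit. The class and function names, the allowlist networks and the local echo server standing in for the protected service are all constructed for the example.

```python
import ipaddress
import socket
import threading

class CircuitGateway:
    def __init__(self, destination, allowed_networks, log):
        self.destination = destination                       # (host, port) of the real service
        self.allowed = [ipaddress.ip_network(n) for n in allowed_networks]
        self.log = log                                       # list shared with the operator
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.bind(("127.0.0.1", 0))                 # port 0: the OS picks a free port
        self.listener.listen()
        self.port = self.listener.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                client, peer = self.listener.accept()
            except OSError:                                  # listener closed
                return
            threading.Thread(target=self._handle, args=(client, peer), daemon=True).start()

    def _handle(self, client, peer):
        circuit = f"{peer[0]}:{peer[1]} -> {self.destination[0]}:{self.destination[1]}"
        if not any(ipaddress.ip_address(peer[0]) in net for net in self.allowed):
            self.log.append(f"DENY {circuit}")              # caller not authorized: no circuit
            client.close()
            return
        try:                                                 # open the called service's port
            server = socket.create_connection(self.destination, timeout=5)
        except OSError as exc:
            self.log.append(f"FAIL {circuit} ({exc})")
            client.close()
            return
        self.log.append(f"OPEN {circuit}")
        counts = {}                                          # relay both ways, no inspection
        inbound = threading.Thread(target=self._pipe, args=(client, server, counts, "in"), daemon=True)
        inbound.start()
        self._pipe(server, client, counts, "out")
        inbound.join()
        client.close()
        server.close()
        self.log.append(f"CLOSE {circuit} bytes_in={counts['in']} bytes_out={counts['out']}")

    @staticmethod
    def _pipe(src, dst, counts, label):
        total = 0
        try:
            for data in iter(lambda: src.recv(4096), b""):
                dst.sendall(data)
                total += len(data)
        except OSError:
            pass
        finally:
            counts[label] = total
            try:
                dst.shutdown(socket.SHUT_WR)                 # forward the EOF to the other side
            except OSError:
                pass

def start_echo_server():
    """Constructed stand-in for the protected service: echoes whatever it receives."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen()
    def handle(conn):
        with conn:
            for data in iter(lambda: conn.recv(4096), b""):
                conn.sendall(data)
    def serve():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()

def relay_roundtrip(gateway_port, payload):
    """Client side: send payload through the gateway and return what comes back."""
    try:
        with socket.create_connection(("127.0.0.1", gateway_port), timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)
            received = b""
            while len(received) < len(payload):
                chunk = c.recv(4096)
                if not chunk:
                    break
                received += chunk
            return received
    except OSError:                                          # a denied circuit is simply closed
        return b""

if __name__ == "__main__":
    log = []
    gw = CircuitGateway(start_echo_server(), ["127.0.0.0/8"], log)
    print(relay_roundtrip(gw.port, b"hello gateway"))
    print("\n".join(log))
```

Note what the gateway does not do: it never parses the relayed bytes, so it cannot apply the per-application checks of the previous section; its whole security value lies in the admission decision, the fact that the outside host only ever talks to the gateway, and the OPEN/CLOSE log with byte counts per circuit.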
Copyright (c) 1996-1999 EarthWeb, Inc. All rights reserved.