Firewall design

By D. Brent Chapman, Unix Insider |  Security

Proxy services are specialized application or server programs that
run on a firewall host: either a dual-homed host with an interface on
the internal network and one on the external network, or some other
bastion host that has access to the Internet and is accessible from the
internal machines. These programs take users' requests for Internet
services (such as FTP and Telnet) and forward them, as appropriate
according to the site's security policy, to the actual services. The
proxies provide replacement connections and act as gateways to the
services. For this reason, proxies are sometimes known as
application-level gateways.

(Firewall terminologies differ. Whereas we use the term proxy
service to encompass the entire proxy approach, other authors refer to
application-level gateways and circuit-level gateways. Although there
are small differences between the meanings of these various terms, in
general our discussion of proxies refers to the same type of technology
other authors mean when they refer to these gateway systems.)

Proxy services sit, more or less transparently, between a user on the
inside (on the internal network) and a service on the outside (on the
Internet). Instead of talking to each other directly, each talks to a
proxy. Proxies handle all the communication between users and Internet
services behind the scenes.

Transparency is the major benefit of proxy services. It's
essentially smoke and mirrors. To the user, a proxy server presents the
illusion that the user is dealing directly with the real server. To the
real server, the proxy server presents the illusion that the real
server is dealing directly with a user on the proxy host (as opposed to
the user's real host).

Note: Proxy services are effective
only when they're used in conjunction with a mechanism that restricts
direct communications between the internal and external hosts.
Dual-homed hosts and packet filtering are two such mechanisms. If
internal hosts are able to communicate directly with external hosts,
there's no need for users to use proxy services, and so (in general)
they won't. Such a bypass probably isn't in accordance with your
security policy.
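To make the "replacement connection" idea concrete, here is a toy application-level gateway written for this article (it is not code from the book or from any real proxy): a user sends the proxy a first line naming the destination ("host port", a session format assumed for the demo), the proxy checks that destination against the site's policy, and only then opens its own connection to the real server and relays traffic, so the server only ever sees the proxy host as its peer. The stand-in "real" service, the loopback addresses and the policy set are all constructed for the demo; it needs Python 3.8 or later.

```python
import contextlib
import socket
import threading

def policy_allows(host, port, allowed):  # the site's policy: only listed (host, port) pairs are reachable
    return (host, port) in allowed
def relay(src, dst):  # copy one direction until EOF, then pass that EOF on to dst's peer
    with contextlib.suppress(OSError):
        while chunk := src.recv(4096):
            dst.sendall(chunk)
        dst.shutdown(socket.SHUT_WR)
def handle_client(client, allowed):
    # Session format (assumed for the demo): first line "host port" names the destination, the rest is user traffic.
    with client:
        head, _, rest = client.recv(4096).partition(b"\n")  # demo assumes the first line arrives in one read
        parts = head.decode(errors="replace").split()
        if len(parts) != 2 or not parts[1].isdigit() or not policy_allows(parts[0], int(parts[1]), allowed):
            client.sendall(b"DENIED\n")
            return
        # Replacement connection: the real server sees the proxy host as its peer, not the user's host.
        with socket.create_connection((parts[0], int(parts[1]))) as upstream:
            client.sendall(b"OK\n")
            upstream.sendall(rest)
            back = threading.Thread(target=relay, args=(upstream, client), daemon=True)
            back.start()
            relay(client, upstream)
            back.join()
def serve(listener, allowed):  # proxy accept loop; each user session gets its own thread
    while True:
        threading.Thread(target=handle_client, args=(listener.accept()[0], allowed), daemon=True).start()
def fake_service(listener, seen):  # constructed stand-in for the real Internet service: records its peer, echoes upper-cased
    with listener.accept()[0] as conn:
        seen.append(conn.getpeername())
        conn.sendall(conn.recv(4096).upper())
def demo():  # service, proxy and user all on loopback; returns the policy verdicts and the relayed reply
    service, proxy = socket.create_server(("127.0.0.1", 0)), socket.create_server(("127.0.0.1", 0))
    sport, pport, seen = service.getsockname()[1], proxy.getsockname()[1], []
    threading.Thread(target=fake_service, args=(service, seen), daemon=True).start()
    threading.Thread(target=serve, args=(proxy, {("127.0.0.1", sport)}), daemon=True).start()
    def via_proxy(host, port, payload):
        with socket.create_connection(("127.0.0.1", pport)) as c:
            c.sendall(f"{host} {port}\n".encode() + payload)
            c.shutdown(socket.SHUT_WR)
            verdict, _, reply = b"".join(iter(lambda: c.recv(4096), b"")).partition(b"\n")
            return verdict.decode(), reply
    denied, _ = via_proxy("203.0.113.9", 23, b"")  # Telnet to a host the policy does not list: refused before any connection
    allowed, reply = via_proxy("127.0.0.1", sport, b"hello")
    return {"denied": denied, "allowed": allowed, "reply": reply, "server_saw": seen[0]}
```

On a dual-homed host the address recorded in `server_saw` would be the proxy's external interface rather than loopback, which is exactly the illusion the text describes from the real server's point of view.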

How do proxy services work? Let's look at the simplest case, where we
add proxy services to a dual-homed host. (We describe these hosts in
some detail in the "Dual-homed host architecture" section of this
