Firewall design

By D. Brent Chapman, Unix Insider |  Security

A proxy service requires two components:
a proxy server and a proxy client. In this situation, the proxy server
runs on the dual-homed host. A proxy client is a special version of a
normal client program (e.g., a Telnet or FTP client) that talks to the
proxy server rather than to the "real" server out on the Internet; in
addition, if users are taught special procedures to follow, normal
client programs can often be used as proxy clients. The proxy server
evaluates requests from the proxy client, and decides which to approve
and which to deny. If a request is approved, the proxy server contacts
the real server on behalf of the client (thus the term "proxy"), and
proceeds to relay requests from the proxy client to the real server,
and responses from the real server to the proxy client.

In some proxy systems, instead of installing custom client proxy
software, you'll use standard software, but set up custom user
procedures for using it. (We describe how this works in Chapter 7 of
our book.)

A proxy service is a software solution, not a firewall architecture
per se. You can use proxy services in conjunction with any of the
firewall architectures described in the section called "Firewall
Architectures" below.

The proxy server doesn't always just forward users' requests on to
the real Internet services. The proxy server can control what users do,
because it can make decisions about the requests it processes.
Depending on your site's security policy, requests might be allowed or
refused. For example, the FTP proxy might refuse to let users export
files, or it might allow users to import files only from certain
sites. More sophisticated proxy services might allow different
capabilities to different hosts, rather than enforcing the same
restrictions on all hosts.
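The following is an added illustration, not code from the book, from SOCKS, or from TIS FWTK. It models the FTP proxy decisions described above in a few dozen lines of Python: the proxy identifies the calling host, looks up what that host is allowed to do, and either relays an approved command to the real server or answers the denial itself so the request never leaves the firewall. The network addresses, host names, the `user@realhost` login convention used to pick the destination, and the `fake_real_server` stand-in for the Internet side are all constructed for the example.

```python
"""Toy application-level FTP proxy policy (constructed example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class HostPolicy:
    allow_import: bool                 # RETR: pull a file in from the Internet
    allow_export: bool                 # STOR/APPE: push a file out to the Internet
    import_sources: list = field(default_factory=list)  # allowed real servers; empty = any


# Different capabilities for different internal networks (all addresses are
# made up for this example).  Hosts not listed here get nothing.
POLICY = {
    ip_network("10.0.1.0/24"): HostPolicy(True, False, ["ftp.example.org"]),
    ip_network("10.0.2.0/24"): HostPolicy(True, True, []),
}


def policy_for(client_ip):
    """Return the HostPolicy covering client_ip, or None if it is not covered."""
    addr = ip_address(client_ip)
    for net, pol in POLICY.items():
        if addr in net:
            return pol
    return None


def parse_destination(user_command):
    """Custom user procedure (an assumed convention for this example): the user
    logs in to the proxy as 'name@realhost' and the proxy extracts the real
    server.  Returns (username, real_server); raises ValueError on bad input."""
    parts = user_command.split()
    if len(parts) != 2 or parts[0].upper() != "USER" or "@" not in parts[1]:
        raise ValueError("expected: USER name@realhost")
    name, _, host = parts[1].rpartition("@")
    if not name or not host:
        raise ValueError("expected: USER name@realhost")
    return name, host


def evaluate(client_ip, real_server, command):
    """Decide one proxied request.  Returns (allowed, reason)."""
    pol = policy_for(client_ip)
    if pol is None:
        return False, "client not covered by policy"
    verb = command.split()[0].upper() if command.strip() else ""
    if verb == "RETR":
        if not pol.allow_import:
            return False, "imports disabled for this host"
        if pol.import_sources and real_server not in pol.import_sources:
            return False, f"imports from {real_server} not permitted"
        return True, "import permitted"
    if verb in ("STOR", "APPE"):
        if not pol.allow_export:
            return False, "exports disabled for this host"
        return True, "export permitted"
    if verb in ("LIST", "NLST", "CWD", "PWD", "QUIT"):
        return True, "harmless command"
    # Default deny: anything the proxy does not understand is refused.
    return False, f"command {verb or '<empty>'} not in proxy's allow-list"


def relay_session(client_ip, real_server, client_commands, real_server_responder):
    """Relay one session on behalf of the proxy client.

    Approved commands are passed to real_server_responder (a callable standing
    in for the connection to the real server) and its reply is returned to the
    client; denied commands are answered by the proxy itself.  Returns the
    transcript as a list of (command, reply) pairs."""
    transcript = []
    for cmd in client_commands:
        ok, reason = evaluate(client_ip, real_server, cmd)
        if ok:
            transcript.append((cmd, real_server_responder(cmd)))
        else:
            transcript.append((cmd, f"550 proxy: {reason}"))
    return transcript


def fake_real_server(cmd):
    """Stand-in for the real FTP server out on the Internet (constructed)."""
    verb = cmd.split()[0].upper()
    return {"RETR": "150 Opening data connection",
            "STOR": "150 Ready for upload",
            "LIST": "150 Listing follows"}.get(verb, "200 OK")


if __name__ == "__main__":
    _, server = parse_destination("USER anonymous@ftp.example.org")
    for line in relay_session("10.0.1.5", server,
                              ["LIST", "STOR secret.tar", "RETR README"],
                              fake_real_server):
        print(line)
```

The interesting property is in `relay_session`: a denied command produces a reply from the proxy, and `fake_real_server` is never called for it, which is exactly why the decision belongs on the dual-homed host rather than on the client.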

There is some excellent software available for proxying. SOCKS is a
proxy construction toolkit, designed to make it easy to convert
existing client/server applications into proxy versions of those same
applications. The Trusted Information Systems Internet Firewall Toolkit
(TIS FWTK) includes proxy servers for a number of common Internet
protocols, including Telnet, FTP, HTTP, rlogin, X11, and others; these
proxy servers are designed to be used in conjunction with custom user
procedures. (See the discussion of these packages in Chapter 7 of our book.)

Many standard client and server programs, both commercial and freely
available, now come equipped with their own proxying capabilities, or
with support for generic proxy systems like SOCKS. These capabilities
can be enabled at run time or compile time.

Firewall architectures

There are a variety of ways to put the various firewall
components together. Let's examine some of these approaches in detail.

Dual-homed host architecture
