network that require a particular kind of incoming packet are recorded.
Any packet coming into the local network is allowed only if it embodies
an appropriate response. Whereas static packet filtering essentially only
checks headers, dynamic filtering of packets looks at the packet in context,
namely, all the way to the application layer. With dynamic filtering, a
network administrator is allowed to define the guidelines to satisfy the
requirements of the local network.
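The recording-and-matching behaviour described above, as an added toy simulation that is not part of the book: outbound flows from the local network are entered in a state table, and an inbound packet is accepted only when it is the reverse of a recorded flow. The address prefix and packets are constructed sample values.

```python
"""Toy stateful ("dynamic") packet filter: outbound connections from the
local network are recorded; an inbound packet is allowed only if it is
the reply to a recorded connection. Everything else inbound is dropped."""
from dataclasses import dataclass

LOCAL_NET = "10.0.0."   # constructed local-network prefix (assumption)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFilter:
    def __init__(self):
        # State table of flows initiated from inside the local network.
        self.state = set()

    @staticmethod
    def _is_local(ip):
        return ip.startswith(LOCAL_NET)

    def process(self, pkt):
        """Return 'ALLOW' or 'DROP' for pkt and update the state table."""
        if self._is_local(pkt.src) and not self._is_local(pkt.dst):
            # Outbound request: remember the 5-tuple so its reply can match.
            self.state.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ALLOW"
        # Inbound: allowed only as the reverse of a flow we already recorded.
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ALLOW" if reverse in self.state else "DROP"


def run_sample():
    """Constructed traffic: a web request, its reply, and an unsolicited probe."""
    fw = StatefulFilter()
    out = Packet("tcp", "10.0.0.5", 40001, "203.0.113.10", 80)
    reply = Packet("tcp", "203.0.113.10", 80, "10.0.0.5", 40001)
    unsolicited = Packet("tcp", "198.51.100.7", 4444, "10.0.0.5", 22)
    return [fw.process(p) for p in (out, reply, unsolicited)]
```

A static filter that allowed the reply would have to open inbound source port 80 from every host; the stateful table admits only the one expected response.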
3. Application-Level Gateways — Proxy Servers : 8.14 These types of fire-
walls are also called application proxies , since they require two ingredients,
a proxy server and a proxy client . Suppose that a user, Alice say, in the
local network wants to connect to a service on the Internet. Her request,
together with her authentication ID, is first sent to the proxy server at the
gateway/firewall using a TCP/IP application such as HTTP or FTP. The
proxy server, acting in the role of the Internet server, assesses the request,
and based upon the local network security policy, allows or denies Alice's
wish. If approved, the proxy server sends the data, as TCP pieces, to the
proxy client, which contacts the actual Internet server. Then connections
are established between the Internet server and the proxy client, which
relays them to the proxy server for transfer to Alice. Hence Alice's out-
bound connections are always made to the proxy server, and the Internet's
connections are always made with the proxy client. There is never a direct
connection between Alice and the Internet server.
Application gateways execute intricate record keeping and audit of traffic
passing through them, as well as the traditional access restrictions required
of any firewall. These firewalls may be used as NATs (see page 314).
The reason is that the data exits the firewall after having been processed
by an application, which usually conceals the source address of the data.
Thus, the complexity of this type of firewall slows performance and reduces
transparency. On the other hand, they are more secure than packet filters,
and render thorough audit records. Moreover, since they do not operate
at the TCP/IP level, but rather at the application level, they need to screen
only a small number of permissible applications.
There are several more advantages to the use of application gateways.
They recognize and administer high-level protocols such as HTTP and
FTP. At the same time, application gateways present the semblance that
they are connecting directly with external servers. They can also be em-
ployed within the local network to route services to other servers therein.
8.14 A server may be viewed as a program, or computer, that provides services to other
programs, or computers. A proxy server is a server that acts as a go-between for a user in a
business enterprise, say, and the Internet so that the enterprise can ensure security and control,
as well as possibly caching. A cache is a memory location that stores data for quick access.
For example, if a user requests a WWW page and the proxy server has a cache with that page
already in it, downloaded previously for another user, say, then that page can be forwarded
immediately to the next user on request. This saves a great deal of time over the server having
to actually request the WWW page from where it really sits on the Internet.