most intelligent. It has the capacity to do stateful inspection of network
packets at every protocol layer of the network stack. It does so via a proxy
within the kernel (the core of the firewall), which relays packets on a
session-by-session basis using a custom TCP/IP stack. In this fashion, each
packet is screened at every layer from the physical to the application layer
and back. Yet, despite this complexity, the filtering can be done efficiently,
because the kernel embodies the full set of available proxies: it stands ready
to proxy any protocol layer and execute full security checks.
The proxy server examines each incoming packet against a network security
policy. If the packet passes this security point, it is checked against the
existing sessions. If the packet belongs to one, it is relayed to the proxy
stack for that session; each such proxy stack is built dynamically, one per
session. If the packet does not belong to an existing session, a new proxy
stack is created and the packet is relayed to that stack for analysis.
Each dynamically created stack analyzes the packet for those protocols
determined by its session. A packet may be discarded at a given layer if it
does not meet the security standards, or it may be modified at the pertinent
protocol proxy. Furthermore, each proxy layer records state information for
the session.
If particular services are requested, the proxy establishes an application-layer
extension. This renders the specific services, such as caching, without
sacrificing efficiency. If no such additional services are needed, the packet
does not go up to the application level.
There is also a native network stack, which stands alone, unchanged, and has
its own separate security policy allocated to it. Packets may be passed to
the native stack after passing the security checks and modifications, or they
may be delivered on to other computers, if so destined.
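As an added example (not code from the original text), the following Python model walks a few constructed packets through the flow just described: the network-policy check, the session lookup keyed by the 5-tuple, a proxy stack built dynamically for each new session from the protocols that session carries, per-layer state recorded against the session, and discard or modification of a packet at a given layer. The allowed-port policy, the transport byte quota, the HTTP method and header rules, and the sample packets are all assumptions chosen for illustration.

```python
"""Toy model of the per-session kernel proxy stack described above.
Added example, not code from the original text.  The policy, the layer
checks and the sample packets are assumptions made for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    payload: bytes = b""

    def session_key(self) -> tuple:
        # A session is identified by the classic 5-tuple.
        return (self.src, self.dst, self.sport, self.dport, self.proto)


# Security point 1: the network security policy every packet must pass first.
ALLOWED_TCP_PORTS = {80, 443}          # assumed policy for the example


def policy_allows(p: Packet) -> bool:
    return p.proto == "tcp" and p.dport in ALLOWED_TCP_PORTS


# A proxy layer receives the packet and its own per-session state dict; it
# returns the (possibly modified) packet, or None to discard it at that layer.
LayerFn = Callable[[Packet, dict], Optional[Packet]]
MAX_SESSION_BYTES = 1 << 20            # assumed per-session byte quota


def transport_layer(p: Packet, state: dict) -> Optional[Packet]:
    state["packets"] = state.get("packets", 0) + 1
    state["bytes"] = state.get("bytes", 0) + len(p.payload)
    return None if state["bytes"] > MAX_SESSION_BYTES else p


SAFE_METHODS = {b"GET", b"HEAD", b"POST"}
HOP_BY_HOP = b"proxy-connection:"      # header the proxy strips on the way through


def http_layer(p: Packet, state: dict) -> Optional[Packet]:
    if not p.payload:                  # e.g. a bare ACK: nothing to inspect
        return p
    lines = p.payload.split(b"\r\n")
    method = lines[0].split(b" ")[0]
    if method not in SAFE_METHODS:     # discarded at the application proxy
        return None
    state["last_method"] = method
    kept = [lines[0]] + [h for h in lines[1:] if not h.lower().startswith(HOP_BY_HOP)]
    p.payload = b"\r\n".join(kept)     # modified at the pertinent protocol proxy
    return p


Stack = List[Tuple[str, LayerFn, dict]]


def build_stack(p: Packet) -> Stack:
    """Build the proxy stack for a new session from the protocols it carries."""
    stack: Stack = [("transport", transport_layer, {})]
    if p.dport == 80:
        stack.append(("http", http_layer, {}))
    # Port 443 carries TLS, whose payload is opaque here, so no application
    # proxy is added and such packets never climb to the application level.
    return stack


class ProxyFirewall:
    def __init__(self) -> None:
        self.sessions: Dict[tuple, Stack] = {}

    def handle(self, p: Packet) -> str:
        """Return 'forward' or 'drop:<point>'; any modification is left on p."""
        if not policy_allows(p):
            return "drop:policy"
        key = p.session_key()
        stack = self.sessions.get(key)
        if stack is None:              # new session: build its stack dynamically
            stack = build_stack(p)
            self.sessions[key] = stack
        for name, layer, state in stack:
            result = layer(p, state)
            if result is None:
                return "drop:" + name
            p = result
        return "forward"               # on to the native stack or its destination


if __name__ == "__main__":
    fw = ProxyFirewall()
    req = Packet("10.0.0.5", "192.0.2.10", 40001, 80, "tcp",
                 b"GET / HTTP/1.1\r\nHost: example\r\nProxy-Connection: keep-alive\r\n\r\n")
    print(fw.handle(req), req.payload)
    print(fw.handle(Packet("10.0.0.5", "192.0.2.10", 40001, 80, "tcp",
                           b"TRACE / HTTP/1.1\r\n\r\n")))
```

Two points of the design mirror the text: the policy check runs before any session state is consulted, so a packet rejected there never causes a stack to be built, and a session to port 443 gets only the transport layer, so its packets are never handed to an application-level proxy. A real proxy firewall would reassemble the TCP stream before parsing HTTP; this model inspects each packet's payload on its own for brevity.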
This firewall architecture marries the need for the best possible security
with exceptional performance. It still suffers from the failing of all
firewalls as outlined on page 315, of course, but it is a great stride forward
for network security.
There are also hybrid systems employing combinations of the above firewalls
using what is called a bastion host, which is a host that a local network
designates as the only computer allowed to be accessed directly from the Internet,
and which is used to shield the local network from security breaches. Usually,
bastion hosts are the staging points for either application-level or circuit-level
gateways. An example is what is called a screened subnet firewall, wherein a
packet-filter firewall is positioned on either side of the bastion host, thereby
creating an isolated subnetwork (the arrangement commonly called a DMZ). Another
example is a configuration having both the packet-filter and application-gateway
firewalls positioned on either side of the bastion host. Numerous such
configurations are possible. The end goal is maximum security with minimum delay.