point. The hardware and software that sit between the Internet and the local network,
checking all the data that comes in or out to make sure it's kosher, is called a firewall.
The firewall is often part of the router that connects the local network to the broader
Internet and may perform other tasks, such as network address translation. Then again,
the firewall may be a separate machine. Modern operating systems like Mac OS X and
Red Hat Linux often have built-in personal firewalls that monitor just the traffic sent to
that one machine. Either way, the firewall is responsible for inspecting each packet that
passes into or out of its network interface and accepting it or rejecting it according to a
set of rules.
Filtering is usually based on network addresses and ports. For example, all traffic coming
from the Class C network 193.28.25.x may be rejected because you had bad experiences
with hackers from that network in the past. Outgoing SSH connections may be allowed,
but incoming SSH connections may not. Incoming connections on port 80 (web) may
be allowed, but only to the corporate web server. More intelligent firewalls look at the
contents of the packets to determine whether to accept or reject them. The exact
configuration of a firewall—which packets of data are allowed to pass through and which
are not—depends on the security needs of an individual site. Java doesn't have much to do
with firewalls—except insofar as they often get in your way.
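The address-and-port filtering just described, written out as an added example (not code from the book): a small first-match packet filter that encodes exactly the rules in the text, with a constructed corporate web server address and a default-deny fallback as assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed address for the corporate web server (assumption, not from the text).
CORPORATE_WEB_SERVER = "10.0.0.80"

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (arriving from the Internet) or "out" (leaving the local network)
    src: str         # source IP address
    dst: str         # destination IP address
    dst_port: int    # destination port

@dataclass(frozen=True)
class Rule:
    action: str                       # "accept" or "reject"
    direction: Optional[str] = None   # None matches either direction
    src_net: Optional[str] = None     # CIDR block; None matches any source
    dst_host: Optional[str] = None    # exact destination address; None matches any host
    dst_port: Optional[int] = None    # None matches any port

    def matches(self, p: Packet) -> bool:
        if self.direction is not None and p.direction != self.direction:
            return False
        if self.src_net is not None:
            if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src_net):
                return False
        if self.dst_host is not None and p.dst != self.dst_host:
            return False
        if self.dst_port is not None and p.dst_port != self.dst_port:
            return False
        return True

# The rule set from the text; the first matching rule decides the packet's fate.
RULES = [
    Rule("reject", src_net="193.28.25.0/24"),                   # everything from 193.28.25.x
    Rule("accept", direction="out", dst_port=22),                # outgoing SSH allowed
    Rule("reject", direction="in", dst_port=22),                 # incoming SSH refused
    Rule("accept", direction="in", dst_port=80,
         dst_host=CORPORATE_WEB_SERVER),                         # web, but only to the web server
]

def filter_packet(p: Packet, rules=RULES) -> str:
    """Return "accept" or "reject" for one packet; anything unmatched is rejected (default deny)."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "reject"
```

Because the 193.28.25.x rule comes first, a web request from that block to the corporate server is still rejected; rule order is part of the policy.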
Proxy Servers
Proxy servers are related to firewalls. If a firewall prevents hosts on a network from
making direct connections to the outside world, a proxy server can act as a go-between.
Thus, a machine that is prevented from connecting to the external network by a firewall
would make a request for a web page from the local proxy server instead of requesting
the web page directly from the remote web server. The proxy server would then request
the page from the web server and forward the response back to the original requester.
Proxies can also be used for FTP services and other connections. One of the security
advantages of using a proxy server is that external hosts only find out about the proxy
server. They do not learn the names and IP addresses of the internal machines, making
it more difficult to hack into internal systems.
Whereas firewalls generally operate at the level of the transport or internet layer, proxy
servers normally operate at the application layer. A proxy server has a detailed
understanding of some application-level protocols, such as HTTP and FTP. (The notable
exception is SOCKS proxy servers, which operate at the transport layer and can proxy
for all TCP and UDP connections regardless of application layer protocol.) Packets that
pass through the proxy server can be examined to ensure that they contain data
appropriate for their type. For instance, FTP packets that seem to contain Telnet data can be
rejected. Figure 1-4 shows how proxy servers fit into the layer model.