Application-level firewalls involve the use of one or more proxy programs on the firewall, which act as intermediaries between internal and Internet hosts. Usually, a separate proxy program handles each protocol passing through the application-level firewall. The proxy program accepts a connection request from one side of the firewall, notes the desired destination address, and, if it determines from its rule base that the connection should be allowed, creates a connection request of its own that is sent to the ultimate destination. The proxy then carries on two separate, simultaneous conversations: one between the network client and the firewall, with the client thinking it's talking to the server, and one between the firewall and the server, with the server thinking it's talking directly to the client.
At no time are the internal system and external system directly connected to one another. Instead, the firewall proxy carefully passes each side's requests and responses to the other, keeping external systems from being able to play low-level TCP/IP games with internal systems and trying to isolate each side from bad input that might exploit vulnerabilities in server or client software.
When determining whether or not to allow a connection, an application-level firewall can look at many criteria, including packet source address, destination address, source and destination port numbers, and possibly other items such as user ID, user group, individual commands in the protocol, etc. Since the proxy programs have knowledge of the protocols and control each conversation, it's possible to define rules based on subcommands within the protocol. For example, you could allow certain users to issue the FTP put command to save a file to your FTP server, but disallow put access to all others. This very flexibility is also a limitation, because if an application-level firewall doesn't have a proxy program for a protocol, the protocol can't pass through that firewall at all, as some users of Microsoft Proxy Server were unhappy to find out when trying to create connections to the Internet with proprietary client/server software.
This means that an important question when evaluating application-level firewalls is, "Does it support all of the protocols I want to pass through the firewall?" Another limitation of application-level firewalls is that their use is often not transparent to client workstations. Workstations may need to be configured to send traffic to the firewall proxy by, for example, specifying a proxy server address in browser settings. (Fortunately, some browser manufacturers make it possible to do this in a somewhat automated fashion, such as by reading settings from a centralized configuration file.)
Because application-level firewalls do so much work to verify and maintain each connection, they're also the slowest type of firewall.
If you're buying firewall software to install on your own computer, and plan to use application-level proxies, don't scrimp on the computer's processor or network cards!
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.