CertiGuide to Security+
Chapter 3: Infrastructure Security (Domain 3.0; 20%)
3.1 Devices
3.1.1 Firewalls


Application-Level Firewalls

Application-level firewalls involve the use of one or more “proxy” programs on the firewall, which act as intermediaries between internal and Internet hosts. Usually, a separate proxy program handles each different protocol passing through the application-level firewall. The proxy program accepts a connection request from one side of the firewall, notes the desired destination address, and then, if it determines through its rule base that the connection should be allowed, creates a connection request of its own that is sent to the ultimate destination. The proxy then carries on two separate, simultaneous conversations: one between the network client and the firewall (the client thinks it is talking to the server), and one between the firewall and the server (the server thinks it is talking directly to the client).

At no time are the internal system and external system directly connected to one another. Instead, the firewall proxy carefully passes each side’s requests and responses to the other while keeping external systems from being able to play low-level TCP/IP games with internal systems, and trying to isolate each side from bad input that might exploit vulnerabilities in server or client software.

When determining whether or not to allow a connection, an application-level firewall can look at many criteria, including packet source address, destination address, source and destination port numbers, and possibly other items such as user ID, user group, individual commands in the protocol, etc. Since the proxy programs have knowledge of the protocols, and control each conversation, it’s possible to define rules based on subcommands within the protocol. For example, you could allow certain users to issue the FTP “put” command to save a file to your FTP server, but disallow “put” access to all others. This very flexibility is also a limitation, because if an application-level firewall doesn’t have a proxy program for a protocol, the protocol can’t pass through that firewall at all, as some users of Microsoft Proxy Server were unhappy to find out when trying to create connections to the Internet with proprietary client/server software.
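To make the mechanism in the preceding paragraphs concrete, here is a small, added example (not code from the CertiGuide text or from any firewall product) that models an application-level proxy in memory: one proxy program per protocol, a rule base consulted per user and per protocol subcommand, and a relay in which the client only ever talks to the proxy while the proxy holds its own conversation with the server. The FTP “put” from the text is mapped to its wire command STOR. The rule base, user names and the fake server replies are constructed for the example; no network sockets are used, so it runs offline.

```python
"""Toy application-level (proxy) firewall, added example (not from the page).

Models the section's description: a per-protocol proxy parses each command,
consults a rule base (per user, per subcommand), and only then relays the
command on its own server-side connection. Entirely in memory: no sockets.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Rule:
    """One rule-base entry; '*' in user or command acts as a wildcard."""
    user: str
    command: str
    action: str  # "allow" or "deny"


# FTP's wire command for the client-side "put" is STOR (and "get" is RETR).
FTP_ALIASES = {"PUT": "STOR", "GET": "RETR"}


def decide(user: str, command: str, rules: list[Rule]) -> bool:
    """First matching rule wins; anything unmatched is denied (default deny)."""
    for rule in rules:
        if rule.user in ("*", user) and rule.command in ("*", command):
            return rule.action == "allow"
    return False


def ftp_proxy(user: str, line: str, rules: list[Rule]) -> tuple[Optional[str], str]:
    """Inspect one FTP command line received from the client.

    Returns (forward_line, reply). forward_line is the normalized command the
    proxy sends on its own server-side connection, or None when the proxy
    answers the client itself and the server never sees the command.
    """
    parts = line.strip().split(maxsplit=1)
    if not parts:
        return None, "500 Syntax error, command unrecognized."
    verb = FTP_ALIASES.get(parts[0].upper(), parts[0].upper())
    if decide(user, verb, rules):
        return " ".join([verb] + parts[1:]), ""
    return None, f"550 {verb} denied by firewall policy for user {user}."


def fake_ftp_server(line: str) -> str:
    """Constructed stand-in for the real server so the relay runs offline."""
    verb = line.split()[0].upper()
    replies = {
        "STOR": "226 Transfer complete.",
        "RETR": "226 Transfer complete.",
        "LIST": "226 Directory send OK.",
    }
    return replies.get(verb, "200 Command okay.")


# One proxy program per protocol. A protocol with no proxy cannot pass at all,
# which is the limitation the text describes.
PROXIES: dict[str, Callable[[str, str, list[Rule]], tuple[Optional[str], str]]] = {
    "ftp": ftp_proxy,
}


def relay_session(protocol: str, user: str, client_lines: list[str],
                  rules: list[Rule]) -> list[str]:
    """Mediate a whole client session and return the replies the client sees.

    The client and server are never connected to each other: every command is
    parsed by the proxy, and only permitted commands are re-issued server-side.
    """
    proxy = PROXIES.get(protocol)
    if proxy is None:
        return [f"No proxy program for protocol '{protocol}'; connection refused."]
    replies = []
    for line in client_lines:
        forward_line, reply = proxy(user, line, rules)
        if forward_line is not None:
            reply = fake_ftp_server(forward_line)  # proxy's own server connection
        replies.append(reply)
    return replies


# Constructed rule base: only alice may upload; everyone may list and download.
RULES = [
    Rule("alice", "STOR", "allow"),
    Rule("*", "STOR", "deny"),
    Rule("*", "RETR", "allow"),
    Rule("*", "LIST", "allow"),
]

if __name__ == "__main__":
    session = ["LIST", "put report.txt", "RETR notes.txt", "DELE notes.txt"]
    for user in ("alice", "bob"):
        print(user, relay_session("ftp", user, session, RULES))
    print(relay_session("ssh", "alice", ["anything"], RULES))
```

Two details carry the section's points: the default-deny fall-through in `decide` means a subcommand the rule base never mentions (DELE above) is refused even though the protocol itself is proxied, and the `PROXIES` lookup shows why a protocol with no proxy program (ssh here) cannot traverse the firewall at all.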

This means that an important question when evaluating application-level firewalls is, “Does it support all of the protocols I want to pass through the firewall?” Another limitation of application-level firewalls is that their use is often not transparent to client workstations. Workstations may need to be configured to send traffic to the firewall proxy by, for example, specifying a proxy server address in browser settings. (Fortunately some browser manufacturers make it possible to do this in a somewhat automated fashion, such as by reading settings from a centralized configuration file).

Because application-level firewalls do so much work to verify and maintain each connection, they’re also the slowest type of firewall.

If you’re buying firewall software to install on your own computer, and plan to use application-level proxies, don’t scrimp on the computer’s processor or network cards!

Application-Level Firewalls

Application-level firewalls act as proxies between the client and server sides of a conversation, examining packets from each side of the conversation and passing them to the other side if permitted.

Pros: Because application-level firewalls have detailed knowledge of application protocols, they can offer fine-grained access control to application features; they also tend to do a better job of protecting systems from low-level TCP/IP attacks, because the two ends of a conversation are never directly connected.

Cons: Client configuration changes are generally required, and they tend to be the least efficient type of firewall, due to the overhead of maintaining two connections for each proxied conversation.





CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.