A very popular class of firewalls at the moment are so-called
proxy servers. What does that word mean to begin with? 'Proxy'
simply means that the machine runs an application 'on behalf of'
services that run on a system that is hidden behind the proxy
server. It is a type of firewall that helps you to securely
communicate with the Internet, which we call 'untrusted'.
Untrusted because it is a scary place out there. You would be
surprised how many would-be hackers are trying to penetrate
systems on an hourly basis and what holes they find.
One other type of firewall that is used a lot is essentially a
router that filters packets and translates IP addresses based
on a set of rules (but it does not process the data that sits
inside the packets).
Now, the three technologies in order of increasing security are:
- Packet Filters
- Circuit-level Proxies
- Application-level Proxies
1. Packet Filters
There are two sorts of these: static and dynamic. Static packet
filters simply inspect the IP address and port number of traffic
passing through the firewall and either route or drop the packet
based on rules defined by you, the administrator.
Dynamic packet filtering firewalls can open and close ports 'on
the fly'. They do this based on the type of initial connection
request and the port numbers that the client and remote server
negotiate. In this way, packets based on protocols that do not
use fixed port numbers, such as the popular Remote Procedure
Calls (RPCs), can be let through by opening just one port instead
of a whole range of ports.
Dynamic firewalls sometimes have the latest technology built in.
This is called "stateful inspection". That is a technique which
uses even more intelligence in tracking the progress of a
connection and looking for unexpected changes of state that might
indicate a hacker attack. MS Proxy Server V2.0 supports dynamic
filters but not stateful inspection. The new MS ISA Server 2000
adds support for stateful inspection, but not for all protocols.
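To make the difference concrete, here is an added example (mine, not code from the article or from Microsoft's products) that models a static packet filter next to a dynamic filter with stateful inspection for a web connection; the addresses, the rule layout and the packet fields are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for the packet that opens a TCP connection

# Hypothetical addresses from the documentation ranges, not from the article.
CLIENT, SERVER = "10.0.0.5", "203.0.113.9"

# Static filter: a fixed table keyed on address and port only. To let web
# replies back in it has to leave the client's whole ephemeral range open.
STATIC_RULES = [
    ("any", "any", SERVER, 80),               # outbound web requests
    (SERVER, 80, "any", range(1024, 65536)),  # replies: whole range open
]

def _match(value, rule):
    if rule == "any":
        return True
    return value in rule if isinstance(rule, range) else value == rule

def static_filter(p):
    """Route or drop on addresses and ports alone; no memory of connections."""
    for src, sport, dst, dport in STATIC_RULES:
        if all(_match(v, r) for v, r in ((p.src, src), (p.sport, sport),
                                         (p.dst, dst), (p.dport, dport))):
            return "route"
    return "drop"

class StatefulFilter:
    """Dynamic filter with stateful inspection: opens only the port the client
    negotiated, and only after an inside client initiated the connection."""
    def __init__(self, allowed=((SERVER, 80),)):
        self.allowed = set(allowed)
        self.state = set()  # (src, sport, dst, dport) of connections in progress

    def filter(self, p):
        flow = (p.src, p.sport, p.dst, p.dport)
        if p.syn:
            if (p.dst, p.dport) in self.allowed:  # inside client opens a connection
                self.state.add(flow)              # open the return port on the fly
                return "route"
            return "drop"  # a SYN from outside is an unexpected change of state
        if flow in self.state or (p.dst, p.dport, p.src, p.sport) in self.state:
            return "route"  # traffic on a connection the client negotiated
        return "drop"       # reply to a port nobody opened
```

A stray "reply" aimed at a port no client ever opened is routed by the static filter, because its rule table had to open the whole range, but dropped by the stateful one.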
2. Circuit-level Proxies
TCP/IP uses special identifiers called 'sockets' to make sure
that packets intended for a particular application are not only
routed to the correct host, but are also directed to the
correct application in that host. The special upgrades that MS
made to the WinSock API (which handles TCP/IP packets in
Windows) allow you to securely 'remote' a socket to a proxy.
That allows the proxy server to perform the low-level networking
functions on behalf of the client. Until the client initiates
a "circuit" with the proxy, the network traffic from the client
is completely hidden from the outside. A proxy server uses its
own (outside) IP address to communicate via the Internet instead
of the actual IP address of the client which remains hidden this
way. A plus with circuit-level proxies is that you can base access
rules on the requester's name or group membership. A minus is
that they are unsuitable for peer-to-peer protocols like SMTP,
3. Application-level Proxies
These are generally considered to have the tightest security
of the three methods, but they are expensive in resources on the
proxy server. Application proxies provide separate processes
for a few high-level protocols like http, https, smtp, and dns.
For instance, with http, the app-level proxy looks like the
requested web server to the client, and in turn emulates the
client to the web server. It intercepts the browser's requests,
inspects the http content to ensure validity and then repackages
the packet and sends it to the actual web server, while giving
its (external) IP address as the source address. The process
is reversed when the requested content comes back. MS Proxy
Server V2.0 and the new MS ISA Server 2000 include application-
level proxies for http, https, and ftp protocols.
Some other security features:
All firewalls can log traffic, and you can configure rules
to send alerts when specific types of activity occur. But a
major headache is false positives. They happen too much and
drive everyone mad, so when a real attack occurs it gets
disregarded. You can normally configure the firewall so that
some traffic is denied based on source or destination IP
address, protocol types and in some cases on user and/or
group names. Quite a few third party tools interface with
both MS proxy server and ISA server to filter out various
classes of Internet content.
That's all for this short intro and explanation. Hope it
has clarified a bit.
Later! Stu Sjouwerman
(grateful acknowledgements to www.directionsonmicrosoft.com)