CertiGuide to Security+  9  Chapter 3:  Infrastructure Security (Domain 3.0; 20%)       9  3.1  Devices            9  3.1.1  Firewalls

3.1.1  Firewalls 1 Network-Level Firewalls

Application-level firewalls involve the use of one or more “proxy” programs on the firewall, which act as intermediaries between internal and Internet hosts. Usually, a separate proxy program handles each different protocol passing through the application-level firewall. The proxy program accepts a connection request from one side of the firewall, notes the desired destination address, and then creates a connection request of its own that is sent to the ultimate destination if it determines through its rule base that the connection should be allowed. The proxy then carries on two separate, simultaneous conversations: One between the network client talking to the firewall, while thinking it’s talking to the server and one between the firewall and the server, which thinks it’s talking directly to the client.

At no time are the internal system and external system directly connected to one another. Instead, the firewall proxy carefully passes each side’s requests and responses to the other while keeping external systems from being able to play low-level TCP/IP games with internal systems, and trying to isolate each side from bad input that might exploit vulnerabilities in server or client software.

When determining whether or not to allow a connection, an application-level firewall can look at many criteria, including packet source address, destination address, source and destination port numbers, and possibly other items such as user ID, user group, individual commands in the protocol, etc. Since the proxy programs have knowledge of the protocols, and control each conversation, it’s possible to define rules based on subcommands within the protocol. For example, you could allow certain users to issue the FTP “put” command to save a file to your FTP server, but disallow “put” access to all others. This very flexibility is also a limitation, because if an application-level firewall doesn’t have a proxy program for a protocol, the protocol can’t pass through that firewall at all, as some users of Microsoft Proxy Server were unhappy to find out when trying to create connections to the Internet with proprietary client/server software.

This means that an important question when evaluating application-level firewalls is, “Does it support all of the protocols I want to pass through the firewall?” Another limitation of application-level firewalls is that their use is often not transparent to client workstations. Workstations may need to be configured to send traffic to the firewall proxy by, for example, specifying a proxy server address in browser settings. (Fortunately some browser manufacturers make it possible to do this in a somewhat automated fashion, such as by reading settings from a centralized configuration file).

Because application-level firewalls do so much work to verify and maintain each connection, they’re also the slowest type of firewall.

If you’re buying firewall software to install on your own computer, and plan to use application-level proxies, don’t scrimp on the computer’s processor or network cards!

3.1.1  Firewalls 1 Network-Level Firewalls