Application gateways

An application gateway uses server programs (called proxies) that run on the firewall. These proxies take external requests, examine them, and forward legitimate requests to the internal host, which provides the appropriate service. Application gateways can support functions such as user authentication and logging. Because an application gateway is considered the most secure type of firewall, this configuration provides a number of advantages to the medium- to high-risk site:

  • The firewall can be configured as the only host address that is visible to the outside network, requiring all connections to and from the internal network to go through the firewall.
  • The use of proxies for different services prevents direct access to services on the internal network, protecting the enterprise against unsecured or misconfigured internal hosts.
  • Strong user authentication can be enforced with application gateways.
  • Proxies can provide detailed logging at the application level.

Application-level firewalls should be configured so that outbound network traffic appears as if it had originated from the firewall (i.e., only the firewall is visible to outside networks). In this manner, direct access to network services on the internal network is not allowed. All incoming requests for network services such as Telnet, File Transfer Protocol (FTP), HyperText Transfer Protocol (HTTP), Remote Login (rlogin), etc., regardless of which host on the internal network will be the final destination, must go through the appropriate proxy on the firewall.

Application gateways require a proxy for each service, such as FTP, HTTP, etc., to be supported through the firewall. When a service is required that is not supported by a proxy, an organization has three choices:

  • Deny the service until the firewall vendor has developed a secure proxy: This is the preferred approach, as many newly introduced Internet services have unacceptable vulnerabilities.
  • Develop a custom proxy: This is a fairly difficult task and should be undertaken only by very sophisticated technical organizations.
  • Pass the service through the firewall: Using what are typically called "plugs," most application gateway firewalls allow services to be passed directly through the firewall with only minimal packet filtering. This can limit some of the vulnerability but can result in compromising the security of systems behind the firewall.

Low risk

When an inbound Internet service not supported by a proxy is required to pass through the firewall, the firewall administrator should define the configuration or plug that will allow the required service. When a proxy is available from the firewall vendor, the plug must be disabled and the proxy made operative.

Medium to high risk

All inbound Internet services must be processed by proxy software on the firewall. If a new service is requested, that service will not be made available until a proxy is available from the firewall vendor and tested by the firewall administrator. A custom proxy can be developed in-house or by other vendors only when approved by the CIO.
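
The low-risk and medium-to-high-risk rules above can be checked mechanically against an inventory of inbound services. The following is an added example, not part of the original text or of any firewall product: the Service fields, the risk labels "low" and "medium-high", and the sample inventory are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Service:
    name: str
    mode: str                    # "proxy", "plug" or "deny"
    vendor_proxy: bool = False   # firewall vendor ships a proxy for it
    proxy_tested: bool = False   # firewall administrator has tested that proxy
    custom_proxy: bool = False   # proxy built in-house or by another vendor
    cio_approved: bool = False   # CIO approval recorded for the custom proxy

def audit(services, risk):
    """Return (service, finding) pairs that break the policy for `risk`
    ("low" or "medium-high")."""
    if risk not in ("low", "medium-high"):
        raise ValueError(f"unknown risk level: {risk!r}")
    findings = []
    for s in services:
        if s.mode == "deny":
            continue  # denying an unsupported service is always acceptable
        if s.mode == "plug":
            if risk == "medium-high":
                findings.append((s.name, "plug in use; inbound services must be proxied"))
            elif s.vendor_proxy:
                findings.append((s.name, "vendor proxy exists; disable plug, enable proxy"))
        elif s.mode == "proxy":
            if risk == "medium-high":
                if s.custom_proxy and not s.cio_approved:
                    findings.append((s.name, "custom proxy lacks CIO approval"))
                elif not s.custom_proxy and not (s.vendor_proxy and s.proxy_tested):
                    findings.append((s.name, "proxy not vendor-supplied and admin-tested"))
        else:
            findings.append((s.name, f"unknown mode {s.mode!r}"))
    return findings

# Constructed sample inventory of inbound services (not from the page).
SAMPLE = [
    Service("ftp", "proxy", vendor_proxy=True, proxy_tested=True),
    Service("http", "proxy", vendor_proxy=True, proxy_tested=False),
    Service("telnet", "plug", vendor_proxy=True),
    Service("newsvc", "plug"),
    Service("inhouse", "proxy", custom_proxy=True),
    Service("rlogin", "deny"),
]

if __name__ == "__main__":
    for level in ("low", "medium-high"):
        for name, finding in audit(SAMPLE, level):
            print(f"[{level}] {name}: {finding}")
```

At low risk only the Telnet plug is flagged, because a vendor proxy exists for it; at medium to high risk every plug, the untested HTTP proxy and the unapproved custom proxy are flagged as well.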