Firewall concepts

Application Layer Firewalls

Application layer filtering is another approach and, as the name implies, it works primarily at the Application Layer (layer 7) of the OSI model.

Application Layer Firewalls understand specific applications and protocols, for example FTP, DNS and HTTP. This form of filtering can check whether a session is actually behaving as the protocol it claims to be (an SSH session on TCP port 80 is not HTTP, however well-formed its packets look at the transport layer) and whether the packets are correctly formatted for that protocol. This also makes deep packet inspection possible and shares functionality with Intrusion Prevention Systems (IPS).

Application-layer firewalls work at the application level of the TCP/IP stack (for example all browser traffic, or all Telnet or FTP traffic) and may intercept all packets travelling to or from an application. Packets that do not belong to a permitted application are blocked, usually by dropping them without any acknowledgment to the sender. A host-based application firewall works much like a packet filter, except that it applies its allow/block rules per process on the host rather than per port; a network application-layer firewall applies the equivalent rules per protocol or application, regardless of the port the traffic happens to use.

By inspecting all packets for improper content, such firewalls can restrict or outright prevent the spread of network worms and trojans. The additional inspection adds latency to the forwarding of packets, since a session must be reassembled and parsed far enough to make a decision before it is passed on.
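As an added example of this kind of check (written for this page, not FortiGate code), the Python below treats a captured TCP payload on port 80 as the start of an HTTP request and decides whether it conforms: request line shape, permitted methods, version, header syntax, the mandatory Host header, and two malformation patterns that matter in practice (bare CR/LF inside headers and conflicting Content-Length/Transfer-Encoding). The sample payloads, the allowed-method list and the function names are constructed for the demonstration.

```python
import re
from typing import Dict, Tuple

# Methods the firewall will forward; a syntactically valid request using any
# other method is still refused, which is how the filter narrows the protocol.
ALLOWED_METHODS = frozenset({"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"})
HTTP_VERSIONS = frozenset({"HTTP/1.0", "HTTP/1.1"})
TOKEN_RE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")            # RFC 7230 tchar
HEADER_RE = re.compile(rb"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+):[ \t]*(.*?)[ \t]*$")


def _check_request_line(line: bytes) -> str:
    """Return "" if the line is an acceptable request line, else a drop reason."""
    parts = line.split(b" ")
    if len(parts) != 3:
        return "request line is not 'METHOD target VERSION' (not HTTP at all?)"
    method, target, version = parts
    if not TOKEN_RE.match(method):
        return "method is not a valid token"
    if method.decode() not in ALLOWED_METHODS:
        return f"method {method.decode()} not permitted"
    if version.decode(errors="replace") not in HTTP_VERSIONS:
        return "unknown HTTP version"
    if not (target.startswith(b"/") or target == b"*" or b"://" in target):
        return "malformed request-target"
    return ""


def inspect_http_request(payload: bytes) -> Tuple[str, str]:
    """Classify one client->server payload that should start an HTTP request.
    Returns ("allow", why) or ("drop", why)."""
    head, terminated, _body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    reason = _check_request_line(lines[0])
    if reason:
        return "drop", reason
    if not terminated:
        return "drop", "header block not terminated by CRLF CRLF"
    headers: Dict[str, bytes] = {}
    for line in lines[1:]:
        m = HEADER_RE.match(line)
        # A bare CR or LF inside a header line is parser-confusion material.
        if m is None or b"\r" in line or b"\n" in line:
            return "drop", f"malformed header line {line[:20]!r}"
        name = m.group(1).decode().lower()
        if name in headers and name in ("host", "content-length"):
            return "drop", f"duplicate {name} header"
        headers[name] = m.group(2)
    version = lines[0].split(b" ")[2]
    if version == b"HTTP/1.1" and "host" not in headers:
        return "drop", "HTTP/1.1 request without Host header"
    if "content-length" in headers and "transfer-encoding" in headers:
        return "drop", "both Content-Length and Transfer-Encoding (request smuggling)"
    if "content-length" in headers and not headers["content-length"].isdigit():
        return "drop", "non-numeric Content-Length"
    return "allow", lines[0].decode(errors="replace") + " conforms to HTTP"


# Constructed sample payloads, as if captured on TCP port 80.
SAMPLES: Dict[str, bytes] = {
    "normal":     b"GET /index.html HTTP/1.1\r\nHost: www.example\r\nUser-Agent: demo\r\n\r\n",
    "ssh_on_80":  b"SSH-2.0-OpenSSH_9.6\r\n",
    "smuggling":  b"POST / HTTP/1.1\r\nHost: www.example\r\nContent-Length: 4\r\n"
                  b"Transfer-Encoding: chunked\r\n\r\nabcd",
    "bare_lf":    b"GET / HTTP/1.1\r\nHost: www.example\nX-Injected: 1\r\n\r\n",
    "odd_method": b"TRACE / HTTP/1.1\r\nHost: www.example\r\n\r\n",
    "no_host":    b"GET / HTTP/1.1\r\n\r\n",
}


def inspect_all(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, str]:
    """Verdict ("allow"/"drop") per sample, for scripting and tests."""
    return {name: inspect_http_request(p)[0] for name, p in samples.items()}


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        verdict, why = inspect_http_request(payload)
        print(f"{name:11} {verdict:5} {why}")
```

A real firewall buffers a session until the header block is complete before deciding, which is exactly the latency cost mentioned above; the model drops an unterminated header block instead of waiting, which keeps the example stateless.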


Proxy Servers

A proxy server is an appliance or application that acts as an intermediary for communication between computers. A computer has a request for information and sends it toward the designated resource, but before the packets get there the proxy server intercepts them and takes responsibility for passing the request on. The proxy server processes the request and, if it is valid, passes it on to the designated computer. The designated computer processes the request and sends the answer back to the proxy server, which in turn sends the information back to the originating computer. The originating and designated computers never exchange packets directly; it is a little like two people who refuse to talk to each other using a third person to carry messages back and forth.

From a security standpoint a proxy server serves several purposes:

  • It protects the anonymity of the originating computer; the destination only ever sees the proxy.
  • The two computers never deal directly with each other.
  • Packets that are not configured to be forwarded are dropped at the proxy, before they reach the destination computer.
  • If malicious content is returned, it reaches the proxy first, where it can be inspected or stopped before it affects the originating computer.

Proxies can perform a number of roles, including:

  • Content filtering
  • Caching
  • DNS proxy
  • Bypassing filters and censorship
  • Logging and eavesdropping
  • Gateways to private networks
  • Accessing services anonymously
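To make the exchange and the roles above concrete, here is an added example (not code from this page or from Fortinet) modelling a forwarding proxy in Python: the proxy takes the client's request, refuses destinations it is not configured to forward to, strips client-identifying headers so the origin sees only the proxy, serves repeated requests from its cache, inspects the reply before relaying it, and logs every decision. The origin server is an in-memory stand-in, and the hostnames, headers and the "malicious" marker in the download are all constructed so the demonstration runs offline.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class ProxyPolicy:
    allowed_hosts: frozenset      # destinations the proxy is configured to forward to
    blocked_markers: tuple        # byte patterns that must never be relayed to the client
    strip_headers: frozenset      # client-identifying headers removed before forwarding


@dataclass
class Proxy:
    policy: ProxyPolicy
    upstream: Callable[[str, bytes], bytes]     # the proxy's own path to the origin
    log: List[str] = field(default_factory=list)
    cache: Dict[Tuple[str, bytes], bytes] = field(default_factory=dict)
    sent_upstream: List[bytes] = field(default_factory=list)   # what the origin actually saw

    def handle(self, client_request: bytes) -> bytes:
        """One client -> proxy -> origin -> proxy -> client round trip."""
        request_line, _, header_block = client_request.partition(b"\r\n")
        headers: Dict[bytes, bytes] = {}
        for line in header_block.split(b"\r\n"):
            if b":" in line:
                name, value = line.split(b":", 1)
                headers[name.strip().lower()] = value.strip()
        host = headers.get(b"host", b"").decode(errors="replace")
        method = request_line.split(b" ")[0]
        forbidden = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"

        # 1. Packets not configured to be forwarded are dropped before reaching the origin.
        if host not in self.policy.allowed_hosts:
            self.log.append(f"DROP {host or '<no host>'}: destination not forwardable")
            return forbidden

        # 2. Caching: a repeated GET is answered locally and the origin is never contacted.
        key = (host, request_line)
        if method == b"GET" and key in self.cache:
            self.log.append(f"HIT {host} {request_line.decode(errors='replace')}")
            return self.cache[key]

        # 3. Anonymity: rebuild the request without headers that reveal the originating computer.
        kept = [request_line] + [
            name + b": " + value for name, value in headers.items()
            if name not in self.policy.strip_headers
        ]
        rebuilt = b"\r\n".join(kept) + b"\r\n\r\n"
        self.sent_upstream.append(rebuilt)
        response = self.upstream(host, rebuilt)

        # 4. Malicious content in the reply reaches the proxy first, where it is stopped.
        status_line = response.split(b"\r\n", 1)[0]
        _, _, body = response.partition(b"\r\n\r\n")
        for marker in self.policy.blocked_markers:
            if marker in body:
                self.log.append(f"BLOCK {host}: response matched {marker!r}")
                return forbidden

        # 5. Log the decision and relay the approved answer to the originating computer.
        code = status_line.split(b" ")[1].decode(errors="replace")
        self.log.append(f"FORWARD {host} {request_line.decode(errors='replace')} -> {code}")
        if method == b"GET" and status_line.startswith(b"HTTP/1.1 200"):
            self.cache[key] = response
        return response


# Constructed stand-in for the designated computer; not a real server.
ORIGIN_PAGES = {
    ("intranet.example", b"/"): b"<html>welcome</html>",
    ("intranet.example", b"/tool.exe"): b"MZ\x90\x00CONSTRUCTED-MALWARE-MARKER",
}


def fake_origin(host: str, request: bytes) -> bytes:
    target = request.split(b"\r\n", 1)[0].split(b" ")[1]
    body = ORIGIN_PAGES.get((host, target))
    if body is None:
        return b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"
    return b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n%s" % (len(body), body)


def build_demo_proxy() -> Proxy:
    policy = ProxyPolicy(
        allowed_hosts=frozenset({"intranet.example"}),
        blocked_markers=(b"CONSTRUCTED-MALWARE-MARKER",),
        strip_headers=frozenset({b"x-forwarded-for", b"x-real-ip", b"via"}),
    )
    return Proxy(policy, fake_origin)


def run_demo() -> Proxy:
    """Four requests: forwarded, served from cache, blocked at the proxy, never forwarded."""
    proxy = build_demo_proxy()
    page = (b"GET / HTTP/1.1\r\nHost: intranet.example\r\n"
            b"X-Real-IP: 10.0.0.7\r\nUser-Agent: demo\r\n\r\n")
    proxy.handle(page)
    proxy.handle(page)
    proxy.handle(b"GET /tool.exe HTTP/1.1\r\nHost: intranet.example\r\n\r\n")
    proxy.handle(b"GET / HTTP/1.1\r\nHost: evil.example\r\n\r\n")
    return proxy


if __name__ == "__main__":
    for entry in run_demo().log:
        print(entry)
```

The `sent_upstream` list is there to show the anonymity point directly: the origin receives `host:` and `user-agent:` but never the `X-Real-IP` header the client sent, and for the cached and dropped requests it receives nothing at all.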


Security Profiles

Unified Threat Management (UTM) and Next Generation Firewall (NGFW) are terms originally coined by market research firms and refer to the concept of a comprehensive security solution provided in a single package. It combines what used to be accomplished by a number of different security technologies under a single umbrella or, in this case, a single device. On the FortiGate firewall this is achieved by the use of Security Profiles, which are attached to firewall policies so that traffic accepted by a policy is also inspected by the selected profiles, together with optimized hardware.


In effect it is a move from a previous style of firewall that included among its features:

  • Gateway Network Firewall
  • Routing
  • VPN

to a more complete system that includes:

  • Gateway Network Firewall
  • Routing
  • VPN
  • Traffic Optimization
  • Proxy Services
  • Content Filtering
  • Application Control
  • Intrusion Protection
  • Denial of Service Attack Protection
  • Anti-virus
  • Anti-spam
  • Data Leak Prevention
  • Endpoint Control of Security Applications
  • Load Balancing
  • WiFi Access Management
  • Authentication Integration into Gateway Security
  • Logging
  • Reporting
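As an illustration of how one policy with attached Security Profiles replaces several separate devices, here is an added example written for this page (not FortiOS code or configuration): a first-match firewall policy whose accept action also runs a web filter, application control, IPS and antivirus profile over the same session, in that order, with the first objecting profile deciding. Policy names, sample flows, the web categories, the application signature, the IPS pattern and the antivirus hash are all constructed. Running the same flows with the profiles removed shows what a gateway firewall of the previous style, matching on address and port alone, would have allowed.

```python
import hashlib
import re
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Flow:
    src: str
    dport: int
    payload: bytes          # first client->server bytes of the session (constructed)


# A security profile inspects a flow and returns None (pass) or a block reason.
Profile = Callable[[Flow], Optional[str]]


@dataclass
class Policy:
    name: str
    src_net: IPv4Network
    dports: frozenset                       # empty = any port
    action: str                             # "accept" or "deny"
    profiles: List[Tuple[str, Profile]] = field(default_factory=list)

    def matches(self, f: Flow) -> bool:
        return ip_address(f.src) in self.src_net and (not self.dports or f.dport in self.dports)


# Four profile types, each a tiny stand-in for a real engine, fed constructed data.
WEB_CATEGORIES = {"gambling.example": "gambling", "malware.example": "malicious"}
APP_SIGNATURES = {b"\x13BitTorrent protocol": "BitTorrent"}
IPS_PATTERNS = [(re.compile(rb"(?i)union(?:\s|\+|%20)+select"), "SQL injection attempt")]
AV_HASHES = {hashlib.sha256(b"MZ-constructed-malware-sample").hexdigest(): "Test.Sample/Constructed"}


def web_filter(f: Flow) -> Optional[str]:
    m = re.search(rb"(?im)^host:[ \t]*([^\r\n]+)", f.payload)
    host = m.group(1).decode(errors="replace").strip() if m else ""
    cat = WEB_CATEGORIES.get(host)
    return f"{host} categorized as {cat}" if cat else None


def app_control(f: Flow) -> Optional[str]:
    for sig, app in APP_SIGNATURES.items():
        if f.payload.startswith(sig):
            return f"{app} detected on port {f.dport}"
    return None


def ips(f: Flow) -> Optional[str]:
    for pat, name in IPS_PATTERNS:
        if pat.search(f.payload):
            return f"signature '{name}'"
    return None


def antivirus(f: Flow) -> Optional[str]:
    _, _, body = f.payload.partition(b"\r\n\r\n")
    return AV_HASHES.get(hashlib.sha256(body).hexdigest())


def evaluate(policies: List[Policy], f: Flow) -> Tuple[str, str, str]:
    """First-match policy lookup; the matching policy's profiles run in order and
    the first one that objects wins. Returns (action, policy name, reason)."""
    for p in policies:
        if not p.matches(f):
            continue
        if p.action != "accept":
            return "deny", p.name, "policy action deny"
        for pname, profile in p.profiles:
            reason = profile(f)
            if reason:
                return "deny", p.name, f"{pname}: {reason}"
        return "accept", p.name, "passed all profiles"
    return "deny", "implicit", "no matching policy"


def demo_policies(with_profiles: bool = True) -> List[Policy]:
    utm = [("webfilter", web_filter), ("appctrl", app_control), ("ips", ips), ("av", antivirus)]
    return [
        Policy("lan-to-internet", ip_network("10.0.0.0/24"), frozenset({80, 443}), "accept",
               utm if with_profiles else []),
        Policy("deny-all", ip_network("0.0.0.0/0"), frozenset(), "deny"),
    ]


# Constructed sample sessions, all to TCP/80.
SAMPLE_FLOWS: Dict[str, Flow] = {
    "plain web":     Flow("10.0.0.5", 80, b"GET / HTTP/1.1\r\nHost: www.example\r\n\r\n"),
    "gambling":      Flow("10.0.0.5", 80, b"GET / HTTP/1.1\r\nHost: gambling.example\r\n\r\n"),
    "torrent on 80": Flow("10.0.0.6", 80, b"\x13BitTorrent protocol\x00\x00\x00\x00\x00\x00\x00\x00"),
    "sqli":          Flow("10.0.0.7", 80, b"GET /item?id=1+UNION+SELECT+1,2 HTTP/1.1\r\nHost: www.example\r\n\r\n"),
    "upload":        Flow("10.0.0.8", 80, b"POST /up HTTP/1.1\r\nHost: www.example\r\n\r\nMZ-constructed-malware-sample"),
    "guest wifi":    Flow("192.168.50.9", 80, b"GET / HTTP/1.1\r\nHost: www.example\r\n\r\n"),
}


def run_demo(with_profiles: bool = True) -> Dict[str, Tuple[str, str, str]]:
    policies = demo_policies(with_profiles)
    return {name: evaluate(policies, f) for name, f in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, (action, policy, reason) in run_demo().items():
        print(f"{name:14} {action:6} [{policy}] {reason}")
```

With the profiles attached, only the plain web session is accepted; the torrent, the injection attempt and the upload are all perfectly ordinary port-80 traffic to the packet filter and are only caught because the same policy also carries application control, IPS and antivirus inspection.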


Advantages of using Security Profiles

  • Avoidance of multiple installations.
  • Fewer hardware requirements.
  • Fewer hardware maintenance requirements.
  • Less space required.
  • Compatibility: multiple installations of separate products increase the probability of incompatibility between systems.
  • Easier support and management.
  • There is only one product to learn, so less technical knowledge is required.
  • Only a single vendor, so fewer support contracts and Service Level Agreements.
  • Easier to incorporate into an existing security architecture.
  • Plug and play architecture.
  • Web-based GUI for administration.

The trade-off is that every profile enabled on a policy adds to the inspection work the single device must perform per session, so the latency noted above for deep inspection applies to each profile that is switched on.
