What Roles Do Firewalls and Proxy Servers Play in Network Security?
By David W Christie
Prior to Firewalls being developed, routers provided network security through the use
of Access Control Lists. Firewalls themselves only came on scene in the late 1980s in response
to the demand for greater security as the Internet began to take shape.
The first Firewalls were fairly simple packet filters that worked by inspecting the IP
packets, and comparing certain information in the packet with a set of packet filtering rules.
The Source and Destination IP Address, together with the protocol type would normally be checked
against this set of rules. When TCP or UDP were the protocol type, then the port numbers would
also be checked. This meant that application protocols using well know port numbers could be
identified and filtered by means of the port numbers associated with them.
If applications are using non-standard port number then their identification would not be
possible. Packet filters are therefore only really effective at the lower layers of the OSI
reference model up to Layer 4, the transport layer. These packet filter firewalls are known as
Stateless, because they are not able to determine where a packet sits within a stream of packets,
or what the condition of the connection is at the time.
The next development was that of stateful packet inspection where each data packet is
examined, as well as its position within a data stream. A stateful packet inspection firewall
can determine whether an individual packet is part of an existing conversation or stream, or
whether it is the start of a new connection. This type of firewall was given the label of
second-generation as it was a step up from the original stateless packet filter.
Both First and Second-generation firewalls could not guarantee to detect or filter particular
applications, unless they were adhering to the published lists of well-known TCP and UDP ports.
In other words it would be possible to circumvent the firewall by setting up applications protocol
communications using non-standard ports. If we are to have confidence that we can protect our
networks from unauthorised access or harmful content, then we need to be able to perform deep
packet inspection.
A firewall with this capability is often known as an application layer firewall
because it can detect specific application protocol content regardless of the TCP or UDP port
numbers in use. Any applications that exhibited unusual characteristics would be filtered out
to ensure viruses and other unwanted material did not infect the network.
A fairly new feature that is sometimes associated with later firewalls is sandboxing,
a security feature that has the ability to separate programs and create an environment where
untrusted programs can be run with relative safety. These programs are restricted from accessing
certain resources on a host, such as memory or disk space.
A proxy server is normally a standalone device or software running on a host that acts
as a packet filter for connection requests. It is an intermediary device sitting between hosts
and server that filters the requests by checking IP Addresses, Protocol and⁄or application
content. If the proxy server deems the connection request to be valid, then it connects to
the application server and requests the service on behalf of the client device.
A proxy server will often cache information such as web pages and return this content directly
to the client devices rather than forward the request to the application server such as a Web server.
Although there are now many different types of Proxy Servers, by far the most common is the Caching
proxy, which is in use with many medium to large business networks as well as Service Provider networks.
To summarize, both proxy servers and firewalls are commonly found in networks today and
firewalls have evolved since the first stateless packet filter types at the end of the 80s.
With so many applications running on today's Internet, it is imperative that we are able to
interrogate and analyse the content of the network packets and not just the header information.
Some proxy servers, in particular caching proxies, are able to act as a central filtering point
in the network for many application services, as well as be able to cache content and forward
this content direct to the client devices without involving the application server itself.
David Christie is MD at NSTUK Ltd, a Technical Training and Consultancy company based
in the Northeast of England. David delivers technical training in the area of Data Communications
and Telecoms and also provides consultancy and Training Needs Analysis. The company runs an
ecommerce website specialising in the sale of Networking hardware and consumer electronics.
Website: IP express
More Network Security Articles: • The Use of HoneyPots and HoneyNets to Trick Hackers • How to Secure Your Small Business Network • What is Cross Site Scripting? • Use of Taps and Span Ports in Cyber Intelligence Applications • Firewall Rules • Public Key Infrastructure • What is a SQL Injection Attack? • Essentials of Endpoint Device Backup • How a Firewall Provides Network Security • Network Security Across the Enterprise
|