
19 Application layer firewalls


This article is from the Firewalls FAQ, by Matt Curtin cmcurtin@interhack.net and Marcus J. Ranum mjr@nfr.com with numerous contributions by others.


These generally are hosts running proxy servers, which permit no traffic
directly between networks, and which perform elaborate logging and auditing
of traffic passing through them. Since the proxy applications are software
components running on the firewall, it is a good place to do lots of logging
and access control. Application layer firewalls can be used as network
address translators, since traffic goes in one "side" and out the other,
after having passed through an application that effectively masks the origin
of the initiating connection. Having an application in the way may in some
cases impact performance and may make the firewall less transparent. Early
application layer firewalls, such as those built using the TIS firewall
toolkit, are not particularly transparent to end users and may require some
training. Modern application layer firewalls are often fully transparent.
Application layer firewalls tend to provide more detailed audit reports and
tend to enforce more conservative security models than network layer
firewalls.

Figure 3: Dual Homed Gateway


Example application layer firewall: In Figure 3, an application layer
firewall called a "dual homed gateway" is represented. A dual homed
gateway is a highly secured host that runs proxy software. It has two
network interfaces, one on each network, and blocks all traffic passing
through it.
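
The proxy behaviour described above (no direct traffic between networks, access control and audit logging done in the proxy application, and masking of the originating address), as an added example that is not part of the original FAQ: a minimal TCP relay in Python. The allowlist, the `AUDIT_LOG` record layout and all function names are assumptions made for illustration.

```python
import ipaddress, socket, threading

ALLOWED_CLIENTS = [ipaddress.ip_network("127.0.0.0/8")]  # constructed policy
AUDIT_LOG = []  # in-memory audit trail; a real gateway would log durably

def permitted(client_ip):
    """Access decision made in the proxy application (default deny)."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in ALLOWED_CLIENTS)

def pump(src, dst, record, key):
    """Copy bytes one way and count them for the audit record."""
    try:
        while (data := src.recv(4096)):
            dst.sendall(data)
            record[key] += len(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)  # pass end-of-stream to the other side
        except OSError:
            pass

def handle(client, addr, backend):
    record = {"client": addr, "backend": backend, "allowed": permitted(addr[0]),
              "proxy_src": None, "bytes_out": 0, "bytes_in": 0}
    AUDIT_LOG.append(record)  # every attempt is logged, allowed or not
    with client:
        if not record["allowed"]:
            return  # closed without ever touching the other network
        # The proxy opens its own connection: the backend sees the proxy's
        # address, never the client's (the address-masking effect).
        with socket.create_connection(backend, timeout=10) as upstream:
            record["proxy_src"] = upstream.getsockname()
            back = threading.Thread(target=pump,
                                    args=(upstream, client, record, "bytes_in"))
            back.start()
            pump(client, upstream, record, "bytes_out")
            back.join()

def serve(listener, backend):
    """Accept loop; `listener` is a bound, listening socket."""
    while True:
        try:
            client, addr = listener.accept()
        except OSError:
            return  # listener closed
        threading.Thread(target=handle, args=(client, addr, backend), daemon=True).start()
```

On a dual homed gateway the listener would be bound to one interface and the upstream connection would leave through the other, with IP forwarding between the two disabled.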

The future of firewalls lies someplace between network layer firewalls and
application layer firewalls. It is likely that network layer firewalls will
become increasingly "aware" of the information going through them, and
application layer firewalls will become increasingly "low level" and
transparent. The end result will be a fast packet-screening system that logs
and audits data as it passes through. Increasingly, firewalls (network and
application layer) incorporate encryption so that they may protect traffic
passing between them over the Internet. Organizations with multiple points
of Internet connectivity can use firewalls with end-to-end encryption to
treat the Internet as a "private backbone" without worrying about their
data or passwords being sniffed.
