Firewalls+Proxies – Application/Network Layer Differences

In response to firewalls as network appliances becoming more like application-layer firewalls (proxy servers)….

This is true – the network appliance of a firewall is being bundled with more significant capabilities as a natural response to consumer demand. The advantages of a proxy server traditionally have to do with session layer controls.

With a proxy, an administrator can set up ACL restrictions on Internet access with very specific and minute detail. With a proxy, for example, we could assign one form of user object (say, Group A) Full Access to the AOL Instant Messenger Port on the proxy service; we could set a specific user object, or, another group (Group B) at No Access to the same port.

Even more so, as a proxy is an application layer service, we can deny not just ports but _applications_ from traversing the gateway. We could say that, for example, QuickBooks as an application cannot access the Internet, or, we’ve determined that our standard is IE, so another browser like Netscape is not allowed to be used to access the Internet. Also, because this is such a high layer, we can also deploy some interesting encryption on the packets that would otherwise be there, controlled by session and presentation layer interaction. We could also allow port-level access based on an ACL security descriptor – Administrators can do this, General Users can do this.

We could also set up routing restrictions based on object-level and security descriptor-level ACLs. The routing path for Group A is X, and the routing path for Group B is Y.

And we could set up specific logging and controls by session layer – that some user objects are audited more significantly than others. In our model here, user objects on both the local and remote subnets _must_ authenticate as a session-layer service (say, an NDS, LDAP/Kerberos, or AD structure) to even use the Internet.

We could see a reasonable IP address distributed via our DHCP to an internal host. A normal firewall would consider this acceptable and allow for gateway traversal. However, an application-layer firewall (a proxy) could be configured to challenge the user at the session-layer (who are you, give me a credential) _before_ the service is to recognize the traversal.

Therefore, everybody on the network has a single gateway in our case study here, and, everybody – local or remote, LAN or WAN, WiFi or Wired – must authenticate to the proxy _first_ before exiting the only gateway.

As a single point of entry and exit, that can be monitored at the IP layer (layer 3), the transport layer (layer 4), the session layer (layer 5), the presentation layer (layer 6), and the application layer (layer 7), this makes for a very formidable and auditable gateway.

As Nathan pointed out, many network appliances like firewalls are being shipped with greater intelligence, even allowing them to perform as application-layer firewalls, integrated into the directory services of our choice. Wrangling with them is about as challenging as NSDs (Network Storage Devices) – usually they’ve a different o/s than your directory service and integrating them is an administrative headache, but still, it offers a great deal of control, more so than a simple layer 3/4 firewall.

R
www.micklerandassociates.com
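To make the contrast in the post concrete, here is an added example (not code from the post's author or from any real proxy product) that models the two gateways side by side: a layer 3/4 packet filter that only sees source address and destination port, and an application-layer proxy that demands a session-layer credential first, then applies group ACLs on ports and on client applications, assigns a per-group routing path, and audits some groups more heavily than others. The directory, groups, passwords, the 10.0.0.0/8 subnet, the application names and the audit levels are all constructed for the example; 5190 is AIM's well-known port.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# ---- Constructed policy data: stands in for NDS/LDAP/AD and the proxy's ACLs ----
INTERNAL_NET = ip_network("10.0.0.0/8")        # assumed subnet handed out by our DHCP
FILTER_PORTS = {80, 443, 5190}                 # assumed layer-4 allow list (5190 = AIM)

DIRECTORY = {                                  # hypothetical user -> (password, group)
    "alice": ("alice-pw", "Group A"),
    "bob": ("bob-pw", "Group B"),
    "carol": ("carol-pw", "Administrators"),
}
APP_ALLOWED = {"IE": True, "Netscape": False, "QuickBooks": False}   # our standard is IE
PORT_ACL = {                                   # group -> port -> "full" | "none"
    "Group A": {5190: "full", 80: "full", 443: "full"},
    "Group B": {5190: "none", 80: "full", 443: "full"},
    "Administrators": {5190: "full", 80: "full", 443: "full"},
}
ROUTES = {"Group A": "path-X", "Group B": "path-Y", "Administrators": "path-X"}
AUDIT_LEVEL = {"Group A": "normal", "Group B": "verbose", "Administrators": "verbose"}
AUDIT_LOG: list = []                           # in-memory stand-in for the proxy log


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    user: Optional[str] = None
    route: Optional[str] = None


def packet_filter_allows(src_ip: str, dst_port: int) -> bool:
    """Layer 3/4 check: a plain firewall only sees address and port, never the user."""
    return ip_address(src_ip) in INTERNAL_NET and dst_port in FILTER_PORTS


def authenticate(user: str, password: str) -> Optional[str]:
    """Session-layer challenge ('who are you, give me a credential').
    Returns the user's group on success, None on failure."""
    entry = DIRECTORY.get(user)
    if entry is None or entry[0] != password:
        return None
    return entry[1]


def _audit(decision: Decision, group: Optional[str], src_ip: str,
           dst_port: int, app: str) -> Decision:
    """Record the decision; 'verbose' groups (and unknown callers) get full detail."""
    level = AUDIT_LEVEL.get(group, "verbose")
    record = {"user": decision.user, "allowed": decision.allowed, "reason": decision.reason}
    if level == "verbose":
        record.update({"src_ip": src_ip, "dst_port": dst_port, "app": app})
    AUDIT_LOG.append(record)
    return decision


def proxy_decide(src_ip: str, dst_port: int, app: str,
                 user: Optional[str] = None, password: Optional[str] = None) -> Decision:
    """Application-layer gateway: identity first, then application, then port, then route."""
    if not packet_filter_allows(src_ip, dst_port):
        return _audit(Decision(False, "blocked at layer 3/4"), None, src_ip, dst_port, app)
    group = authenticate(user, password) if user else None
    if group is None:                          # a valid DHCP address alone is not enough
        return _audit(Decision(False, "authentication required"), None, src_ip, dst_port, app)
    if not APP_ALLOWED.get(app, False):        # deny the application, not just the port
        return _audit(Decision(False, f"application {app!r} not permitted", user),
                      group, src_ip, dst_port, app)
    if PORT_ACL[group].get(dst_port, "none") != "full":
        return _audit(Decision(False, f"port {dst_port} denied for {group}", user),
                      group, src_ip, dst_port, app)
    return _audit(Decision(True, "permitted", user, ROUTES[group]), group, src_ip, dst_port, app)


if __name__ == "__main__":
    # The same host and port: the packet filter says yes, the proxy says "who are you?"
    print(packet_filter_allows("10.1.2.3", 5190))
    print(proxy_decide("10.1.2.3", 5190, "IE"))
    print(proxy_decide("10.1.2.3", 5190, "IE", "alice", "alice-pw"))
    print(proxy_decide("10.1.2.3", 5190, "IE", "bob", "bob-pw"))
    print(proxy_decide("10.1.2.3", 80, "Netscape", "bob", "bob-pw"))
```

The order of checks is the point: the packet filter alone would pass every request from a DHCP-assigned internal address on an open port, whereas the proxy refuses the same request until a directory credential is presented, and only then applies the application, port, route and audit policy that the post describes for Group A versus Group B.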