S 2.75 Selection of a suitable application gateway
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: IT Security Management, Administrators
An application gateway is a computer that uses application-layer information to filter connections.
This information can be, for example, user names combined with strong authentication, specific content of the transmitted data (e.g. a check for computer viruses), or other information from the application layer. An application gateway also makes it possible to create a single, uniform point of access to the sub-network requiring protection and to conceal that network. The filter processes running on the application gateway are called proxy processes.
If an application gateway is required for a firewall, the following requirements should be imposed on purchase:
- All important protocols of the application layer (such as Telnet, FTP, SMTP, DNS, NNTP, HTTP) must be handled.
- Filtering must be possible for each supported protocol according to all the information stipulated in measure S 2.76 Selection and Implementation of Suitable Filter Rules. In particular, it must be possible to formulate filter rules that depend on the user and to combine several users into one group.
- Filtering of contents should be supported, so that a central virus scan and the blocking of active contents are possible (see T 5.23 Computer Viruses).
- Using the application gateway must not require changes to the software in the network requiring protection or in the external network.
- Entering and checking filter rules must be simple and clear, e.g. by means of symbolic service and protocol names.
- The programs used must be well documented.
- It must be easy to add new protocols.
- It must be possible to log IP addresses, service, time and date for established and denied connections, with the option of restricting logging to certain connections (e.g. for a specific user).
- It must be possible to send all logging information to an external host.
- Special, configurable events must trigger an immediate warning (e.g. repeated incorrect authentication attempts).
- Strong authentication methods must be used for user identification.
- The application gateway must support virtual private networks
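The following is an added illustration of how several of the requirements above fit together in a proxy's policy logic; it is not code from the BSI manual or from any particular gateway product. It models user- and group-dependent filter rules entered by symbolic service name, a content-scan hook, a log record per established or denied connection (IP address, service, date and time) handed to a pluggable sink that could forward to an external log host, and an immediate alert on repeated failed authentications. The service table, group membership, rule syntax, sample connections and timestamps are all constructed for the example.

```python
"""Added illustration of application-gateway filter policy (not from the BSI
manual).  SERVICES, GROUPS, the Rule syntax and all sample data are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Rules are written with symbolic service names; the port mapping is only
# needed for the log record (values follow the IANA well-known ports).
SERVICES = {"telnet": 23, "ftp": 21, "smtp": 25, "dns": 53, "nntp": 119, "http": 80}

# Hypothetical group membership; a real gateway takes this from its
# (strongly authenticated) user database.
GROUPS = {"admins": {"alice"}, "staff": {"alice", "bob"}}


class Rule:
    """One filter rule: subject is a user name, '@group', or None for anyone."""

    def __init__(self, service, action, subject=None, require_content_scan=False):
        self.service, self.action, self.subject = service, action, subject
        self.require_content_scan = require_content_scan

    def matches(self, user, service):
        if self.service not in (None, service):
            return False
        if self.subject is None:
            return True
        if self.subject.startswith("@"):
            return user in GROUPS.get(self.subject[1:], set())
        return user == self.subject


class ApplicationGateway:
    def __init__(self, rules, log_sink, alert_sink,
                 auth_fail_limit=3, window=timedelta(minutes=5)):
        self.rules = rules
        self.log_sink = log_sink        # e.g. a forwarder to an external log host
        self.alert_sink = alert_sink    # e.g. pager / SIEM hook
        self.auth_fail_limit = auth_fail_limit
        self.window = window
        self._auth_failures = defaultdict(deque)   # user -> recent failure times

    def _log(self, now, src_ip, service, user, decision):
        """Log IP address, service, date/time, user and decision for every connection."""
        port = SERVICES.get(service, "?")
        record = f"{now:%Y-%m-%d %H:%M:%S} {src_ip} {service}/{port} user={user} {decision}"
        self.log_sink(record)
        return record

    def record_auth_failure(self, user, src_ip, service, now):
        """Sliding-window counter: alert once the limit is reached within the window."""
        recent = self._auth_failures[user]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()
        self._log(now, src_ip, service, user, "AUTH-FAIL")
        if len(recent) >= self.auth_fail_limit:
            self.alert_sink(f"{len(recent)} failed authentications for {user} "
                            f"from {src_ip} within {self.window}")
            return True
        return False

    def connect(self, user, src_ip, service, now, content_clean=True):
        """First matching rule decides; anything unmatched or unsupported is denied."""
        if service not in SERVICES:
            self._log(now, src_ip, service, user, "DENY unsupported-protocol")
            return False
        for rule in self.rules:
            if not rule.matches(user, service):
                continue
            if rule.action == "allow" and rule.require_content_scan and not content_clean:
                self._log(now, src_ip, service, user, "DENY content-scan")
                return False
            self._log(now, src_ip, service, user,
                      "ALLOW" if rule.action == "allow" else "DENY rule")
            return rule.action == "allow"
        self._log(now, src_ip, service, user, "DENY default")
        return False


def run_demo():
    """Constructed scenario; returns (decisions, log records, alerts) for inspection."""
    logs, alerts = [], []
    rules = [
        Rule("telnet", "allow", subject="@admins"),
        Rule("http", "allow", subject="@staff", require_content_scan=True),
        Rule("smtp", "allow"),                 # every authenticated user may send mail
        Rule("ftp", "deny", subject="bob"),
    ]
    gw = ApplicationGateway(rules, logs.append, alerts.append)
    t0 = datetime(2024, 1, 15, 9, 0, 0)        # constructed timestamp
    decisions = [
        gw.connect("alice", "10.0.0.5", "telnet", t0),                      # admin: allowed
        gw.connect("bob", "10.0.0.6", "telnet", t0),                        # not admin: default deny
        gw.connect("bob", "10.0.0.6", "http", t0, content_clean=False),     # scanner hit: denied
        gw.connect("bob", "10.0.0.6", "http", t0),                          # clean: allowed
        gw.connect("bob", "10.0.0.6", "ftp", t0),                           # explicit deny
        gw.connect("bob", "10.0.0.6", "gopher", t0),                        # unsupported protocol
    ]
    for i in range(3):                         # three bad logins within seconds
        gw.record_auth_failure("carol", "192.0.2.9", "telnet", t0 + timedelta(seconds=i))
    return decisions, logs, alerts


if __name__ == "__main__":
    for line in run_demo()[1]:
        print(line)
```

The default-deny at the end of `connect` and the explicit "unsupported protocol" branch are the points worth copying: a proxy that silently passes what it does not understand defeats the purpose of filtering at the application layer.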