To help sort out the different firewalls, consider how traffic moves through them. In general, firewalls divide the world into two camps: trusted and untrusted. The manner and ease with which connections are allowed to go from the trusted side to the untrusted side is often very different from the reverse path.
Firewall/Plus has the most black-and-white view of what is trusted and what is not. A Firewall/Plus system has exactly two LAN interfaces. The icon for one is a devil; for the other, the icon is an angel. Digital's AltaVista Firewall also has a very strong inside/outside orientation, supporting only two LAN connections. All the other products can handle three or more LAN interfaces.
While two interfaces are often enough for an Internet-oriented firewall, many organizations need three: one for the Internet; one for public servers for things like WWW, News, and FTP; and one for the inside. When firewalls are used internally, even more than three LAN connections may be required to implement the corporate security policy.
The most transparent path from inside to the outside world is provided by packet filtering firewalls such as Check Point's Firewall-1. Packet filters allow unadulterated TCP/IP connections to go from the inside of the firewall to the outside, subject only to the security policy and rules set in the firewall. A key feature of these firewalls is that they do not change IP addresses when passing packets through the firewall. This feature means that any application-layer protocol that has knowledge of IP addresses will work through these firewalls without changes or special programming.
Firewalls that support application- or transport-level proxies are not as transparent. These firewalls perform some sort of Network Address Translation (NAT) on packets moving through the firewall. This is done as part of the application- or transport-level proxy service.
Generally, the address of the system inside the firewall is replaced with the address of the firewall itself. The problem with this approach is that some application protocols carry IP addresses inside their own messages and will not work without special processing. The most common of these is File Transfer Protocol (FTP). Because FTP is so popular, all firewalls that perform NAT also have an FTP-specific application-layer proxy.
Milkyway's Black Hole supports both modes of operation; it normally acts as a NAT, but can proxy without changing addresses (what Milkyway calls a white hole) if the application requires it. Check Point's Firewall-1, Global Internet's Centri, and TIS Gauntlet can do both to some extent as well.
Of course, for organizations using private addresses that want to connect to the Internet, having a complete NAT may not be just a good thing; it may be a requirement.
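The FTP problem described above, as an added example that is not part of the original text or of any reviewed product: a small Python FTP application-layer proxy that rewrites the client's PORT command, the message in which active-mode FTP embeds the client's own IP address and port, so that a NAT firewall can substitute its own address. The firewall address 203.0.113.1, the inside client 10.0.0.5 and the FtpAlg class are assumptions, not anything from the page.

```python
import re
# Constructed scenario (not from the text): inside client 10.0.0.5 (a private
# address) sends an active-mode FTP PORT command carrying its own address and
# listening port as six decimal bytes.  A NAT that rewrites only IP headers
# leaves 10.0.0.5 in the payload, so the server's data connection is aimed at
# an unroutable address; an FTP-aware proxy must rewrite the payload as well.
PORT_RE = re.compile(r"PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?\n?")

def parse_port(cmd):
    """Return (ip, port) from a PORT command, or None if it is malformed."""
    m = PORT_RE.fullmatch(cmd)
    if m is None:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    port = octets[4] * 256 + octets[5]
    if port == 0:
        return None
    return ".".join(str(o) for o in octets[:4]), port

def format_port(ip, port):
    """Encode an address and port in FTP's h1,h2,h3,h4,p1,p2 form."""
    h = ip.split(".")
    return f"PORT {h[0]},{h[1]},{h[2]},{h[3]},{port // 256},{port % 256}\r\n"

class FtpAlg:
    """Hypothetical FTP proxy for a NAT firewall: substitutes the firewall's
    address for the client's, allocates a firewall-side port, and records the
    mapping used to forward the server's inbound data connection."""
    def __init__(self, firewall_ip, first_port=40000):
        self.firewall_ip = firewall_ip
        self.next_port = first_port
        self.mappings = {}  # firewall port -> (inside ip, inside port)

    def rewrite(self, cmd, control_src_ip):
        """Rewrite one PORT command seen on a control connection from control_src_ip."""
        parsed = parse_port(cmd)
        if parsed is None:
            return None
        ip, port = parsed
        # Accept only the control connection's own address as the data address;
        # anything else would have the firewall open a return path to a third host.
        if ip != control_src_ip:
            return None
        fw_port = self.next_port
        self.next_port += 1
        self.mappings[fw_port] = (ip, port)
        return format_port(self.firewall_ip, fw_port)
```

The same rewriting is what a white-hole (address-preserving) proxy can skip, since the client's address stays routable from the outside.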
Not all proxies behave the same way. Application- and transport-level proxy service can be more or less intrusive to the client.
In the non-intrusive case, the client system attempts to connect through the firewall to an IP address on the outside. The firewall intercepts the connection and forms a second connection on behalf of the client, bringing the two together with a proxy. The non-intrusive proxy firewalls include Global's Centri, Raptor's Eagle, and Milkyway's Black Hole.
Warning: Be careful when making a decision based on use of the term "transparent." Each firewall vendor has a different definition of transparent, and one vendor's transparent connection is another vendor's opaque one.
For intrusive connections, the client must make an explicit connection to the firewall. The client then has to tell the firewall where to make the final connection. Intrusive proxies include LSLI's PORTUS, Digital's AltaVista Firewall, and TIS Gauntlet.
Although intrusive may sound like a bad thing, many casual Internet users won't even know what's happening. The popular WWW browsers, including Netscape's Navigator and Microsoft's Internet Explorer, have built-in support for working with intrusive proxies. With a few clicks, the browser can be configured to work with the firewall proxy. Proxies are only a problem when trying to use uncommon protocols, such as streaming audio (RealAudio and similar products), CU-SeeMe (video conferencing), and LDAP (Lightweight Directory Access Protocol), through the firewall.
Even non-intrusive proxies are no guarantee of success. For example, when testing Raptor's Eagle, Opus One found that its proxy does not properly synchronize both ends of the connection, which can cause data loss and other communications failures. In general, none of the firewall proxies properly handle TCP option negotiation. For out-of-the-box applications, this isn't a big deal. But when firewalls are deployed within a company where more esoteric protocols are used, this could lead to performance problems.