Internet Security Professional Reference:How to Buy a Firewall


Evaluating Paths Through the Firewall

To help sort out the different firewalls, consider how traffic moves through them. In general, firewalls divide the world into two camps: trusted and untrusted. The manner and ease with which connections are allowed to go from the trusted side to the untrusted side is often very different from the reverse path.

Firewall/Plus has the most black-and-white view of what is trusted and what is not. A Firewall/Plus system has exactly two LAN interfaces. The icon for one is a devil; for the other, the icon is an angel. Digital’s AltaVista Firewall also has a very strong inside/outside orientation, supporting only two LAN connections. All the other products can handle three or more LAN interfaces.

While two interfaces are often enough for an Internet-oriented firewall, many organizations need three: one for the Internet; one for “public” servers for things like WWW, News, and FTP; and one for the inside. When firewalls are used internally, even more than three LAN connections may be required to implement the corporate security policy.

The most transparent path from inside to the outside world is provided by packet filtering firewalls such as Check Point’s Firewall-1. Packet filters allow unadulterated TCP/IP connections to go from the inside of the firewall to the outside, subject only to the security policy and rules set in the firewall. A key feature of these firewalls is that they do not change IP addresses when passing through the firewall. This feature means that any application-layer protocol that has knowledge of IP addresses will work through these firewalls without changes or special programming.
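To make the packet-filter model concrete, here is an added example (not code from the book or from any vendor's product) of a first-match rule set evaluated over the trusted/untrusted split described above. The address ranges, zone names and rules are constructed for illustration; the point it shows is that a packet filter only decides whether to pass a packet and, when it does, forwards it with the source and destination addresses untouched.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed example topology: 10.0.0.0/8 is the trusted inside,
# 192.0.2.0/24 is the "public" server segment, anything else is untrusted.
TRUSTED = ipaddress.ip_network("10.0.0.0/8")
PUBLIC = ipaddress.ip_network("192.0.2.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    src_zone: str          # "inside", "public", "outside" or "any"
    dst_zone: str
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None matches every port
    action: str            # "allow" or "deny"


def zone(addr: str) -> str:
    """Map an IP address to one of the three zones of the example topology."""
    ip = ipaddress.ip_address(addr)
    if ip in TRUSTED:
        return "inside"
    if ip in PUBLIC:
        return "public"
    return "outside"


# Constructed policy: inside may open any TCP connection outward, the
# outside may only reach the public segment on web and mail ports, and
# everything not listed falls through to the default deny.
RULES: List[Rule] = [
    Rule("inside", "any", "tcp", None, "allow"),
    Rule("outside", "public", "tcp", 80, "allow"),
    Rule("outside", "public", "tcp", 25, "allow"),
    Rule("outside", "inside", "any", None, "deny"),
]


def _matches(rule: Rule, pkt: Packet) -> bool:
    return (
        rule.src_zone in ("any", zone(pkt.src))
        and rule.dst_zone in ("any", zone(pkt.dst))
        and rule.proto in ("any", pkt.proto)
        and (rule.dport is None or rule.dport == pkt.dport)
    )


def decide(pkt: Packet, rules: List[Rule] = RULES) -> str:
    """First matching rule wins; an unmatched packet is denied."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule.action
    return "deny"


def forward(pkt: Packet) -> Optional[Tuple[str, str, int]]:
    """Return (src, dst, dport) as the far side sees it, or None if dropped.

    A pure packet filter does no address translation, so an allowed packet
    leaves with exactly the addresses it arrived with.
    """
    if decide(pkt) != "allow":
        return None
    return (pkt.src, pkt.dst, pkt.dport)
```

Because the forwarded tuple is identical to the one the client sent, an application protocol that embeds its own IP address in the data stream keeps working through this kind of firewall; a proxying firewall, as the next paragraphs explain, does not give that guarantee.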

Firewalls that support application or transport-level proxies are not as transparent. These firewalls perform some sort of Network Address Translation (NAT) on packets moving through the firewall. This is done as part of the application or transport-level proxy service.

Generally, the address of the system inside the firewall is replaced with the address of the firewall itself. The problem with this approach is that some application protocols have an intimate knowledge of IP addresses and will not work without special processing. The most common of these is File Transfer Protocol (FTP). Because FTP is so popular, all firewalls that perform NAT also have an FTP-specific application-layer proxy.
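The FTP case is the classic illustration of why NAT alone is not enough. In active-mode FTP the client sends a PORT command whose argument spells out the client's own IP address and a port for the server to connect back to. A firewall that rewrites only the IP header leaves that private address in the payload, so the server tries to connect to an address it cannot reach. The added example below (written for this page, not taken from any of the products named here) parses the PORT command as defined in RFC 959, shows the check a plain NAT fails, and performs the rewrite an FTP-aware proxy has to do: substitute the firewall's own address and an allocated port, and remember the mapping so the server's inbound data connection can be relayed to the real client. The firewall address and port range are constructed values.

```python
import ipaddress
import re
from typing import Dict, Tuple

# RFC 959 PORT syntax: "PORT h1,h2,h3,h4,p1,p2" where the port is p1*256 + p2.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")

# Constructed: the address space of the protected network.
PRIVATE_NET = ipaddress.ip_network("10.0.0.0/8")


def parse_port(line: str) -> Tuple[str, int]:
    """Extract (ip, port) from a PORT command; raise ValueError if malformed."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in %r" % line)
    h1, h2, h3, h4, p1, p2 = fields
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def format_port(ip: str, port: int) -> str:
    """Inverse of parse_port."""
    return "PORT %s,%d,%d" % (ip.replace(".", ","), port // 256, port % 256)


def breaks_behind_plain_nat(line: str) -> bool:
    """True when the address embedded in the PORT payload is private, i.e.
    a header-only NAT would hand the server an address it cannot connect to."""
    ip, _ = parse_port(line)
    return ipaddress.ip_address(ip) in PRIVATE_NET


class FtpProxy:
    """Minimal model of the FTP-specific application proxy a NAT firewall needs."""

    def __init__(self, firewall_ip: str, first_port: int) -> None:
        self.firewall_ip = firewall_ip
        self.next_port = first_port                     # constructed port pool
        self.mappings: Dict[int, Tuple[str, int]] = {}  # firewall port -> client

    def rewrite_port(self, line: str) -> str:
        """Rewrite a client's PORT command so it names the firewall instead."""
        client_ip, client_port = parse_port(line)
        fw_port = self.next_port
        self.next_port += 1
        self.mappings[fw_port] = (client_ip, client_port)
        return format_port(self.firewall_ip, fw_port)

    def inbound_data_target(self, fw_port: int) -> Tuple[str, int]:
        """When the server connects to the firewall port, relay to this client."""
        return self.mappings[fw_port]
```

The same payload-rewriting obligation exists for any protocol that carries addresses in-band; FTP is simply the one every NAT firewall has to handle because it is so widely used.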

Milkyway’s Black Hole supports both modes of operation; it normally acts as a NAT, but can proxy without changing addresses (what Milkyway calls a “white hole”) if the application requires it. Check Point’s Firewall-1, Global Internet’s Centri, and TIS’ Gauntlet can do both to some extent as well.

Of course, for organizations using private addresses who want to connect to the Internet, having a complete NAT may not be just a good thing—it may be a requirement.

Not all proxies behave the same way. Application- and transport-level proxy service can be more or less intrusive to the client.

In the non-intrusive case, the client system attempts to connect through the firewall to an IP address on the outside. The firewall intercepts the connection and forms a second connection on behalf of the client, bringing the two together with a proxy. The non-intrusive proxy firewalls include Global’s Centri, Raptor’s Eagle, and Milkyway’s Black Hole.


Warning:  Be careful when making a decision based on use of the term “transparent.” Each firewall vendor has a different definition of “transparent,” and one vendor’s transparent connection is another vendor’s opaque one.

For intrusive connections, the client must make an explicit connection to the firewall. The client then has to tell the firewall where to make the final connection. Intrusive proxies include LSLI’s PORTUS, Digital’s AltaVista Firewall, and TIS’ Gauntlet.

Although “intrusive” may sound like a bad thing, many casual Internet users won’t even know what’s happening. The popular WWW browsers, including Netscape’s Navigator and Microsoft’s Internet Explorer, have built-in support for working with intrusive proxies. With a few clicks, the browser can be configured to work with the firewall proxy. Proxies are only a problem when trying to use uncommon protocols, such as streaming audio (RealAudio and similar products), CU-SeeMe (video conferencing), and LDAP (Lightweight Directory Access Protocol), through the firewall.
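The difference between the two proxy styles comes down to where the firewall learns the real destination. In the non-intrusive case it is in the packet header, because the client addressed the remote server and the firewall intercepted the connection. In the intrusive case the client addressed the firewall, so the destination has to travel in-band, which for a browser means the proxy-style HTTP request (an absolute URL in the request line, or CONNECT host:port for SSL). The added example below, written for this page rather than taken from any product named here, shows a firewall working out its outbound connection target in both modes; the firewall address and the hostnames are constructed.

```python
from typing import Tuple
from urllib.parse import urlsplit

# Constructed: the inside address of the firewall that clients point proxies at.
FIREWALL_IP = "10.0.0.1"


def outbound_target(tcp_dst_ip: str, tcp_dst_port: int,
                    request_line: str) -> Tuple[str, int, str]:
    """Return (host, port, mode) the firewall should connect to for the client.

    mode is "non-intrusive" when the destination came from the packet header
    and "intrusive" when it had to be recovered from the HTTP request line.
    """
    if tcp_dst_ip != FIREWALL_IP:
        # The client addressed the real server; the firewall intercepted the
        # connection and can reuse the header destination unchanged.
        return tcp_dst_ip, tcp_dst_port, "non-intrusive"

    # The client addressed the firewall itself, so the only place the real
    # destination can be is inside the request the client sends first.
    parts = request_line.split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % request_line)
    method, target, _version = parts

    if method == "CONNECT":
        # CONNECT host:port, as browsers use for SSL through a proxy.
        host, sep, port = target.rpartition(":")
        if not sep or not port.isdigit():
            raise ValueError("CONNECT needs host:port: %r" % target)
        return host, int(port), "intrusive"

    # Proxy-style request: the request line carries an absolute URL.
    url = urlsplit(target)
    if url.scheme != "http" or not url.hostname:
        raise ValueError("proxy request needs an absolute http URL: %r" % target)
    return url.hostname, url.port or 80, "intrusive"
```

A browser that has not been configured for the proxy sends an origin-form request (GET / HTTP/1.0) and, in the intrusive case, the firewall has nothing to connect to; that is the failure a user sees when the "few clicks" of proxy configuration are skipped.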

Even non-intrusive proxies are no guarantee of success. For example, when testing Raptor’s Eagle, Opus One found that their proxy does not properly synchronize both ends of the connection, which can cause data loss and other communications failures. In general, none of the firewall proxies properly handle TCP option negotiation. For out-of-the-box applications, this isn’t a big deal. But when firewalls are deployed within a company where more esoteric protocols are used, this could lead to performance problems.
