Application-level gateway
Application-Level Gateways
An application-level gateway allows the network administrator to implement a much stricter security policy than is possible with a packet-filtering router. Rather than relying on a generic packet-filtering tool to manage the flow of Internet services through the firewall, special-purpose code (a proxy service) is installed on the gateway for each desired application. If the network administrator does not install the proxy code for a particular application, the service is not supported and cannot be forwarded across the firewall. The proxy code can also be configured to support only those specific features of an application that the network administrator considers acceptable, while denying all other features.
This enhanced security comes at an increased cost: purchasing the gateway hardware platform and the proxy service applications, the time and knowledge required to configure the gateway, a decrease in the level of service that may be provided to users, and a lack of transparency resulting in a less user-friendly system. As always, the network administrator is required to balance the organization's need for security with the user community's demand for ease of use.
It is important to note that users are permitted access to the proxy services, but they are never permitted to log in to the application-level gateway. If users are permitted to log in to the firewall system, the security of the firewall is threatened, since an intruder could potentially perform some activity that compromises the effectiveness of the firewall. For example, the intruder could gain root access, install Trojan horses to collect passwords, and modify the security configuration files of the firewall.
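The per-application proxy and feature restriction described above can be sketched as a default-deny decision function. This is an added example, not code from the original page; the service names, permitted command sets and the `MAX_LINE` limit are assumptions chosen for illustration.

```python
# Constructed policy: one entry per installed proxy. A service with no entry
# has no proxy code and is never forwarded. Command sets are assumptions.
PROXIES = {
    "ftp": {"USER", "PASS", "CWD", "PWD", "TYPE", "PASV", "LIST", "RETR", "QUIT"},
    "smtp": {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "QUIT"},
}
MAX_LINE = 512  # assumed upper bound on one control line, in bytes


def decide(service, raw_line):
    """Return (forward, reason) for one client control line given as bytes."""
    allowed = PROXIES.get(service.lower())
    if allowed is None:
        return False, "no proxy installed for service"
    if len(raw_line) > MAX_LINE:
        return False, "line too long"
    if not raw_line.endswith(b"\r\n"):
        return False, "missing CRLF terminator"
    body = raw_line[:-2]
    # Reject a second command hidden behind the one being inspected.
    if b"\r" in body or b"\n" in body or b"\x00" in body:
        return False, "embedded control characters"
    try:
        text = body.decode("ascii")
    except UnicodeDecodeError:
        return False, "non-ASCII bytes"
    verb = text.split(" ", 1)[0].upper()
    if not verb.isalpha():
        return False, "malformed command"
    if verb not in allowed:
        return False, f"command {verb} not permitted"
    return True, f"command {verb} permitted"


def filter_session(service, lines):
    """Apply decide() to each line of a session, keeping the line for logging."""
    return [(line, *decide(service, line)) for line in lines]


if __name__ == "__main__":
    # Constructed FTP control-channel lines: downloads allowed, uploads not.
    sample = [b"USER alice\r\n", b"RETR report.txt\r\n", b"STOR upload.bin\r\n"]
    for line, forward, reason in filter_session("ftp", sample):
        print("FORWARD" if forward else "DENY   ", line, reason)
```

Here the FTP proxy relays downloads (`RETR`) but not uploads (`STOR`), and a service such as telnet is refused outright because no proxy exists for it.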
