Firewall Feature Set Overview

and port numbers. These firewalls are scalable, easy to implement, and widely deployed for simple Network layer filtering, but they suffer from the following disadvantages:

Do not maintain state for individual sessions, nor track the session establishment protocol; ports are usually either always open or always blocked.

Do not examine application data

Do not work well with applications which open secondary data channels using embedded port information in the protocol - “difficult protocols” such as FTP and H.323 (video conferencing applications)

Cannot detect protocol-level problems and attacks

Less secure than stateful inspection or proxy firewalls

ALG and Proxy Firewalls

ALG or proxy firewalls filter packets at the top of the stack - Layer 5. They:

Act as an agent (proxy) between IP client and server transactions. A proxy server often runs on dedicated, hardened operating systems with limited functionality, offering less of a chance to be compromised.

Filter bad packets and bad content to protect internal hosts that cannot protect themselves against these attacks:

Bad packets (too long or too short)

Unrecognized commands (possible attack)

Legal but undesirable commands/operations (as set by policy)

Objectionable contents (content and URL filtering)

Terminate incoming and outgoing connections for applications such as FTP, gopher, or Telnet at the proxy firewall first.

Create two connections, one from the client to the firewall, the other from the firewall to the actual server. The proxy generates a completely new packet to send to the actual server, based on its own reading of the incoming packet's data and a correct implementation of the application's protocol. When the server replies, the proxy firewall again interprets the reply and regenerates a new packet to send to the client.

Build another layer of protection between interior hosts and the external world, forcing a hacker to first break into the proxy server in order to launch an attack on internal hosts.
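As an added illustration (not code from the XSR manual or Enterasys), the following Python sketch shows the checks a proxy applies to one FTP control-channel command before regenerating it on its own server-side connection, including decoding the data-channel endpoint embedded in PORT that a stateless packet filter cannot see; the command set, length limit and policy table are assumed values chosen for the example:

```python
"""Minimal FTP control-channel ALG filter (added example, not Enterasys code).

Each client line is checked for length, recognized command, local policy and,
for PORT, a well-formed embedded data-channel endpoint.  The returned line is
the regenerated command the proxy would send to the real server; None means
the proxy refuses to forward it.
"""
import re

MAX_LINE = 512                                  # assumed maximum line length
KNOWN = {"USER", "PASS", "CWD", "PWD", "LIST", "RETR", "STOR",
         "DELE", "PORT", "TYPE", "QUIT"}         # assumed recognized commands
DENIED_BY_POLICY = {"DELE", "STOR"}             # legal but disallowed here
PORT_RE = re.compile(r"^(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def parse_port(arg):
    """Decode 'h1,h2,h3,h4,p1,p2' into (ip, port); ValueError if malformed."""
    m = PORT_RE.match(arg.strip())
    if not m:
        raise ValueError("malformed PORT argument")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def filter_command(line: bytes, client_ip: str):
    """Return (verdict, regenerated_line_or_None, data_endpoint_or_None)."""
    if len(line) < 3 or len(line) > MAX_LINE:        # too short / too long
        return "reject-length", None, None
    try:
        text = line.decode("ascii").rstrip("\r\n")
    except UnicodeDecodeError:
        return "reject-encoding", None, None
    verb, _, arg = text.partition(" ")
    verb = verb.upper()
    if verb not in KNOWN:                            # unrecognized command
        return "reject-unknown", None, None
    if verb in DENIED_BY_POLICY:                     # legal but undesirable
        return "reject-policy", None, None
    endpoint = None
    if verb == "PORT":
        try:
            endpoint = parse_port(arg)
        except ValueError:
            return "reject-malformed", None, None
        if endpoint[0] != client_ip:                 # data channel must go back to the client
            return "reject-policy", None, None
    # Regenerate a canonical line rather than forwarding the client's bytes.
    regenerated = (f"{verb} {arg}" if arg else verb).encode("ascii") + b"\r\n"
    return "forward", regenerated, endpoint
```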

But the above advantages of an application or proxy firewall are offset by the following weaknesses:

Higher overhead - because it is usually implemented at the Application layer, additional processing is needed to transfer packets between the kernel and the proxy application.

Non-scalability - support for a new protocol or a new feature of an existing protocol often lags by months or years.

Non-transparency - proxy server users may discover that the server bars an application, forcing them to find alternatives.

XSR User’s Guide 16-11
