Application Gateways

next up previous contents
Next: Examples of Firewalls Up: Firewall Components Previous: Logging and Detection

Application Gateways

After packet filtering and logging, application gateways function to provide a higher level of security for applications such as telnet, ftp, or SMTP that are not blocked at the firewall. An application gateway is typically located such that all application traffic destined for hosts within the protected subnet must first be sent to the application gateway (in other words, any application traffic that is not directed at the application gateway gets rejected via packet filtering). After performing some action, the application gateway may pass the traffic on to a host or may reject the traffic if it is not authorized. Application gateways are also referred to as ``proxy servers.''

A site would use application gateways to provide a ``guarded gate'' through which application traffic must first pass before being permitted access to specific systems. As an example of an application gateway for telnet, a site might advertise only the name of the telnet gateway to outside users and not the names of specific hosts. The protocol for connecting to specific internal hosts would be as follows:

  1. a user first telnets to the application gateway and enters the name of the desired host;

  2. the gateway perhaps checks the user's source IP address and accepts or rejects it according to any access criteria in place;

  3. the user may need to authenticate herself using an authentication token such as a challenge-response device;

  4. the gateway then creates a telnet connection to the desired host;

  5. the user's system knows only that the telnet session is between the user's system and the application gateway; and

  6. the application gateway logs the connection, including the connection's origination address, destination, time of day, and duration.

Application gateways, then, have a number of advantages over the default mode of permitting application traffic directly to internal hosts:

A disadvantage of application gateways is that, in the case of client-server protocols such as telnet, two steps are required to connect inbound or outbound. This may prove somewhat tedious for users, however it is a small price to pay for the increase in security.

Application gateways are used generally for telnet, ftp, and e-mail. [Ran92] uses one application gateway for both telnet and ftp, and another for e-mail. The telnet application works as described in the earlier example; the ftp application includes the capability to deny puts and gets to specific hosts as required. For example, an outside user who has established a ftp session (via the ftp application gateway) to an internal system such as an anonymous ftp server might try to upload files to the server. The application gateway can filter the ftp protocol and deny all puts to the anonymous ftp server; this would ensure that nothing can be uploaded to the server and would provide a higher degree of assurance than relying only on file permissions at the anonymous ftp server to be set correctly.

An e-mail application gateway serves to centralize e-mail collection and distribution to internal hosts and users. To outside users, all internal users would have e-mail addresses of the form:

where emailhost is the name of the e-mail gateway. The gateway would accept mail from outside users and then forward mail along to other internal systems as necessary, using aliases or forward files. Users sending e-mail from internal systems could send it directly from their hosts, or in the case where internal system names are not known outside the protected subnet, the mail would be sent to the application gateway, which could then forward the mail to the destination host.

Application gateways are also ideal locations for services such as anonymous ftp, gopher, and other information distribution servers. Both [GS91] and [Che90] go into more detail on setting up application servers. [Ran92] and [Ran93] discuss location of application servers and filtering rules for directing application traffic to application gateways.

next up previous contents
Next: Examples of Firewalls Up: Firewall Components Previous: Logging and Detection

John Barkley
Fri Oct 7 16:17:21 EDT 1994