I. Background of Firewall(cont'd)

Proxy Server Firewall

A Proxy Server Firewall operates at the upper levels of the OSI protocol stack (i.e. all the way up to the application layer) and provides internal terminals with proxy services to external networks. Messages from internal terminals are relayed by the Proxy Server Firewall to external destinations. A major benefit of deploying Proxy Server Firewalls is that they are able to hide the internal network information or structure through changing the IP addresses of outgoing packets.

Furthermore, Proxy Server Firewalls is able to look at more detailed information inside the packets, which enables more sophisticated monitoring and control of traffic flows at the network boundary. However, degradation of performance and reduction in the transparency of access to other networks are the possible by-products of using Proxy Server Firewalls.

There are two types of Proxy Server Firewalls:

  • Circuit-Level Firewall

    A Circuit-Level Firewall works at the session layer of the OSI model. They monitor TCP handshaking between the packets to determine if a requested session is legitimate.

    A virtual "circuit" is established between the internal terminals and the proxy server. "Network Address Translation" technique is used, where requests from the external networks go through this "circuit" to the proxy server, and the proxy server relays those requests to the external networks after changing the IP addresses of the packets. All packets delivered by the Circuit-Level Firewall are tagged with public IP addresses and the internal private IP addresses are not exposed to potential intruders. There is no way for a remote terminal to determine the internal private IP addresses of the universities.

     

  • Application-Level Firewall

    An Application-Level firewall provides all the Circuit-Level firewall features and also provides extensive packet analysis.

    Not only does the firewall evaluate IP addresses, it decides whether to drop a packet or send them through based on the application information available in the packet, which stops hackers from hiding information in the packets. Such function is achieved via setting up multiple proxies on a single firewall for difference applications, and examines the data or connection at Application Layer based on tailor-made rule(s) for each application. Because they are application aware, more complex protocols like H.323, SIP and SQL can be handled.

 
Reference:
http://www.windowsecurity.com/whitepapers/General_Firewall_White_Paper.html
http://www.windowsecurity.com/articles/A_firewall_in_an_IT_system.html