Lesson 5: Application-level gateway proxy servers
Objective: Describe and configure application-level gateway proxy servers.
Application-level Gateway Proxy Servers
Application gateways inspect traffic at the application layer, analyzing data as an entire message rather than as individual packets. Using rules or filters, the proxy server can determine if the message contains good or
Transport layer protocols
When using an application-level gateway, certain transport layer protocols work better than others. Because TCP is connection-oriented, it is easy to proxy: the gateway applies its filters to the TCP session when the session is established, and for the rest of the session's life it does not re-examine the TCP header of each packet.
UDP is connectionless, so each UDP datagram is treated as an individual message; the gateway must analyze every datagram and run it through the filters separately, which slows the proxy process. ICMP has no ports or sessions for the gateway to map and is nearly impossible to proxy, so programs that rely primarily on ICMP messages (such as ping) typically do not work through an application-level gateway.
- Transmission Control Protocol/Internet Protocol (TCP/IP): A suite of protocols that divides information into blocks called packets and sends them across networks such as the Internet.
- User Datagram Protocol (UDP): A connectionless protocol at the transport layer of the TCP/IP stack, often used for broadcast-type traffic such as audio or video.
- Internet Control Message Protocol (ICMP): A protocol used to communicate errors or other conditions at the IP layer.
Advantages of an application-level gateway are that the proxy server:
- Provides network address translation (NAT)
- Features robust logging and alarming
- Analyzes nearly every portion of a TCP/IP session
- Allows access to be restricted for an entire domain
- Provides reverse proxy service: the company's publicly registered Web or email server, located outside the network's firewall system, is the reverse proxy, which prevents public users from contacting the real Web server directly. When public users access the reverse proxy, it contacts the Web server that resides behind the firewall on their behalf.
- Scans Simple Mail Transfer Protocol (SMTP) traffic. SMTP is the Internet standard protocol for transferring electronic mail from one computer to another; it specifies how two mail systems interact and the format of the control messages they exchange.
- Monitors specific HTTP and NNTP traffic for restricted content
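The following is an added example, not code from the course or from any proxy product. It models the behaviour described above and in the opening paragraph: the gateway reads one complete HTTP request rather than individual packets, parses it, applies ordered rules to the parsed message (restricting an entire domain including its subdomains, limiting methods and body size), logs the decision, and only then decides whether to relay it. The blocked-domain list, rule names and sample requests are constructed for illustration; only the Python standard library is used.

```python
"""Message-level filtering in an application gateway (added example)."""
from __future__ import annotations

import logging
from dataclasses import dataclass
from urllib.parse import urlsplit

log = logging.getLogger("app-gateway")

# Constructed policy: restricted domains (and all their subdomains),
# permitted methods, and an upper bound on request bodies.
BLOCKED_DOMAINS = {"example-ads.test", "malware.test"}
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
MAX_BODY_BYTES = 1_000_000


@dataclass
class Request:
    method: str
    target: str
    host: str
    headers: dict
    body: bytes


def parse_request(raw: bytes) -> Request:
    """Parse one complete HTTP/1.x request message.

    Anything malformed raises ValueError: the gateway fails closed rather
    than relaying bytes it cannot interpret.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: end of headers not seen")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        raise ValueError("malformed request line")
    method, target = parts[0].decode("ascii"), parts[1].decode("ascii")
    headers: dict = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            raise ValueError("malformed header line")
        headers[name.decode("ascii").strip().lower()] = value.decode("latin-1").strip()
    # A proxy request carries an absolute URL; otherwise fall back to Host.
    host = urlsplit(target).hostname or headers.get("host", "").split(":")[0]
    if not host:
        raise ValueError("no destination host")
    # The body actually received must match the declared Content-Length;
    # a mismatch is how split or smuggled requests slip past message filters.
    declared = int(headers.get("content-length", str(len(body))))
    if declared != len(body):
        raise ValueError("body length does not match Content-Length")
    return Request(method, target, host.lower(), headers, body)


def domain_blocked(host: str, blocked: set = BLOCKED_DOMAINS) -> bool:
    """True if host or any parent domain is restricted, so a rule for
    example.test also covers cdn.a.example.test."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def evaluate(req: Request) -> tuple[bool, str]:
    """Ordered rules over the parsed message; the first match decides."""
    if req.method not in ALLOWED_METHODS:
        return False, f"method {req.method} not permitted"
    if domain_blocked(req.host):
        return False, f"domain {req.host} is restricted"
    if len(req.body) > MAX_BODY_BYTES:
        return False, "request body exceeds size limit"
    return True, "allowed"


def gateway_decision(raw: bytes) -> tuple[bool, str]:
    """Parse, evaluate and log one request; returns (relay?, reason)."""
    try:
        req = parse_request(raw)
    except ValueError as exc:
        log.warning("DROP malformed request: %s", exc)
        return False, f"malformed: {exc}"
    ok, reason = evaluate(req)
    log.info("%s %s %s host=%s reason=%s",
             "ALLOW" if ok else "DENY", req.method, req.target, req.host, reason)
    return ok, reason


# Constructed sample requests (not captured traffic).
SAMPLE_OK = (b"GET http://www.example.test/index.html HTTP/1.1\r\n"
             b"Host: www.example.test\r\n\r\n")
SAMPLE_BLOCKED = (b"GET http://cdn.example-ads.test/banner.js HTTP/1.1\r\n"
                  b"Host: cdn.example-ads.test\r\n\r\n")
SAMPLE_METHOD = (b"CONNECT mail.example.test:25 HTTP/1.1\r\n"
                 b"Host: mail.example.test\r\n\r\n")
SAMPLE_TRUNCATED = (b"POST http://www.example.test/upload HTTP/1.1\r\n"
                    b"Host: www.example.test\r\nContent-Length: 10\r\n\r\nabc")

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(name)s %(levelname)s %(message)s")
    for sample in (SAMPLE_OK, SAMPLE_BLOCKED, SAMPLE_METHOD, SAMPLE_TRUNCATED):
        gateway_decision(sample)
```

In a real gateway, `gateway_decision` runs at the point where the proxy has read the whole request from the client connection and before it opens its own connection to the destination; note that the parser rejects a request whose body is shorter than its declared length instead of relaying what it has, which is the message-level check a packet filter cannot make.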
One disadvantage of application-level gateways is that the filters for each TCP/IP application must be configured individually. To create secure filters, firewall administrators need extensive knowledge of every application being proxied and of its unique settings. In some cases, a dedicated proxy must be created to proxy a single application.
A proxy array is several proxy servers configured to work as one. Proxy arrays, also known as proxy clusters, provide load balancing. When several reverse proxy servers are used together, the total amount the servers can cache increases. The group also provides fault tolerance in case one of the
Certain proxy arrays can also act as a single unit: depending on how the servers in the array are configured, changing a setting on one changes it on all. Proxy arrays are often used in a reverse proxy environment as well; when an array fronts a reverse proxy solution, public users can reach several Web servers through it simultaneously.
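The following is an added example, not code from the course or from any product, that shows why an array of caching proxies has more total cache than a single server and how it tolerates a member failing. Each URL is assigned to exactly one member by a deterministic hash (the highest-random-weight idea that protocols such as CARP build on; this is a simplified illustration, not the CARP algorithm itself), so members do not duplicate each other's cache, and removing a member only re-homes that member's URLs. The member names and URL list are constructed.

```python
"""Deterministic URL-to-member assignment in a proxy array (added example)."""
import hashlib


def _score(member: str, url: str) -> int:
    """Pseudo-random weight of (member, url); the same on every client."""
    digest = hashlib.sha256(f"{member}|{url}".encode()).digest()
    return int.from_bytes(digest[:8], "big")


def pick_member(url: str, members: list) -> str:
    """Owner of url: the member with the highest weight for it."""
    if not members:
        raise ValueError("proxy array is empty")
    return max(members, key=lambda m: _score(m, url))


def partition(urls: list, members: list) -> dict:
    """Which URLs each member caches; no URL appears under two members."""
    shares = {m: [] for m in members}
    for url in urls:
        shares[pick_member(url, members)].append(url)
    return shares


def moved_after_failure(urls: list, members: list, failed: str) -> list:
    """URLs whose owner changes when `failed` leaves the array.

    With highest-weight selection these are exactly the failed member's own
    URLs; everything the survivors already cache stays where it is.
    """
    survivors = [m for m in members if m != failed]
    return [u for u in urls if pick_member(u, members) != pick_member(u, survivors)]


# Constructed array and workload.
ARRAY = ["proxy-a", "proxy-b", "proxy-c"]
SAMPLE_URLS = [f"http://www.example.test/page{i}.html" for i in range(30)]

if __name__ == "__main__":
    for member, urls in partition(SAMPLE_URLS, ARRAY).items():
        print(f"{member}: caches {len(urls)} of {len(SAMPLE_URLS)} URLs")
    moved = moved_after_failure(SAMPLE_URLS, ARRAY, "proxy-b")
    print(f"if proxy-b fails, {len(moved)} URLs move to the survivors")
```

Because every client (or every member forwarding a request) computes the same owner from the URL alone, no shared state is needed to keep the cache partitioned, and a member's outage costs only the cache misses for its own share.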
Commercial proxy servers are normally compatible with all current Internet applications. When a new application appears, however, you may need to obtain an update from the proxy vendor before the proxy can handle it. If your proxy servers scan for viruses, make sure they always use the most recent virus definitions.
Hypertext Transfer Protocol (HTTP): The TCP/IP application protocol a browser uses to request and retrieve Web pages from a server.
Network News Transfer Protocol (NNTP): A TCP/IP application protocol for one-to-many communication: a message is posted to a single location, and any number of users can contact the NNTP server to retrieve it.