Chapter 1 – Product Description, Features, and Overview
Multi-Tech Systems, Inc. RouteFinderVPN RF760/660/600VPN User Guide (PN S000323D)
18
The great advantage of a network layer firewall is its independence of both the operating system and the
applications running on the machine.
In more complex network layer firewall implementations, the packet filtering process includes the interpretation of
the packet payload. The status of every current connection is analyzed and recorded. This process is called stateful
inspection.
The packet filter records the state of every connection and lets only those packets pass that meet the current
connection criteria. This is especially useful for establishing connections from a protected network to an unprotected
network.
If a system inside the protected network establishes a connection to a host on the unprotected network, the Stateful Inspection Packet Filter lets that host’s
answer packets pass back into the protected network. Once the original connection is closed, no system from the
unprotected network can send packets into the protected network any longer – unless you explicitly allow it.
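The behaviour described above, as an added simulation that is not code from the RouteFinder guide or the product: a packet filter that records every connection opened from the protected network, admits only reply packets that match a recorded connection, and drops unsolicited inbound packets unless a rule explicitly allows them. The protected range 10.10.10.0/24, the packet fields and the sample trace are assumptions constructed for the example.

```python
"""Stateful inspection packet filter (constructed simulation, not product code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: the protected LAN behind the firewall; all other addresses are unprotected.
PROTECTED = ip_network("10.10.10.0/24")


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    fin: bool = False  # True when this packet closes the connection


class StatefulFilter:
    """Tracks connections initiated from the protected network and admits
    only answer packets that belong to one of them."""

    def __init__(self, explicit_allow=()):
        # Recorded connections: (proto, inside_ip, inside_port, outside_ip, outside_port)
        self.connections = set()
        # Inbound services you explicitly allow: (proto, inside_ip, inside_port)
        self.explicit_allow = set(explicit_allow)

    def filter(self, pkt: Packet) -> str:
        """Return 'ALLOW' or 'DROP' for pkt and update the connection table."""
        src_inside = ip_address(pkt.src) in PROTECTED
        dst_inside = ip_address(pkt.dst) in PROTECTED
        if src_inside and not dst_inside:
            # Outbound: record (or, on close, forget) the connection so the
            # answer can be matched against it.
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.fin:
                self.connections.discard(key)
            else:
                self.connections.add(key)
            return "ALLOW"
        if dst_inside and not src_inside:
            # Inbound: only answers to a recorded connection pass, plus
            # services that were explicitly opened.
            key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key in self.connections:
                if pkt.fin:
                    self.connections.discard(key)
                return "ALLOW"
            if (pkt.proto, pkt.dst, pkt.dport) in self.explicit_allow:
                return "ALLOW"
            return "DROP"
        raise ValueError("packet does not cross the protected/unprotected boundary")


def demo():
    """Constructed trace: open a connection from inside, receive the answer,
    reject an unsolicited packet, close, and reject a late packet."""
    fw = StatefulFilter()
    trace = [
        Packet("tcp", "10.10.10.5", 40000, "1.2.3.4", 80),            # inside host connects out
        Packet("tcp", "1.2.3.4", 80, "10.10.10.5", 40000),            # answer to that connection
        Packet("tcp", "1.2.3.4", 80, "10.10.10.6", 40000),            # no such connection: dropped
        Packet("tcp", "10.10.10.5", 40000, "1.2.3.4", 80, fin=True),  # inside host closes
        Packet("tcp", "1.2.3.4", 80, "10.10.10.5", 40000),            # after close: dropped
    ]
    return [fw.filter(p) for p in trace]


if __name__ == "__main__":
    print(demo())
```

A real stateful filter keeps the entry through the full TCP teardown and ages entries out on a timeout; the simulation forgets the connection on the first FIN to keep the state machine short.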
Well Known Ports are controlled and assigned by the IANA, and on most systems, can only be used by system (or
root) processes or by programs run by privileged users. Ports are used in TCP (RFC793) to name the ends of
logical connections which carry long term conversations; and, typically, these same port assignments are used with
UDP (RFC768). The assigned ports are in the range 0-1023. IETF RFC 1700 provides a list of the well-known port
number assignments. IETF RFCs are available on the Internet from a number of sources.
Application Layer Gateways: Proxies
A second significant type of firewall is the application layer gateway. It is responsible for buffering connections
between exterior systems and your system. Here, the packets aren’t directly passed on, but a sort of translation
takes place, with the gateway acting as an intermediary stop and translator.
The application gateway buffering processes are called proxy servers, or, for short, proxies. Every proxy can offer
further security features for its designed task. Proxies generally offer a wide range of security and protocol options.
Each proxy serves only one or a few application protocols, allowing high-level security and extensive logging and
analysis of the protocol’s usage.
Examples of existing proxies are:
• The SMTP proxy - Responsible for email distribution and virus checking.
• The HTTP proxy - Supporting Java, JavaScript, ActiveX-Filter, and ad banner filtering.
• The SOCKS proxy (the generic circuit-level proxy) - Supporting applications such as FTP clients, ICQ,
IRC, or streaming media.
Application level gateways offer the advantage of physical and logical separation of the protected and unprotected
networks. They make sure that no packet is allowed to flow directly between networks, resulting in higher security.
Protection Mechanisms
Further mechanisms ensure added security. Specifically, the use of private IP addresses in combination with
Network Address Translation (NAT) in the form of:
• Masquerading
• Source NAT (SNAT)
• Destination NAT (DNAT)
These allow a whole network to hide behind one or a few IP addresses, preventing the identification of your network
topology from the outside.
With these protection mechanisms in place, Internet connectivity remains available, but it is no longer possible to
identify individual machines from the outside.
By using Destination NAT (DNAT), it is still possible to place servers within the protected network/DMZ and make
them available for an assigned service.
In the sample graphic above, a user with the IP 5.4.3.2, port 1111 sends a request to the Web server in the DMZ.
Of course, the user knows only the external IP (1.1.1.1, port 80). Using DNAT, the RouteFinder now changes the
external IP address to 10.10.10.99, port 80 and sends the request to the Web server. The Web server then sends
the answer with its IP address (10.10.10.99, port 80) and the user’s IP. The RouteFinder recognizes the packet by
the user address, and it then changes the internal IP (10.10.10.99, port 80) into the external IP address (1.1.1.1,
port 80).
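The DNAT exchange walked through above, together with the masquerading case from the protection-mechanisms list, as an added simulation that is not the RouteFinder’s code: the addresses are the guide’s own (client 5.4.3.2 port 1111, external address 1.1.1.1 port 80, Web server 10.10.10.99 port 80); the masquerading port pool starting at 32768, the inside host 10.10.10.5 and the outside host 198.51.100.7 are constructed assumptions.

```python
"""DNAT and masquerading on a gateway (constructed simulation, not product code)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    def __init__(self, external_ip, dnat_rules):
        self.external_ip = external_ip
        # DNAT table: (external_ip, external_port) -> (internal_ip, internal_port)
        self.dnat = dict(dnat_rules)
        # Masquerading table: external_port -> (internal_ip, internal_port)
        self.masq = {}
        self.next_port = 32768  # assumption: start of the masquerading port pool

    def inbound(self, pkt):
        """Packet arriving from the unprotected side. Returns the translated
        packet, or None when nothing inside is published or expecting it."""
        target = self.dnat.get((pkt.dst, pkt.dport))
        if target:
            # DNAT: the public address/port is rewritten to the DMZ server.
            return replace(pkt, dst=target[0], dport=target[1])
        inside = self.masq.get(pkt.dport)
        if pkt.dst == self.external_ip and inside:
            # Answer to a masqueraded connection: send it to the real host.
            return replace(pkt, dst=inside[0], dport=inside[1])
        return None  # no mapping: the internal topology stays hidden

    def outbound(self, pkt):
        """Packet leaving toward the unprotected side."""
        # Reverse DNAT: the server's answer leaves with the public address, so the
        # user only ever sees 1.1.1.1:80. (A real gateway keys this on the whole
        # recorded connection; matching on the server's address/port is a simplification.)
        for (ext_ip, ext_port), (int_ip, int_port) in self.dnat.items():
            if (pkt.src, pkt.sport) == (int_ip, int_port):
                return replace(pkt, src=ext_ip, sport=ext_port)
        # Masquerading: any other inside host is hidden behind the external IP.
        for port, inside in self.masq.items():
            if inside == (pkt.src, pkt.sport):
                return replace(pkt, src=self.external_ip, sport=port)
        port = self.next_port
        self.next_port += 1
        self.masq[port] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.external_ip, sport=port)


def dnat_walkthrough():
    """The guide's example: user 5.4.3.2:1111 requests 1.1.1.1:80, which is the
    Web server 10.10.10.99:80 in the DMZ; the answer is translated back."""
    rf = NatRouter("1.1.1.1", {("1.1.1.1", 80): ("10.10.10.99", 80)})
    request = Packet("5.4.3.2", 1111, "1.1.1.1", 80)
    to_server = rf.inbound(request)                 # destination becomes 10.10.10.99:80
    reply = Packet("10.10.10.99", 80, "5.4.3.2", 1111)
    to_user = rf.outbound(reply)                    # source becomes 1.1.1.1:80 again
    return to_server, to_user


def masquerade_walkthrough():
    """Constructed: inside host 10.10.10.5 connects out; the outside sees only
    1.1.1.1, and an unsolicited inbound packet finds no mapping."""
    rf = NatRouter("1.1.1.1", {})
    out = rf.outbound(Packet("10.10.10.5", 40000, "198.51.100.7", 443))
    back = rf.inbound(Packet("198.51.100.7", 443, "1.1.1.1", out.sport))
    unsolicited = rf.inbound(Packet("5.4.3.2", 2222, "1.1.1.1", 22))
    return out, back, unsolicited


if __name__ == "__main__":
    print(dnat_walkthrough())
    print(masquerade_walkthrough())
```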