9 Access control

9.5 Application level gateways

An application level gateway is implemented through a proxy server, which acts as an intermediary between a client and a server. A client application from within the protected network may request services originating from less secure networks such as the internet. After the client's authentication has been confirmed, the requests for services are relayed onwards by the proxy server, provided that they are allowed by the security policies in force. All subsequent data exchanges in relation to the service request are handled by the proxy server.

An application level gateway relays requests for services at the application level. Policy decisions to block or permit traffic are based on features identified in the application. For instance, electronic mail will be associated with a variety of mail applications and an application level gateway will act on criteria such as the message size, header fields or likely content, as indicated by key words. Application level gateways typically provide proxy services for email, Telnet and the World Wide Web.

Normally, each supported service is rigorously defined so that any undefined services are not available to users. Each internal host allowed to use or provide the specified services must also be defined. The term ‘application level gateway’ is appropriate because, from the view of both the clients within the protected network and the remote servers, the proxy server is seen as the end user. The originating client and the remote server are hidden from each other.

Because an application level gateway is exposed to greater risk than the hosts it protects, the proxy server normally takes the form of a specially secured host, referred to as a bastion host. This is specifically designed to be more resistant to attacks than other hosts on the protected network. For instance, a bastion host will run a secure version of the operating system, and may allow only essential services to be installed with a restricted set of Telnet, DNS, FTP and SMTP protocols. (DNS is the domain name system used on the internet to convert between the names of devices and their IP addresses. FTP is file transfer protocol, an application protocol in the TCP/IP family used, for example, to connect file servers.) In addition, a strong user authentication process is employed along with audit facilities that record any attempts to intrude.

Code specifically designed to enhance regular checking for software bugs is used, and each proxy service is designed to operate independently of others so that installation or removal of a service can be undertaken without affecting other services. Viruses and worms may also be screened.

Access to memory drives on the gateway is severely restricted to minimise threats from Trojans, and user log-on is not allowed. Other threats that could be countered using this type of firewall include those arising from importing macros (a software macro defines how a sequence of operations can be condensed into a single command), or inbound packets that include executable files (containing EXE or COM extensions), because of the possibility of introducing virus and worm files into a network.

SAQ 14

What do you think could be the disadvantages of the application level gateway approach compared with the packet-filtering approach?

An application level gateway is more demanding in terms of the necessary hardware and software because of the burden of acting as a proxy. It is therefore likely to be more expensive than packet filtering and also to incur longer processing delays. The enforcement of strict policies may also be seen as restricting the options of users behind the firewall or of legitimate ones outside. This type of firewall is less user-friendly and less transparent than a packet-filtering firewall.