9 Access control

9.6 Circuit level gateways

A circuit level gateway operates at the transport layer of the OSI or internet reference models and, as the name implies, implements circuit level filtering rather than packet level filtering. It checks the validity of connections (i.e. circuits) at the transport layer (typically TCP connections) against a table of allowed connections, before a session can be opened and data exchanged. The rules defining a valid session prescribe, for example, the destination and source addresses and ports, the time of day, the protocol being used, the user and the password. Once a session is allowed, no further checks, for example at the level of individual packets, are performed.

A circuit level gateway acts as a proxy and has the same advantage as an application level gateway in hiding the internal host from the serving host, but it incurs less processing than an application level gateway.

Disadvantages of circuit level gateways include the absence of content filtering and the requirement for software modifications relating to the transport function.

Circuit level gateways can be implemented within application level gateways or as stand-alone systems. Implementation within an application level gateway allows screening to be asymmetric, with a circuit level gateway in one direction and an application level gateway in the other.

SAQ 15

What advantages could arise from the asymmetry of the arrangement just described?

Firewall asymmetry could complement the different levels of risk relating to incoming and outgoing traffic on the protected network. For example, user-friendly outgoing services could be maintained to hosts behind the firewall by allowing circuit level functionality on outbound traffic. This is appropriate where internal users’ requests are relatively trustworthy. By contrast, inbound traffic could be subjected to the full scrutiny of application level content. Application level examination of traffic involves a considerable processing overhead, but this would be performed on incoming traffic only.