Describe proxy servers and configure circuit-level gateways.
Proxy Servers and Circuit-level Gateways
Proxy servers allow you to conceal as much information as possible about the inner configuration while still enabling efficient communication. Proxies such as circuit and application gateways create a complete break between your inside systems and external systems. This break allows your firewall system to examine everything before passing it into or out of your internal network.
Circuit-level Gateways
A circuit-level gateway acts as an IP address translator between the Internet and your internal systems. It transfers inbound and outbound network packets, shielding the IP addresses of the internal network from the Internet at the network level.
The following series of images walks through the proxy server transmission process step by step.
Primary Purpose of Circuit-level Gateways
The primary purpose of circuit-level gateways is to provide secure communication between two endpoints by establishing a dedicated circuit or connection between them. This connection is maintained for the duration of the communication session, and all traffic between the endpoints is routed through the circuit-level gateway.
Circuit-level gateways operate at the transport layer (Layer 4) of the OSI model and are designed to work with connection-oriented protocols, such as TCP. When a communication session is initiated, the circuit-level gateway creates a new circuit between the two endpoints and performs a handshake process to establish the connection.
Once the connection is established, the circuit-level gateway monitors the traffic flowing through the circuit and applies security policies to filter out any unauthorized or malicious traffic. This can include filtering based on IP address, port number, and other characteristics of the traffic.
Circuit-level gateways can provide a high level of security and are often used in environments where secure communication is critical, such as in financial transactions, healthcare, and government agencies. However, they can also introduce additional latency and overhead due to the need to establish and maintain the dedicated circuit.
There is also a fourth type of firewall. A dynamic packet filter is a combination of a packet filter and a circuit-level gateway, and it often has application layer semantics as well.
Network Address Translation
The primary advantage of circuit-level gateways is Network Address Translation (NAT). NAT translates internal IP addresses to addresses registered with the Internet Assigned Numbers Authority (IANA). NAT allows security and network administrators great flexibility when developing an address scheme internally.
Principal characteristic of IP addresses
The primary characteristic of the IP addresses issued by the Internet Assigned Numbers Authority (IANA) is that they are globally unique and used to identify devices on the Internet. IANA is responsible for allocating IP addresses to regional Internet registries (RIRs), which in turn allocate IP addresses to organizations and Internet service providers (ISPs). The IP addresses issued by IANA are divided into five classes, including
Class A,
Class B,
Class C,
Class D, and
Class E.
Classes A, B, and C are used for standard IP addresses, while Classes D and E are used for special purposes, such as multicast and experimental networks.
Each IP address issued by IANA consists of two parts: the network identifier and the host identifier. The network identifier identifies the network to which the device belongs, while the host identifier identifies the specific device within that network. IANA also assigns blocks of IP addresses to various organizations and groups, including ISPs, government agencies, and private companies. This helps to ensure that there are enough IP addresses to meet the needs of the growing number of devices and users on the Internet.
Overall, the primary characteristic of the IP addresses issued by IANA is that they are globally unique and essential for identifying devices on the Internet.
Network addresses from IANA recommended for internal IP addressing
10.0.0.0 to 10.255.255.255
172.16.0.0 to 172.31.255.255
192.168.0.0 to 192.168.255.255
If one of the listed network addresses is chosen, it is not necessary to register the addresses with any Internet authority.
All routers on the Internet are programmed to automatically discard any packet whose source or destination address falls within the aforementioned private network IDs. A machine configured with one of these private addresses therefore cannot be reached remotely from the Internet, because no route to it exists.
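As an added example that is not part of the course text, the following Python model ties together the circuit-level gateway and NAT sections above: internal hosts on the three recommended private ranges open circuits through the gateway, their addresses and ports are translated to the gateway's public address, and packets arriving from the Internet are delivered only when they match an established circuit. The CircuitGateway class is hypothetical and all addresses are constructed from documentation ranges.

```python
import ipaddress

# The three internal address blocks recommended by the page (RFC 1918 ranges).
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    """True if addr lies in one of the internal-use ranges listed above."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


class CircuitGateway:
    """Hypothetical minimal circuit-level gateway: stateful NAT keyed on circuits."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip          # the only address the Internet ever sees
        self.next_port = first_port         # next free gateway-side port
        self.circuits = {}      # (ext_ip, ext_port, gw_port) -> (int_ip, int_port)
        self.by_internal = {}   # (int_ip, int_port, ext_ip, ext_port) -> gw_port

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Internal host opens (or reuses) a circuit; returns translated tuple or None."""
        if not is_private(src_ip):
            return None  # only hosts on the internal ranges may originate circuits
        key = (src_ip, src_port, dst_ip, dst_port)
        gw_port = self.by_internal.get(key)
        if gw_port is None:              # first packet of a new circuit: allocate a port
            gw_port = self.next_port
            self.next_port += 1
            self.by_internal[key] = gw_port
            self.circuits[(dst_ip, dst_port, gw_port)] = (src_ip, src_port)
        return (self.public_ip, gw_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Packet from the Internet; delivered only if it belongs to an existing circuit."""
        if dst_ip != self.public_ip:
            return None  # not addressed to the gateway at all
        internal = self.circuits.get((src_ip, src_port, dst_port))
        if internal is None:
            return None  # unsolicited inbound traffic: no circuit, so drop it
        return (src_ip, src_port) + internal   # (ext_ip, ext_port, int_ip, int_port)


if __name__ == "__main__":
    gw = CircuitGateway("203.0.113.5")  # constructed public address (TEST-NET-3)
    print(gw.outbound("192.168.1.10", 51000, "198.51.100.7", 443))
    print(gw.inbound("198.51.100.7", 443, "203.0.113.5", 40000))
```

Because return traffic is matched against the circuit table rather than forwarded on address alone, the internal 192.168.1.10 address never appears outside and unsolicited inbound packets are discarded.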