With security at the forefront of IT these days, you hear a lot about firewalls. A firewall acts as a barrier between an internal local area network (LAN) and the “outside world” – the LAN’s connection to the Internet or another internetwork. Another type of intermediary is a proxy server. It’s important for IT professionals to understand the difference between the two.
In this week’s feature article, we will discuss how firewalls and proxies differ, what a firewall does and how it accomplishes its purpose(s), why firewalls are important in our Internet-connected world, and some of the ways firewalls can be implemented.
What’s a Proxy?
First, let’s distinguish between proxy servers and full-fledged firewalls. A proxy is a stand-in; it sits between the internal and external networks and acts as a go-between for communications that are exchanged between the two. The word “proxy” means “one who is authorized to act on behalf of another.” You’ve probably heard of proxy weddings, whereby someone stands in for one of the parties (bride or groom) so a wedding ceremony can legally be performed without both being physically present. Proxy servers are so named because, like the hapless stand-in who says “I do” when it’s really someone else who does, they act as go-betweens to allow something to take place (in this case, network communications) between systems that must remain separate.
Proxy servers provide a measure of security to the internal network. The proxy usually uses Network Address Translation (NAT) to allow all the internal computers to connect to the Internet using only a single public IP address (that of the proxy server itself). The other computers’ internal IP addresses are not visible over the Internet; to outsiders it looks as if the proxy server is the only machine that is there. Proxies can also provide performance enhancement, by caching objects that are retrieved frequently from the ‘Net and making them available locally to the internal network. Just as a web browser’s cache speeds up access to web pages you visit often by storing copies of them on your local disk, a proxy performs the same function for the entire LAN.
What’s a Firewall?
Like the proxy server, a firewall is a “middle man” that sits between the internal and external networks. However, it goes further than the proxy in controlling what goes into and out of the LAN. A product can be both a proxy and a firewall; Microsoft’s ISA Server is a good example of this. While its predecessor, Microsoft Proxy Server, was not considered to be a full-fledged firewall, ISA is.
The job of a firewall is to use filtering to prevent unauthorized data from entering the network and to restrict the data that can be sent out. Just as a physical firewall in a building or vehicle is designed to stop a fire from spreading from one area to another, a network firewall is designed to keep data in or out of a network.
Firewalls can be hardware devices, which are dedicated single-purpose computers that run proprietary software, or they can be software-only packages that are installed on a regular PC on top of an operating system like Windows or UNIX. Hardware firewalls tend to be more expensive (since you’re buying both hardware and software) but also usually offer better performance. Firewalls use NAT or routing software to get data to the appropriate internal computer after checking it to ensure that the filtering rules allow it through.
Firewall Filtering
Firewalls can filter data at different levels (different layers of the OSI networking model). The most common filtering methods are:
- Packet filtering, which works primarily at the network layer
- Circuit filtering, which works at the transport layer
- Application filtering, which works at the application layer
Packet filters examine the information in the IP packet headers of messages and make the decision as to whether the data is allowed in (or out) based on that information. Thus packet filtering allows you to designate specific IP addresses (or host or domain names) that will be specifically blocked or specifically allowed. Filters can also process information at the transport layer (TCP and UDP port numbers). Specific ports can be blocked or left open. Because particular services use specific ports (for example, POP3 incoming email uses port 110), this allows you to prevent specific types of data from entering the network (in this case, incoming POP3 email). There are two types of filtering: static and dynamic. With dynamic filtering, the necessary ports are opened up only when a communication is actually taking place, rather than staying open all the time. As soon as the communication ends, the port is closed. Circuit filtering lets...
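The packet-filtering and dynamic-filtering behaviour described above is easiest to see in code, so here is an added example (written for this edit, not code from the article or from any product it names). It is a toy filter in Python that decodes IPv4 and TCP/UDP headers from raw bytes, applies static address and port rules in both directions (including the article’s “block incoming POP3 on port 110” case), and implements dynamic filtering by opening a return port only while a LAN-initiated flow is active and closing it when the connection ends. It goes slightly beyond the text by also tracking UDP flows. All addresses, ports and rules are constructed for the demonstration.

```python
# Added example (not from the article): a toy packet filter that decodes IPv4 + TCP/UDP
# headers from raw bytes, applies static address/port rules, and does dynamic filtering by
# opening return ports only while a LAN-initiated flow is active. Addresses and rules are
# constructed for the demo (documentation ranges only).
import socket
import struct
from collections import namedtuple
from typing import Optional

TCP, UDP = 6, 17                              # IPv4 protocol numbers
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10   # TCP flag bits

Packet = namedtuple("Packet", "proto src sport dst dport flags")   # flags is 0 for UDP
# Static rule: 'host' is the external party, 'port' the packet's destination port; None = any
Rule = namedtuple("Rule", "action proto host port", defaults=(None, None, None))


def parse_packet(raw: bytes) -> Packet:
    """Decode the IPv4 header and the TCP or UDP header that follows it."""
    ihl = (raw[0] & 0x0F) * 4                       # IPv4 header length in bytes
    proto = raw[9]
    src, dst = socket.inet_ntoa(raw[12:16]), socket.inet_ntoa(raw[16:20])
    l4 = raw[ihl:]
    sport, dport = struct.unpack("!HH", l4[:4])     # first two fields of both TCP and UDP
    flags = l4[13] if proto == TCP else 0           # TCP flags byte; UDP has none
    return Packet(proto, src, sport, dst, dport, flags)


def build_packet(proto, src, sport, dst, dport, flags=0) -> bytes:
    """Constructed test input: minimal IPv4 header plus a TCP or UDP header, no payload."""
    if proto == TCP:   # sport, dport, seq, ack, data offset=5 words, flags, window, checksum, urgent
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    else:              # sport, dport, length, checksum
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + l4


class Firewall:
    def __init__(self, inbound_rules, outbound_rules):
        self.inbound_rules, self.outbound_rules = inbound_rules, outbound_rules
        self.flows = set()   # open LAN-initiated flows: (proto, lan_ip, lan_port, ext_ip, ext_port)

    @staticmethod
    def _static(rules, proto, host, port) -> Optional[str]:
        for r in rules:      # first matching rule wins; None means no static rule applies
            if r.proto in (None, proto) and r.host in (None, host) and r.port in (None, port):
                return r.action
        return None

    def outbound(self, pkt: Packet) -> str:
        """LAN -> Internet: apply egress policy, then record the flow so its replies can come back."""
        verdict = self._static(self.outbound_rules, pkt.proto, pkt.dst, pkt.dport) or "ALLOW"
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if verdict == "ALLOW":
            if pkt.proto == UDP or pkt.flags & SYN:
                self.flows.add(key)              # dynamic filtering: open the return path now
            if pkt.flags & (FIN | RST):
                self.flows.discard(key)          # ...and close it when the connection ends
        return verdict

    def inbound(self, pkt: Packet) -> str:
        """Internet -> LAN: static rules first, then only packets that answer an open flow."""
        verdict = self._static(self.inbound_rules, pkt.proto, pkt.src, pkt.dport)
        if verdict:
            return verdict
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)   # reverse of the outbound key
        if key not in self.flows:
            return "DROP"                        # unsolicited: that port is not open right now
        if pkt.flags & (FIN | RST):
            self.flows.discard(key)              # simplification: real firewalls track full teardown
        return "ALLOW"


def run_demo() -> dict:
    """Runs constructed packets through the filter and returns each verdict by scenario."""
    fw = Firewall(
        inbound_rules=[Rule("DROP", proto=TCP, port=110),     # no incoming POP3 (the article's example)
                       Rule("DROP", host="198.51.100.66")],   # a specifically blocked outside address
        outbound_rules=[Rule("DROP", host="198.51.100.66")],  # ...in both directions
    )
    lan, mail, web, dns = "192.168.1.10", "192.168.1.20", "198.51.100.7", "198.51.100.53"

    def pk(*fields):   # build, then decode, as the filter would see the packet on the wire
        return parse_packet(build_packet(*fields))

    v = {}
    v["pop3_inbound"] = fw.inbound(pk(TCP, web, 51000, mail, 110, SYN))        # static port rule
    v["blocked_host_out"] = fw.outbound(pk(TCP, lan, 40001, "198.51.100.66", 80, SYN))
    v["client_syn"] = fw.outbound(pk(TCP, lan, 40000, web, 443, SYN))          # opens a flow
    v["server_synack"] = fw.inbound(pk(TCP, web, 443, lan, 40000, SYN | ACK))  # answers it
    v["spoofed_reply"] = fw.inbound(pk(TCP, "198.51.100.8", 443, lan, 40000, SYN | ACK))
    fw.outbound(pk(TCP, lan, 40000, web, 443, FIN | ACK))                      # client hangs up
    v["after_close"] = fw.inbound(pk(TCP, web, 443, lan, 40000, ACK))          # port closed again
    v["dns_query"] = fw.outbound(pk(UDP, lan, 53000, dns, 53))                 # UDP flow recorded
    v["dns_reply"] = fw.inbound(pk(UDP, dns, 53, lan, 53000))                  # its answer gets in
    return v
```

Calling run_demo() shows the two halves of the article’s description side by side: the POP3 and blocked-address packets are dropped by static rules regardless of state, while the HTTPS and DNS replies are allowed only because a LAN host opened those flows moments earlier; the same-looking reply from a different outside host, and the packet arriving after the client sent FIN, are both dropped because no matching port is open at that moment. A real stateful firewall also ages out idle entries (the UDP flow here is never removed) and tracks the full TCP teardown rather than closing on the first FIN.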