Monday, 4 April 2016

How a Proxy Passes Traffic, Stateful inspection, Interfaces & Address Translation

How a Proxy Passes Traffic.

(a)        Unlike its packet-filtering counterparts, a proxy does not route any traffic. In fact, a properly configured proxy will have all routing functionality disabled. As its name implies, the proxy stands in or speaks for each system on each side of the firewall.

(b)       For an analogy, think of two people speaking through a language interpreter. While it is true these two people are carrying on a conversation, they never actually speak to one another.

(c)        All communication passes through the interpreter before being passed on to the other party. The interpreter might have to clean up some of the language used, or filter out comments or statements that might seem hostile. To see how this relates to network communications, refer to the figures.

(d)      Our internal host wishes to request a Web page from the remote server. It formulates the request and transmits the information to the gateway leading to the remote network, which in this case is the proxy server.

(e)        Stateful inspection of an application is unique for each application. Any non-predicted ports used by an application are validated and allowed through the firewall using stateful inspection. The following applications are inspected:

(i)         FTP
(ii)        TFTP
(iii)       RCMD
(iv)       SQLNET
(v)        VDOLive
(vi)       RealAudio

(f)        Connections are not only applied to an ACL, but are logged into a state table.

(g)        After a connection is established, all session data is compared to the state table.

Stateful inspection

(a)        Some protocols are difficult to allow through a firewall securely using traditional filtering mechanisms. In FTP, for example, the control connection is typically created using a known port, but the data connection is over a random port. To allow an FTP data connection through a firewall without leaving a large number of open ports requires stateful inspection: packets are inspected at the application layer to determine which port the data connection is using. Traffic on that port can then be allowed to pass through the firewall for the duration of the FTP session.

(b)        Transport-level state inspection provides a number of ways to make TCP traffic more secure and more difficult for hackers to intercept. Stateful inspection of TCP consists of verifying the consistency of the TCP header as well as preventing some well-known TCP attacks.

(c)        Any non-predicted ports used by an application are validated and allowed through the firewall using stateful inspection. The applications inspected are: FTP, TFTP, RCMD, SQLNET, VDOLive and RealAudio.
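As an added illustration (not code from the original post or from any firewall product), the following Python sketch shows what stateful inspection of FTP amounts to in practice: the firewall keeps the control session in a state table, reads the PORT command or the 227 passive-mode reply to learn the data port, opens a pinhole only for that one negotiated endpoint, refuses malformed or third-party addresses, and tears the pinhole down with the session. Class and function names are assumptions; the sample addresses and FTP lines are constructed.

```python
import re
# Added example of FTP stateful inspection (not from the original post).
# A pinhole is opened only for the endpoint announced on the control channel
# and is removed when that control session closes. Names are assumptions.
HOSTPORT = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

def parse_hostport(text):
    """Decode an FTP h1,h2,h3,h4,p1,p2 tuple into (ip, port); None if malformed."""
    m = HOSTPORT.search(text)
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None                       # refuse to open a pinhole on bad input
    return ".".join(map(str, octets[:4])), octets[4] * 256 + octets[5]

class StateTable:
    def __init__(self):
        self.sessions = set()             # (client, sport, server, 21)
        self.pinholes = {}                # (initiator, target, port) -> control session

    def add_session(self, client, sport, server, dport=21):
        self.sessions.add((client, sport, server, dport))

    def inspect_control(self, client, sport, server, payload):
        """Inspect one control-channel line; return the pinhole opened, or None."""
        control = (client, sport, server, 21)
        if control not in self.sessions:
            return None                   # no established session: ignore the line
        line = payload.strip()
        if line.upper().startswith("PORT "):      # active mode: server dials client
            hp = parse_hostport(line[5:])
            key = (server, hp[0], hp[1]) if hp and hp[0] == client else None
        elif line.startswith("227"):              # passive mode: client dials server
            hp = parse_hostport(line)
            key = (client, hp[0], hp[1]) if hp and hp[0] == server else None
        else:
            return None
        if key:
            self.pinholes[key] = control  # only the announced endpoint is allowed
        return key

    def allowed(self, src, dst, dport):
        """A data connection passes only through an open pinhole."""
        return (src, dst, dport) in self.pinholes

    def close_session(self, client, sport, server):
        control = (client, sport, server, 21)
        self.sessions.discard(control)
        self.pinholes = {k: v for k, v in self.pinholes.items() if v != control}
```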


Interfaces

(a)        The Secure IP Services Gateway can have many interfaces. Each tunnel (end user or branch office) is a virtual interface, and all gateways have two or more physical interfaces. Packets can be classified by the interface on which they arrive (the source interface) or the interface on which they leave (the destination interface).

(b)        The rules in a policy can be constructed to either use or ignore this classification. If the rule designates “Any” as an interface, the rule ignores this classification. If the rule designates an interface or group of interfaces, the rule uses this classification.

(c)        The rules in any policy can use the following terms to designate an interface:

(i)         Any          -   Any physical interface or tunnel.
(ii)        Trusted      -   Any private physical interface or tunnel.
(iii)       Untrusted    -   Any public physical interface.
(iv)       Tunnel       -   Any tunnel.

Address Translation

When an IP address is converted from one value to another, it is called address translation. This feature has been implemented in most firewall products and is typically used when you do not wish to let remote systems know the true IP address of your internal systems.

Destination IP     -   206.121.73.5
Source port        -   1058
Destination port   -   80

Address translation
Source IP          -   192.168.1.50
Destination IP     -   206.121.73.5
Source port        -   1037
Destination port   -   80
