Network Firewalls

Lesson 4: Proxy servers and circuit-level gateways
Objective: Describe proxy servers and configure circuit-level gateways.

Proxy Servers and Circuit-level Gateways

Proxy servers let you conceal as much as possible about the configuration of the internal network while still allowing efficient communication. Proxies such as circuit-level and application gateways create a complete break between your inside systems and external systems. This break allows your firewall system to examine everything before passing it into or out of your internal network.

Circuit-level Gateways

A circuit-level gateway acts as an IP address translator between the Internet and your internal systems. It transfers inbound and outbound network packets, shielding the IP addresses of the internal network from the Internet at the network level.

Proxy Server Transmission Process

Let's walk through the proxy server transmission process step by step.
  1. The transmission process begins when the internal system sends out a series of packets destined for the Internet.
  2. These packets then go to the circuit-level gateway, which checks them against its predetermined set of rules. If the packets do not violate any rules, the circuit-level gateway sends out the same packets on behalf of the internal system.
  3. The packets that appear on the Internet originate from the IP address of the circuit-level gateway's external interface, which is also the address to which any replies are sent.

Circuit-level Gateways

Network address translation

The primary advantage of circuit-level gateways is Network Address Translation (NAT). NAT translates internal IP addresses to addresses registered with the Internet Assigned Numbers Authority (IANA). NAT gives security and network administrators great flexibility when designing the internal address scheme.

Internet Addresses

If one of the listed network addresses is chosen, it is not necessary to register the addresses with any Internet authority. All routers on the Internet are programmed to automatically discard any packet whose source or destination falls within the aforementioned private network IDs. A machine configured with a private address therefore cannot be reached from the Internet, because no route to it exists.
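To tie the three transmission steps above to the NAT and private-address discussion, here is an added simulation (not code from the original lesson) of a circuit-level gateway: it checks each outbound packet against its rules, re-sources permitted packets from its own external address, and maps replies back to the inside host while dropping anything unsolicited. The external address 203.0.113.1, the remote host 203.0.113.50 and the permitted ports are constructed sample values; the private ranges are the RFC 1918 networks, which the lesson refers to but does not list here.

```python
import ipaddress
from dataclasses import dataclass
# RFC 1918 ranges: private addresses that are never routed on the public Internet
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(addr):
    return any(ipaddress.ip_address(addr) in net for net in PRIVATE_NETS)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class CircuitGateway:  # toy circuit-level gateway: rule check, then NAT to its external address
    def __init__(self, external_ip, allowed_dports):
        self.external_ip = external_ip
        self.allowed_dports = set(allowed_dports)
        self.next_port = 40000
        self.circuits = {}   # external port -> (inside src, sport, remote dst, dport)
        self.by_inside = {}  # (inside src, sport, remote dst, dport) -> external port

    def outbound(self, pkt):
        # Rule 1: only hosts on the private internal network may use the gateway
        if not is_private(pkt.src):
            return None
        # Rule 2: a private destination has no route on the Internet, so drop it
        if is_private(pkt.dst):
            return None
        # Rule 3: the destination service must be on the permitted list
        if pkt.dport not in self.allowed_dports:
            return None
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.by_inside:  # open a new circuit on a fresh external port
            self.by_inside[key] = self.next_port
            self.circuits[self.next_port] = key
            self.next_port += 1
        # On the Internet the packet carries the gateway's address, not the inside host's
        return Packet(self.external_ip, self.by_inside[key], pkt.dst, pkt.dport)

    def inbound(self, pkt):
        # A reply is accepted only on a circuit this gateway opened, and only from that peer
        circuit = self.circuits.get(pkt.dport)
        if pkt.dst != self.external_ip or circuit is None:
            return None
        src, sport, dst, dport = circuit
        if (pkt.src, pkt.sport) != (dst, dport):
            return None
        return Packet(pkt.src, pkt.sport, src, sport)  # translated back to the inside host
```

A real gateway would also age out idle circuits and log the dropped packets, which is where unsolicited inbound traffic aimed at the external address becomes visible to the defender.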