Network Firewalls

Lesson 4: Proxy servers and circuit-level gateways
Objective: Describe proxy servers and configure circuit-level gateways.

Proxy Servers and Circuit-level Gateways

Proxy servers allow you to conceal as much information as possible about your internal configuration while still enabling efficient communication. Proxies such as circuit-level and application gateways create a complete break between your inside systems and external systems. This break allows your firewall system to examine everything before passing it into or out of your internal network.
  • Circuit-level Gateways
    A circuit-level gateway acts as an IP address translator between the Internet and your internal systems. It transfers inbound and outbound network packets, shielding the IP addresses of the internal network from the Internet at the network level.

Let's take a look at the proxy server transmission process by walking through the following steps.

1) The transmission process begins when the internal system sends out a series of packets destined for the Internet.

2) These packets then go to the circuit-level gateway, which checks them against its predetermined set of rules. If the packets do not violate any rules, the circuit-level gateway sends out the same packets on behalf of the internal system.

3) The packets that appear on the Internet originate from the IP address of the circuit-level gateway's external port, which is also the address to which any replies are returned.
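The three steps above, modelled as a small circuit-level gateway. This is an added example, not code from the course: the internal network (10.0.0.0/8), the allowed destination ports and all addresses are constructed assumptions; the gateway relays outbound packets from its own external address and only delivers replies that match a circuit it opened.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed assumptions: the inside network and the gateway's rule set
# (only these destination ports may be relayed on behalf of internal systems).
INTERNAL_NET = ip_network("10.0.0.0/8")
ALLOWED_DST_PORTS = {80, 443}

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class CircuitLevelGateway:
    def __init__(self, external_ip):
        self.external_ip = external_ip   # address of the gateway's external port
        self._next_port = 40000          # next source port used for a new circuit
        self._circuits = {}   # (int_ip, int_port, ext_ip, ext_port) -> gateway port
        self._reverse = {}    # gateway port -> that same key

    def outbound(self, pkt):
        """Steps 1-2: check an internal packet against the rules; step 3: re-send it from the gateway's address."""
        if ip_address(pkt.src_ip) not in INTERNAL_NET:
            return None                  # not from the inside network: no circuit
        if pkt.dst_port not in ALLOWED_DST_PORTS:
            return None                  # violates the predetermined rule set
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        gw_port = self._circuits.get(key)
        if gw_port is None:              # open a new circuit for this flow
            gw_port, self._next_port = self._next_port, self._next_port + 1
            self._circuits[key] = gw_port
            self._reverse[gw_port] = key
        return Packet(self.external_ip, gw_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """A reply to the external port is delivered inside only if it matches an open circuit."""
        key = self._reverse.get(pkt.dst_port)
        if key is None or pkt.dst_ip != self.external_ip:
            return None
        int_ip, int_port, ext_ip, ext_port = key
        if (pkt.src_ip, pkt.src_port) != (ext_ip, ext_port):
            return None                  # unsolicited: no circuit for this sender
        return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port)
```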


Primary Purpose of Circuit Level Gateways

The primary purpose of circuit-level gateways is to provide secure communication between two endpoints by establishing a dedicated circuit or connection between them. This connection is maintained for the duration of the communication session, and all traffic between the endpoints is routed through the circuit-level gateway. Circuit-level gateways operate at the transport layer (Layer 4) of the OSI model and are designed to work with connection-oriented protocols, such as TCP. When a communication session is initiated, the circuit-level gateway creates a new circuit between the two endpoints and performs a handshake process to establish the connection.
Once the connection is established, the circuit-level gateway monitors the traffic flowing through the circuit and applies security policies to filter out any unauthorized or malicious traffic. This can include filtering based on IP address, port number, and other characteristics of the traffic. Circuit-level gateways can provide a high level of security and are often used in environments where secure communication is critical, such as financial transactions, healthcare, and government agencies. However, they can also introduce additional latency and overhead due to the need to establish and maintain the dedicated circuit.
There is also a fourth type of firewall. A dynamic packet filter is a combination of a packet filter and a circuit-level gateway, and it often has application-layer semantics as well.


Network Address Translation

The primary advantage of circuit-level gateways is Network Address Translation (NAT). NAT translates internal IP addresses to addresses registered by the Internet Assigned Numbers Authority (IANA). NAT gives security and network administrators great flexibility when developing an internal address scheme.
  • Principal characteristic of IP addresses
    The primary characteristic of the IP addresses issued by the Internet Assigned Numbers Authority (IANA) is that they are globally unique and used to identify devices on the Internet. IANA is responsible for allocating IP addresses to regional Internet registries (RIRs), which in turn allocate IP addresses to organizations and Internet service providers (ISPs). The IP addresses issued by IANA are divided into five classes, including
    1. Class A,
    2. Class B,
    3. Class C,
    4. Class D, and
    5. Class E.
    Classes A, B, and C are used for standard IP addresses, while Classes D and E are used for special purposes, such as multicast and experimental networks.
    Each IP address issued by IANA consists of two parts: the network identifier and the host identifier. The network identifier identifies the network to which the device belongs, while the host identifier identifies the specific device within that network. IANA also assigns blocks of IP addresses to various organizations and groups, including ISPs, government agencies, and private companies. This helps to ensure that there are enough IP addresses to meet the needs of the growing number of devices and users on the Internet.
    Overall, the primary characteristic of the IP addresses issued by IANA is that they are globally unique and essential for identifying devices on the Internet.

Network addresses from IANA recommended for internal IP addressing:
  • 10.0.0.0 to 10.255.255.255
  • 172.16.0.0 to 172.31.255.255
  • 192.168.0.0 to 192.168.255.255

If one of the listed network ranges is chosen, it is not necessary to register the addresses with any Internet authority. Routers on the Internet are configured to discard any packet whose source or destination address falls within these private network IDs. A machine configured with a private address therefore cannot be reached remotely, because no Internet routes exist to it.
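The three recommended ranges and the discard rule above, as an added example that is not part of the course material: the ranges are converted from their first/last addresses to CIDR prefixes, and a constructed set of (source, destination) pairs is run through the filter an Internet-facing router applies, including the 172.16/12 boundary that is easy to get wrong.

```python
from ipaddress import ip_address, summarize_address_range

# The three ranges exactly as the lesson lists them (first address, last address).
PRIVATE_RANGES_TEXT = [
    ("10.0.0.0", "10.255.255.255"),
    ("172.16.0.0", "172.31.255.255"),
    ("192.168.0.0", "192.168.255.255"),
]

def private_networks():
    """Turn each listed range into CIDR blocks; each of these three collapses to one prefix."""
    nets = []
    for first, last in PRIVATE_RANGES_TEXT:
        nets.extend(summarize_address_range(ip_address(first), ip_address(last)))
    return nets

PRIVATE_NETWORKS = private_networks()

def is_private(addr):
    """True if the address lies in one of the recommended internal ranges."""
    a = ip_address(addr)
    return any(a in net for net in PRIVATE_NETWORKS)

def border_router_filter(packets):
    """Apply the lesson's discard rule to (src, dst) pairs: a packet is dropped
    when either address is private. Returns (forwarded, dropped) lists."""
    forwarded, dropped = [], []
    for src, dst in packets:
        (dropped if is_private(src) or is_private(dst) else forwarded).append((src, dst))
    return forwarded, dropped

# Constructed sample traffic as seen at an Internet-facing router.
SAMPLE = [
    ("203.0.113.10", "198.51.100.7"),    # both public: forward
    ("10.1.2.3", "198.51.100.7"),        # internal source leaked out: drop
    ("198.51.100.7", "172.31.255.255"),  # last address of 172.16/12: drop
    ("198.51.100.7", "172.32.0.1"),      # just past that range: forward
]
```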
