Network Security - Circuit level gateways
Circuit level gateways
A circuit level gateway operates at the transport layer of the OSI or internet reference models and, as the name implies, implements circuit level filtering rather than packet level filtering. It checks the validity of connections (i.e. circuits) at the transport layer (typically TCP connections) against a table of allowed connections, before a session can be opened and data exchanged. The rules defining a valid session prescribe, for example, the destination and source addresses and ports, the time of day, the protocol being used, the user and the password. Once a session is allowed, no further checks, for example at the level of individual packets, are performed.
A circuit level gateway acts as a proxy and has the same advantage as an application level gateway in hiding the internal host from the serving host, but it incurs less processing than an application level gateway.
Disadvantages of circuit level gateways include the absence of content filtering and the requirement for software modifications relating to the transport function.
Circuit level gateways can be implemented within application level gateways or as stand-alone systems. Implementation within an application level gateway allows screening to be asymmetric, with a circuit level gateway in one direction and an application level gateway in the other.
SAQ 15
What advantages could arise from the asymmetry of the arrangement just described?
Examples of firewall implementation
In practice, firewalls are likely to be combinations of the types that I have described. For example, a screened sub-network is commonly incorporated in a firewall scheme, as shown in Figure 17. In this configuration an application level gateway implemented in a bastion host is used in combination with two packet-filtering routers. The screened sub-network that is formed is termed a demilitarised zone (DMZ). Placing servers and dial-in modems that are accessed by external users in a DMZ is a way of separating these higher-risk components from the protected internal network. Both external hosts and hosts within the internal network have access to services provided on the DMZ, but traffic across it is blocked, preventing external users from gaining direct access to the protected internal network.
To end this unit I shall very briefly indicate the way in which the Open University's network is protected by its firewall.
Figure 18 represents the Open University's firewall arrangement, which needs to accommodate the diverse networking needs of many people: for example, students, administrators, academics, whether on site or working from remote sites such as conference venues, home or summer school locations. The Open University has its headquarters at Walton Hall, Milton Keynes. Thirteen regional centres and warehousing facilities each have LANs linked to the Walton Hall LAN to create the Open University's wide area network.
the firewall protecting the Walton Hall / internet interface. The services that students need to access are located within the DMZs. Students typically connect from their homes using dial-up modems or ADSL links to access the internet through their internet service providers, or they gain access from their workplaces. Web browsers are used to access services such as the library, the main web server or student services, and electronic conferencing software is used to access the servers that support the various course conferences.
In general, the firewall allows traffic to and from the DMZs but only traffic that can be identified as being initiated by internal users on the Open University's LANs is permitted to cross the firewall.
An additional feature of the Open University's arrangements allows authorised staff access to appropriate areas of the Walton Hall LAN from external locations. To do this a virtual private network (VPN) provides a logical bypass to the firewall, but access is secured by the use of ‘one-time’ password generators in ‘key fobs’ allocated to authorised users. These generate a frequent supply of different passwords. Before any request for services using the VPN is granted, the user requesting the service must respond with a valid password to a challenge from the VPN security system.
