Firewalls primarily function using at least one of three methods: packet filtering, Network Address Translation (NAT), and proxy services. Crystal Enterprise works with each of these firewall types. Packet filtering rejects TCP/IP packets from unauthorized hosts and rejects connection attempts to unauthorized services. NAT translates the IP address of internal hosts to hide them from outside accessNAT is often referred to as "IP masquerading." Proxy services make high-level application connections on behalf of internal hosts to completely break the network layer connection between internal and external hosts. Let's look at these different types in more detail.
Packet filtering inspects and selectively deletes packets before they are delivered to the destination computer. Packet filtering can delete packets based on the following:
Typically, there are two types of packet filtering: stateful and stateless. Stateful packet filters remember the state of connections at the network and session layers by recording the established session information that passes through the filter gateway. The filter then uses that information to discriminate valid return packets from invalid connection attempts. Stateless packet filters do not retain information about connections in use; they make determinations packet-by-packet based only on the information contained within the packet.
NAT converts private IP addresses in a private network to globally unique public IP addresses for use on the Internet. Its main purpose is hiding internal hosts. It makes it appear that all traffic from your site comes from a single IP address. NAT hides internal IP addresses by converting all internal host addresses to the address of the firewall as packets are routed through the firewall. The firewall then retransmits the data payload of the internal host from its own address using a translation table to keep track of which sockets (connections) on the exterior interface equate to which sockets on the interior interface. This is also a simple proxy.
There are several NAT types including the following:
Understanding Proxy Servers
Proxy servers were originally developed to cache Web pages that were frequently accessed. As the Web went supernova the proxies became less effective as caching mechanisms, but another asset of proxy servers became evident: Proxy servers can hide all the real users of a network behind a single machine, and they can filter URLs and drop suspicious or illegal content, or hide the identity of a user. The primary purpose of the majority of proxy servers is now serving as a sort of firewall rather than Web caching.
Proxy servers regenerate high-level service requests on an external network for their clients on a private network. This effectively hides the identity and number of clients on the internal network from examination by an external network user.
Proxies work by listening for service requests from internal clients and then sending those requests on the external network as if the proxy server itself was the originating client. When the proxy server receives a response from the public server, it returns that response to the original client as if it were the originating public server. You can even use the proxy server to load balance similar to the NAT load balancing. As far as the user is concerned, talking to the proxy server is just like talking directly to the real server. As far as the real server is concerned, it's talking to a user on the host that is running the proxy server; it doesn't know that the user is really somewhere else.
The use of proxies does not require any special hardware, but something somewhere has to be certain that the proxy server gets the connection. This might be done on the client end by telling it to connect to the proxy server (Socks), or it might be done by intercepting the connection without the client's knowledge and redirecting it to the proxy server.
Socks is a protocol that a proxy server can use to accept requests from client users in a company's network so that it can forward them across the Internet. Socks uses sockets, a method for communication between a client program and a server program in a network. A socket is an end point in a connection. Sockets are created and used with a set of programming requests or function calls to represent and keep track of individual connections. A proxy must exist for each service. Protocols for which no proxy service is available cannot be connected through a proxy except by a generic TCP proxy service that would work similar to a NAT.