Chapter 9: Circuit-Level Gateways


In this chapter, we elaborate on circuit-level gateways in general, and one major implementation of a circuit-level gateway (i.e., SOCKS) in particular. More specifically, we briefly introduce the technology in Section 9.1, elaborate on SOCKS in Section 9.2, and draw some conclusions in Section 9.3. In summary, circuit-level gateways are an interesting technology for building applications that support authenticated firewall traversal. They are particularly useful for applications for which application-level gateways (i.e., proxy servers) are not readily available.

9.1 INTRODUCTION

As already mentioned in Chapter 7, the idea of an application gateway is fundamentally different from a packet filter (i.e., a static or dynamic packet filter). This is equally true for a circuit-level gateway. In essence, a circuit-level gateway is a proxy server for TCP.[1] As illustrated in Figure 9.1, a circuit-level gateway is typically located and running on the firewall of a corporate intranet to relay TCP connections.

Figure 9.1: The placement and use of a circuit-level gateway.

More specifically, the circuit-level gateway does the following three things when a client wants to establish a TCP connection to a destination server:

  1. It receives the TCP connection establishment request that is sent out by the client (because the client is configured that way).

  2. It authenticates and possibly authorizes the client (or the user behind the client).

  3. It establishes a second TCP connection to the destination server on the client's behalf.

After having successfully established the second TCP connection, the circuit-level gateway simply relays data back and forth between the two TCP connections. As such, it does not interfere with the data stream. This differentiates a circuit-level gateway from an application-level gateway or proxy server, which actually understands the application protocol employed by the two endpoints of the connection. What this basically means is that the circuit-level gateway need not understand the application protocol in use. This simplifies the implementation and deployment of circuit-level gateways considerably. The flip side is that such a gateway can enforce policy only on who may connect where, not on what is carried inside the stream.
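The three steps above and the relay that follows them, carried through in code. This is an added example, not the book's text or NEC's implementation: a minimal circuit-level gateway whose wire format follows SOCKS version 5 as specified in RFC 1928, with the username/password sub-negotiation of RFC 1929, details this page does not spell out. The credential table (USERS), the per-user destination ruleset (ALLOWED), and the echo server that stands in for the destination server are constructed for the example; everything runs on loopback.

```python
# Added example (not the book's code): a minimal circuit-level gateway speaking SOCKS
# version 5 (RFC 1928) with username/password sub-negotiation (RFC 1929).
import contextlib
import socket
import struct
import threading

USERS = {b"alice": b"s3cret"}               # constructed credential table
ALLOWED = {(b"alice", "127.0.0.1")}         # constructed ruleset: (user, destination host)

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        if not (chunk := sock.recv(n - len(buf))):
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf

def _relay(src, dst):
    """Copy bytes one way until EOF; the payload is never parsed."""
    with contextlib.suppress(OSError):
        while data := src.recv(4096):
            dst.sendall(data)
    with contextlib.suppress(OSError):
        dst.shutdown(socket.SHUT_WR)                    # propagate EOF to the other leg

def handle_client(client):
    err = lambda rep: client.sendall(b"\x05" + bytes([rep]) + b"\x00\x01" + bytes(6))
    with client, contextlib.suppress(OSError):          # always close; tolerate peer aborts
        # Step 1: the client (configured to use the gateway) connects and offers auth methods.
        ver, nmethods = _recv_exact(client, 2)
        if ver != 5 or 0x02 not in _recv_exact(client, nmethods):
            return client.sendall(b"\x05\xff")          # no acceptable method
        client.sendall(b"\x05\x02")                     # insist on username/password
        # Step 2a: authenticate the user (RFC 1929 sub-negotiation).
        _recv_exact(client, 1)                          # sub-negotiation version
        user = _recv_exact(client, _recv_exact(client, 1)[0])
        pwd = _recv_exact(client, _recv_exact(client, 1)[0])
        if USERS.get(user) != pwd:
            return client.sendall(b"\x01\x01")          # non-zero status: failure
        client.sendall(b"\x01\x00")
        # CONNECT request: VER CMD RSV ATYP DST.ADDR DST.PORT
        _ver, cmd, _rsv, atyp = _recv_exact(client, 4)
        if cmd != 0x01 or atyp not in (0x01, 0x03):
            return err(0x07 if cmd != 0x01 else 0x08)   # unsupported command / address type
        host = (socket.inet_ntoa(_recv_exact(client, 4)) if atyp == 0x01
                else _recv_exact(client, _recv_exact(client, 1)[0]).decode())
        port = struct.unpack("!H", _recv_exact(client, 2))[0]
        # Step 2b: authorize this user for this destination.
        if (user, host) not in ALLOWED:
            return err(0x02)                            # not allowed by ruleset
        # Step 3: open the second TCP connection on the client's behalf.
        try:
            remote = socket.create_connection((host, port), timeout=5)
        except OSError:
            return err(0x05)                            # connection refused
        bnd = remote.getsockname()                      # local end of the second leg
        client.sendall(b"\x05\x00\x00\x01" + socket.inet_aton(bnd[0]) + struct.pack("!H", bnd[1]))
        # Relay both ways; the gateway never interprets the application protocol.
        with remote:
            t = threading.Thread(target=_relay, args=(remote, client), daemon=True)
            t.start()
            _relay(client, remote)
            t.join()

def serve(handler):
    """Listen on an ephemeral loopback port, one thread per connection; return the port."""
    ls = socket.create_server(("127.0.0.1", 0))
    def accept_loop():
        while True:
            threading.Thread(target=handler, args=(ls.accept()[0],), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return ls.getsockname()[1]

def socks5_connect(gw_port, user, pwd, host, port):
    """Client side of the exchange; returns (auth_status, reply_code, socket or None)."""
    s = socket.create_connection(("127.0.0.1", gw_port), timeout=5)
    s.sendall(b"\x05\x01\x02")                          # offer username/password only
    if _recv_exact(s, 2) != b"\x05\x02":
        raise ConnectionError("gateway rejected the authentication method")
    s.sendall(b"\x01" + bytes([len(user)]) + user + bytes([len(pwd)]) + pwd)
    status, rep = _recv_exact(s, 2)[1], None
    if status == 0:                                     # authenticated: request the circuit
        s.sendall(b"\x05\x01\x00\x03" + bytes([len(host)]) + host.encode() + struct.pack("!H", port))
        rep = _recv_exact(s, 10)[1]                     # VER REP RSV ATYP BND.ADDR(4) BND.PORT(2)
    if rep != 0:                                        # refused at step 2a or 2b: no circuit
        s.close()
    return status, rep, s if rep == 0 else None

def demo():
    echo_port, gw_port = serve(lambda c: (_relay(c, c), c.close())), serve(handle_client)
    bad_auth, _, _ = socks5_connect(gw_port, b"alice", b"wrong", "127.0.0.1", echo_port)
    _, denied, _ = socks5_connect(gw_port, b"alice", b"s3cret", "203.0.113.9", 80)
    _, ok, s = socks5_connect(gw_port, b"alice", b"s3cret", "127.0.0.1", echo_port)
    s.sendall(b"GET / HTTP/1.0\r\n\r\n")                # any application data; opaque to the gateway
    echoed = _recv_exact(s, 18)                         # the echo server stands in for the destination
    s.close()
    return bad_auth, denied, ok, echoed
```

Calling demo() runs three exchanges against the gateway: a wrong password is refused at step 2 before any second connection is made, a destination outside the ruleset is refused with SOCKS reply code 0x02, and a permitted destination gets a relayed circuit over which the application bytes pass untouched. The last case makes the trade-off concrete: the gateway decides who may connect where, but since the relay never parses the payload it cannot tell an HTTP request from anything else carried over the same circuit.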

Note that the only difference between a circuit-level gateway and a simple port-forwarding mechanism is that with a circuit-level gateway, the client is aware of the intermediate system, whereas in the case of a simple port-forwarding mechanism, the client need not be aware and may be completely oblivious of the existence of the intermediary. Also, a circuit-level gateway is generic, and any TCP connection can be handled by the same gateway (if enabled in its configuration). Contrary to that, a port-forwarding mechanism is usually specific to a given service, meaning that all qualifying TCP segments are forwarded to a specific port of the destination server.

The most important circuit-level gateway in use today is SOCKS.[2] SOCKS and the SOCKS protocols are currently being marketed by NEC USA, Inc. (e.g., as part of NEC's e-Border product line).

[1]This statement is not completely true, as contemporary circuit-level gateways also are able to handle UDP-based application protocols. This will be explained later in this chapter.

[2]http://www.socks.nec.com




Internet and Intranet Security
ISBN: 1580531660
Year: 2002
Pages: 144
