In summary, a circuit-level gateway (e.g., a SOCKS server) offers an interesting way to have applications and application protocols securely traverse a firewall. A clear advantage of circuit-level gateways is their generality, meaning that a circuit-level gateway can act as a proxy server for any TCP-based application and application protocol (not just one of them). This generality, however, also has a negative impact on security. For example, a SOCKS server is not able to scan application data for specific commands or executable content (e.g., Java applets or ActiveX controls).
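The following added example (not part of the original text) parses a SOCKS V5 request as laid out in RFC 1928 and applies a circuit-level policy to it. The rule set, function names and sample requests are assumptions constructed for illustration; the point is that the decision rests on command, destination and port only, while the application data is relayed without inspection.

```python
import ipaddress
import struct

CMDS = {1: "CONNECT", 2: "BIND", 3: "UDP ASSOCIATE"}
ADDR_LEN = {1: 4, 4: 16}                    # ATYP 1 = IPv4, ATYP 4 = IPv6
ALLOWED = {("CONNECT", 80), ("CONNECT", 443)}   # hypothetical site policy

# Constructed sample requests: VER, CMD, RSV, ATYP, DST.ADDR, DST.PORT
REQ_WEB = bytes([5, 1, 0, 3, 11]) + b"example.com" + struct.pack("!H", 80)
REQ_TELNET = bytes([5, 1, 0, 1, 192, 0, 2, 10]) + struct.pack("!H", 23)
REQ_UDP = bytes([5, 3, 0, 1, 0, 0, 0, 0]) + struct.pack("!H", 0)


def parse_request(buf: bytes):
    """Parse a SOCKS V5 request into (command, host, port); ValueError if malformed."""
    if len(buf) < 4:
        raise ValueError("truncated header")
    ver, cmd, rsv, atyp = buf[:4]
    if ver != 5 or rsv != 0:
        raise ValueError("not a SOCKS V5 request")
    if cmd not in CMDS:
        raise ValueError("unknown command")
    body = buf[4:]
    if atyp == 3:                           # domain name, one-byte length prefix
        if not body or body[0] == 0:
            raise ValueError("empty domain name")
        alen, body = body[0], body[1:]
    elif atyp in ADDR_LEN:
        alen = ADDR_LEN[atyp]
    else:
        raise ValueError("unknown address type")
    if len(body) != alen + 2:               # address plus two-byte port, nothing else
        raise ValueError("length mismatch")
    raw = body[:alen]
    host = raw.decode("ascii") if atyp == 3 else str(ipaddress.ip_address(raw))
    (port,) = struct.unpack("!H", body[alen:])
    return CMDS[cmd], host, port


def decide(request: bytes, payload: bytes = b"") -> bool:
    """Circuit-level decision. `payload` is what the gateway would relay;
    it is deliberately never examined, which is the limitation described above."""
    try:
        cmd, _host, port = parse_request(request)
    except ValueError:                      # malformed requests are refused
        return False
    return (cmd, port) in ALLOWED
```
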
Circuit-level gateways are particularly useful for applications and application protocols for which application-level gateways (i.e., proxy servers) do not exist or are conceptually hard to design and implement. For example, many application programs (e.g., Web browsers) are distributed in socksified form. Other application programs can be socksified if the client software is available in source code (since it must be recompiled and linked with the SOCKS library). Note that this requirement is quite strong and is not generally met by proprietary and commercially distributed software packages. It is, however, met by an increasingly large number of software packages that are distributed under an open source licensing agreement. These packages can easily be modified and extended to make use of SOCKS.
One application protocol that is particularly hard to deal with (using packet-filtering technologies and application-level gateways) is the Internet Inter-ORB Protocol (IIOP), which is widely used in environments and applications that conform to the Common Object Request Broker Architecture (CORBA). The difficulty stems from the fact that the IIOP makes heavy use of UDP and dynamically assigned port numbers. Against this background, a group of vendors has jointly specified the use of SOCKS V5 to have IIOP communications securely traverse a firewall.[6] This is likely to be something we are going to see deployed in the future.
[6] http://www.socks.nec.com/corba-firewall.pdf