Different Kinds of Access Control
One of the key jobs of a network administrator is to make sure that only the proper people have access to data on the network. This is known as access control. There are several different devices which you can use to keep outsiders away from your data. Some of these are routers, firewalls, and proxies. Each acts in a different manner to restrict access to information. The following sections detail some of the more common methods used to enforce policy.
Routers are devices that forward traffic from one network to another based on forwarding tables. The first line of defense on routers is the forwarding table. If there is no route to forward the packet to, it is dropped.
Additionally, access control lists add policy filters to traffic. You can forward or drop packets based on such attributes as IP protocol, protocol options, source and destination address, and source and destination port. The router is also the logical place to block spoofed packets.
Although most router access control lists are not as flexible as firewalls, they are quite effective in limiting the types of traffic that reach your network. Almost all routers also do packet filtering, so there is no additional cost to be incurred.
The downside to packet filtering is that the access control looks only at the IP header, not at the payload. Therefore, protocols such as RPC and FTP cannot be easily accommodated by packet filtering.
Many protocols that your userbase might require cannot be firewalled. Multimedia protocols, such as the Real-Time Streaming Protocol or streaming QuickTime, use UDP and cannot normally be associated with a traceable session.
The answer is to use a proxy. A proxy is a software program or device that takes internal client requests, and forwards them to the server on behalf of the client. All communication is between the server on the Internet and the proxy, the client never actually communicates with the Internet connected server.
The most popular proxy of this type is SOCKS5, now under the development of NEC. The downside to using a proxy such as SOCKS5 is that individual software packages must be manually configured to use it, and might require additional client libraries.
Application Gateways are firewalls that proxy specific protocols, such as HTTP, FTP, RealMedia, email, and so on, on behalf of the client workstation.
The advantage of Application Gateways is that they are transparent to the user configurable clients. The downside is that there are a limited number of application proxies provided with the software. If there isn't an application proxy available for the service you require, you will need to seek a different solution.
Stateful inspection is a combination of packet screening and application gateways. Invented by Checkpoint Systems, most firewalls today use a form of stateful inspection.
Stateful inspection looks at the packet headers to create a state table to track sessions. For protocols that need additional information from the payload, such as FTP, those packets are examined to determine the reply traffic patterns.
Stateful inspection firewalls are faster than pure application gateway firewalls, because they don't have to examine every payload of every packet. Additionally they are more flexible because you can define services and state conditions to expand the existing rulebase.