After packet filtering and logging, application gateways function to provide a higher level of security for applications such as telnet, ftp, or SMTP that are not blocked at the firewall. An application gateway is typically located such that all application traffic destined for hosts within the protected subnet must first be sent to the application gateway (in other words, any application traffic that is not directed at the application gateway gets rejected via packet filtering). After performing some action, the application gateway may pass the traffic on to a host or may reject the traffic if it is not authorized. Application gateways are also referred to as "proxy servers."
A site would use application gateways to provide a "guarded gate" through which application traffic must first pass before being permitted access to specific systems. As an example of an application gateway for telnet, a site might advertise only the name of the telnet gateway to outside users and not the names of specific hosts. The protocol for connecting to specific internal hosts would be as follows:
Application gateways, then, have a number of advantages over the default mode of permitting application traffic directly to internal hosts:
A disadvantage of application gateways is that, in the case of client-server protocols such as telnet, two steps are required to connect inbound or outbound. This may prove somewhat tedious for users; however, it is a small price to pay for the increase in security.
Application gateways are used generally for telnet, ftp, and e-mail. [Ran92] uses one application gateway for both telnet and ftp, and another for e-mail. The telnet application works as described in the earlier example; the ftp application includes the capability to deny puts and gets to specific hosts as required. For example, an outside user who has established an ftp session (via the ftp application gateway) to an internal system such as an anonymous ftp server might try to upload files to the server. The application gateway can filter the ftp protocol and deny all puts to the anonymous ftp server; this would ensure that nothing can be uploaded to the server and would provide a higher degree of assurance than relying only on file permissions at the anonymous ftp server being set correctly.
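The put/get filtering described above, as an added example that is not code from this document or from [Ran92]: a small policy engine that inspects FTP control-channel commands before the gateway relays them, denying uploads to the anonymous ftp server. The host name ftp.example.com, the policy class and the session transcript are all constructed for the example.

```python
import logging
from dataclasses import dataclass, field

# FTP control-channel verbs that write to the server ("puts") and that read from it ("gets").
PUT_COMMANDS = {"STOR", "STOU", "APPE"}
GET_COMMANDS = {"RETR"}

@dataclass
class FtpGatewayPolicy:
    """Per-destination rules the gateway applies before relaying a command (hypothetical design)."""
    deny_puts_to: set = field(default_factory=set)   # hosts that must never receive uploads
    deny_gets_to: set = field(default_factory=set)   # hosts that must never serve downloads

    def decide(self, dest_host, command_line):
        """Return ("allow", "") or ("deny", reason) for one control-channel line."""
        stripped = command_line.strip()
        verb = stripped.split(None, 1)[0].upper() if stripped else ""   # verbs are case-insensitive
        if verb in PUT_COMMANDS and dest_host in self.deny_puts_to:
            return "deny", f"{verb} (upload) to {dest_host} is blocked by gateway policy"
        if verb in GET_COMMANDS and dest_host in self.deny_gets_to:
            return "deny", f"{verb} (download) from {dest_host} is blocked by gateway policy"
        return "allow", ""

def filter_session(policy, dest_host, command_lines):
    """Run a control-channel transcript through the policy.

    Returns (forwarded, denied): the commands the gateway would relay to dest_host,
    and (command, reason) pairs it would refuse and log instead of relaying.
    """
    forwarded, denied = [], []
    for line in command_lines:
        verdict, reason = policy.decide(dest_host, line)
        if verdict == "allow":
            forwarded.append(line)
        else:
            denied.append((line, reason))
            logging.warning("ftp-gw: %s", reason)
    return forwarded, denied

# Constructed example: the anonymous ftp server behind the gateway (hypothetical host name).
ANON_FTP = "ftp.example.com"
POLICY = FtpGatewayPolicy(deny_puts_to={ANON_FTP})

# Constructed transcript of an outside user's control-channel commands.
SAMPLE_SESSION = [
    "USER anonymous", "PASS guest@example.org", "CWD /pub",
    "RETR README",        # a get: allowed
    "STOR upload.bin",    # a put: denied
    "stor upload2.bin",   # lowercase verb, still a put: denied
    "APPE notes.txt",     # appending is also a put: denied
    "QUIT",
]

if __name__ == "__main__":
    fwd, den = filter_session(POLICY, ANON_FTP, SAMPLE_SESSION)
    print(f"relayed {len(fwd)} commands, denied {len(den)}")
    for cmd, why in den:
        print(f"  denied {cmd!r}: {why}")
```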
An e-mail application gateway serves to centralize e-mail collection and distribution to internal hosts and users. To outside users, all internal users would have e-mail addresses of the form:
user@emailhost.b.c.d

where emailhost is the name of the e-mail gateway. The gateway would accept mail from outside users and then forward mail along to other internal systems as necessary, using aliases or forward files. Users sending e-mail from internal systems could send it directly from their hosts, or in the case where internal system names are not known outside the protected subnet, the mail would be sent to the application gateway, which could then forward the mail to the destination host.
Application gateways are also ideal locations for services such as anonymous ftp, gopher, and other information distribution servers. Both [GS91] and [Che90] go into more detail on setting up application servers. [Ran92] and [Ran93] discuss location of application servers and filtering rules for directing application traffic to application gateways.