Corporate.Net
internetRx

Q: We connect to the Internet via a router that performs firewall duties. This setup has been adequate, since the network with Internet access is fairly small and none of the machines on it contain sensitive data. However, we are thinking of expanding our use of the Internet and considering a more sophisticated firewall. I have heard of proxy and address translation firewalls. What is the difference and which am I better off with?

A: In general, three types of firewall are commonly deployed. The first is the one you have at the moment: a packet filter, sometimes termed a screening router. A screening router passes only those packets that survive its screening process, which is determined by an access list defined in the router. The list matches on fields in each packet's headers (source and destination IP address, protocol type, port number), so it can limit which internal IP addresses machines on the outside may contact and let only prespecified protocol types through. Most routers also let you arrange that TCP connections can be opened only from the inside, typically by admitting inbound TCP packets only when they carry the ACK bit that a genuine reply would carry (the "established" keyword in a Cisco access list).

Many early Internet connections were implemented this way. However, this type of security can be breached fairly easily, because the filter is stateless: it judges each packet on its own, with no memory of which connections actually exist. It cannot tell a real reply from a forged packet on which an outsider has simply set the ACK bit, it has no defense against forged source addresses, and any protocol the access list does not explicitly block passes straight through.

Address translation and proxy servers are two different methods for hiding your internal network numbering scheme from those on the outside Internet. True address translation firewalls, typified by the Cisco PIX firewall, rewrite the address portion of the IP header to present a different IP number to the external Internet than the one used by the internal machine involved. This type of firewall keeps a map of internal-to-external addresses, which can be permanently assigned or created as connections are required. With an address translation firewall, external users will never know the real address used by internal machines. Bear in mind, though, that hiding the addresses is not by itself what protects you: the PIX also keeps a table of the connections internal machines have opened and admits an inbound packet only if it belongs to one of them, so a forged packet aimed at a translated address is dropped even where it would have satisfied a screening router's access list.
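To make the difference between the reader's screening router and an address-translating firewall concrete, here is an added example (written for this edit, not code from the column or from Cisco) that models both devices in Python and runs the same traffic through each. The addressing is constructed: 192.168.10.0/24 is the internal network, 203.0.113.0/24 stands in for the firewall's public addresses and 198.51.100.0/24 for hosts on the Internet. The screening router implements the "outbound only, inbound if ACK is set" policy described above; the NAT firewall adds a static mapping, a pool from which mappings are created as connections are required, and a connection table that inbound packets must match.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed example addressing (not from the column): 192.168.10.0/24 is the
# internal network; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges
# standing in for the firewall's public side and for hosts on the Internet.
INSIDE = ip_network("192.168.10.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

    def from_inside(self) -> bool:
        return ip_address(self.src) in INSIDE


def screening_router(pkt: Packet) -> bool:
    """Stateless access list of the kind the reader already has.

    permit tcp inside -> any              (outbound connections)
    permit tcp any -> inside established  (ACK bit set, assumed to be a reply)
    deny   everything else

    The router remembers nothing about connections, so "established" is only
    a test of a flag the sender chose to set.
    """
    if pkt.from_inside():
        return True
    return pkt.ack


class NatFirewall:
    """Address-translating firewall with a connection table.

    `static` holds permanent inside->outside address mappings; `pool` lists
    outside addresses handed to other inside hosts when they first connect.
    An inbound packet is forwarded only if it reverses a connection an inside
    host opened, so a forged ACK is dropped whatever its flags say.
    """

    def __init__(self, static: dict, pool: list):
        self.inside_to_outside = dict(static)
        self.outside_to_inside = {o: i for i, o in static.items()}
        self.free_pool = list(pool)
        self.connections = set()   # (outside_src, sport, dst, dport)

    def _outside_address(self, inside: str):
        outside = self.inside_to_outside.get(inside)
        if outside is None and self.free_pool:
            outside = self.free_pool.pop(0)            # mapping created as required
            self.inside_to_outside[inside] = outside
            self.outside_to_inside[outside] = inside
        return outside                                  # None once the pool is empty

    def process(self, pkt: Packet):
        """Return the packet as forwarded (address rewritten) or None if dropped."""
        if pkt.from_inside():
            outside = self._outside_address(pkt.src)
            if outside is None:
                return None
            if pkt.syn and not pkt.ack:                 # new outbound connection
                self.connections.add((outside, pkt.sport, pkt.dst, pkt.dport))
            return replace(pkt, src=outside)
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) not in self.connections:
            return None
        return replace(pkt, dst=self.outside_to_inside[pkt.dst])


def demo() -> dict:
    """Run the same traffic through both devices and collect the verdicts."""
    fw = NatFirewall(static={"192.168.10.5": "203.0.113.5"},
                     pool=["203.0.113.20", "203.0.113.21"])
    outbound = Packet("192.168.10.20", 40000, "198.51.100.80", 80, syn=True)
    # The server's reply as the screening router sees it (no translation) and
    # as the NAT firewall sees it (addressed to the translated address).
    reply_direct = Packet("198.51.100.80", 80, "192.168.10.20", 40000, syn=True, ack=True)
    reply_nat = Packet("198.51.100.80", 80, "203.0.113.20", 40000, syn=True, ack=True)
    # Forged "established" probe at the NetBIOS port of an inside host, the
    # sort of packet an ACK scan sends to map hosts behind a stateless filter.
    probe_direct = Packet("198.51.100.9", 4444, "192.168.10.20", 139, ack=True)
    probe_nat = Packet("198.51.100.9", 4444, "203.0.113.20", 139, ack=True)
    unsolicited_syn = Packet("198.51.100.9", 4444, "192.168.10.20", 23, syn=True)

    nat_out = fw.process(outbound)
    nat_reply = fw.process(reply_nat)
    return {
        "router_allows_outbound": screening_router(outbound),
        "router_allows_reply": screening_router(reply_direct),
        "router_blocks_syn": not screening_router(unsolicited_syn),
        "router_allows_forged_ack": screening_router(probe_direct),   # the weakness
        "nat_outbound_src": nat_out.src if nat_out else None,
        "nat_reply_dst": nat_reply.dst if nat_reply else None,
        "nat_blocks_forged_ack": fw.process(probe_nat) is None,
        "nat_static_src": fw.process(replace(outbound, src="192.168.10.5")).src,
        "nat_pool_exhausted": fw.process(replace(outbound, src="192.168.10.21")) is not None
                              and fw.process(replace(outbound, src="192.168.10.22")) is None,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The one line to look at is `router_allows_forged_ack`: the stateless router passes the probe because the attacker set the ACK bit, while the NAT firewall drops it because no inside host opened a matching connection. The last entry shows the other operational edge: once the dynamic pool is empty, a new inside host cannot be translated at all, which is why a translation firewall's pool has to be sized for the number of concurrent inside hosts.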

Proxy servers achieve the same result by a different method. A proxy server (typically a Unix machine with one interface on each network) runs two instances of the application daemon for each service you want to pass, such as telnet, HTTP and FTP: one copy is used by the internal machines and one copy by external machines, and the firewall's proxy processes pass data between the two. The internal machine's connection ends at the proxy, and the proxy opens a separate connection of its own to the outside, so the external machine only ever sees the proxy's address. Because the proxy understands the application protocol, it can also apply per-application rules that a packet filter cannot.

An address translation firewall normally requires that it be the default router for your internal network. This is typically done by having the firewall advertise a default route (0.0.0.0/0). The effect is that any machine on the internal network that has to send a packet to a network number it does not explicitly know a route to sends the packet to the firewall for delivery. This is fine for all network numbers out on the external Internet. However, this setup can cause problems during network fault conditions.

Let's say a link on your internal network fails and the routing protocol withdraws the route across it. A machine using that link no longer has a route to the machines on the other side of the failed link and, following the default, sends all of that traffic to the firewall, which duly tries to forward it to the Internet. This activity can saturate the Internet connection and take it out of service as well.
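The failure mode above is a plain consequence of longest-prefix matching, and it has a standard fix that the column does not spell out: a discard route covering your whole internal address range, more specific than the default but less specific than any real internal route. The following added example (mine, not from the column) models a forwarding table in Python and shows the traffic falling through to the firewall once the internal route is withdrawn, then the same failure with the discard route in place. The addresses are constructed: the firewall is 192.168.1.1 on the LAN, a core router at 192.168.1.2 leads to a second site on 192.168.2.0/24, and 198.51.100.7 stands in for an Internet host.

```python
from ipaddress import ip_address, ip_network

# Constructed example (not from the column): the firewall is 192.168.1.1 on the
# LAN; a core router at 192.168.1.2 leads to a second site on 192.168.2.0/24.
FIREWALL = "192.168.1.1"
CORE_ROUTER = "192.168.1.2"


class RoutingTable:
    """Forwarding table with longest-prefix match, as a host or router uses it."""

    def __init__(self):
        self.routes = {}            # ip_network -> next hop, "connected" or "discard"

    def add(self, prefix: str, next_hop: str) -> None:
        self.routes[ip_network(prefix)] = next_hop

    def withdraw(self, prefix: str) -> None:
        """Remove a route, as a dynamic routing protocol does when a link fails."""
        self.routes.pop(ip_network(prefix), None)

    def next_hop(self, destination: str):
        addr = ip_address(destination)
        matches = [net for net in self.routes if addr in net]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda net: net.prefixlen)]


def build_table(with_sink_route: bool) -> RoutingTable:
    table = RoutingTable()
    table.add("192.168.1.0/24", "connected")
    table.add("192.168.2.0/24", CORE_ROUTER)
    table.add("0.0.0.0/0", FIREWALL)              # the default route the firewall advertises
    if with_sink_route:
        # Discard route for the whole internal aggregate: more specific than
        # 0.0.0.0/0, less specific than any real internal route, so it only
        # catches internal destinations whose route has disappeared.
        table.add("192.168.0.0/16", "discard")
    return table


def demo() -> dict:
    """Look up an internal and an Internet destination before and after a link failure."""
    plain = build_table(with_sink_route=False)
    fixed = build_table(with_sink_route=True)
    results = {
        "internal_before_failure": plain.next_hop("192.168.2.10"),
        "internal_before_failure_with_sink": fixed.next_hop("192.168.2.10"),
        "internet_before_failure": plain.next_hop("198.51.100.7"),
    }
    for table in (plain, fixed):
        table.withdraw("192.168.2.0/24")          # the link to the other site fails
    results["internal_after_failure_no_sink"] = plain.next_hop("192.168.2.10")
    results["internal_after_failure_with_sink"] = fixed.next_hop("192.168.2.10")
    results["internet_after_failure_with_sink"] = fixed.next_hop("198.51.100.7")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Without the sink route, traffic for 192.168.2.10 goes to the firewall the moment the /24 is withdrawn; with it, the traffic is discarded locally while Internet-bound traffic still reaches the firewall, and while the link is up the real /24 still wins over the /16. On a Cisco router the equivalent is a static route to the null interface, `ip route 192.168.0.0 255.255.0.0 Null0`.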

A proxy server gets around this problem. Applications that need to use the Internet connection (like Web browsers) usually let you define an address for a proxy machine in their setup for each of the FTP, telnet and HTTP applications. In effect, each application that wants to get to the Internet sends its traffic to the defined proxy server address, and you don't have to advertise a default route on your internal network. The price is that each protocol you want to pass needs its own proxy, so an application with no proxy support cannot use the connection at all, and a proxy server generally handles less traffic than an address translation firewall, because every connection is terminated and re-opened by a process on the proxy rather than having its headers rewritten in passing. Each solution has its place, and your choice is clearly dependent on your specific situation.

Chris Lewis is vice president of international operations at ILX Systems in New York. He can be reached at chrisl@ilx.com.

Updated May 12, 1997
Copyright © 2008  United Business Media LLC  |  Privacy Statement  |  Terms of Service  |  Your California Privacy Rights