Chapter 6 • Infrastructure Security: Devices and Media
While application-layer gateway technology is much more advanced than
packet-filtering technology, it does have its drawbacks. Because every packet
is disassembled completely and then checked against a complex set of rules,
application-layer gateways are much slower than packet filters. In addition,
only a limited set of application rules is predefined, and any application not
included in the predefined list must have custom rules defined and loaded into
the firewall. Finally, application-layer gateways process the packet at the
application layer of the OSI model. By doing so, the application-layer gateway
must then rebuild the packet from the top down and send it back out. This
breaks the concept behind client/server architecture and slows the firewall
down even further.

Client/server architecture is based on the concept of a client system
requesting the services of a server system. This was developed to increase
application performance and cut down on the network traffic created by earlier
file sharing or mainframe architectures. When using an application-layer
gateway, the client/server architecture is broken, as the packets no longer
flow between the client and the server. Instead, they are deconstructed and
reconstructed at the firewall. The client makes a connection to the firewall,
at which point the packet is analyzed; the firewall then creates a connection
to the server on the client's behalf. By doing this, the firewall is acting as
a proxy between the client and the server. The operation of this technology is
illustrated in Figure 6.2.
Figure 6.2 Application-layer Gateway Technology
[Figure: the Client, the Application Layer Gateway and the Server are each
drawn with a full OSI Model stack (Application, Presentation, Session,
Transport, Network, Data Link, Physical); the traffic shown is labelled
"Authorized Packet".]
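
The proxy behaviour described above, as an added example that is not from the book: the gateway terminates the client's connection, parses the request at the application layer, applies its rules, and only then opens its own connection to the server and sends a rebuilt request. HTTP as the application protocol, the rule sets and all function names are assumptions made for illustration.

```python
import socket

ALLOWED_METHODS = {"GET", "HEAD"}       # constructed rule set, not from the book
BLOCKED_PATH_PREFIXES = ("/admin",)     # constructed rule set, not from the book

def inspect(raw: bytes):
    """Disassemble the request and check it against the rules.
    Returns (True, rebuilt_request) or (False, reason)."""
    try:
        head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii")
        request_line, *header_lines = head.split("\r\n")
        method, path, version = request_line.split(" ")
    except (UnicodeDecodeError, ValueError):
        return False, "malformed request"
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        return False, "unsupported version"
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not permitted"
    if path.startswith(BLOCKED_PATH_PREFIXES):
        return False, f"path {path} not permitted"
    host = next((h.split(":", 1)[1].strip() for h in header_lines
                 if h.lower().startswith("host:")), None)
    if host is None:
        return False, "missing Host header"
    # Rebuild from the parsed fields only: unknown headers and anything the
    # gateway did not understand are dropped, never forwarded byte-for-byte.
    return True, f"{method} {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")

def handle_client(client, dial):
    """client: socket accepted from the client (connection 1).
    dial: callable returning a new socket to the server (connection 2)."""
    raw = client.recv(65536)            # one read is enough for this small demo
    ok, result = inspect(raw)
    if not ok:
        client.sendall(f"HTTP/1.0 403 Forbidden\r\n\r\n{result}\n".encode())
        client.close()
        return False                    # the server never sees the request
    with dial() as upstream:            # gateway originates its own connection
        upstream.sendall(result)
        upstream.shutdown(socket.SHUT_WR)
        while chunk := upstream.recv(65536):
            client.sendall(chunk)       # relay the server's reply to the client
    client.close()
    return True
```

In a deployment, `dial` would be something like `lambda: socket.create_connection((server_host, 80))`; the parse-and-rebuild step on every request is the per-packet cost the text attributes to application-layer gateways.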
www.syngress.com