What is the difference between a gateway and a proxy server?
Gateways used to be an easy concept to understand. In the early days of the Internet, the term gateway meant a router. A router marked the point where a network extended beyond the local network. This "gateway" to the unknown was, and still is, used to calculate routes and forward packets to parts of the network beyond the originating one, and as such it was considered the gateway to the Internet. Over time, routers ceased to be magical, and the emergence and maturity of public IP-based WANs drove their growth. Now that routing can also be performed by hosts and switching hubs, gateways are no longer a mystical concept. Routers have become multifunctional network devices that segment LANs, interconnect related LANs into private WANs, and interconnect WANs to form the Internet, and in the process they have lost their original identity as gateways. The term gateway is still used, however, and it continues to be applied to many different functions, so defining a gateway is no longer an easy task.

Currently, there are three main types of gateways:

-Protocol gateway

-Application gateway

-Security gateway

The only generic meaning retained is that of a gateway that acts as an intermediary between two different domains or systems, and the nature of the differences to be overcome determines the type of gateway needed.


I. Protocol Gateways

Protocol gateways typically perform protocol conversion between network regions that use different protocols. This conversion can occur at Layer 2, at Layer 3, or between Layers 2 and 3 of the OSI reference model. Two kinds of protocol gateway, however, provide no conversion at all: security gateways and pipes (tunnels). Security gateways are necessary intermediaries between two network areas that are technically alike but logically different, for example a private WAN and the public Internet. That special case is discussed later in the section "Combined Filtering Gateways"; this section focuses on protocol gateways that perform actual protocol translation.

1. Pipeline (tunnel) gateways

Pipelining, better known as tunneling, is a general technique for carrying data across incompatible network areas. Packets are encapsulated in frames that the transport network can recognize; when they reach their destination, the receiving host strips the encapsulation and discards it, restoring the packets to their original format.

Pipelining can only be used with Layer 3 protocols, from SNA to IPv6. While it has the advantage of overcoming the limitations of a particular network topology, it also has disadvantages. Pipes by their very nature can hide packets that should not be accepted. Simply put, a pipe can carry data through a firewall inside its encapsulation and deliver to the private network area traffic that should have been filtered out, because a filter that inspects only the outer header never sees the encapsulated packet.

2. Private gateways

Many private gateways bridge the gap between traditional mainframe systems and the rapidly evolving distributed processing systems. A typical private gateway connects PC-based clients to a converter at the edge of the LAN, and the converter provides access to the mainframe system over an X.25 network.

These gateways are usually single-function boards that are installed in computers connected to the LAN, which makes them inexpensive and easy to upgrade. In the example above, the single-function gateway replaces the hard-wired terminals and terminal servers of the mainframe era with PCs and LANs.

3. Layer 2 protocol gateways

Layer 2 protocol gateways provide LAN-to-LAN translation, and are often called translation bridges rather than protocol gateways. This translation may be needed to interconnect LANs that use different frame types or clock frequencies.

(1) Frame Format Differences

IEEE 802-compliant LANs share a common media access layer, but their frame structures and media access mechanisms prevent them from interoperating directly.

Translation bridges use the similarities of Layer 2, such as MAC addresses, to translate the differing parts of the frame structure dynamically, making interoperation possible. First-generation LANs required separate devices to act as translation bridges; today's multiprotocol switching hubs typically provide a high-bandwidth backbone that can translate between different frame types. Because this translation now happens behind the scenes, separate translation devices are no longer needed, and multipurpose switching hubs inherently function as Layer 2 protocol translation gateways.

An alternative to a Layer 2-only device such as a translation bridge or multiprotocol switching hub is a Layer 3 device: a router. Routers have long been an important part of the LAN backbone. Routers used to interconnect LANs and WANs usually support standard LAN interfaces, and with proper configuration they can easily translate between frame types. The disadvantage of this solution is that a router must perform a table lookup, which is a software function, whereas the functions of Layer 2 devices such as switches and hubs are implemented in hardware and therefore run faster.

(2) Transmission Rate Differences

Many LAN technologies have increased their transmission rates over time. IEEE 802.3 Ethernet, for example, now has 10 Mbps, 100 Mbps and 1 Gbps versions that share the same frame structure; the main differences lie in the physical layer and the media access mechanism, and of these the transmission rate is the most obvious. Token Ring has also increased its transmission rate, with earlier versions operating at 4 Mbps and the current version at 16 Mbps. 100 Mbps FDDI is a direct descendant of Token Ring and is often used as the backbone of a Token Ring network. LAN technologies that differ only in clock frequency require a mechanism that provides a buffered interface between two otherwise compatible LANs, and today's multiprotocol, high-bandwidth switching hubs provide robust backplanes capable of buffering the rate difference.


Today's multiprotocol switching hubs provide internal rate buffering between different-rate versions of the same LAN technology, and can also provide Layer 2 frame translation between different 802-compatible LANs. Routers can also buffer rate differences, and their advantage over switching hubs is that their memory is scalable. This memory caches incoming and outgoing packets while the router decides whether the appropriate access lists (filters) apply and determines the next hop, and it can also absorb rate differences between different network topologies.

II. Application Gateway

An application gateway is a system that translates data between different data formats in use. A typical application gateway takes input in one format, translates it, and sends it in a new format. The input and output interfaces can be discrete or use the same network connection.

An application can have multiple application gateways. For example, Email can be implemented in multiple formats, and the server that provides Email may need to interact with mail servers in various formats; the only way to accomplish this is to support multiple gateway interfaces.

Application gateways can also be used to connect LAN clients to external data sources, which provide local hosts with connections to remote interactive applications. Placing the application's logic and execution code on the LAN client avoids the drawbacks of low-bandwidth, high-latency WANs, which results in shorter response times for the client. The application gateway sends the request to the appropriate computer, obtains the data, and if needed converts the data format to the format required by the client.

This article is not an exhaustive description of every application gateway configuration; these examples are meant to summarize the main branches of application gateways. Such gateways are often located where network data paths meet, and adequately supporting such an intersection requires a combination of network technologies, including LANs and WANs.

III. Security Gateways

Security gateways are an interesting blend of technologies with important and unique protective roles, ranging from protocol-level filtering to very sophisticated application-level filtering. There are three main types of firewall:

-Packet filtering

-Circuit gateway

-Application gateway

Note: only one of the three is a filter; the other two are gateways. The three mechanisms are often used in combination. Filters are mapping mechanisms that distinguish legitimate packets from spoofed ones. Each has its own capabilities and limitations and should be evaluated carefully against the security requirements.

1. Packet filters

Packet filtering is the most basic form of security mapping. Routing software can grant or refuse permission based on a packet's source address, destination address or port number, so filters on well-known port numbers can block or allow internetwork protocols such as FTP and rlogin. Filters can operate on incoming and/or outgoing data, and because the filtering is implemented at the network layer, a router can provide this security mapping for all applications. Being (in the logical sense) a resident part of the router, this kind of filtering can be used freely on any routable network, but do not mistake it for a panacea: packet filtering has many weaknesses, though it is better than nothing.

Packet filtering is hard to do well, especially when the security requirements are poorly defined and nuanced, and this kind of filtering can also be breached easily. Packet filtering compares each packet's header information against the router's access list and makes a pass/fail decision, and it has several potential weaknesses. First, it relies entirely on the router administrator to write the permission set correctly; a simple spelling error can be fatal, opening holes in the defenses that can be breached without any special technique. Even if the administrator designs the permissions accurately, the logic must be flawless. While designing routes may seem simple, developing and maintaining a long, complex set of permissions is cumbersome: every daily change has to be understood and evaluated against the firewall's permission set, and a newly added server that is not explicitly protected can become a point of breach.

Over time, access permission lookups can slow down a router's forwarding speed. Whenever a router receives a packet, it must identify the next-hop address that the packet needs to go through to reach its destination, which inevitably leads to another CPU-intensive task: checking the access list to see if it is allowed to reach that destination. The longer the access list, the more time this process takes.

The second flaw in packet filtering is that it assumes packet headers are valid and cannot verify the origin of a packet. Header information can easily be tampered with by network-savvy people, and this tampering is often referred to as "spoofing."

The weaknesses of packet filtering make it inadequate to protect your network resources, and it's best used in conjunction with other, more sophisticated filtering mechanisms rather than on its own.
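As an added illustration (not code from the original article), the following Python models a router access list as described in this section, first-match with an implicit final deny, and also demonstrates the tunnel problem from the "Pipeline gateways" section: a filter that inspects only the outer header passes an IP-in-IP packet whose encapsulated packet it would have denied. All addresses, rules and packets are constructed for the example; `Packet`, `Rule` and `evaluate` are hypothetical names, not any real router's API.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                          # "tcp", "udp" or "ipip" (IP-in-IP)
    dport: Optional[int] = None
    inner: Optional["Packet"] = None    # encapsulated packet, for "ipip"

@dataclass
class Rule:
    action: str                         # "permit" or "deny"
    src: str = "0.0.0.0/0"              # default: any source
    dst: str = "0.0.0.0/0"              # default: any destination
    proto: Optional[str] = None         # None: any protocol
    dport: Optional[int] = None         # None: any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))

def evaluate(rules: List[Rule], p: Packet, inspect_inner: bool = False) -> str:
    """First-match evaluation with the implicit final deny of a router ACL.
    With inspect_inner=True the filter also unwraps IP-in-IP and applies the
    same rules to the encapsulated packet, so a tunnel cannot carry past the
    filter what the rules would have denied in the clear."""
    if inspect_inner and p.inner is not None:
        if evaluate(rules, p.inner, True) == "deny":
            return "deny"
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"                       # nothing matched: implicit deny

# Constructed policy for an edge router (documentation address ranges):
# 10.0.0.0/8 is the private LAN, 198.51.100.10 a public web server that is
# also the endpoint of an IP-in-IP tunnel from the partner network 192.0.2.0/24.
RULES = [
    Rule("deny", dst="10.0.0.0/8", proto="tcp", dport=23),          # no telnet into the LAN
    Rule("permit", dst="198.51.100.10/32", proto="tcp", dport=80),  # public web service
    Rule("permit", src="192.0.2.0/24", dst="198.51.100.10/32"),     # partner tunnel traffic
]

# Constructed sample packets.
TELNET_IN = Packet("203.0.113.5", "10.0.0.7", "tcp", 23)
WEB = Packet("203.0.113.5", "198.51.100.10", "tcp", 80)
# A telnet packet to the LAN hidden inside a tunnel from the partner network.
TUNNELED = Packet("192.0.2.9", "198.51.100.10", "ipip",
                  inner=Packet("192.0.2.9", "10.0.0.7", "tcp", 23))
```

`evaluate(RULES, TUNNELED)` permits the tunnelled telnet packet on the strength of the outer header alone; `evaluate(RULES, TUNNELED, inspect_inner=True)` denies it.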

2. Circuit-level gateways

Circuit-level (link-level) gateways are ideal for protecting requests that originate in a private, secure network environment. Such a gateway intercepts TCP requests, and even some UDP requests, and then obtains the requested information on behalf of the originating host. A proxy server, for example, receives requests for information on the World Wide Web and fulfills them on behalf of the originating host. In effect, the gateway acts as a wire connecting the source to the destination, but lets the source avoid the risks of traversing unsecured areas of the network.


Proxying requests in this way simplifies security management at the edge gateway. If access control is done properly, all outgoing data streams are blocked except those from the proxy server. Ideally, this server has a unique address that does not belong to any internally used network segment. This minimizes the amount of information that is inadvertently or subtly exposed to the unsecured area: only the network address of the proxy server is visible externally, not the address of every networked computer in the secured area.

3. Application gateways

Application gateways are the polar opposite of packet filtering. Whereas packet filtering provides generic protection for all data passing through a network-layer packet filtering device, application gateways place highly specialized application software on each host that needs protection, which avoids the pitfalls of packet filtering and achieves robust security for each host.

One example of an application gateway is a virus scanner, a specialized piece of software that has become a staple of desktop computing. It loads into memory at startup and stays resident in the background, continuously monitoring files for infection by known viruses and even for changes to system files. Virus scanners are designed to protect users from the potential damage of a virus before it can occur.

This level of protection could not be achieved at the network layer, which would require examining the contents of each packet, verifying its origin, determining its correct network path, and determining whether its contents are meaningful or deceptive. This process would create an unaffordable overload that would severely impact network performance.

4. Combination Filtering Gateways

Gateways that use a combination filtering scheme provide fairly robust access control through redundant, overlapping filters that can include packet-, link-, and application-level filtering mechanisms. The most common implementation of such a security gateway is one that protects entry and exit points at the edges of private network segments like a sentry post, often referred to as an edge gateway or firewall. This important responsibility usually requires multiple filtering technologies to provide adequate defense. The figure below shows a security gateway consisting of two components: a router and a processor. Combined, they provide protocol, link and application-level protection.

These specialized gateways don't need to provide translation capabilities like other kinds of gateways. As gateways at the edge of the network, their responsibility is to control the flow of data in and out. Obviously, both the intranet and the extranet connected by this type of gateway use the IP protocol, so there is no need to do protocol conversion, and filtering is of paramount importance.

The reason for protecting the intranet from unauthorized access to the outside network is obvious. The reason for controlling access to the outside is less obvious. In some cases, there is a need to filter outbound data. For example, a user's browsing-based value-added service may generate a large amount of WAN traffic that, if left unchecked, could easily affect the network's ability to carry other applications, making it necessary to block all or part of this data.

The primary protocol for networking, IP, is an open protocol designed to enable communication between network segments. This is both its main strength and its greatest weakness. Providing an interconnect for two IP networks creates, in essence, one large IP network, and it is the job of the guards protecting the edge of the network -- the firewalls -- to discriminate between legitimate data and spoofed data.

5. Implementation considerations

Implementing a security gateway is not an easy task, and its success depends on requirements definition, careful design, and flawless implementation. The first task is to establish comprehensive rules that define acceptable compromises based on a deep understanding of security and overhead, and these rules establish the security policy.

Security policies can be loose, strict, or somewhere in between. At one extreme, the baseline commitment of the policy is to allow all data to pass, with a few easily managed exceptions that are explicitly added to the security regime. Such a policy is easy to implement, requires no anticipatory planning, and guarantees only minimal protection, even for amateurs. At the other extreme is the highly restrictive policy that requires every kind of data allowed to pass to be explicitly declared; it demands careful and deliberate design and is expensive to maintain, but it has intangible value to network security. From a security policy perspective, this is the only acceptable solution. Between these two extremes lie many options that trade off ease of implementation, usage, and maintenance cost, and choosing the right tradeoff requires a careful evaluation of the risks and costs.