Firewall Technology Continued.
Application Level Gateway (or "proxy gateway")
- Much of the software on the Internet works in a store-and-forward
mode; mailers and USENET news collect input, examine it, and forward it.
Application level gateways are service-specific forwarders or reflectors,
which usually operate in user mode rather than at a protocol level. Generally,
these forwarding services, when running on a firewall, are important
to the security of the whole. The famous sendmail hole that was exploited
by the Morris Internet worm is one example of the kinds of security problems
an application level gateway can present. Other application level gateways
are interactive, such as the FTP and telnet gateways run on the Digital
Equipment Corporation firewalls. In general, the term "application level
gateway" will be used to describe some kind of forwarding service that
runs across a firewall, and is a potential security concern. In general,
crucial application level gateways are run on some kind of bastion host.
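The store-and-forward pattern described above, as an added example that is not part of the original page or of any product it mentions: a toy application-level gateway for an SMTP-like relay that collects each message, examines it against a service-specific policy (address syntax, line-break injection, size, and the no-open-relay rule), and only then forwards it. The domain name, size limit, and sample messages are constructed for the example.

```python
# Added example (not from the original page): a toy store-and-forward
# application-level gateway for an SMTP-like relay. It collects each
# message, examines it at the application layer, and only then forwards
# it. Domain name, limits and sample traffic below are constructed.
import re
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "corp.example"   # assumed domain of the private network
MAX_BODY_BYTES = 512               # constructed size limit for the relay

ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)$")


@dataclass
class Envelope:
    sender: str
    recipient: str
    body: str
    from_outside: bool   # True when received on the Internet-facing side


def examine(env: Envelope) -> tuple:
    """Apply the gateway policy. Returns ("forward", "") or ("reject", reason)."""
    for label, addr in (("sender", env.sender), ("recipient", env.recipient)):
        if "\r" in addr or "\n" in addr:
            return "reject", f"{label} contains line break"
        if not ADDR_RE.match(addr):
            return "reject", f"{label} is not a valid address"
    if len(env.body.encode()) > MAX_BODY_BYTES:
        return "reject", "body exceeds size limit"
    rcpt_domain = ADDR_RE.match(env.recipient).group(1).lower()
    # Mail arriving from outside may only be delivered inward; anything
    # else would turn the gateway into an open relay.
    if env.from_outside and rcpt_domain != INTERNAL_DOMAIN:
        return "reject", "relay from outside to outside refused"
    return "forward", ""


@dataclass
class Gateway:
    delivered: list = field(default_factory=list)   # stands in for the inside mailer
    log: list = field(default_factory=list)          # retained for a post mortem

    def handle(self, env: Envelope) -> str:
        status, reason = examine(env)
        self.log.append((env.sender, env.recipient, status, reason))
        if status == "forward":
            self.delivered.append(env)
        return status


def demo() -> dict:
    """Run constructed sample traffic through the gateway."""
    gw = Gateway()
    messages = [
        Envelope("alice@partner.example", "bob@corp.example", "hello", True),
        Envelope("alice@partner.example", "carol@elsewhere.example", "spam", True),
        Envelope("bob@corp.example", "alice@partner.example", "reply", False),
        Envelope("x@evil.example\r\nRCPT TO:<victim@corp.example>",
                 "bob@corp.example", "", True),
        Envelope("alice@partner.example", "bob@corp.example", "x" * 600, True),
    ]
    results = [gw.handle(m) for m in messages]
    return {"results": results, "delivered": len(gw.delivered), "log": len(gw.log)}


if __name__ == "__main__":
    print(demo())
```

Every decision, including rejections, is written to the gateway's own log before anything is forwarded; that retained record is what the "failure mode" criterion later on this page asks about.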
Hybrid Gateways - Hybrid gateways
are the "something else" category in this list. Examples of such systems
might be hosts connected to the Internet, but accessible only through serial
lines connected to an ethernet terminal server on the private network.
Such gateways might take advantage of multiple protocols, or tunneling
one protocol over another. Routers might maintain and monitor the complete
state of all TCP/IP connections, or somehow examine traffic to try to detect
and prevent an attack. The AT&T corporate firewall[1] is a hybrid gateway
combined with a bastion host. Taking the components described above, we
can accurately describe most of the forms that
firewalls take, and can make some general statements about the kinds
of security problems each approach presents. Assuming that a firewall fulfills
its basic purpose of helping protect the network, it is still important
to examine each type of firewall with respect to:
Damage control - If the firewall
is compromised, to what kinds of threats does it leave the private network
open? If destroyed, to what kinds of threats does it leave the private
network open?
Zones of risk - How large is the
zone of risk during normal operation? A measure of this is the number of
hosts or routers that can be probed from the outside network.
Failure mode - If the firewall
is broken into, how easy is this to detect? If the firewall is
destroyed, how easy is this to detect? In a post mortem, how much information
is retained that can be used to diagnose the attack?
Ease of use - How much of an inconvenience
is the firewall?
Stance - Is the basic design philosophy
of the firewall "That which is not expressly permitted is prohibited" or
is it "That which is not expressly prohibited is permitted?"
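The two stances in the last criterion applied to the same rule list, as an added example that is not part of the original page: a small packet-filter evaluator runs one explicit rule set under a default-deny and a default-permit policy and reports which services end up reachable from the outside. The rules, port numbers, and connection attempts are constructed for the example.

```python
# Added example (not from the original page): the same explicit rule
# list evaluated under both firewall stances. Rules, ports and the
# candidate services are constructed.
from dataclasses import dataclass

DENY, PERMIT = "deny", "permit"


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Conn:
    proto: str
    dport: int


def decide(rules, conn, default):
    """Action of the first matching rule; the stance's default otherwise."""
    for r in rules:
        if r.proto == conn.proto and r.dport == conn.dport:
            return r.action
    return default


def exposed(rules, services, default):
    """Ports reachable from outside under a given stance."""
    return sorted(c.dport for c in services if decide(rules, c, default) == PERMIT)


# Constructed rule list: the administrator wrote rules only for the
# services they thought about.
RULES = [Rule(PERMIT, "tcp", 25), Rule(PERMIT, "tcp", 80), Rule(DENY, "tcp", 23)]

# Constructed services listening on the private network; 2049 and 6000
# were never mentioned in the rule list.
SERVICES = [Conn("tcp", p) for p in (23, 25, 80, 2049, 6000)]


def compare():
    """Reachable ports under 'not expressly permitted is prohibited' vs
    'not expressly prohibited is permitted'."""
    return {DENY: exposed(RULES, SERVICES, DENY),
            PERMIT: exposed(RULES, SERVICES, PERMIT)}


if __name__ == "__main__":
    print(compare())
```

Under the default-deny stance only the two services named in a permit rule are reachable; under the default-permit stance every service nobody wrote a rule for is reachable as well, which is exactly the growth in the zone of risk the earlier criterion measures.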
Summary
With the many decisions that need to be made before a firewall is purchased,
it is important to get consultation from a qualified security professional.
This decision should be made only after a network audit. Friendware Security
Technologies will guide you in the best solution and most secure solution
for your company.
1 800-404-8560