Breaking Sessions at the Firewall

The filter rules listed in the previous sections do an effective job of limiting the sessions that can be established between the inside network and the outside networks. However, if some types of session are permitted, there is always the possibility of an ingenious hacker misusing them. It is a good practice to break the session at the firewall. For one thing, it means that you can hide the details of internal addresses and names, because the systems on the outside can only see the session as far as the break. Secondly, it means you can create another barrier that the attacker has to surmount, by requiring authentication at the firewall.

One of the more common reasons for breaking sessions at the firewall, or within a DMZ, is not directly a security issue. Often TCP/IP networks inside companies have grown in a haphazard way, meaning that they may not use properly assigned addresses or subnet schemes. When you come to attach such a network to the Internet, you are faced with rebuilding it using valid addresses (which may be further complicated by the fact that the address ranges now available tend to be small, meaning that the network needs not only to be re-addressed, but also re-designed). Breaking sessions at the firewall circumvents these problems, because the only addresses that are exposed are those outside of the firewall and the server addresses in the DMZ.

There are two general techniques for breaking sessions at the firewall:

1. Proxy servers, which are special applications that appear as a server to the client machine and appear as the client to the server.
2. SOCKS, which performs the same function as a proxy, except that it does it at the session layer of the network, instead of the application layer.
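As an added illustration of the proxy-server approach just listed (this is not code from the book), the following minimal Python relay breaks an outside client's session at the firewall: the client must authenticate first, and only then does the proxy open a second, separate TCP session to the inside host, which therefore sees the proxy's socket rather than the client's. The token, the inside echo server and the loopback addresses are all constructed for the demonstration.

```python
import contextlib
import socket
import threading

def _pump(src, dst):
    # Copy one direction until src closes, then half-close dst; each leg is its own TCP session.
    while data := src.recv(4096):
        dst.sendall(data)
    dst.shutdown(socket.SHUT_WR)

def inside_server(listener, seen):
    # Constructed inside host: records the peer port it sees, then echoes; gives up if nobody connects.
    listener.settimeout(2)
    with contextlib.suppress(socket.timeout):
        conn, peer = listener.accept()
        seen.append(peer[1])
        with conn:
            _pump(conn, conn)

def firewall_proxy(listener, target, token, seen):
    # Session break: authenticate first, then open a separate inside session, so the inside host only sees the proxy.
    client, _ = listener.accept()
    with client:
        if client.recv(64) != b"AUTH " + token + b"\n":
            client.sendall(b"DENIED\n")
            return
        client.sendall(b"OK\n")
        with socket.create_connection(target) as upstream:
            seen.append(upstream.getsockname()[1])  # the port the inside host will see
            back = threading.Thread(target=_pump, args=(upstream, client))
            back.start()
            _pump(client, upstream)
            back.join()

def run_demo(token):
    with socket.create_server(("127.0.0.1", 0)) as inside, socket.create_server(("127.0.0.1", 0)) as fw:
        inside_seen, proxy_seen = [], []
        workers = [threading.Thread(target=inside_server, args=(inside, inside_seen)),
                   threading.Thread(target=firewall_proxy, args=(fw, inside.getsockname(), b"s3cret", proxy_seen))]
        for w in workers: w.start()
        with socket.create_connection(fw.getsockname()) as c:
            c.sendall(b"AUTH " + token + b"\n")
            reply, echoed = c.recv(16), b""
            if reply == b"OK\n":
                c.sendall(b"hello inside\n")
                c.shutdown(socket.SHUT_WR)
                echoed = b"".join(iter(lambda: c.recv(4096), b""))
        for w in workers: w.join()
        return {"reply": reply, "echoed": echoed, "inside_saw": inside_seen,
                "proxy_port": proxy_seen[0] if proxy_seen else None}
```

`run_demo(b"s3cret")` shows the inside host recording the proxy's port, while `run_demo(b"wrong")` shows that a rejected client never causes any inside session to be opened at all.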

There are other aspects to this problem, such as relay applications for SMTP mail and Domain Name Service. These are very important security features, but they are outside the scope of this book. We recommend you refer to Building a Firewall with the IBM Internet Connection Secure Network Gateway, SG24-2577, for more complete details.
