This chapter contains an overview of current firewall technologies, and gives you a basic insight into Zorp architecture.
In this section we try to give you an overview of current firewall technologies and trends.
Bastion host
A bastion host is a protected, hardened server or workstation that has two connections at the same time: 1) to the protected network, and 2) to the Internet. There is no direct path between the two networks. If a client on the protected network wants to access a service on the Internet, it first has to log in to the bastion host. Bastion hosts are built where the security requirements are exceptional.
Today they are not widespread at all, because installing, using and maintaining them is difficult and demands a lot of expertise.
Packet filtering firewall
Packet filtering firewalls - as their name suggests - filter network traffic at the packet level. This means that the decision about a packet's further processing is made based only on the information available in the packet headers (IP, UDP and TCP headers).
This information is not enough in any environment with more than a low risk level, because the packet payload is never checked.
Stateful packet filtering
Stateful packet filtering was designed to eliminate the disadvantages of simple packet filters. These firewalls try to track associated packets (for example, the packets of one TCP connection) and make decisions based on stream contents in addition to packet headers.
The problem with stateful packet inspection is that the firewall cannot interpret a TCP stream in exactly the same way as the client does, since different clients interpret some parts of the protocol differently.
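To make the difference between the two approaches concrete, here is an added example (not Zorp code) that runs a few constructed packets through a header-only filter and through a filter that tracks connections. The network ranges, addresses and rule tuples are all made up for the example; the point it shows is that a stateless filter which wants to let replies back in has to admit any packet that merely claims the expected source port, while the stateful filter admits only packets that belong to a connection it has already accepted.

```python
"""Stateless vs. stateful packet filtering on constructed packets.

Added example, not Zorp code: packets are plain Python objects holding
only the header fields a packet filter can see, so it runs offline.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """The header fields a packet filter bases its decision on."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False   # TCP SYN flag
    ack: bool = False   # TCP ACK flag; SYN without ACK opens a connection


def _in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)


def stateless_verdict(pkt, rules):
    """Plain packet filter: each packet is judged on its own headers.

    A rule is (src_net, sport, dst_net, dport, verdict); None matches any
    port. The first matching rule wins, and the default is drop.
    """
    for src_net, sport, dst_net, dport, verdict in rules:
        if (_in_net(pkt.src, src_net) and sport in (None, pkt.sport)
                and _in_net(pkt.dst, dst_net) and dport in (None, pkt.dport)):
            return verdict
    return "drop"


INSIDE = "10.0.0.0/8"      # constructed: the protected network
ANY = "0.0.0.0/0"

# To let web replies back in, a stateless filter needs a rule keyed on the
# remote source port, which also admits anything that merely claims sport 80.
STATELESS_RULES = [
    (INSIDE, None, ANY, 80, "accept"),     # inside -> any web server
    (ANY, 80, INSIDE, None, "accept"),     # "replies" from port 80, to any inside port
]

# A stateful filter only needs the rule for opening connections.
STATEFUL_RULES = [
    (INSIDE, None, ANY, 80, "accept"),
]


class StatefulFilter:
    """Tracks connections so that only packets of an accepted flow pass."""

    def __init__(self, rules):
        self.rules = rules
        self.flows = set()   # (proto, src, sport, dst, dport) tuples, both directions

    @staticmethod
    def _key(pkt):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    def verdict(self, pkt):
        if self._key(pkt) in self.flows:          # part of a tracked connection
            return "accept"
        if pkt.syn and not pkt.ack:               # a new connection: consult the rules
            v = stateless_verdict(pkt, self.rules)
            if v == "accept":
                self.flows.add(self._key(pkt))
                self.flows.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return v
        return "drop"                             # mid-stream packet with no known flow


def demo():
    """Run three constructed packets through both filters; returns the verdicts."""
    outbound = Packet("10.1.1.1", 40000, "203.0.113.5", 80, syn=True)
    reply = Packet("203.0.113.5", 80, "10.1.1.1", 40000, syn=True, ack=True)
    forged = Packet("203.0.113.5", 80, "10.1.1.1", 22, syn=True)   # unsolicited, claims sport 80
    stateful = StatefulFilter(STATEFUL_RULES)
    return {
        "stateless": [stateless_verdict(p, STATELESS_RULES) for p in (outbound, reply, forged)],
        "stateful": [stateful.verdict(p) for p in (outbound, reply, forged)],
    }


if __name__ == "__main__":
    print(demo())
```

Note that even the stateful filter above only looks at header fields and connection state; it still knows nothing about what the client and server actually exchange inside the accepted flow, which is the gap the proxy approach below addresses.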
Proxy firewall
Proxy firewalls don't forward packets. They accept a given connection and connect to the server on their own. They read the protocol requests, interpret them, and if a given request is allowed they send it on to the server. The real difference between proxy firewalls and packet filtering is that the two connections (client->proxy, proxy->server) are completely independent of each other, and that the stream contents can be analysed in much greater detail.
It is also much easier to change the stream contents: while an SPF can only insert or remove some bytes in the stream, a proxy firewall can easily change it completely (for instance, convert POP3 requests to IMAP and vice versa).
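The two-connection model described above, as an added example that is not part of Zorp: a stand-in line-based server, a proxy that terminates the client connection and opens its own connection to the server, and a client run, all on the loopback interface. The command allow-list, the made-up "+OK"/"-ERR" server and the choice to refuse DELE are assumptions of the example; what it shows is that the proxy parses each request itself, answers some of them without the server ever seeing them, and is free to rewrite what it does forward.

```python
"""Minimal application-level proxy showing the client->proxy and proxy->server split.

Added example, not Zorp code. Everything runs on 127.0.0.1 with ports chosen
by the OS, so it needs no network access.
"""
import socket
import threading

# Constructed policy: request verbs the proxy is willing to pass on. DELE is absent.
ALLOWED = {b"USER", b"PASS", b"STAT", b"LIST", b"RETR", b"QUIT"}


def recv_line(sock):
    """Read one newline-terminated line from a socket; b"" on EOF."""
    buf = bytearray()
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return bytes(buf)


def fake_server(listener):
    """Stand-in for the real server: greets, then echoes every request as +OK."""
    conn, _ = listener.accept()
    with conn:
        conn.sendall(b"+OK ready\r\n")
        while True:
            line = recv_line(conn)
            if not line:
                break
            conn.sendall(b"+OK " + line.strip() + b"\r\n")
            if line.strip().upper().startswith(b"QUIT"):
                break


def proxy(listener, server_addr):
    """Accept one client, open an independent upstream connection, mediate requests."""
    client, _ = listener.accept()                       # connection 1: client -> proxy
    with client, socket.create_connection(server_addr) as upstream:   # connection 2
        client.sendall(recv_line(upstream))             # relay the server greeting
        while True:
            line = recv_line(client)
            if not line:
                break
            words = line.split()
            cmd = words[0].upper() if words else b""
            if cmd not in ALLOWED:
                # The proxy answers by itself; the server never sees this request.
                client.sendall(b"-ERR command not permitted\r\n")
                continue
            upstream.sendall(line)                      # forward the parsed, allowed request
            client.sendall(recv_line(upstream))         # relay the server's reply
            if cmd == b"QUIT":
                break


def run_demo(requests):
    """Start server and proxy, send the requests as a client, return the replies."""
    srv_l = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv_l.bind(("127.0.0.1", 0))
    srv_l.listen(1)
    prx_l = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    prx_l.bind(("127.0.0.1", 0))
    prx_l.listen(1)
    threads = [threading.Thread(target=fake_server, args=(srv_l,)),
               threading.Thread(target=proxy, args=(prx_l, srv_l.getsockname()))]
    for t in threads:
        t.start()
    replies = []
    with socket.create_connection(prx_l.getsockname()) as c:
        replies.append(recv_line(c))
        for req in requests:
            c.sendall(req)
            replies.append(recv_line(c))
    for t in threads:
        t.join(timeout=5)
    srv_l.close()
    prx_l.close()
    return [r.decode().strip() for r in replies]


if __name__ == "__main__":
    print(run_demo([b"STAT\r\n", b"DELE 1\r\n", b"QUIT\r\n"]))
```

Because the proxy holds two separate sockets, nothing the client sends reaches the server as raw bytes: the rejected DELE never leaves the proxy, and the `upstream.sendall(line)` step is the single place where a rewrite (such as the POP3-to-IMAP translation mentioned above) would be done.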
Modular proxy firewall
A proxy firewall becomes modular when proxies can be connected to each other in any way. This means that if we have a main protocol carrying some subprotocol (think of an SSH connection with a forwarded POP3 stream, an HTTP protocol embedded in SSL, or PPP within telnet), we can attach a proxy to the embedded part.
Making proxies modular allows many protocols to be analysed correctly which could not be before.
For example, many corporate firewalls disallow SSH because of its port forwarding feature: using an SSH tunnel, one can easily subvert corporate policies and open up the whole protected network to an outsider.
This is a disadvantage, but completely disallowing SSH has some serious drawbacks too: we lose the on-wire encryption provided by SSH, which is a must for protocols that send passwords in the clear.
Zorp was built from the ground up to be modular: proxies can be stacked within each other whenever the parent protocol permits some kind of embedded protocol or data. The SSH proxy to be implemented will allow a POP3 proxy to be attached to the tunneled TCP connection. This way you can control which features of SSH are allowed, and although the possibility to create a tunnel through the firewall is closed, the on-wire encryption provided by SSH is kept.