Firewall/proxyserver



Hey, you there: a forum is here for people to ask the members of the community questions which they do not understand. In future I think you should respect people's questions.

But sorry, I don't know the answer...

Edited by rAz dA FAz

Short version:

Firewall = A layer between you and the internet that monitors incoming and outgoing traffic, with the intention of blocking unauthorized access, either in or out. All transactions are still done directly between you and the remote PC so you still give up your IP. A firewall is almost a necessity now for single machines as well as networks.

Proxy = A layer between you and the internet that acts as an intermediary of sorts by relaying your request to the remote PC for you. Some proxies have firewalls to protect their users, caches for common web pages to speed up access, and privacy features such as header blocking. Most people will never use a proxy unless using some sort of internet sharing, or needing to get by a restrictive gateway.


edit "when i started to write this post, the post above it was not there :) , i broke my right arm btw ;)"

A proxy server simply diverts network traffic (TCP/IP) from one computer to another, therefore allowing many computers to access the internet via one computer, the "proxy server", which is connected to the internet. Proxy servers can allow HTTP only or a range of services, or NAT (native application transfer), which allows any application seeking the internet to pass through the proxy server as internet traffic on the LAN/WAN.

A firewall controls which ports of TCP/IP data are allowed to travel through and in which direction. This can be done in many ways: it can be an integral part of a proxy server to block ports known trojans use, and it can also run on a client machine to disallow and allow specific programs to a) access the internet and b) be accessed from the internet.


All transactions are still done directly between you and the remote PC so you still give up your IP. A firewall is almost a necessity now for single machines as well as networks.

You provided a pretty good explanation but the statement above is not exactly true. Most firewalls will present their IP address to the Internet, not the IP address of the individual machines it is protecting. This is called Network Address Translation (NAT). Sure, firewalls can be configured to not do NAT, but unless you have three or four real public IP addresses (which is not your case if you have a home-based cable or DSL network) you will be using NAT, as your firewall needs to double as a router/gateway. Even if you have several real IPs, chances are you will do NAT anyway, and use a private IP space behind the firewall. It is a security measure. The public address of your machine is only routable through the translation layer at your firewall, where unwanted/insecure traffic can be blocked.

A firewall (like a router) will typically have two IP addresses it responds to: One on the external network and one on the Internal. The external address is the address that gets presented to websites etc... whenever a request for a webpage is made from behind the firewall (regardless of the machine that made it). And people wanting to talk to your network will make requests using (one of) the firewall's IP address. The firewall then decides based on its rules whether to allow the connections.

Proxy servers, in contrast, are only useful for outbound traffic. A proxy server typically will not monitor incoming traffic.


Very true, PeterHammer, and I should add to your post and clarify on mine that most hardware firewalls don't do outbound protection, just usually NAT and incoming protection. So a hardware firewall, while usually more secure from the outside than software firewalls, will generally still leave your computer wide open if you were to download a trojan or allow something stupidly insecure to be run on your PC.


Good point.

In my opinion the best security option for your LAN is a combination of Hardware and Software Firewalls plus a good Antivirus program like Norton.

Hardware firewalls are extremely efficient routers and NAT devices (more so than a PC running the Internet Connection Gateway and two NICs) and they are very good at port blocking (they are not susceptible to buffer overflow and other attacks that you can perpetrate against software blockers). As you point out, they are not so good at outbound blocking. Most software firewalls (Tiny Firewall is my favorite, though ZoneAlarm is pretty good too) do an extremely good job at outbound blocking, not only preventing outgoing traffic via specific ports, but also blocking specific applications from making outbound connections. This will prevent a trojan from entering your network and then randomly advertising its presence so that others can connect to it (thereby circumventing the hardware-based port block).

Having good antivirus is the third piece of the puzzle. Norton is particularly good as it is not only on the lookout for known viruses but also for suspicious activity, such as overwriting system resources, random writes to the registry, etc. That will make sure that a trojan does not get into your network and clobber your software firewall.
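As an added illustration of the NAT and outbound-blocking points made in the two posts above (a constructed toy model, not code from the forum or from any firewall product; the class names, the `blocked_apps` rule set and the addresses, which are from documentation ranges, are all assumptions):

```python
# Toy model (constructed for this thread, not real firewall code) of a NAT
# firewall with a stateful connection table plus software-firewall style
# per-application outbound rules. Addresses below are documentation ranges.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    app: str = ""  # originating program, as a host-based firewall would see it

@dataclass
class NatFirewall:
    public_ip: str
    blocked_apps: set = field(default_factory=set)  # outbound app rules
    next_port: int = 40000
    table: dict = field(default_factory=dict)  # public port -> private mapping

    def outbound(self, pkt):
        """LAN -> Internet: drop blocked apps, else rewrite source to the public IP."""
        if pkt.app in self.blocked_apps:
            return None
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[port] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port, pkt.app)

    def inbound(self, pkt):
        """Internet -> LAN: only replies to a known outbound flow pass (default deny)."""
        entry = self.table.get(pkt.dst_port)
        if entry is None or pkt.dst_ip != self.public_ip:
            return None  # unsolicited connection attempt: dropped
        priv_ip, priv_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None  # stateful check: reply must come from the peer we contacted
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)

def demo():
    fw = NatFirewall("198.51.100.1", blocked_apps={"unknown.exe"})
    out = fw.outbound(Packet("192.168.1.10", 5000, "203.0.113.5", 80, "browser"))
    reply = fw.inbound(Packet("203.0.113.5", 80, "198.51.100.1", out.src_port))
    scan = fw.inbound(Packet("203.0.113.9", 4444, "198.51.100.1", 31337))
    blocked = fw.outbound(Packet("192.168.1.10", 5001, "203.0.113.9", 4444, "unknown.exe"))
    return out, reply, scan, blocked

if __name__ == "__main__":
    for label, r in zip(("outbound", "reply", "scan", "blocked"), demo()):
        print(label, r)
```

The remote host only ever sees 198.51.100.1, the unsolicited inbound packet is dropped, and the outbound attempt by the unlisted program is stopped by the application rule rather than by a port block.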


  • 2 weeks later...

I must say

Inertia, that was a very good explanation, but what PeterHammer said is true. Other than that it was pretty good. Hope you understand it now, CohenT.


Actually, most of the definitions above are probably wrong...

I would believe the real definition of a firewall is an appliance/device/software that inspects data generated by protocols at the various layers of the OSI model.

Hence, technically speaking, a proxy is a firewall since it inspects Layer 7 of the OSI model (the Application layer). What most of you call a firewall is probably an SPF firewall, since it inspects data at Layer 3 (the Network layer).


Off-topic: Daybreak, SES girls are cute... lol

Ok.. another Off-topic... but related to firewalls...

I want to create a different post, but it seems most of you are very good at explaining firewalls... can anyone tell me where I can get free "filters" for the hardware-based NIC to do filtering? I am not sure what layer I am talking about, but I sure need filters to filter traffic directly from the NIC card at hardware level... not software... Can anyone supply me a link to such filters? I could not find it anywhere...


Krome :: Yeah!! SES is *cute*. You Asian by any chance?

I'm not really a network security expert (though I dabbled in it for a brief while), but I don't think it's possible for your NIC to implement filtering, since a NIC operates at layers 1 and 2 (correct me if I'm wrong), and you need to be at layer 3 to actually see the packets.

What's more traditionally done is to put an appliance in front of your NIC that does the filtering. I would suggest hauling up an old system (doesn't have to be too powerful; 486es or Pentiums would do) and then putting either xBSDs or Linux on it.

Alternatively, you can try these pre-packaged Linux-based firewalls: Linux Router Project and floppyfw.


and why can't you go to www.google.com and do basic 3 word search to find a perfect answer? :no:

This forum is designed for people to ask questions of people who may know a lot about different types of stuff and may be able to give unbiased information. For that reason Neowin's community exists as it is. I'd appreciate it if there were none of these posts like "use google.com" or "use the search button".


Daybreak, Symantec gives out this free filter for IIS and shows you how to configure it to work with the IIS server... I want a similar filter that is Ethernet-based... And yes, on the Ethernet card you can apply filters to monitor and reject such packets at hardware level; in turn, you make your system like it was a hardware router... but you have to have good filters (in DLL format) to help with the configuration... Check this link out for a sample of what I mean...

http://securityresponse.symantec.com/avcen...002.03.01d.html


and why can't you go to www.google.com and do basic 3 word search to find a perfect answer? :no:

I'm also tired of people using Neowin forums (as well as any other forum) as search engines!


IMHO, using the forums to ask redundant questions is and should be allowed. Why? Simply saying "use search" is not an answer.

The core of the problem is that search results tend to reference old threads. The information contained within is often (a) outdated or (b) non-applicable. By posting a new thread, you can refresh the topic and get information on the LATEST versions and newer tricks/opinions that weren't highlighted on the original thread.

At the same time, you can reach out for people who didn't post the first time round.

I would guess this is especially true for those "Best program" threads: a new version often means a new opinion, and also, after using one version for some time, you get the hang of it, understanding the pros and cons, which you can then impart unto others.

------------

Krome, the link you bounced me to is an ISAPI filter for IIS. It requires the presence of a Symantec Intruder Alert agent as well. I'm not too sure, since I've never used Intruder Alert before. I only know that it's an IDS, but I believe Microsoft has a similar tool to drop IIS CGI/Unicode attack strings in URLScan, which is now partially merged into the IIS Lockdown Wizard.

As for hardware-level filtering, what I thought you meant was something along the lines of Cisco IOS filtering. I don't know anything about it though, and Googling turns nothing up. I would imagine that to do any filtering on the hardware level, you would still need software on top, unless your NIC intrinsically supports filtering, or you can obtain BIOSes which do, neither of which I've really heard of. So I'm clueless :(


and why can't you go to www.google.com and do basic 3 word search to find a perfect answer? :no:

Because he wants an answer from the community and not from Google :no:


Yeah, sometimes the search does not come up with the info needed.

---

The ISAPI (ITA) filter does not require the presence of a Symantec Intruder Alert agent... I put it to use and it works wonders... And I don't have a Symantec product on my system as of now... The filter seems to block and drop those attacks fine... I don't rely on Lockdown... Lockdown alone cannot do the work... Microsoft has a page on configuring the system to be very secure without using Lockdown... Lockdown is just a tool to make sure those IT people did it correctly... Lockdown disables a lot of services too... crippling your IIS dramatically...

I was referring to the filter for IPSec and TCP/IP filtering... This I believe will enable your system to be like a hardware router. It would be so nice if I could find filters for the proxy server as well... MS Proxy Server comes with a built-in filter that does not work quite correctly... Hackers can still get by...
