Network security

9.5 Application level gateways

An application level gateway is implemented through a proxy server, which acts as an intermediary between a client and a server. A client application within the protected network may request a service from a less secure network such as the internet. Once the client's identity has been authenticated, the proxy server relays the request onwards, provided that the security policy in force allows it, and then handles all subsequent data exchanges for that service on the client's behalf. At no point is there a direct connection between the client and the remote server.

An application level gateway relays requests for services at the application level, so policy decisions to block or permit traffic can be based on features that are visible only in the application data, rather than on addresses and port numbers alone. For instance, electronic mail is handled by a variety of mail applications, and an application level gateway can act on criteria such as the message size, header fields or likely content, as indicated by key words. Application level gateways typically provide proxy services for email, Telnet and the World Wide Web.

Normally, each supported service is rigorously defined so that any undefined service is unavailable to users: the default is to deny. Each internal host allowed to use or provide the specified services must also be defined. The term ‘application level gateway’ is appropriate because, from the point of view of both the clients within the protected network and the remote servers, the proxy server appears to be the other end of the conversation: the remote server sees the gateway as the client, and the client sees the gateway as the server. The originating client and the remote server are hidden from each other.

Because an application level gateway is exposed to greater risk than the hosts it protects, the proxy server normally takes the form of a specially secured host, referred to as a bastion host, which is designed to be more resistant to attack than other hosts on the protected network. For instance, a bastion host will run a hardened version of the operating system, with only essential services installed and a restricted set of protocols, such as Telnet, DNS, FTP and SMTP, enabled. (DNS is the domain name system used on the internet to convert between the names of devices and their IP addresses. FTP is the file transfer protocol, an application protocol in the TCP/IP family used, for example, to move files to and from file servers.) In addition, strong user authentication is employed, along with audit facilities that record any attempt to intrude.

The proxy code is written specifically so that it can be checked regularly for software bugs, and each proxy service is designed to operate independently of the others, so that a service can be installed or removed without affecting the rest. Viruses and worms may also be screened.

Access to disk storage on the gateway is severely restricted to minimise threats from Trojans, and interactive user log-on is not allowed. Other threats that could be countered using this type of firewall include those arising from importing macros (a software macro condenses a sequence of operations into a single command) or from inbound transfers that carry executable files (those with .EXE or .COM extensions), because of the possibility of introducing viruses and worms into the network.
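
As an added illustration (not part of the course text), the following Python sketch shows the two kinds of policy decision described above together: the gateway relays only services that have been explicitly defined for a given internal host, and it inspects a mail message at the application layer by size, header fields, key words and executable attachment names. The host addresses, limits, key words and sample messages are constructed for the example, and the function and class names are assumptions rather than those of any real gateway product.

```python
"""Toy application level gateway policy (added example, not course code).

Two decisions are modelled: (1) deny-by-default service definitions per
internal host, and (2) application-layer inspection of an email message.
All names, addresses and limits below are assumptions for the example.
"""
from dataclasses import dataclass, field
from email import message_from_bytes

# Services the gateway proxies and the internal hosts permitted to use each.
# Anything not listed here is undefined and therefore unavailable (constructed).
SERVICE_ALLOWLIST = {
    "smtp": {"10.0.0.5", "10.0.0.6"},
    "http": {"10.0.0.5", "10.0.0.7"},
    "telnet": {"10.0.0.6"},
}

EXECUTABLE_EXTENSIONS = (".exe", ".com")        # screened attachment names
MAX_MESSAGE_BYTES = 64 * 1024                    # example size limit
BLOCKED_KEYWORDS = ("free prize", "click here")  # example key-word screen


@dataclass
class Verdict:
    allowed: bool
    reasons: list = field(default_factory=list)


def service_allowed(internal_host: str, service: str) -> bool:
    """Deny by default: both the service and the host must be defined."""
    return internal_host in SERVICE_ALLOWLIST.get(service.lower(), set())


def inspect_mail(raw: bytes) -> Verdict:
    """Apply the mail policy to a raw RFC 5322 message and collect reasons."""
    reasons = []
    if len(raw) > MAX_MESSAGE_BYTES:
        reasons.append(f"message size {len(raw)} exceeds {MAX_MESSAGE_BYTES}")
    msg = message_from_bytes(raw)
    # Header-field check: the example policy requires From and Subject.
    for header in ("From", "Subject"):
        if not msg.get(header):
            reasons.append(f"missing {header} header")
    # Key-word screening over the subject and every text/plain part.
    text = (msg.get("Subject") or "").lower()
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            text += " " + payload.decode("utf-8", "replace").lower()
    for kw in BLOCKED_KEYWORDS:
        if kw in text:
            reasons.append(f"blocked key word: {kw!r}")
    # Executable attachments are screened by filename extension.
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(EXECUTABLE_EXTENSIONS):
            reasons.append(f"executable attachment: {name}")
    return Verdict(allowed=not reasons, reasons=reasons)


def decide(internal_host: str, service: str, raw: bytes = b"") -> Verdict:
    """Gateway decision for one request: service definition first, then content."""
    if not service_allowed(internal_host, service):
        return Verdict(False, [f"{service} not defined for host {internal_host}"])
    if service.lower() == "smtp":
        return inspect_mail(raw)
    return Verdict(True)


# Constructed sample messages for the example.
SAMPLE_CLEAN = (
    b"From: alice@example.test\r\n"
    b"To: bob@example.test\r\n"
    b"Subject: meeting notes\r\n"
    b"\r\n"
    b"Minutes follow in the next mail.\r\n"
)

SAMPLE_BAD = (
    b"From: mallory@example.test\r\n"
    b"To: bob@example.test\r\n"
    b"Subject: free prize\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"Click here to claim.\r\n"
    b"--b1\r\n"
    b'Content-Type: application/octet-stream; name="prize.exe"\r\n'
    b'Content-Disposition: attachment; filename="prize.exe"\r\n'
    b"\r\n"
    b"MZ...\r\n"
    b"--b1--\r\n"
)

if __name__ == "__main__":
    print(decide("10.0.0.5", "smtp", SAMPLE_CLEAN))
    print(decide("10.0.0.5", "smtp", SAMPLE_BAD))
    print(decide("10.0.0.7", "smtp", SAMPLE_CLEAN))
```

Note that every check here needs the whole message to be reassembled and parsed before a decision is made, which is exactly the processing burden, and the source of the added delay, that the SAQ below contrasts with packet filtering.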

SAQ 14

What do you think could be the disadvantages of the application level gateway approach compared with the packet-filtering approach?

An application level gateway is more demanding in terms of the necessary hardware and software because of the burden of acting as a proxy. It is therefore likely to be more expensive than packet filtering and also to incur longer processing delays. The enforcement of strict policies may also be seen as restricting the options of users behind the firewall, or of legitimate users outside it. This type of firewall is less user-friendly and less transparent than a packet-filtering firewall.

