IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Organisation Remarks
____________________________________________________________________ .........................................
S 2.75 Selection of a suitable application gateway
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: IT Security Management, Administrators
An application gateway is a computer which uses the information in the
application layer to filter connections.
This can, for example, be user names in connection with a strong
authentication, special information in the transmitted data (e.g. check for
computer viruses) or information of the application layer. An application
gateway also offers the possibility of creating a unified access to the subnetwork
requiring protection and of concealing this network. The filter
processes running on the application gateway are called proxy processes.
In the event that an application gateway is required for a firewall, the
following demands should be made upon purchase:
- All important protocols (such as Telnet, FTP, SMTP, DNS, NNTP, HTTP)
of the application layer must be treated.
- Filtering must be possible for each supported protocol according to all
information stipulated in measure S 2.76 Selection and Implementation of
Suitable Filter Rules. In particular, it must be possible to formulate the
filter rules dependent on the user and to merge several users into one
group.
- Filtering for contents should be supported, so that a central virus scan and
the blockage of active contents is possible (see T 5.23 Computer Viruses).
- When using an application gateway, no changes should be necessary to the
software in the network requiring protection or in the external network.
- The entry and control of filter rules must be simple and clear, e.g. by
symbolic service and protocol names.
- The programs used must be well documented.
- It must be easy to add new protocols.
- It must be possible to record IP numbers, service, time and date for
established and denied connections, with limitations on certain connections
(e.g. for a special user).
- It must be possible to send all logging information to an external host.
- Special, adjustable events must lead to an immediate warning (e.g.
repeated incorrect authentication attempts).
- Strong authentication methods must be used for user identification.
- The application gateway must support virtual private networks.
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000