In this video, you will learn to: describe application gateways and how they differ from standard packet filtering firewalls, and describe the limitations of application gateways.

Application gateways also filter packets, but they filter on the application data, which is the payload at the top level of the OSI stack, as well as on the IP and transport fields. So this allows, for example, select users to employ the Telnet application to the outside. To enforce this mandate, we require all Telnet connections to go through a gateway. There's an access control mechanism that says, yes, this is a Telnet connection, and then, is this user authorized or not authorized? So it is once again an access control type mechanism that is applied to an application.

So there are some limitations here. One of them, as I said, is that these are based on the transport protocol, so we can masquerade or spoof the IP address. This is done significantly in Internet attacks: the source address is not in fact the true source but is masqueraded; it appears to be coming from either a customer or a trusted source when in fact it is anything. The firewalls that we have been discussing do not have a mechanism to really validate this, and that is a significant threat area right there. For application gateways, application firewalls, this is a one-to-one relationship, so that if you've got a single application like Telnet, or broadcast UDP, each one of these is going to require its own application gateway. There's a one-to-one relationship, and this gets into a very expensive process. In addition, the client software, the applications, the web browsers, the email tools, FTP tools, instant messaging, all of them have to be smart. So they need to have the protocol predetermined to know how to communicate with the gateways, whether that's an application gateway or a packet filter. These packet filters will frequently be all or nothing relative to UDP. There's a security thought that UDP should be largely disengaged.
Because that's broadcasts, there are a number of security vulnerabilities that are associated with that. So what is the trade-off? The trade-off is open communication with the outside world, with no security policies in play, as opposed to an increasing level of security. With the increasing level of security, there's more control on protocols and applications and user access. So that is the trade space that the security engineer needs to navigate. Despite that, many highly protected sites, US government sites, still suffer from cyber attack.
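As an added example (not part of the lecture), here is a small Python model of the distinction described above: a packet filter that decides on header fields only, beside a Telnet application gateway that reads the application payload and checks user authorization. It assumes a simplified "USER <name>" first line in place of the real Telnet login exchange, and the trusted network, addresses and user list are constructed.

```python
from dataclasses import dataclass
import ipaddress

TELNET_PORT = 23
# Constructed policy: the packet filter trusts a source network (documentation range),
# while the Telnet application gateway keeps an allow list of authorized users.
TRUSTED_NET = ipaddress.ip_network("192.0.2.0/24")
AUTHORIZED_TELNET_USERS = {"alice", "bob"}


@dataclass
class Connection:
    src_ip: str
    dst_port: int
    payload: bytes  # first application-layer bytes the gateway reads from the client


def packet_filter_allows(conn: Connection) -> bool:
    """Packet filter: decides on IP/transport header fields only, never the payload."""
    if conn.dst_port != TELNET_PORT:
        return False
    # A spoofed source address satisfies this check; the filter cannot validate it.
    return ipaddress.ip_address(conn.src_ip) in TRUSTED_NET


def parse_telnet_user(payload: bytes):
    """Assumed simplified login: the client's first line is 'USER <name>'.
    (Real Telnet negotiates options first; this stands in for that exchange.)"""
    line, _, _ = payload.partition(b"\r\n")
    if not line.startswith(b"USER "):
        return None
    user = line[5:].decode("ascii", errors="replace").strip()
    return user or None


def application_gateway_allows(conn: Connection) -> bool:
    """Telnet application gateway: one gateway per application, decision on the payload."""
    if conn.dst_port != TELNET_PORT:
        return False  # this gateway only understands Telnet
    user = parse_telnet_user(conn.payload)
    return user is not None and user in AUTHORIZED_TELNET_USERS


# Constructed traffic: a spoofed "trusted" source presenting an unknown user, and an
# authorized user connecting from an address the packet filter does not trust.
SPOOFED = Connection("192.0.2.10", TELNET_PORT, b"USER guest\r\n")
OUTSIDER = Connection("203.0.113.5", TELNET_PORT, b"USER alice\r\n")

if __name__ == "__main__":
    for name, conn in (("spoofed", SPOOFED), ("outsider", OUTSIDER)):
        print(name, "packet filter:", packet_filter_allows(conn),
              "application gateway:", application_gateway_allows(conn))
```

The spoofed connection passes the header-only filter but is refused by the gateway, which is the page's point that only the application layer can apply per-user access control.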