A security primer
To evaluate firewalls or virtual private networks (VPN), you have to learn a new vocabulary. Most of today's firewall products forward or block traffic by implementing application proxy, packet filtering or circuit-level gateways.
Application-level firewalls, commonly referred to as proxy-level firewalls, are generally thought to offer better security from hackers by providing application-level awareness. However, throughput may suffer while the firewall device conducts the analysis.
Packet-filtering firewalls are typically the fastest and can block or forward traffic by IP address, packet type or service. However, because packet filtering operates on a packet-by-packet basis, packet-filtering firewalls can't monitor connections or offer the data analysis that other technologies can.
Circuit-level gateways forward or block traffic at the session layer. Most applications use a well-known port, so a circuit-level gateway assumes that the port is being used by its associated application and forwards or blocks traffic based on the requested port. This assumption isn't always well founded, because a hacker can send arbitrary traffic over a trusted port and mount an attack through it.
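The contrast between packet-by-packet filtering and connection-aware filtering is easiest to see with a toy filter. The following Python is an added example, not code from the original article or from any product it mentions: it models a stateless packet filter that decides on address, protocol and port alone (and, as such filters commonly do, lets in any inbound TCP segment carrying the ACK flag as a presumed reply), beside a minimal connection-tracking filter that only admits inbound packets matching a connection it saw opened from inside. The network 10.0.0.0/8, the rule set and the four sample packets are all constructed for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INTERNAL = ip_network("10.0.0.0/8")     # constructed: the protected network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    flags: frozenset = frozenset()      # TCP flags present, e.g. {"SYN", "ACK"}


@dataclass(frozen=True)
class Rule:
    action: str                         # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None
    needs_ack: bool = False             # stateless "established" heuristic

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport)
                and (not self.needs_ack or "ACK" in pkt.flags))


# Constructed rule set: publish one web server, let inside hosts go out, and
# (the stateless workaround for replies) accept any inbound TCP carrying ACK.
RULES = [
    Rule("allow", dst="10.0.0.5/32", proto="tcp", dport=80),
    Rule("allow", src="10.0.0.0/8"),
    Rule("allow", dst="10.0.0.0/8", proto="tcp", needs_ack=True),
]


def stateless_decide(pkt: Packet, rules=RULES) -> str:
    """First matching rule wins; nothing is remembered between packets."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


class StatefulFilter:
    """Remembers connections opened through the filter; only their replies get in."""

    def __init__(self, rules=RULES):
        # With a session table the ACK heuristic is unnecessary, so drop it.
        self.rules = [r for r in rules if not r.needs_ack]
        self.sessions = set()

    def decide(self, pkt: Packet) -> str:
        # An inbound packet is a reply if it reverses a recorded 4-tuple.
        reply_key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if ip_address(pkt.dst) in INTERNAL and reply_key in self.sessions:
            return "allow"
        action = stateless_decide(pkt, self.rules)
        if action == "allow" and pkt.proto == "tcp" and "SYN" in pkt.flags:
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return action


SAMPLE_PACKETS = [   # constructed traffic, in arrival order
    Packet("198.51.100.7", 40000, "10.0.0.5", 80, flags=frozenset({"SYN"})),       # client to web server
    Packet("10.0.0.9", 51000, "198.51.100.7", 443, flags=frozenset({"SYN"})),      # inside host going out
    Packet("198.51.100.7", 443, "10.0.0.9", 51000, flags=frozenset({"SYN", "ACK"})),  # reply to it
    Packet("198.51.100.7", 50000, "10.0.0.9", 22, flags=frozenset({"ACK"})),       # ACK with no connection behind it
]


def compare(packets=SAMPLE_PACKETS):
    """Return (stateless, stateful) verdicts for each packet in order."""
    tracker = StatefulFilter()
    return [(stateless_decide(p), tracker.decide(p)) for p in packets]


if __name__ == "__main__":
    for p, (a, b) in zip(SAMPLE_PACKETS, compare()):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} {sorted(p.flags)}  "
              f"stateless={a} stateful={b}")
```

The first three packets get the same verdict from both filters. The fourth, an inbound segment to port 22 that carries ACK but belongs to no connection the inside ever opened, is passed by the stateless filter because its "reply" rule has nothing better than the flag to go on, and is dropped by the connection-tracking filter. That gap is exactly what the article means when it says packet filtering cannot monitor connections, and it is the reason session-aware devices are used in front of hosts that must not accept unsolicited inbound traffic.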
There are several proposed security standards for VPNs. IP Security (IPSec), an encryption scheme that uses 56-bit Data Encryption Standard (DES) or 168-bit Triple-DES keys, is the most commonly used. While Triple-DES offers superior security, it may reduce throughput under heavy load.
Other proposed VPN standards include ISAKMP/Oakley, which adds key management to IPSec; and SKIP, which was developed by Sun and uses a hierarchy of constantly changing keys and key management.

