A circuit-level gateway is a firewall that controls network traffic mainly at the session layer. It secures TCP (and, in implementations such as SOCKS5, UDP) traffic by validating connection requests and then relaying each approved session as a virtual circuit between the two transport-layer endpoints, without examining the application data carried inside it.
Circuit-level gateways also act as handshake intermediaries between trusted internal servers or clients and untrusted external hosts. By completing the handshake with each side itself, the gateway decides whether a session request can be considered safe before any payload crosses it.
How Circuit-Level Gateways Work
When a client seeks to initiate a TCP connection with a destination server, the circuit-level gateway does three things:
- The circuit-level gateway receives the request sent by a client to establish a TCP connection.
- It then authenticates the client and, in some implementations, checks whether the client is authorized to reach the requested destination.
- If validated, it sets up a second TCP connection to a destination server on behalf of the client. Otherwise, it rejects the connection.
In practice the client's TCP connection never reaches the server. The gateway terminates it locally, opens a separate TCP connection to the destination, and splices the two: one connection between the internal host and the gateway, and a second between the gateway and the external host.
Once both connections are up, the gateway relays TCP segments between them. It keeps a virtual circuit table with one entry per approved session (the two endpoints plus state and sequencing information) and forwards a packet only if it matches an entry in that table. When either side closes its connection, the gateway removes the entry, which tears down the virtual circuit between the two nodes.
After a session is allowed, the gateway stops supervising the TCP connection; it relays bytes in both directions without inspecting them until the session ends.
Because a circuit-level gateway does not need to understand the application protocol in use, implementing and deploying one is relatively straightforward. It is important, however, to distinguish a circuit-level gateway from simple port forwarding. With port forwarding, the client is unaware of any intermediary and each forwarded port serves one fixed destination. With a circuit-level gateway, the client knows it is talking to an intermediate system (it asks the gateway for the destination it wants), and the gateway is generic: it can reach any destination its policy allows.
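To make the relay concrete, here is a minimal circuit-level gateway in Python, added as an illustration; it is not code from this article or from any of the products named later on the page. It implements the SOCKS5 CONNECT exchange from RFC 1928 with the "no authentication" method and walks through each step above: the gateway accepts the client's request, checks it against a policy (a plain set of allowed IP/port pairs, an assumption of the example standing in for the authentication and authorization step), opens a second TCP connection on the client's behalf, records the circuit in a session table, relays bytes in both directions without reading them, and removes the table entry when the circuit closes. It is deliberately limited to IPv4 CONNECT requests, binds only to 127.0.0.1, and uses a constructed echo server as the destination.

```python
import socket
import struct
import threading
from contextlib import suppress

SOCKS_VERSION = 5
REP_SUCCESS, REP_NOT_ALLOWED, REP_REFUSED, REP_UNSUPPORTED = 0x00, 0x02, 0x05, 0x07   # RFC 1928 REP codes
_sessions = {}          # virtual-circuit table: client (ip, port) -> destination (ip, port)
_lock = threading.Lock()

def parse_connect_request(data):
    """Decode a SOCKS5 request (VER CMD RSV ATYP DST.ADDR DST.PORT) into (ip, port)."""
    if len(data) != 10 or data[0] != SOCKS_VERSION or data[3] != 0x01:   # IPv4 (ATYP 1) only here
        raise ValueError("not a SOCKS5 IPv4 request")
    if data[1] != 0x01:                              # CONNECT only; BIND and UDP ASSOCIATE rejected
        raise ValueError("unsupported command")
    return socket.inet_ntoa(data[4:8]), struct.unpack("!H", data[8:10])[0]

def _reply(code):                                    # SOCKS5 reply; a zeroed bind address is fine for CONNECT
    return bytes([SOCKS_VERSION, code, 0x00, 0x01]) + b"\x00" * 6

def _pump(src, dst, half_close=True):                # copy bytes one way, blind to their content
    with suppress(OSError):
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    if half_close:                                   # pass the sender's EOF along to the other side
        with suppress(OSError):
            dst.shutdown(socket.SHUT_WR)

def _handle(conn, addr, policy):
    """Gateway side: negotiate, authorize against policy, open the second TCP connection, splice."""
    with conn:
        hdr = conn.recv(2)                           # VER NMETHODS, followed by NMETHODS method bytes
        if len(hdr) != 2 or hdr[0] != SOCKS_VERSION or 0x00 not in conn.recv(hdr[1]):
            return conn.sendall(bytes([SOCKS_VERSION, 0xFF]))   # no acceptable method
        conn.sendall(bytes([SOCKS_VERSION, 0x00]))   # "no authentication" selected (example assumption)
        try:
            host, port = parse_connect_request(conn.recv(262))
        except ValueError:
            return conn.sendall(_reply(REP_UNSUPPORTED))
        if (host, port) not in policy:               # refused here: no upstream connection is attempted
            return conn.sendall(_reply(REP_NOT_ALLOWED))
        try:
            upstream = socket.create_connection((host, port), timeout=5)   # the second TCP connection
        except OSError:
            return conn.sendall(_reply(REP_REFUSED))
        with upstream:
            with _lock:
                _sessions[addr] = (host, port)       # circuit approved: record it in the table
            conn.sendall(_reply(REP_SUCCESS))
            back = threading.Thread(target=_pump, args=(upstream, conn, False), daemon=True)
            back.start()                             # server -> client; the client sees EOF when conn closes
            _pump(conn, upstream)                    # client -> server until the client is done
            back.join()
        with _lock:
            _sessions.pop(addr, None)                # circuit closed: drop the entry, then close conn

def _listen(handler):                                # ephemeral loopback listener, one thread per client
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()
    def loop():
        while True:
            c, a = srv.accept()
            threading.Thread(target=handler, args=(c, a), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def serve(policy):                                   # policy: set of allowed (ip, port) destinations
    return _listen(lambda c, a: _handle(c, a, policy))

def start_echo_server():                             # constructed destination: echoes what it receives
    return _listen(lambda c, _: _pump(c, c))

def socks5_connect(gw_port, host, port):             # client side: it knowingly asks the gateway
    s = socket.create_connection(("127.0.0.1", gw_port), timeout=5)
    s.sendall(bytes([SOCKS_VERSION, 0x01, 0x00]))    # offer one method: no authentication
    if s.recv(2) != bytes([SOCKS_VERSION, 0x00]):
        raise ConnectionError("method negotiation failed")
    s.sendall(bytes([SOCKS_VERSION, 0x01, 0x00, 0x01]) + socket.inet_aton(host) + struct.pack("!H", port))
    return s.recv(10)[1], s                          # reply code; on success s is spliced to the host

def active_sessions():
    with _lock:
        return dict(_sessions)

def demo():
    """Relay through an allowed circuit, then get refused for a destination outside the policy."""
    dest = ("127.0.0.1", start_echo_server())
    gw_port = serve({dest})
    code, s = socks5_connect(gw_port, *dest)
    with s:
        table_during = list(active_sessions().values())
        s.sendall(b"GET / HTTP/1.0\r\n\r\n")         # opaque to the gateway, echoed by the peer
        s.shutdown(socket.SHUT_WR)
        echoed = b"".join(iter(lambda: s.recv(4096), b""))   # EOF arrives only after the entry is dropped
    denied, d = socks5_connect(gw_port, dest[0], dest[1] + 1)   # not in the policy set, so refused
    d.close()
    return {"dest": dest, "allowed": code, "echoed": echoed, "table_during": table_during,
            "denied": denied, "table_after": active_sessions()}
```

Calling demo() exercises both outcomes: the first client's bytes are carried to the echo peer and back, and the table holds exactly one entry only while that circuit is open; the second client asks for a port outside the policy set and is refused with reply code 0x02 before any upstream connection is attempted. Note what the gateway does not do: the request line that looks like HTTP passes through unread, which is the content-inspection gap discussed under the disadvantages below.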
4 Common Features of Circuit-Level Gateways
For a broader view of circuit-level gateways’ capabilities, it helps to understand their standard features: TCP handshaking, Layer 4 and 5 operation, virtual circuit connections, and a table of session state.
- TCP handshaking. Circuit-level gateways complete a TCP three-way handshake with the client and a separate one with the server, and use the outcome to judge whether a session request is valid.
- Layer 4 and 5 operation. Circuit-level gateway firewalls work at the transport and session layers of the OSI model.
- Virtual circuit connection. Circuit-level firewalls create virtual circuit connections on behalf of internal users, so the external host sees only the gateway and the internal user's address stays hidden.
- Table of session state and sequencing information. Circuit-level gateways keep virtual circuit tables to determine whether data packets will be allowed to pass through.
Top 5 Advantages of Circuit-Level Gateways
Circuit-level gateways provide some clear advantages for organizations, including hiding internal hosts from serving hosts, requiring comparatively minimal processing, and being relatively inexpensive and easy to implement.
- Hiding internal host from serving host. Because the gateway opens the connection to the server on the internal host's behalf, the server sees only the gateway's IP address; the internal host's address and identity stay hidden.
- Less processing compared to application-level gateways. Circuit-level gateway firewalls put less load on network performance than application-level gateways because they do not parse application-layer data: once a session is approved, they only relay bytes between the two connections.
- General nature. Circuit-level gateways can act as proxy servers for any TCP-based application or application protocol, so there is no need for a separate proxy server for each application.
- Relatively inexpensive. Circuit-level gateways are often less costly compared to other types of firewalls.
- Easier implementation. Circuit-level gateways are relatively simple to implement compared to more advanced, granular firewalls.
Top 3 Disadvantages of Circuit-Level Gateways
Despite their advantages, circuit-level gateways also have some shortcomings that are important to be aware of before implementing them. These include a lack of content filtering, the security trade-off of their general nature, and a need for ongoing changes.
- Lack of content filtering. Circuit-level gateways do not inspect the contents of individual packets. Once a session has been approved, a malicious payload passes through unexamined, which threat actors can use to get into a network; this makes circuit-level gateways insufficient as a standalone security mechanism.
- General nature. The same generality that makes them flexible can also weaken security. For example, SOCKS cannot look inside application data, so it cannot block specific application-level content, such as a Java applet embedded in a web page, the way an application-level gateway could.
- Require changes. Circuit-level gateways need ongoing changes to keep their rule sets current. Because they operate at the transport layer and the client must be aware of the gateway, they also often require modifications to client software or to the host's transport (TCP/IP) code before connections can be intercepted at the firewall.
The best use for a circuit-level gateway is as one component of a full next-generation firewall (NGFW) security solution.
3 Types of Circuit-Level Gateways
It’s worth noting that circuit-level gateway firewalls are rarely implemented as standalone firewall solutions. Instead, they’re typically combined with application layer proxy services as well as packet-filtering capabilities in dedicated firewall applications.
Three notable places where circuit-level gateway functionality appears are SOCKS, IBM Db2, and proxy servers.
SOCKS
SOCKS is arguably the most important and widespread circuit-level gateway in use today. The original SOCKS protocol was designed to offer a general framework for TCP/IP applications to traverse firewalls securely. It has been around in various iterations since the early 1990s (SOCKS4, then SOCKS5 as specified in RFC 1928) and is a dependable circuit-level gateway. It does, however, require client software (or the host's TCP stack) to be modified, or "socksified", so that connections are redirected through the gateway for interception at the firewall.
IBM Db2
IBM Db2 is a relational database platform offered in several editions for different business environments. Relevant here is that it incorporates circuit-level firewall support in the form of SOCKS Version 4, so Db2 clients can reach servers through a SOCKS gateway.
Proxy server
Here, proxy server refers to firewall products that combine proxying with content caching. Such products typically offer not only circuit-level gateway support but also application-layer proxies and packet filtering, making up a complete firewall solution for securing networks, and they commonly support the SOCKS protocol.
Who Should and Shouldn’t Use Circuit-Level Gateways?
Circuit-level gateways are an important component of any network security stack—but in most cases they should not be used on their own, since they can’t provide deeper, application-level protection.
Users with applications or application protocols for which no application-level gateway exists, or for which one would be conceptually difficult to design and implement, are the natural candidates for circuit-level gateways.
However, anyone seeking a comprehensive firewall solution or application-layer security will need to supplement a circuit-level gateway with other controls. Larger organizations in particular should prioritize comprehensive firewall solutions that ensure their networks, resources, and data are adequately secured.
Bottom Line: Using Circuit-Level Gateways in the Enterprise
Circuit-level gateways offer an intriguing approach to having applications and application protocols safely travel across firewalls. Their ability to act as a proxy server for TCP-based applications makes them particularly flexible.
These firewalls can be deployed standalone or as a component within application gateways. However, for a robust security posture, it is strongly recommended to run circuit-level gateways as part of a broader, dedicated firewall solution rather than on their own.