Firewall Evolution - Deep Packet Inspection by Ido Dubrawsky last updated July 29, 2003



Similar documents
Symantec Enterprise Firewalls. From the Internet Thomas Jerry Scott

Firewall Market Trends

Guideline on Firewall

Chapter 9 Firewalls and Intrusion Prevention Systems

Networking for Caribbean Development

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

INTRODUCTION TO FIREWALL SECURITY

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

Network Security. Protective and Dependable. 52 Network Security. UTM Content Security Gateway CS-2000

Introduction of Intrusion Detection Systems

Fig : Packet Filtering

ΕΠΛ 674: Εργαστήριο 5 Firewalls

Network Defense Tools

Next-Generation Firewalls: Critical to SMB Network Security

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES

SonicWALL Clean VPN. Protect applications with granular access control based on user identity and device identity/integrity

1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding?

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Importance of Web Application Firewall Technology for Protecting Web-based Resources

Cisco Firewall Technology

Considerations In Developing Firewall Selection Criteria. Adeptech Systems, Inc.

Many network and firewall administrators consider the network firewall at the network edge as their primary defense against all network woes.

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM

Chapter 15. Firewalls, IDS and IPS

From Network Security To Content Filtering

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

Introducing IBM s Advanced Threat Protection Platform

8. Firewall Design & Implementation

PROFESSIONAL SECURITY SYSTEMS

How To Protect A Web Application From Attack From A Trusted Environment

How To Protect Your Firewall From Attack From A Malicious Computer Or Network Device

Evolutionism of Intrusion Detection

Game changing Technology für Ihre Kunden. Thomas Bürgis System Engineering Manager CEE

Network Security and Firewall 1

PART D NETWORK SERVICES

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Cisco IOS Advanced Firewall

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

IMPLEMENTATION OF INTELLIGENT FIREWALL TO CHECK INTERNET HACKERS THREAT

Security threats and network. Software firewall. Hardware firewall. Firewalls

Computer Security: Principles and Practice

Configuration Example

Ficha técnica de curso Código: IFCAD111

Stateful Firewalls. Hank and Foo

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Computer Security DD2395

Firewall Configuration. Firewall Configuration. Solution Firewall Principles

Securing Cisco Network Devices (SND)

Pretend or Prevent? Intranet. Internet Router IDS Hub Firewall. Overview. Recognizing attacks. Intercepting attacks. White Paper

Network Security. Tampere Seminar 23rd October Overview Switch Security Firewalls Conclusion

Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall

Chapter 4: Security of the architecture, and lower layer security (network security) 1

Network Intrusion Prevention Systems (IPS) Frequently Asked Questions FAQ

Securing EtherNet/IP Using DPI Firewall Technology

Stateful Inspection Technology

Architecture Overview

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

How To Protect Your Network From Attack From A Virus And Attack From Your Network (D-Link)

Comparison of Firewall, Intrusion Prevention and Antivirus Technologies

SE 4C03 Winter 2005 Firewall Design Principles. By: Kirk Crane

Netsweeper Whitepaper

WHITE PAPER. FortiGate DoS Protection Block Malicious Traffic Before It Affects Critical Applications and Systems

1. Built-In SPI Firewall to Protect Your Enterprise Network 2. Multi-Spam-Filtering Function Providing High Spam-Filtering Accuracy

Securing Networks with PIX and ASA

NEW YORK INSTITUTE OF TECHNOLOGY School of Engineering and Technology Department of Computer Science Old Westbury Campus

Network Security Management

Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 22 Firewalls.

IDS 4.0 Roadshow. Module 1- IDS Technology Overview. 2003, Cisco Systems, Inc. All rights reserved. IDS Roadshow

Network Security: 30 Questions Every Manager Should Ask. Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Radware s Smart IDS Management. FireProof and Intrusion Detection Systems. Deployment and ROI. North America. International.

Network Security 2. Module 2 Configure Network Intrusion Detection and Prevention

NETWORK SECURITY (W/LAB) Course Syllabus

Gateway Security at Stateful Inspection/Application Proxy

Deploying in a Distributed Environment

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

Check Point FireWall-1 HTTP Security Server performance tuning

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Company Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc.

Barracuda Web Application Firewall vs. Intrusion Prevention Systems (IPS) Whitepaper

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

Security Threats VPNs and IPSec AAA and Security Servers PIX and IOS Router Firewalls. Intrusion Detection Systems

Firewall Environments. Name

Next Generation IPS and Reputation Services

Security Technology: Firewalls and VPNs

1Fortinet. 2How Logtrust. Firewall technologies from Fortinet offer integrated, As your business grows and volumes of data increase,

Building A Secure Microsoft Exchange Continuity Appliance

Industrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1

Transcription:

Seite 1 von 5 Firewall Evolution - Deep Packet Inspection by Ido Dubrawsky last updated July 29, 2003 Firewalls provide a variety of services to networks in terms of security. They provide for network address tr networks (VPN), and filtering of traffic that does not conform to the network's stated security policy. There simple packet filters to circuit-level gateways to proxy firewalls. Firewalls are being asked to fill a larger and security these days than several years ago. One of the more recent innovations in firewall technology is the inspection or DPI. Deep Packet Inspection can be seen as the integration of Intrusion Detection (IDS) and I capabilities with traditional stateful firewall technology. Traditional networks have a defined boundary dema sensor sitting behind it. One of the primary benefits of the traditional firewall/ids deployment is that the failure of one component completely unprotected. Also, IDS appliances can be deployed throughout the LAN and monitor traffic insid boundary areas between networks. This design is illustrated in Figure 1 below. The IDS monitors traffic tha defined in the firewall policy) and inspects packets for malicious activity. Figure 1 - Traditional Firewall Deployment Design With Deep Packet Inspection firewalls the IDS collapses into the firewall such that the firewall provides for i eliminates an additional piece of network equipment which can fail while increasing the capabilities inheren cover one particular form (and function) of firewalls -- stateful firewalls and how deep packet inspection pro these firewalls than ever before. Stateful Firewalls -- An Overview In the early stages of firewalls all traffic had to be explicitly specified whether it was permitted. A good exa firewall was the original Linux firewall. This firewall (whether manipulated with ipfwadm or ipchains require firewall (regardless of direction) be specified. The firewall did not keep track of the various sessions that m firewall. Stateful inspection changed all that. Invented by Check Point Software Technologies in the mid-to-late 199 became an industry standard. Stateful inspection provides for the analysis of packets at the network layer a transport layer in the OSI model but the firewall may look at layers above that as well) in order to assess t information from various layers (transport, session, and network) the firewall is better able to understand t also provides for the ability to create virtual sessions in order to track connectionless protocols such as UDP RPC-based applications. Application proxy firewalls have been around for a long time but have failed to control the emerging threat Additionally, the multitude of applications requiring support as well as the additional latency have dampene

Seite 2 von 5 firewalls. The reality of modern application demands and capabilities require that firewalls with a much more intimate application payload. Emerging applications utilizing XML and Simple Object Access Protocol (SOAP) require content within the packets at wire-speed. Additionally, applications which can change their communication outbound filtering or those which tunnel within commonly allowed ports (such as 80/TCP) must be monitore the maximum amount of security within the network. In order to meet these new demands stateful firewall Deep Packet Inspection Deep Packet Inspection is a term used to describe the capabilities of a firewall or an Intrusion Detection Sy application payload of a packet or traffic stream and make decisions on the significance of that data based engine that drives deep packet inspection typically includes a combination of signature-matching technolog the data in order to determine the impact of that communication stream. While the concept of deep packet not so simple to achieve in practice. The inspection engine must use a combination of signature-based anal statistical, or anomaly analysis, techniques. Both of these are borrowed directly from intrusion detection te traffic at the speeds necessary to provide sufficient performance newer ASICs will have to be incorporated These ASICs, or Network Processors Units (NPUs), provide for fast discrimination of content within packets classification. Deep Packet Inspection capable firewalls must not only maintain the state of the underlying n state of the application utilizing that communication channel. For example, consider an SMTP connection between a mail client and a server shown in Figure 1(a) below. with the typical TCP three-way handshake. The firewall allows the connection because it has the ruleset sta on the mail server host is permitted. In Figure 1(b)b. the connection has been entered into the state table

Seite 3 von 5 Figure 2 - Stateful Firewall Connection For most stateful firewalls the establishment of the connection and the monitoring of it for when connection However, such firewalls do not look further up the protocol stack for events that may be considered "out-of a firewall that is capable of Deep Packet Inspection the firewall can look at the SMTP protocol and monitor i in Figure 2 below. In Figure 2(a) the client establishes the SMTP connection by following the RFC defined pr waiting for the response by the mail server. The client may then issue a variety of commands include sendi SMTP command MAIL FROM:. In Figure 2(b) the client tries to issue a VRFY command. The firewall moni between the client and the mail server may raise an alarm or respond to the VRFY command by disallowin exploit the sendmail address token overflow (discussed in the CERT bulletin CA-2003-12) in order to gain s firewall, because it is capable of Deep Packet Inspection, is able to identify the exploit attempt and deny th may deny the connection from the client altogether.

Seite 4 von 5 Figure 3 - Deep Packet Inspection Firewall In order to be successful with Deep Packet Inspection the firewall must provide significant intrusion detectio These capabilities include performing anti-virus screening in-line and at wire-speeds. Additionally the firewa analyze, and, if necessary, filter Extensible Markup Language (XML) traffic, dynamically proxy instant mess Yahoo IM, and MSN IM. Additionally the firewall will have to provide for wire-speed Secure Socket Layer (S filtering. This will obviously require the capability to decrypt an SSL session and then re-establish it once th The need for this technology and this capability in firewalls stems from such data-driven attacks as Code Re SQL Slammer worm. Current IDS technology, while able to detect these attacks, provided very little preven attacks. Each of these worms infected a significant number of systems within a relatively short period of tim infection routes posed serious difficulties for IDS in particular. While IDS provided some relief from each of detection and response directly to the firewall through Deep Packet Inspection provides for immediate term the line of communication at a network demarcation point. Next Generation Firewalls While current stateful firewall technology provides for tracking the state of a connection, most current firew analysis of the application data. Several firewall vendors, including Check Point, Cisco, Netscreen, Network acquired Intruvert), and TippingPoint, are moving in the direction of integrating this analysis into the firewa provide for some Deep Packet Inspection capabilities in the PIX firewall. For example, the command: fixup to perform several functions including:

Seite 5 von 5 URL logging of GET messages URL screening through N2H2 or Websense Java and ActiveX filtering For the last two functions above the firewall must also be configured with the filter command. These functi capabilities which must be included in firewalls in order to provide a greater degree of protection to networ new capabilities rely on pattern-matching techniques to identify attacks and, also as with traditional IDSs, a in the detection methods to avoid raising alarms. As Deep Packet Inspection technology continues to improve the capability to provide more robust and dyna will only continue to increase. Moving the inspection of the data in packets to the network firewall provides flexibility in defending their systems from malicious traffic and attacks. Such firewalls do not eliminate the Systems, they merely collapse the IDS that should sit directly behind the firewall into the firewall itself. How network as part of an overall defense-in-depth approach remains unchanged. Author Credit View more articles by Ido Dubrawsky on SecurityFocus.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information