WordType Designs
Driven To Distractions©
The Sound of One Hand Clapping©

A rchive Date
[ 20-02-2004 ]
Category
[ Information Technologies ]
sub-Categoy
[ Networking ]
      [Firewalls Gain New Depth, Security
      By Andrew Garcia
      February 16, 2004

      Deep packet filtering technology represents the newest weapon in the arsenal against blended application attacks, arming perimeter firewalls with a layer of application-aware security services.

      Deep packet inspection devices reassemble and reorder multiple packets into their original traffic flows, perform application analysis, and make and enforce policy decisions based on the entire content. Reconstituting flows allows these devices to become multifunctional and offer expanded content services such as spam and virus filtering.

      A variety of deep packet filtering products are coming to market, with Check Point Software Technologies Ltd. and NetScreen Technologies Inc. leading the charge. (Juniper Networks Inc. was in the process of purchasing NetScreen as this issue went to press). Prices start at $570 for NetScreen 5GT with a one-year signature subscription. Prices escalate quickly depending on network size, number of users and other factors.
      eWEEK Labs believes deep packet filtering products are a good choice for boosting security, particularly for smaller networks and branch offices. However, large-enterprise network administrators should weigh the performance impact these devices will have on the network.
      Currently, stateful inspection firewalls protect resources at the network layer, but the speed and efficiency provided by stateful devices come at a cost. These devices look at packet headers, making access decisions based on source, destination and traffic port. If a packet matches these criteria, it is permitted into the network, no matter what content it carries. Code Red, Slammer, Blaster and who knows how many buffer overflow exploits have capitalized on this lack of application awareness.

      Most deep packet filtering devices use multiple approaches to identify these threats in the recomposed flows. These devices often employ signatures to identify known attacks. Vendors package recognizable chunks of code from exploits and make them available to the customer periodically.

      However, signature-based scans require significant resources on the firewall because they must compare the entire signature database with each traffic flow. And, like anti-virus signatures, deep filtering signatures are reactive. Vendors can only create the package code once an exploit is known.

      Deep packet inspection devices also look for protocol conformance. Binary data is not allowed in HTTP headers, for example, so deep packet inspection engines detect and block traffic attempting to introduce malicious code in this way.

      Protocol anomaly checks are used to identify applications that hijack common network ports. For example, peer-to-peer applications have commonly usurped port 80, embedding themselves in HTTP traffic to traverse the firewall. Protocol anomaly scans identify directory traversal attacks and long HTTP header attacks.

      Check Point and NetScreen have made the most noise touting their application-layer defenses, but a number of other security vendors have released multifunction appliances that increase application- and file-level security in a variety of ways.

      Check Point officials claimed that the company's FireWall-1 NGAI (Next Generation with Application Intelligence) appliance's signatures are not reactive because they are based on networks' vulnerabilities and not on known exploits.

      FireWall-1 NGAI controls application-layer operations by making granular policies based on how the application works. As a result, administrators can define rules to block FTP PUT commands while allowing GETs.

      By comparison, NetScreen's Deep Inspection feature uses signature-based and protocol anomaly detection capabilities. NetScreen devices do not have a hard drive, which limits the buffer space available to scan traffic to memory. To improve efficiency, NetScreen devices group signatures by traffic type, identify the type of flow under scan and apply only relevant signatures.

      NetScreen officials said branch offices and midsize enterprises will get the most benefit from the added protection in an integrated solution. Larger enterprises with greater throughput demands and more expertise should look more closely at separate point solutions.

      Technical Analyst Andrew Garcia can be reached at andrew_garcia@ziffdavis.com]


Some pages may require Adobe Acrobat Reader


Copyright and Fair Use Information: The contents of this web site is protected by international copyright laws and may not be reproduced in any form or manner whatsoever, if for the purpose of resale or solicitation of a donation. The essays included here, may be reproduced only if: 1)They are not altered in any way; 2) reproductions must be accompanied by this copyright page ; and 3) it is given freely and without charge.
Fair use: The fair use of copyrighted work, including such use by reproduction in copies or phonorecords or by any other means specified in above sections, for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright. In determining whether the use made of a work in any particular case is fair use the factors to be considered include : (1) the purpose and character of the use, including whether the use is of a commercial nature or is for nonprofit educational purposes; (2) the nature of the copyrighted work; (3) the amount and substantiality of the portion used in relation to the copyrighted work as a whole, and; (4) the effect of the use upon the potential market value of the copyrighted work.
Home | About Narrative? |Contact
Copyright © 2025. All Rights Reserved
HAG122125 (1998 -2026)