Advanced Detection Technology in Firewalls

Source: Internet
Author: User
Tags: firewall

For years, companies have relied on stateful inspection firewalls, intrusion detection systems, host-based anti-virus software and anti-spam products to protect enterprise users and resources. The situation is changing quickly: single-point defensive devices now face a class of attacks they were not built to handle, and detecting the latest attacks requires better detection technology in the device itself. This paper focuses on detecting and blocking unknown threats and harmful traffic by combining several current detection techniques inside the firewall: heuristic scanning, anomaly detection, and strengthened anti-virus, anti-spam and related functions.

Characteristics of a new generation of attacks

1. Blended (hybrid) attacks combine several techniques, such as viruses, worms, Trojans and backdoors. They typically spread through e-mail and infected web sites, and they spawn variants quickly, so that blocking them is difficult whether the attack is already known or not. Nimda, Code Red and Bugbear are examples of this kind of attack.

2. Attacks against newly disclosed vulnerabilities appear much faster than before. Defending against new and unknown threats, the so-called "zero-hour" or "zero-day" attacks, has therefore become especially important.

3. Attacks that rely on social engineering, including spyware, online fraud (phishing), e-mail-borne attacks and malicious web sites, have increased sharply. The attacker imitates legitimate applications and messages to trick users into running the malicious content themselves.

Figure 1: Vulnerability-and-patch timeline published by Gartner

Traditional security methods are failing

The most widely deployed security products today are stateful inspection firewalls, intrusion detection systems and host-based anti-virus software, and all three are becoming less effective against the new generation of threats. A stateful inspection firewall works by tracking the initiation and state of each session. It examines packet headers at the network layer (L3) and the transport layer (L4) and then allows, denies or forwards traffic according to a set of user-defined firewall policies; it does not look at the application data the packet carries. The problem with this kind of firewall is that attackers have developed a number of ways to get around its policy, including:

(1) Using a port scanner to discover which ports the firewall leaves open.

(2) Sending attack and probe traffic through those open ports, which the firewall must permit because its policy allows the service behind them.

(3) Launching the attack from a Trojan already installed on a PC inside the trusted network. Because the session is initiated from the inside, all of the related return traffic from the untrusted network is let through by the firewall. Common attack tools that operate from the trusted side in this way include backdoors, Trojans and keyloggers, which give the attacker unauthorized access or send private information out to the attacker.
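The three bypasses above can be reproduced against a toy stateful-inspection firewall. The Python below is an added illustration written for this page, not code from the original article or from any firewall product; the trusted range 10.0.0.0/8, the single inbound-allowed service 10.0.0.5:80, and all addresses, ports and payloads are assumed sample data.

```python
"""Toy stateful-inspection firewall, added here as an illustration; it is not
code from the original article.  It filters on L3/L4 headers plus a session
table only, which is enough to reproduce the three bypasses listed above:
a port scan finds the open port, an attack rides through that port with its
payload unexamined, and a Trojan on a trusted PC dials out so that the
attacker's replies match an established session.  Addresses, ports and
payloads are constructed sample data."""
import ipaddress
from dataclasses import dataclass

TRUSTED = ipaddress.ip_network("10.0.0.0/8")   # assumed internal network
# Assumed policy: the only service reachable from outside is 10.0.0.5:80.
INBOUND_ALLOW = {("10.0.0.5", 80)}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False          # True for the first packet of a TCP session
    payload: bytes = b""       # never looked at by this firewall


class StatefulFirewall:
    def __init__(self):
        self.sessions = set()  # 4-tuples in the direction the session was opened

    @staticmethod
    def _key(p):
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p):
        return (p.dst, p.dport, p.src, p.sport)

    def filter(self, p: Packet) -> str:
        """Return 'ALLOW' or 'DENY' using headers and session state only."""
        # Anything belonging to a known session, in either direction, passes.
        if self._key(p) in self.sessions or self._reverse(p) in self.sessions:
            return "ALLOW"
        if not p.syn:
            return "DENY"       # unsolicited mid-stream packet, no session
        if ipaddress.ip_address(p.src) in TRUSTED:
            self.sessions.add(self._key(p))   # trusted hosts may open anything
            return "ALLOW"
        if (p.dst, p.dport) in INBOUND_ALLOW:
            self.sessions.add(self._key(p))   # permitted inbound service
            return "ALLOW"
        return "DENY"


def port_scan(fw, attacker="203.0.113.9", target="10.0.0.5",
              ports=(22, 80, 443, 3389)):
    """Bypass (1): SYN probes show the scanner which port the policy leaves open."""
    return {port: fw.filter(Packet(attacker, 40000 + port, target, port, syn=True))
            for port in ports}


def attack_via_open_port(fw, attacker="203.0.113.9", target="10.0.0.5"):
    """Bypass (2): an exploit is carried through the open port; the firewall
    never examines the payload, so the verdict is the same as for a
    legitimate request."""
    fw.filter(Packet(attacker, 40080, target, 80, syn=True))
    exploit = Packet(attacker, 40080, target, 80,
                     payload=b"<constructed exploit payload>")
    return fw.filter(exploit)


def trojan_callback(fw, victim="10.0.0.23", attacker="203.0.113.9"):
    """Bypass (3): a Trojan on the trusted PC connects out to the attacker, so
    the attacker's commands flowing back match the session the victim opened."""
    fw.filter(Packet(victim, 51515, attacker, 4444, syn=True))
    command = Packet(attacker, 4444, victim, 51515,
                     payload=b"<constructed command from attacker>")
    return fw.filter(command)


if __name__ == "__main__":
    print("port scan:", port_scan(StatefulFirewall()))
    print("exploit through open port:", attack_via_open_port(StatefulFirewall()))
    print("attacker -> trojan:", trojan_callback(StatefulFirewall()))
    # The same attacker packet with no session behind it is dropped.
    print("unsolicited inbound:", StatefulFirewall().filter(
        Packet("203.0.113.9", 4444, "10.0.0.23", 51515)))
```

The last line of the demo shows that the firewall is not simply broken: the identical attacker-to-victim packet is denied when no inside host has opened the session. The weakness is structural, since the verdict depends only on who opened the session and never on what the session carries.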

Older firewalls inspect every packet's headers but have no ability to inspect the packet payload, so viruses, worms, Trojans and other malicious content pass through unexamined.

Newer deep packet inspection firewalls do examine the payload, but they are often fooled when the attacker splits the attack payload across several fragmented packets and sends them out of order, so that no single packet contains a recognizable signature.
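The evasion described in the two paragraphs above, and the reassembly that defeats it, can be shown with a small simulation. The Python below is an added example written for this page, not code from the original article or from any inspection product; the signature string, the request payload and the segment sizes are constructed sample data rather than a real exploit.

```python
"""Added illustration of why per-packet payload inspection is fooled by
fragmentation and reordering, and how reassembling the stream before
matching closes that gap.  This is not code from the original article; the
signature, the payload and the segment layout are constructed sample data,
not a real exploit."""
from dataclasses import dataclass

SIGNATURE = b"EVIL_SHELLCODE"            # constructed pattern to block
# Constructed request carrying the signature in a header value.
PAYLOAD = b"GET / HTTP/1.0\r\nX: " + SIGNATURE + b"\r\n\r\n"


@dataclass(frozen=True)
class Segment:
    seq: int        # byte offset of this segment within the stream
    data: bytes


def per_packet_dpi(segments, signature=SIGNATURE):
    """Naive deep inspection: each segment's payload is scanned on its own."""
    return any(signature in s.data for s in segments)


class StreamReassembler:
    """Buffers segments by offset and scans the contiguous prefix of the
    stream.  A hole stops the scan, so an out-of-order segment is simply held
    until the bytes before it arrive.  Overlapping retransmissions are not
    handled here; a real engine must also resolve those the same way the
    destination host does."""
    def __init__(self, signature=SIGNATURE):
        self.signature = signature
        self.buf = {}          # seq -> data
        self.matched = False

    def feed(self, seg: Segment) -> bool:
        self.buf[seg.seq] = seg.data
        stream = bytearray()
        for seq in sorted(self.buf):
            if seq != len(stream):
                break          # gap: wait for the missing segment
            stream += self.buf[seq]
        if self.signature in stream:
            self.matched = True
        return self.matched


def split_and_reorder(payload: bytes, size: int, order=None):
    """Attacker side: cut the payload into size-byte segments and emit them
    in the given order (default: reversed)."""
    chunks = [payload[i:i + size] for i in range(0, len(payload), size)]
    order = list(reversed(range(len(chunks)))) if order is None else order
    return [Segment(i * size, chunks[i]) for i in order]


def evasion_demo(payload=PAYLOAD, size=5):
    """Returns (naive on whole packet, naive on fragments, reassembled on
    fragments): the signature is caught unfragmented, missed when split into
    pieces smaller than itself and sent in reverse, and caught again once
    the stream is reassembled."""
    frags = split_and_reorder(payload, size)
    reasm = StreamReassembler()
    for seg in frags:
        reasm.feed(seg)
    return (per_packet_dpi([Segment(0, payload)]),
            per_packet_dpi(frags),
            reasm.matched)


if __name__ == "__main__":
    print(evasion_demo())   # (True, False, True)
```

The segment size of 5 bytes is chosen to be smaller than the 14-byte signature, which is exactly the attacker's condition for the per-packet scanner to miss: the pattern can never fall entirely inside one packet. The reassembler does not care about arrival order because it only ever matches on the contiguous prefix it has so far, and extends that prefix as holes are filled.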

Requirements for deep inspection

To protect the enterprise network successfully, security defenses must be deployed at every layer of the network and must use up-to-date detection and protection mechanisms. New security practices that strengthen existing defenses include:

Designing smaller security zones to protect critical systems.

Adding network-based security platforms that provide in-line detection and prevention.

Using unified threat management (UTM) for better management, correlation of attacks, and lower maintenance costs.

Developing effective security policies and training users.

Increase network-based security
