Network firewall kung fu goes deep to the seventh layer

Source: Internet
Author: User
Editor's note: In just a few years, the core function of the firewall has moved from the network layer to the application layer. This article explains the technical background of that change and where firewall technology is heading.

  Application-level attacks challenge traditional firewalls

Over the past two years, attackers' interest has shifted markedly from port scanning and denial-of-service (DoS) attacks to attacks on mainstream applications such as Web servers, e-mail and even databases. A traditional firewall inspects only the header of an IP packet and ignores its content; to use a letter as a metaphor, it checks the envelope but never reads the stationery. Against application-layer attacks it therefore offers nothing. It is fair to say that firewall products which filter only on layer-3 IP addresses and layer-4 protocol ports have reached the end of the road.

  The battle moves up to layer seven

To counter attacks at the application layer (layer seven of the OSI network model), a firewall must be able to filter at the application layer, a capability some firewall products already have.

If a computer network is compared to a building, the traditional packet-filtering firewall is a row of parallel doors between the intranet and the Internet. Each door has a guard who checks every arriving parcel (IP packet) one by one and opens the door unless the parcel carries an address or port that is not allowed. The attacker's trick is to discover, through a port scan, which doors are open and unguarded, and then to use them. The later stateful-inspection firewall can additionally tell which packets arriving from the Internet are responses to requests made from the internal network; in other words, the guard can recognise parcels that nobody asked for.

An application-layer attack is far more complicated to stop, because in the vast majority of cases the attack packet is a legitimate packet; the difference lies in its content, which is malicious. And because an IP payload is transmitted in segments, the content can only be identified accurately after all the related packets have been reassembled. Once such attack packets pass the firewall, they typically go on to exploit a vulnerability in the target system methodically, for example by triggering a buffer overflow to gain control of the system, and then use it as a platform to look for vulnerabilities in surrounding systems, or for back doors left by other worms, from which to launch the next attack.

  The firewall's countermeasure

The response of some firewall products is to provide a dedicated filter for each type of mainstream application: HTTP, SMTP, FTP and SQL Server database access (RPC). If a new application-layer threat emerges in the future, a corresponding filter can be added. Users can apply filtering settings to each filter; for example, some worm attacks can be prevented by restricting the buffer of any HTTP access request to no more than 3,000 bytes. Under this mechanism, packets from the Internet are handed to their respective filters, which reassemble the packets before scanning and judging them. In the case of an e-mail message, the SMTP filter waits until all the related packets have been collected, scans the content of the message before forwarding it, and compares it against known attack types; only after the traffic is confirmed to be normal is it allowed through.
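The following is an added illustration, not code from the original article: a toy HTTP filter that buffers the segments of one stream until the request head is complete (or the cap is exceeded) and only then applies the 3,000-byte request limit the article quotes, next to a per-packet check that judges each segment on its own. All traffic, the 500-byte segment size and the request contents are constructed for the demonstration.

```python
# Added example: reassembly-before-judgement versus per-segment inspection.
# The 3,000-byte cap is the figure quoted in the article; everything else
# (segment size, sample requests) is constructed here.

MAX_REQUEST_BYTES = 3000  # per-request buffer cap from the article


def per_segment_check(segments):
    """Packet-filter style: judge every segment in isolation.

    Returns 'allow' when each segment individually fits under the cap. A
    device that never reassembles the stream can do no better than this, so
    an oversized request spread across small segments is waved through.
    """
    return "allow" if all(len(s) <= MAX_REQUEST_BYTES for s in segments) else "block"


class HttpRequestFilter:
    """Application-layer filter for one TCP stream: buffer segments until the
    HTTP request head is complete, then apply the policy once."""

    def __init__(self, max_bytes=MAX_REQUEST_BYTES):
        self.max_bytes = max_bytes
        self.buffer = b""

    def feed(self, segment):
        """Consume one segment. Returns None while the head is incomplete,
        otherwise a verdict string starting with 'allow' or 'block'."""
        self.buffer += segment
        # Stop as soon as the buffered bytes exceed the cap, without waiting
        # for the head to finish: this is what bounds the reassembly buffer.
        if len(self.buffer) > self.max_bytes:
            return "block: request exceeds %d bytes" % self.max_bytes
        head_end = self.buffer.find(b"\r\n\r\n")
        if head_end == -1:
            return None  # keep buffering
        return self._judge(self.buffer[:head_end])

    def _judge(self, head):
        lines = head.split(b"\r\n")
        try:
            method, _target, version = lines[0].split(b" ")
        except ValueError:
            return "block: malformed request line"
        if method not in (b"GET", b"POST", b"HEAD"):
            return "block: unsupported method %r" % method
        if not version.startswith(b"HTTP/1."):
            return "block: unsupported version"
        return "allow"


def filter_stream(segments, max_bytes=MAX_REQUEST_BYTES):
    """Run a whole list of segments through one filter instance."""
    f = HttpRequestFilter(max_bytes)
    for seg in segments:
        verdict = f.feed(seg)
        if verdict is not None:
            return verdict
    return "block: incomplete request"


def split_into_segments(data, size):
    """Constructed stand-in for the segmentation the network performs."""
    return [data[i:i + size] for i in range(0, len(data), size)]


# Constructed traffic.
NORMAL_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
# A request whose head is padded far beyond the cap, split into 500-byte
# segments so that no single segment looks unusual on its own.
OVERSIZED_REQUEST = b"GET /" + b"A" * 4000 + b" HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    for name, req in (("normal", NORMAL_REQUEST), ("oversized", OVERSIZED_REQUEST)):
        segs = split_into_segments(req, 500)
        print("%-9s per-segment: %-5s reassembled: %s"
              % (name, per_segment_check(segs), filter_stream(segs)))
```

The per-segment check reports "allow" for both requests, while the reassembling filter blocks the oversized one at the seventh segment, which is the article's point that content can only be judged once the related packets have been put back together.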

A properly configured modern firewall can block the vast majority of known virus messages and attack code. Blocking unknown viruses and attacks is much harder, but a sensible policy is usually effective. The basis of a sound policy is a correct understanding of the enterprise's business needs; for example, most enterprise users normally have no need to send executable files or Visual Basic script code by mail, so unknown viruses can be dealt with by blocking messages that carry such executable attachments. Where such files really do need to be sent, more targeted policies can be set, such as allowing only users in the IT department to send messages with executable attachments, or allowing users to receive all messages except those carrying a script attachment named "Kournikova.jpg.vbs."
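As an added example (not part of the original article), the following shows how an SMTP filter might express the policies just described over a reassembled message: block executable and Visual Basic script attachments, exempt senders in the IT department for executables, and always block the attachment name the article cites. The messages, the `corp.example` addresses, the IT-department sender list and the extension tables are all constructed here.

```python
# Added example: attachment policy in the style of the SMTP filter described
# in the article. Sender addresses, the IT-department list and the extension
# sets are constructed assumptions, not values from the article.
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr
import posixpath

EXECUTABLE_EXTENSIONS = {".exe", ".com", ".bat", ".scr", ".pif"}
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".wsf"}
ALWAYS_BLOCK_NAMES = {"kournikova.jpg.vbs"}        # the name quoted in the article
IT_DEPARTMENT_SENDERS = {"it-admin@corp.example"}  # constructed exception list


def attachment_names(msg):
    """Walk a parsed MIME message and return the filenames of its parts."""
    names = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def classify(filename):
    """Return 'executable', 'script' or 'other' for an attachment name.

    Only the final extension counts, so a double extension such as
    'photo.jpg.vbs' is still classified as a script.
    """
    ext = posixpath.splitext(filename.lower())[1]
    if ext in EXECUTABLE_EXTENSIONS:
        return "executable"
    if ext in SCRIPT_EXTENSIONS:
        return "script"
    return "other"


def evaluate(raw_message):
    """Return ('allow' | 'block', reason) for one complete raw message."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    for name in attachment_names(msg):
        if name.lower() in ALWAYS_BLOCK_NAMES:
            return "block", "attachment %s is on the deny list" % name
        kind = classify(name)
        if kind == "script":
            return "block", "script attachment %s" % name
        if kind == "executable" and sender not in IT_DEPARTMENT_SENDERS:
            return "block", "executable attachment %s from non-IT sender" % name
    return "allow", "no policy match"


def build_message(sender, filename, payload=b"constructed payload"):
    """Construct a simple multipart message carrying one attachment."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@corp.example"
    msg["Subject"] = "test"
    msg.set_content("see attachment")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_string()


if __name__ == "__main__":
    cases = [
        ("alice@corp.example", "report.pdf"),
        ("alice@corp.example", "setup.exe"),
        ("it-admin@corp.example", "setup.exe"),
        ("it-admin@corp.example", "Kournikova.jpg.vbs"),
    ]
    for sender, filename in cases:
        verdict, reason = evaluate(build_message(sender, filename))
        print("%-24s %-20s %-5s %s" % (sender, filename, verdict, reason))
```

The filter only ever sees a complete message, which is why the article has the SMTP filter wait for all related packets first; the deny-list check runs before the extension check so that the named attachment is blocked regardless of who sends it.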

  The contradiction between security and performance

Users have long been used to treating security and performance as opposites: as at an airport security checkpoint, the more checks there are, the longer the queue. For firewalls, performance and security are indeed in permanent tension, but the cost of application-layer filtering is not as large as most users believe. Some firewalls can handle more than 1000 concurrent users per second while maintaining 27Mbps of throughput per session. Some vendors implement the application-layer filtering engine in hardware (ASIC) to get closer to wire speed, which can be understood as the processing limit of an Ethernet switch.

  New challenges

Firewalls with application-layer filtering can block the majority of today's viruses and attacks more effectively, but new security threats keep posing new challenges. Attack sources are becoming more complex and attacks more sophisticated; the recent combination of spam with attack code is a typical example. On one hand this requires the firewall to understand application-layer content better and to identify threats more intelligently; on the other hand it calls for closer and more effective cooperation between the firewall, other security equipment and the applications themselves, so as to achieve stronger protection.
