Today, skilled attackers can use the ports a network firewall leaves open to bypass its monitoring entirely and target the application directly, using complex attack methods that traditional network firewalls cannot see. According to expert statistics, 70% of attacks currently occur at the application layer rather than the network layer, and against such attacks the protection offered by traditional network firewalls is not ideal.
Traditional network firewalls have the following shortcomings:
1. Cannot detect encrypted Web traffic
If you are deploying a portal website, you want both network-layer and application-layer attacks blocked before they reach the application. This requirement is a big problem for traditional network firewalls.
Because the data inside an encrypted SSL stream is invisible to the network firewall, the firewall cannot intercept the SSL stream and decrypt it quickly enough to block application attacks; some network firewalls do not provide data decryption at all.
2. Application-level encryption and encoding can easily escape firewall detection
SSL-encrypted data is not the only thing the network firewall cannot see: data encrypted or encoded by the application is invisible to it as well. Most network firewalls today rely on static feature libraries, much like an intrusion detection system (IDS). The firewall can identify and intercept attack data only when the application-layer characteristics of the attack exactly match an existing signature in the firewall's database.
However, common encoding techniques can be used to hide malicious code and other attack commands by converting them into a form that fools not only the front-end network security system but also the server. Such encoded attack code escapes the network firewall and avoids signature matching as long as it differs from the rules in the firewall's rule repository.
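The point above is the core weakness of static signature matching: the same request, written in a differently encoded form, no longer matches the literal rule. The following is an added example, not code from the original article, showing a literal matcher of the kind a feature library implies beside an inspector that canonicalizes the request (repeated percent-decoding, separator and case normalization) before matching, which is what an application-layer inspector has to do. The signature list, the function names (`inspect_raw`, `normalize`, `inspect_normalized`, `compare`) and all sample requests are constructed for this illustration.

```python
"""Added example (not from the original article): literal signature matching
on the raw request versus matching after normalization.

All signatures, function names and sample requests are constructed."""
import re
import urllib.parse

# Constructed signatures in the style of a static feature library: literal
# substrings compared against the request exactly as received.
RAW_SIGNATURES = [
    "../",          # directory traversal
    "<script",      # reflected script injection
    "UNION SELECT", # SQL keyword sequence
]


def inspect_raw(request_line: str) -> bool:
    """Return True if a literal signature appears in the raw request line."""
    return any(sig in request_line for sig in RAW_SIGNATURES)


def normalize(request_line: str) -> str:
    """Canonicalize the request the way an application-layer inspector must
    before matching: percent-decode until stable (covers double encoding),
    unify path separators and collapse repeated slashes."""
    s = request_line
    for _ in range(3):  # bounded so a pathological input cannot loop forever
        decoded = urllib.parse.unquote(s)
        if decoded == s:
            break
        s = decoded
    s = s.replace("\\", "/")
    s = re.sub(r"/{2,}", "/", s)
    return s


def inspect_normalized(request_line: str) -> bool:
    """Match signatures case-insensitively against the normalized request."""
    norm = normalize(request_line).lower()
    return any(sig.lower() in norm for sig in RAW_SIGNATURES)


# Constructed sample requests: the same intent written several ways, plus a
# benign request that neither inspector should flag.
SAMPLES = {
    "plain":       "GET /download?file=../../etc/passwd HTTP/1.1",
    "url-encoded": "GET /download?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1",
    "double-enc":  "GET /download?file=%252e%252e%252fetc%252fpasswd HTTP/1.1",
    "mixed-case":  "GET /search?q=1%20union%20select%20password HTTP/1.1",
    "benign":      "GET /download?file=report-2024.pdf HTTP/1.1",
}


def compare() -> dict:
    """Map each sample name to (raw_inspector_hit, normalized_inspector_hit)."""
    return {name: (inspect_raw(r), inspect_normalized(r))
            for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, (raw_hit, norm_hit) in compare().items():
        print(f"{name:12s} raw={str(raw_hit):5s} normalized={norm_hit}")
```

The raw inspector flags only the plainly written request; every encoded variant passes it, while the normalizing inspector flags all four and still leaves the benign request alone. The normalization step is also the reason deep inspection is expensive, a point the article returns to under shortcoming 5.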
3. Insufficient defense capabilities for Web applications
The network firewall was invented in 1990, and commercial Web servers became available one year later. A stateful-inspection firewall is designed to set and enforce access control lists (ACLs) based on network-layer information: TCP ports and IP addresses. In this regard, the network firewall is indeed outstanding.
In recent years HTTP has become the main transport protocol in practical applications. Mainstream platform vendors and large application providers have all moved to Web-based architectures, and the targets of security protection are no longer just important business data. The protection scope of the network firewall has changed.
For protecting a conventional enterprise LAN, the general-purpose network firewall still holds a high market share and continues to play an important role. However, against emerging upper-layer protocols, for example XML, SOAP and similar application protocols, the network firewall is somewhat inadequate.
Because of its architecture, even the most advanced network firewall cannot fully control the network, the application programs and the data streams, or intercept attacks at the application layer to protect Web applications. Lacking complete session-level monitoring of the overall application data stream, it has difficulty preventing new, unknown attacks.
4. Application protection features are applicable only to simple scenarios
Currently, data center servers change often, for example:
★Regular deployment of new applications;
★Software modules often need to be added or updated;
★QA personnel often find bugs in the code, and deployed systems must be patched on a regular basis.
In such a dynamic and complex environment, security experts need flexible and coarse-grained methods to implement effective protection policies.
Although some advanced network firewall vendors have proposed application protection features, these are only applicable to simple environments. On closer inspection, these features have limitations for actual enterprise applications; in most cases, the proof-of-concept features cannot be applied to real-life data centers.
For example, some firewall vendors once claimed to be able to prevent buffer overflows: when an attacker enters overly long data in the browser URL to try to crash the back-end service or gain illegal access, the network firewall can detect and stop it.
On closer inspection, these vendors implement this function by limiting the URL length in the port 80 data stream.
Such a rule takes effect for all applications. If a program or even a simple Web page genuinely needs a long URL, this rule will block it.
The architecture of the network firewall determines that it operates on network ports and the network layer, so it is difficult for it to protect the application layer, except for very simple applications.
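To make the URL-length example concrete, here is an added illustration (not from the original article or any vendor product) of the two policies side by side: a single global limit applied to all port 80 traffic, and a per-application limit tuned to what each application legitimately needs. The limits, the route names and the sample URLs are constructed values for this illustration; the function names `global_rule`, `app_rule` and `decide_all` are likewise assumed.

```python
"""Added example (not from the original article): one global URL-length rule
versus a per-application limit. All values below are constructed."""
from urllib.parse import urlsplit

# Constructed: the one-size-fits-all limit a network firewall would apply to
# every request on port 80.
GLOBAL_URL_LIMIT = 256

# Constructed per-application policy: path prefix -> maximum URL length.
# The report builder legitimately carries many query parameters; the login
# page never needs a long URL.
APP_POLICY = {
    "/login":  128,
    "/report": 2048,
}
DEFAULT_LIMIT = 256


def global_rule(url: str) -> str:
    """Network-layer style rule: one limit regardless of application."""
    return "block" if len(url) > GLOBAL_URL_LIMIT else "allow"


def app_rule(url: str) -> str:
    """Application-aware rule: the limit depends on which application the
    request is addressed to (first matching path prefix wins)."""
    path = urlsplit(url).path
    limit = DEFAULT_LIMIT
    for prefix, app_limit in APP_POLICY.items():
        if path.startswith(prefix):
            limit = app_limit
            break
    return "block" if len(url) > limit else "allow"


# Constructed sample URLs.
LONG_REPORT = "/report?" + "&".join(f"col{i}=on" for i in range(60))  # 537 chars
LONG_LOGIN = "/login?next=" + "A" * 300                               # 312 chars
SAMPLES = {
    "short-login": "/login?next=/home",
    "long-report": LONG_REPORT,
    "long-login":  LONG_LOGIN,
}


def decide_all() -> dict:
    """Map each sample name to (global_rule decision, app_rule decision)."""
    return {name: (global_rule(u), app_rule(u)) for name, u in SAMPLES.items()}


if __name__ == "__main__":
    for name, (g, a) in decide_all().items():
        print(f"{name:12s} len={len(SAMPLES[name]):4d} global={g:5s} per-app={a}")
```

The global rule blocks the legitimate long report URL along with the oversized login URL, which is exactly the false positive the article describes; the per-application rule lets the report through while still blocking the login URL, but it can only do so because it knows which application the request belongs to, knowledge a port-and-address firewall does not have.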
5. Unable to extend the deep inspection function
Extending a stateful-inspection network firewall with deep inspection without adding processing capacity is not feasible.
True deep inspection of all network and application traffic requires unprecedented processing power to complete a large number of computing tasks, including the following:
★SSL encryption/decryption;
★Complete bidirectional payload inspection;
★Normalization of all valid traffic;
★Extensive protocol processing.
These tasks cannot run efficiently on standard PC hardware. Although some network firewall vendors use ASIC-based platforms, the older network-oriented ASIC platforms cannot support the new deep inspection functions.
Conclusion: the application layer is more likely to be attacked, and traditional network firewalls have shortcomings in this regard. A few firewall vendors have begun to recognize application-layer threats, adding some proof-of-concept features to their firewall products in an attempt to prevent them, but traditional network firewalls remain ineffective at protecting application security. In the future, protection must be strengthened at both the network layer and the application layer to address the five shortcomings listed above.