Firewall: Step 7

Source: Internet
Author: User

Outbound: jieshiwang

Editor's note: in just a few years, the functional focus of the firewall has shifted from the network layer to the application layer. Based on the development of Microsoft ISA Server, this article describes the technical background of this change and the future trend of firewall technology.
Application Layer attacks challenge traditional firewalls
In the last two years, attackers have switched from port scanning and DoS Attack attacks to attacks against mainstream applications such as Web, E-mail, and databases. The traditional firewall only checks the IP packet header and ignores the content. If you use a letter as a metaphor, it only checks the envelope and does not check the letter paper. Therefore, such attacks on the application layer are powerless. It can be said that firewall products that only rely on layer-3 and layer-4 IP addresses and protocol port filtering have come to an end.
Fire burned to layer-7
To defend against attacks at the application layer (Layer 7 of the OSI network model), the firewall must have the filtering capability at the application layer. Microsoft ISA Server 2004 and other firewall products already have this capability.
If the computer network is compared to a building, the traditional packet filtering Firewall is a series of parallel doors between the enterprise's internal network and the Internet. Each door has a security check personnel to inspect the arrived package (IP packet) one by one. If no data packet contains abnormal code, the door is opened. A common trick for attackers is to use port scanning to check which ports are open and undefended, and then exploit them. Later, the firewall with the status detection function can check which packets are from the Internet responding to internal network access requests. That is to say, security personnel can identify parcels that are not on their own.
However, application-layer attacks are much more complex, because attack data packets are legal data packets in most cases. The difference is that the content is aggressive, and IP data packets are transmitted in segments, the determination of its content must be performed after all related packages are reorganized. Once these attack packets pass through the firewall, they usually start to methodically exploit vulnerabilities in the target system to create a buffer overflow and gain control of the system, then, the platform looks for vulnerabilities in other systems or backdoors left by other worms to launch attacks.
Firewall Countermeasures
In this regard, Microsoft ISA Server 2004 adopts a dedicated filter for each type of mainstream applications, such as HTTP, SMTP, FTP, and SQL Server database access (RPC-based, if there are new application layer threats in the future, you can add corresponding filters. Users can apply related filtering settings for each filter. For example, they can prevent some worms by limiting the buffer of any HTTP access request to no more than 3000 bytes. In this new mechanism, data packets from the Internet are sent to their respective filters, and the filters recombine the data packets for content scanning and discrimination. Take an email for example, the SMTP filter will wait for the relevant package to arrive, and then re-send the email to scan its content before forwarding to compare it with known attacks, it is allowed to pass after confirming that the traffic is normal.
The correctly configured modern firewall can block the vast majority of known virus emails and attack code. Although it is much more difficult to block unknown viruses and attacks, reasonable policy settings are usually effective. Correctly Setting policies is based on the correct understanding of your business needs. For example, most enterprise users do not have to transmit executable files and Visual Basic script code by email. You can block emails containing such executable attachments to deal with unknown viruses. All emails other than the attachment script. vbs.
Conflict between security and performance
Users have long been accustomed to regard security and performance as opposites. Just like at the airport's security inspection entrance, the more inspection steps, the longer the team waiting for security inspection. For firewalls, performance and security are always in conflict. However, the application layer filter has less impact on the performance of firewalls than most users think, microsoft ISA Server 2004 can process more than 1000 concurrent users per second, while maintaining a throughput of 27 Mbps per session. In fact, some manufacturers use hardware (ASIC) to implement the filter engine at the application layer, which can achieve processing capabilities that are closer to the line speed (which can be understood as the processing limit of Ethernet switches.
New challenges
Firewalls with the application layer filter function can more effectively block most of the current viruses and attack programs, but the emergence of new security threats poses new challenges to the firewall. The attack source is becoming more complex, and the attack methods are becoming more sophisticated. The recent combination of spam and attack code is a typical example. This requires firewall devices to have a better understanding of the content at the application layer and the ability to intelligently identify the content. On the other hand, it also needs more effective cooperation with other security devices and applications, to achieve more powerful protection.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.