The stateful inspection firewall is currently the most widely deployed firewall for protecting against attacks. However, as the number of Web attacks targeting the application layer grows, stateful inspection is becoming less and less effective at blocking them.
Stateful inspection firewalls were not designed for Web application attacks. To keep pace with the growing threat to Web applications, a new generation of deep inspection firewalls has emerged.
This article first reviews the evolution of firewall technology and then describes the four basic features of deep inspection technology.
1. Evolution of firewall technology
Figure 1 shows the evolution of firewall technology. So far there have been three generations of firewall: the packet filtering firewall, the stateful inspection firewall, and the deep inspection firewall.
1.1 Packet filtering firewall
The packet filtering firewall is the first-generation firewall and has no concept of state. Through packet filtering, the administrator allows or denies traffic with access control lists (ACLs). A packet filtering firewall makes its decision on the following attributes:
★ Physical network interface on which the packet arrives;
★ Source IP address and port;
★ Destination IP address and port.
However, the security of a packet filtering firewall is limited because the system has no awareness of application layer information. That is, because the firewall does not understand the content of the communication, an attacker can get past it.
For these reasons the packet filtering firewall came to be regarded as insecure and was gradually replaced by the stateful inspection firewall.
1.2 Stateful inspection firewall
Stateful inspection firewalls became the undisputed market leader for reasons including performance, ease of deployment, and scalability. They developed rapidly in the mid-1990s; in 1993, Check Point launched the world's first commercial stateful inspection firewall product.
The stateful inspection firewall works at the network layer. Like the packet filtering firewall, it decides whether to allow or deny a data flow based on the source IP address, destination IP address, source port, destination port, and protocol. Unlike the packet filtering firewall, however, the stateful inspection firewall bases its decision on session information rather than on the individual packet.
When a stateful inspection firewall inspects an incoming packet, it checks whether the packet belongs to a previously permitted session and records the session information in a state table. A stateful inspection firewall can also block network-layer attacks that rely on abnormal TCP behaviour. Network devices such as routers fragment packets into smaller pieces, so a stateful inspection device usually has to reassemble IP fragments into complete packets in their original order.
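The state table described above, as an added example that is not from the article: a minimal stateful inspection engine in Python. The protected network 10.0.0.0/8, the dict representation of packets, and the sample traffic are all constructed; the policy is that inside hosts may open sessions outbound, and a packet from outside is accepted only if it matches a session already in the state table. A stray ACK with no prior handshake, the kind of abnormal TCP the article mentions, is dropped because no session entry exists for it.

```python
"""Minimal stateful inspection engine (added example; not from the article).

Packets are dicts (constructed sample traffic below). The "inside" network
10.0.0.0/8 is an assumption. Policy: inside hosts may open sessions outbound;
a packet arriving from outside is accepted only if it belongs to a session
already recorded in the state table.
"""
import ipaddress

INSIDE = ipaddress.ip_network("10.0.0.0/8")  # assumed protected network


def is_inside(ip):
    return ipaddress.ip_address(ip) in INSIDE


def _key(pkt):
    # 5-tuple in the packet's own direction
    return (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])


def _reverse_key(pkt):
    # 5-tuple as the session initiator would have recorded it
    return (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])


class StatefulFirewall:
    def __init__(self):
        self.table = {}  # state table: 5-tuple -> "SYN_SENT" | "ESTABLISHED"

    def process(self, pkt):
        flags = set(pkt.get("flags", ()))
        key, rkey = _key(pkt), _reverse_key(pkt)

        # 1. Packet belongs to a known session: accept it and advance the state.
        sess = key if key in self.table else rkey if rkey in self.table else None
        if sess is not None:
            if pkt["proto"] == "tcp":
                if self.table[sess] == "SYN_SENT" and flags == {"SYN", "ACK"} and sess == rkey:
                    self.table[sess] = "ESTABLISHED"  # reply to our SYN
                elif flags & {"FIN", "RST"}:
                    del self.table[sess]              # session torn down
            return "ACCEPT"

        # 2. No session: only the inside may initiate, and only outbound.
        if not (is_inside(pkt["src"]) and not is_inside(pkt["dst"])):
            return "DROP"
        if pkt["proto"] == "tcp":
            if flags != {"SYN"}:
                return "DROP"  # stray ACK/FIN with no handshake: abnormal TCP
            self.table[key] = "SYN_SENT"
        else:
            self.table[key] = "ESTABLISHED"  # UDP: pseudo-session keyed on the 5-tuple
        return "ACCEPT"


def run_sample():
    """Constructed traffic: one legitimate session plus two packets with no session."""
    fw = StatefulFirewall()
    client, server = "10.1.1.5", "203.0.113.10"
    decisions = [
        fw.process({"proto": "tcp", "src": client, "sport": 40000, "dst": server, "dport": 80, "flags": ("SYN",)}),
        fw.process({"proto": "tcp", "src": server, "sport": 80, "dst": client, "dport": 40000, "flags": ("SYN", "ACK")}),
        fw.process({"proto": "tcp", "src": client, "sport": 40000, "dst": server, "dport": 80, "flags": ("ACK",)}),
        # inbound ACK for a session that was never opened
        fw.process({"proto": "tcp", "src": server, "sport": 80, "dst": client, "dport": 40001, "flags": ("ACK",)}),
        # outbound packet without a SYN: not a valid session start
        fw.process({"proto": "tcp", "src": client, "sport": 40002, "dst": server, "dport": 80, "flags": ("ACK",)}),
        fw.process({"proto": "tcp", "src": client, "sport": 40000, "dst": server, "dport": 80, "flags": ("FIN", "ACK")}),
    ]
    return decisions, dict(fw.table)


if __name__ == "__main__":
    print(run_sample())  # (['ACCEPT', 'ACCEPT', 'ACCEPT', 'DROP', 'DROP', 'ACCEPT'], {})
```

The packet filter of section 1.1 would evaluate each of these packets against the same 5-tuple in isolation; what the state table adds is the notion that the inbound SYN/ACK is acceptable only because an outbound SYN preceded it, and that the session disappears once it is torn down.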
1.3 Deep inspection firewall
The deep inspection firewall combines stateful inspection with application firewall technology to process application traffic and protect the target system from a variety of sophisticated attacks. With all the capabilities of stateful inspection, it can quickly analyze traffic at the network layer and make an access control decision; for permitted flows it then makes a further decision on the payload based on application layer information.
The deep inspection firewall analyzes the content of TCP or UDP packets in depth, so that it understands the payload as a whole.
2. Four basic features of deep inspection technology
New deep inspection technologies keep emerging to deliver different deep inspection functions, but it is worth understanding the basic features they share.
An advanced deep inspection firewall integrates all the functions of the packet filtering firewall and the stateful inspection firewall, as shown in Figure 1.
Advanced deep inspection technology has the following four features:
◆ Application layer encryption/decryption;
◆ Normalization;
◆ Protocol consistency;
◆ Bidirectional payload inspection.
These four features provide essential protection for Web applications. If any one of them is missing, the deep inspection firewall will fail when it has to withstand application-layer attacks.
2.1 Application layer encryption/decryption
SSL is widely used to secure sensitive data in many scenarios. This places a new requirement on the firewall: it must be able to handle data encryption and decryption. If SSL-encrypted data is not decrypted, the firewall cannot analyze the payload, let alone determine whether the packet carries an application-layer attack. Without decryption, none of the advantages of deep inspection can be realized.
Because SSL encryption is strong, enterprises routinely use SSL to protect the communications of their key applications. If deep inspection cannot protect those key applications, its advantages are meaningless.
2.2 Normalization
Protection against application-layer attacks relies heavily on string matching, and inexact matching creates security holes. For example, to decide which security policy applies to a request, the firewall usually matches the request URL against its policy conditions and applies the policy whose conditions match exactly. But URLs pointing to the same resource can take different forms: if the URL encoding differs, a byte-for-byte comparison fails. Attackers use a variety of techniques to disguise the URL they submit, attempting to defeat the string match and so bypass the security device.
These attacks are especially effective at evading IDS and IPS, because the attack code succeeds as long as it differs even slightly from the security device's signature database, as shown in Figure 2.
Normalization technology is needed to solve the string matching problem. Deep inspection can identify and block a large number of attacks, and normalization is required to catch attacks hidden in fragmented data, Unicode, URL encoding, double URL encoding, and polymorphic shellcode, as shown in Figure 3.
2.3 Protocol consistency
Application layer protocols such as HTTP, SMTP, POP3, DNS, IMAP, and FTP are used by almost every application. Each protocol is defined by an RFC (Request for Comments).
A deep inspection firewall must check whether the application layer data stream conforms to the protocol definition in order to prevent attacks.
Deep inspection performs stateful inspection at the application layer. Protocol consistency is achieved by parsing the individual fields of the protocol message; once the fields are identified, the firewall checks their legitimacy against the application rules defined in the RFC, as shown in Figure 4.
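A protocol consistency check for HTTP/1.1, as an added example that is not from the article. It parses the request line and header fields of a raw request and rejects anything that deviates from the RFC 7230 grammar: a method that is not a token, whitespace before the header colon, obsolete line folding, a non-numeric or conflicting Content-Length, a Content-Length alongside Transfer-Encoding (an ambiguous message length under RFC 7230 section 3.3.3), and a missing Host header. The sample requests are constructed, the set of permitted methods is an assumed policy, and the check assumes the buffer holds one complete request.

```python
"""HTTP/1.1 protocol-consistency check (added example; not from the article).

Validates a raw request against the RFC 7230 grammar (tokens, request line,
header fields, message length). The sample requests are constructed, the
permitted-method set is an assumed policy, and the buffer is assumed to hold
exactly one complete request.
"""
import re

TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")                # RFC 7230 tchar
REQUEST_LINE = re.compile(r"^([^ ]+) ([^ ]+) HTTP/(\d)\.(\d)$")
ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}  # assumed policy


def check_http_request(raw):
    """Return (ok, reason) for a raw request given as bytes."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "header block not terminated by CRLF CRLF"
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return False, "non-ASCII byte in header block"

    m = REQUEST_LINE.match(lines[0])
    if not m:
        return False, "malformed request line"
    method, target, major, minor = m.groups()
    if not TOKEN.fullmatch(method):
        return False, "method is not a token"
    if method not in ALLOWED_METHODS:
        return False, f"method not permitted: {method}"
    if (major, minor) not in {("1", "0"), ("1", "1")}:
        return False, "unsupported HTTP version"
    if not (target.startswith("/") or target == "*" or "://" in target):
        return False, "invalid request-target"

    headers = {}
    for line in lines[1:]:
        if line[:1] in (" ", "\t"):
            return False, "obsolete line folding (obs-fold) is not allowed"
        name, colon, value = line.partition(":")
        if not colon or not TOKEN.fullmatch(name):  # also rejects "Host :" (space before colon)
            return False, f"malformed header field: {line!r}"
        value = value.strip(" \t")
        if any(not (0x20 <= ord(c) <= 0x7E or c == "\t") for c in value):
            return False, f"invalid character in header {name}"
        lname = name.lower()
        if lname == "content-length":
            if not value.isdigit():
                return False, "Content-Length is not a decimal number"
            if lname in headers and headers[lname] != value:
                return False, "conflicting Content-Length values"
        headers[lname] = value

    if (major, minor) == ("1", "1") and "host" not in headers:
        return False, "Host header required in HTTP/1.1"
    if "content-length" in headers and "transfer-encoding" in headers:
        return False, "ambiguous message length: Content-Length with Transfer-Encoding"
    if "content-length" in headers and int(headers["content-length"]) != len(body):
        return False, "Content-Length does not match body length"
    return True, "ok"


SAMPLES = {  # constructed requests
    "well-formed": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "missing host": b"GET /index.html HTTP/1.1\r\nUser-Agent: x\r\n\r\n",
    "space before colon": b"GET / HTTP/1.1\r\nHost : example.com\r\n\r\n",
    "malformed request line": b"G ET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "length mismatch": b"POST /f HTTP/1.1\r\nHost: a\r\nContent-Length: 5\r\n\r\nab",
    "ambiguous length": b"POST /f HTTP/1.1\r\nHost: a\r\nContent-Length: 3\r\nTransfer-Encoding: chunked\r\n\r\nabc",
}


def check_samples():
    return {name: check_http_request(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ok, reason) in check_samples().items():
        print(f"{name:24} {'PASS' if ok else 'REJECT'}: {reason}")
```

Only the first sample passes. The same shape of check (tokenize the message into its RFC-defined fields, then validate each field against the grammar) applies to the other protocols the article lists; HTTP is used here because its grammar is the one a Web firewall exercises most.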
2.4 Bidirectional payload inspection
Deep inspection provides powerful functions to pass, reject, inspect, or modify packets up through layer 7, including their headers and payloads. HTTP deep inspection can see the URL, headers, parameters, and other information in the message body. The deep inspection firewall can be configured automatically and dynamically to correctly validate service variables such as maximum length, hidden fields, and radio buttons. If a request variable does not match, does not exist, or is incorrect, the deep inspection firewall discards the request, writes the event to the log, and sends an alert to the administrator.
Deep inspection technology also allows URLs, headers, and parameters to be modified or rewritten, similar to NAT at the application layer, as shown in Figure 5.
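The dynamic, bidirectional validation of service variables described above, as an added example in Python that is not from the article. In the response direction it learns the form a server sends (hidden field values, the offered radio-button options, and maxlength); in the request direction it checks the submitted parameters against that learned profile and returns the violations that a firewall would log and alert on. The HTML form, the two request bodies, and the field-level rules are all constructed.

```python
"""Bidirectional payload inspection for an HTML form (added example; not from the article).

Response direction: learn the form's fields from the page the server sends
(hidden field values, radio-button options, maxlength). Request direction:
validate the submitted parameters against that profile. The form, the request
bodies and the field-level rules are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs


class FormProfiler(HTMLParser):
    """Collects constraints from <input> elements in a server response."""

    def __init__(self):
        super().__init__()
        self.fields = {}  # name -> {"kind", "fixed", "allowed", "maxlength"}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        name = a.get("name")
        if not name:
            return
        kind = a.get("type", "text")
        field = self.fields.setdefault(
            name, {"kind": kind, "fixed": None, "allowed": set(), "maxlength": None})
        if kind == "hidden":
            field["fixed"] = a.get("value", "")       # client must echo it unchanged
        elif kind == "radio":
            field["allowed"].add(a.get("value", ""))  # only offered options are valid
        if a.get("maxlength"):
            field["maxlength"] = int(a["maxlength"])


def learn_form(html):
    profiler = FormProfiler()
    profiler.feed(html)
    return profiler.fields


def inspect_request(profile, body):
    """Return ("ACCEPT", []) or ("DROP", [violations]) for a submitted form body."""
    params = parse_qs(body, keep_blank_values=True)
    violations = []
    for name, values in params.items():
        if name not in profile:
            violations.append(f"unexpected parameter: {name}")
            continue
        rule = profile[name]
        for v in values:
            if rule["kind"] == "hidden" and v != rule["fixed"]:
                violations.append(f"hidden field altered: {name}")
            if rule["kind"] == "radio" and v not in rule["allowed"]:
                violations.append(f"value not among offered options: {name}")
            if rule["maxlength"] is not None and len(v) > rule["maxlength"]:
                violations.append(f"exceeds maxlength {rule['maxlength']}: {name}")
    for name in profile:
        if name not in params:
            violations.append(f"missing parameter: {name}")
    return ("DROP", violations) if violations else ("ACCEPT", [])


# Constructed server response containing the form
RESPONSE_HTML = """
<form method="post" action="/signup">
  <input type="hidden" name="csrf" value="tok-9f3a">
  <input type="text" name="user" maxlength="8">
  <input type="radio" name="plan" value="basic">
  <input type="radio" name="plan" value="pro">
</form>
"""

GOOD_BODY = "csrf=tok-9f3a&user=alice&plan=pro"
BAD_BODY = "csrf=changed&user=averyveryverylongname&plan=enterprise&debug=1"


def demo():
    profile = learn_form(RESPONSE_HTML)
    return inspect_request(profile, GOOD_BODY), inspect_request(profile, BAD_BODY)


if __name__ == "__main__":
    good, bad = demo()
    print(good)
    for v in bad[1]:
        print("DROP:", v)  # a deployed firewall would log each event and alert the administrator
```

The profile is learned per response, which is what lets the checks adapt when the application changes its form without anyone editing a static rule set. A production implementation would key the profile on the session that received the response, so that one user's form cannot be used to validate another user's submission.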
3. Summary
In a complex Web environment, deep inspection is needed to provide comprehensive application protection. To prevent Web attacks effectively, a firewall must be able to apply security policy based on the source IP address, destination IP address, port, and application content.
Deep inspection technology is still developing, but it generally has four features: application-layer encryption/decryption, normalization, protocol consistency, and bidirectional payload inspection.
When deploying Web applications, enterprises should ensure that the firewall can meet the security requirements of those applications and that it provides the four basic features of deep inspection technology.