From the simplest packet-filtering firewall to the application-layer gateway, the firewall has taken on an ever larger share of the network security role since its birth. In recent years an innovative firewall technology has come into wide use: deep packet inspection (DPI).
Historical Review
Before going into deep packet inspection, let us review how firewall inspection technology developed. These inspection techniques do not disappear as technology advances; on the contrary, the more advanced functional elements are built on top of them.
The first generation of firewalls, the first to appear and be widely deployed, can be called packet-filtering firewalls. The most basic packet-filtering firewall checks packets passing through the network against layer-3 parameters (such as source and destination IP address), and the filtering rules built into the firewall then decide which packets are passed and which are blocked. Next came the application-layer gateway firewall, often called a proxy-based firewall because it establishes application-layer connections on behalf of the various network clients, i.e. it provides a proxy service. Application-layer gateways work quite differently from packet filtering: all control takes place at the application layer (layer 7 of the OSI model), and no network client communicates directly with the server, as shown in Figure 1.
Figure 1 Principle of firewall inspection
The most widely used filtering technology today is stateful inspection. It works much like a packet-filtering firewall but uses more sophisticated access control algorithms. Stateful inspection firewalls and packet-filtering firewalls both provide protection through control decisions, but the stateful firewall bases its decisions not only on layer-3 network parameters but also on the network connection and the various states of the application service. Moreover, the decisions are not limited to passing or blocking packets; processing such as encryption can also be applied as a control decision, as shown in Figure 2.
Figure 2 Stateful inspection
A stateful inspection firewall can not only decide whether a transmission is passed or rejected on the basis of layer-3 parameters, but also understands the current state of the connection (for example, whether the connection is in the setup phase or the data-transfer phase). All traffic processed by the firewall is handed to a stateful inspection engine, which brings together the corresponding access rules.
By maintaining a connection state table, the engine identifies each active connection through the firewall together with the layer-3 parameters associated with it. If the connection state table contains a record of a connection, the inspection engine allows that connection's return traffic to pass. Once the connection is established, the firewall can verify that the traffic really does match the basic layer-3 parameters by checking higher-level connection properties such as the TCP sequence number, confirming that it is legitimate rather than forged.
Compared with the application-layer gateway, the stateful inspection firewall offers the same level of security protection and is more flexible, because the stateful inspection engine understands the application layer: since it guarantees the integrity of the communication at the application level, it does not need to proxy every connection on behalf of the client and server at the two ends. A firewall designed around stateful inspection therefore combines the processing speed and flexibility of a packet filter with the application-layer gateway's ability to understand application state and its high level of security.
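To make the connection-table logic described above concrete, here is an added Python example (not code from the original article): a minimal stateful inspector that admits new connections only from a trusted prefix, passes return traffic only for tracked connections, and rejects a handshake reply whose acknowledgement number does not match the recorded initial sequence number. The trusted prefix, packet fields and addresses are constructed for the demonstration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    """Constructed packet model: only the layer-3/4 fields the engine consults."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # TCP flags as letters: "S" (SYN), "SA" (SYN-ACK), "PA" (data)
    seq: int = 0
    ack: int = 0

class StatefulInspector:
    """Connection state table keyed on (src, sport, dst, dport). New connections are
    admitted only from the trusted side, return traffic only when a table entry exists,
    and the handshake reply must acknowledge the recorded ISN + 1."""

    def __init__(self, trusted_prefix: str):
        self.trusted_prefix = trusted_prefix   # assumption: the "inside" is one IP prefix
        self.table = {}

    def decide(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.table:
            return "ACCEPT"                    # initiator side of a tracked flow
        entry = self.table.get(rev)
        if entry is not None:                  # candidate return traffic
            if entry["state"] == "SYN_SENT":
                # Only a SYN-ACK acknowledging our ISN + 1 completes the handshake.
                if p.flags == "SA" and p.ack == entry["expect_ack"]:
                    entry["state"] = "ESTABLISHED"
                    return "ACCEPT"
                return "DROP"                  # forged or out-of-sequence reply
            return "ACCEPT"                    # return traffic of an established flow
        if p.src.startswith(self.trusted_prefix) and p.flags == "S":
            self.table[fwd] = {"state": "SYN_SENT", "expect_ack": p.seq + 1}
            return "ACCEPT"                    # new outbound connection, now tracked
        return "DROP"                          # unsolicited inbound traffic

def demo():
    """Run one outbound HTTPS handshake past the inspector; returns the decisions."""
    fw = StatefulInspector("10.0.0.")
    pkts = [
        Packet("10.0.0.5", 40000, "203.0.113.8", 443, "S", seq=1000),            # client SYN
        Packet("203.0.113.8", 443, "10.0.0.5", 40000, "SA", seq=5000, ack=999),  # wrong ack
        Packet("203.0.113.8", 443, "10.0.0.5", 40000, "SA", seq=5000, ack=1001), # real SYN-ACK
        Packet("203.0.113.8", 443, "10.0.0.5", 40000, "PA", seq=5001, ack=1001), # server data
        Packet("198.51.100.9", 5555, "10.0.0.5", 22, "S", seq=1),                # unsolicited
    ]
    return [fw.decide(p) for p in pkts]
```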
Overview of deep packet inspection technology
In general, deep packet inspection examines in depth every packet passing through the firewall, including its application payload. Inspecting only the packet header is cheaper, but much malicious activity can be hidden in the payload, where it passes through the defensive boundary and causes serious damage inside the protected system. Payloads may be full of spam, advertising video and peer-to-peer transfers that enterprises do not welcome, and the HTML- and XML-formatted data exchanged between network nodes by various e-commerce programs may carry backdoors and Trojan programs. Today, as application forms and formats multiply at an explosive rate, deciding access solely on layer-3 information can no longer meet security requirements.
The deep packet inspection engine decides how packets are handled according to a set of rules, using techniques such as fingerprint matching, heuristics, anomaly detection and statistical analysis. For example, the engine compares the data in the packet payload against predefined attack fingerprints to judge whether a transmission contains a malicious attack, and uses existing statistical data for pattern matching to support that judgement. Deep packet inspection can identify and protect against buffer overflow attacks, denial-of-service attacks, spoofing techniques and worms such as Nimda more effectively. In essence, deep packet inspection brings intrusion detection (IDS) functionality into the firewall, allowing an integrated security device to be built, as shown in Figure 3.
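As an added illustration of the rule types just listed (not code from the original article), the Python below contrasts a header-only packet filter with a payload inspector that applies a fingerprint rule, a protocol-anomaly rule and a size heuristic to HTTP traffic. The fingerprint pattern, the header-length threshold and the sample payloads are constructed for this example and are not real attack signatures.

```python
import re

# Constructed rule set for illustration; the fingerprint is a made-up marker, not a real signature.
FINGERPRINTS = {
    "constructed-backdoor-marker": re.compile(rb"X-Backdoor-Token: [A-Za-z0-9]{8,}"),
}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")
MAX_HEADER_LINE = 256   # heuristic threshold chosen for this example

def header_only_decision(dport: int) -> str:
    """What a plain packet filter sees: layer-3/4 parameters only."""
    return "ACCEPT" if dport in (80, 443) else "DROP"

def inspect_payload(dport: int, payload: bytes) -> list:
    """Deep inspection of the application payload; returns the names of rules that fired."""
    hits = []
    for name, pattern in FINGERPRINTS.items():        # 1. fingerprint matching
        if pattern.search(payload):
            hits.append(name)
    if dport == 80:
        if not payload.startswith(HTTP_METHODS):      # 2. protocol anomaly on the HTTP port
            hits.append("http-protocol-anomaly")
        if any(len(line) > MAX_HEADER_LINE for line in payload.split(b"\r\n")):
            hits.append("oversized-header-line")      # 3. heuristic for overflow attempts
    return hits

def dpi_decision(dport: int, payload: bytes) -> str:
    """Header check first, then payload rules: any rule hit blocks the packet."""
    if header_only_decision(dport) == "DROP":
        return "DROP"
    return "DROP" if inspect_payload(dport, payload) else "ACCEPT"
```

The header-only filter accepts everything bound for port 80, so the payload rules are the only thing that separates the clean request from the three flagged ones.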