The flaw of traditional network firewall

Source: Internet
Author: User

Today, knowledgeable hackers can use the ports a network firewall leaves open to slip past its monitoring and target applications directly. They devise sophisticated attack methods that bypass traditional network firewalls. According to expert statistics, 70% of current attacks occur at the application layer, not the network layer. Against this kind of attack, the protective effect of the traditional network firewall is far from ideal.

The traditional network firewall has the following deficiencies:

1. Unable to inspect encrypted Web traffic

If you are deploying a portal site, you want all network-layer and application-layer vulnerabilities to be shielded outside the application. For a traditional network firewall, this requirement is a big problem.

Because the network firewall cannot see the data inside an encrypted SSL stream, it cannot intercept and decrypt the SSL stream quickly, and so it cannot prevent attacks on the application. Some network firewalls do not provide any data decryption function at all.

2. Ordinary application-level encryption easily escapes firewall detection

What the network firewall cannot see is not limited to SSL-encrypted data: data encrypted by the application itself is also invisible to it. Most network firewalls today rely on a static feature library, working on the same principle as an intrusion detection system (IDS). The firewall can recognize and intercept attack data only when the characteristics of the application-layer attack exactly match a feature already in the firewall's database.

But with today's common encoding techniques, malicious code and other attack commands can be hidden and converted into a form that deceives both the front-end network security system and the back-end server. As long as such disguised attack code differs from the rules in the firewall's rule library, it evades the network firewall and successfully avoids feature matching.
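As an added illustration (not code from the original article) of the point above, and of the "normalization of all legal flows" step listed later under deep inspection: a static feature library matched against raw request bytes misses ordinary percent-encoding, double encoding and whitespace substitution, while an inspector that normalizes the request before matching catches them. The signatures and request paths are constructed samples.

```python
"""Added example (not from the original article): a static signature match on
raw request bytes versus the same match after normalization. The signatures
and request paths below are constructed sample data, not real rule content."""
import re
from urllib.parse import unquote

# Constructed "feature library" of the kind a static rule set holds.
SIGNATURES = {
    "traversal": re.compile(r"\.\./"),
    "script_tag": re.compile(r"<script", re.I),
    "sql_union": re.compile(r"union\s+select", re.I),
}

def match_signatures(text: str) -> list:
    """Return the names of signatures that literally occur in text."""
    return [name for name, sig in SIGNATURES.items() if sig.search(text)]

def normalize(path: str, max_rounds: int = 3) -> str:
    """Undo client-side encodings before matching: bounded repeated
    percent-decoding, backslash -> slash, collapsed slash/whitespace runs."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break  # stable: no further decoding possible
        path = decoded
    path = path.replace("\\", "/")
    path = re.sub(r"/{2,}", "/", path)
    path = re.sub(r"\s+", " ", path)
    return path

def inspect(path: str) -> dict:
    """Compare the naive byte-level check with the normalizing one."""
    return {"raw": match_signatures(path),
            "normalized": match_signatures(normalize(path))}

# Constructed sample request paths: one benign, four encoded in ways an
# ordinary client or browser can produce without any exotic tooling.
SAMPLES = [
    "/images/logo.png",
    "/files?name=..%2F..%2Fetc%2Fpasswd",  # single percent-encoding
    "/files?name=%252e%252e%252f",        # double percent-encoding
    "/search?q=%3Cscript%3E",             # encoded angle brackets
    "/report?q=1%20UNION%0ASELECT%202",   # newline where a space is expected
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p:38s} -> {inspect(p)}")
```

The raw matcher flags none of the four encoded samples; only the normalized matcher does, which is why signature matching without a normalization stage gives the false sense of coverage the article describes.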

3. Inadequate protection for Web applications

The network firewall was invented in 1990, and the commercial Web server was released a year later. A stateful-inspection firewall works on network-layer TCP ports and IP addresses, building and enforcing stateful access control lists (ACLs). In this role, the network firewall performs very well indeed.

In recent years, HTTP has become the main transport protocol in practical applications. Mainstream platform vendors and large application vendors have shifted to Web-based architectures, and what needs protecting is no longer only important business data. The protection scope demanded of the network firewall has changed.

For ordinary enterprise LAN protection, the common network firewall still holds a large market share and continues to play an important role, but against newly emerged upper-layer protocols, such as XML and SOAP applications, the network firewall seems somewhat powerless.

For architectural reasons, even the most advanced network firewalls cannot intercept application-level attacks, because when defending Web applications they cannot fully control the network, the applications and the data flows. Lacking complete session-level monitoring of the overall application data stream, they find it difficult to prevent new, unknown attacks.

4. Application protection features only cover simple situations

Current data center servers change frequently, for example:

★ New applications need to be deployed on a regular basis;

★ Software modules often need to be added or updated;

★ QA often finds bugs in the code, and deployed systems need to be patched regularly.

In such a dynamic and complex environment, security experts need a flexible, coarse-grained approach to implement effective protection strategies.

Although some advanced network firewall vendors have put forward application protection features, these only work in simple environments. A closer look shows that the features have limitations for real enterprise applications. In most cases, these proof-of-concept features cannot be applied to real-life data centers.

For example, some firewall vendors have claimed to be able to prevent buffer overflows: when a hacker enters overly long data in the browser's URL to try to crash the back-end service or gain illegal access, the firewall can detect and stop it.

A closer look shows that these vendors implement this function by limiting the length of the URL in the port-80 data stream.

Once this rule is enabled, it applies to every application. If one program, or even a simple Web page, genuinely needs a very long URL, the rule blocks it.

The architecture of the network firewall means that it operates on network ports and the network layer, so it is hard for it to protect the application layer, except for some very simple applications.

5. Cannot be extended with deep inspection

A stateful-inspection network firewall cannot simply be extended with a deep inspection feature without a corresponding increase in network performance; that is not possible.

True deep inspection of all network and application traffic requires unprecedented processing power to perform a large number of computational tasks, including the following:

★ SSL encryption and decryption;

★ Full bi-directional payload inspection;

★ Normalization of all legitimate flows;

★ Performance across a wide range of protocols.

These tasks do not run efficiently on standard PC hardware. Some network firewall vendors build on ASIC platforms, but closer study shows that the older network-oriented ASIC platforms do not support the new deep inspection functions.

Summary: The application layer is attacked more and more often, and the traditional network firewall has deficiencies in this area. A few firewall vendors are beginning to recognize the application-layer threat and are adding proof-of-concept features to their firewall products in an attempt to guard against it. The traditional network firewall has not been effective for application security; given the five deficiencies listed above, future protection needs to be strengthened at both the network layer and the application layer.
