Various content filtering modes of the firewall

Source: Internet
Author: User

1. Overview
Content filtering is already a basic function of various firewalls. This article summarizes the content filtering modes of various firewalls.
Content filtering is mainly used to process content information of upper-layer protocols of TCP and UDP.
Content filtering applies to plain text or pseudo-plain text, such as base64-encoded or compressed data. Encrypted traffic such as SSL and SSH cannot be filtered.

2. HTTP (TCP80)
HTTP is the most widely used protocol, and it also has the most content filtering modes.

2.1 URL filtering
URL filtering is the basic mode of HTTP filtering. It can use URL whitelists, blacklists, and keywords. It can also work together with other servers for URL filtering, for example over the CheckPoint UFP protocol, with Websense providing the URL database and categories.

2.2 HTTP data type filtering
The HTTP data type can be:
the file type defined by the URL;
the type of the uploaded or downloaded file;
the type defined by Content-Type in the HTTP header;
the types defined in the HTML language, such as IMG, APPLET, and SCRIPT.

2.3 HTTP header field filtering
HTTP defines a large number of header fields to describe HTTP information. The firewall can filter on the various types of header fields.

2.4 HTTP command type filtering
HTTP commands include GET, PUT, and POST. With command filtering, you can restrict certain HTTP functions.

2.5 Keyword filtering of HTTP content
Filter keywords in any HTTP data.
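The HTTP modes above (URL, data type, header field and command type) can be combined in one per-request decision. The following is an added example, not code from the original article; the policy values, host names and function names are constructed for illustration. A request line that does not parse as HTTP is denied as well, which is the protocol legality check described in section 9.

```python
from urllib.parse import urlsplit

# Policy values below are constructed for illustration.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
BLOCKED_HOSTS = {"blocked.example"}
URL_KEYWORDS = ("/admin",)
BLOCKED_EXTENSIONS = (".exe", ".scr")
BLOCKED_CONTENT_TYPES = {"application/x-msdownload"}

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request head into method, target and headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("not an HTTP request line")
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line")
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers

def filter_request(raw: bytes) -> str:
    """Return 'allow' or 'deny: <reason>' for one client request."""
    try:
        method, target, headers = parse_request(raw)
        url = urlsplit(target)
    except ValueError as exc:
        return f"deny: protocol violation ({exc})"
    if method not in ALLOWED_METHODS:            # 2.4 command type
        return f"deny: method {method}"
    host = (url.hostname or headers.get("host", "").split(":")[0]).lower()
    path = url.path.lower()
    if host in BLOCKED_HOSTS:                    # 2.1 URL blacklist
        return f"deny: host {host}"
    if any(k in path for k in URL_KEYWORDS):     # 2.1 URL keyword
        return "deny: URL keyword"
    if path.endswith(BLOCKED_EXTENSIONS):        # 2.2 file type from the URL
        return "deny: file type"
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype in BLOCKED_CONTENT_TYPES:           # 2.2/2.3 Content-Type header
        return "deny: content type"
    return "allow"
```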

3. FTP protocol (TCP21)

3.1 Upload/download file type filtering
Filter the types of files transferred by the FTP GET and PUT commands.

3.2 FTP command filtering
Filter FTP commands to prevent certain commands from being executed. FTP protocol commands and FTP client interface commands are defined in RFC959, 2228, and 2640.

3.3 Keyword filtering of FTP command channel content
Filter keywords in any data in the FTP command channel.

3.4 Keyword filtering of the FTP data channel
Filter keywords in any data in the FTP data channel.

4. SMTP protocol (TCP25)
Many kinds of SMTP content can also be filtered.

4.1 SMTP protocol header field filtering
Like HTTP, SMTP uses multiple header fields to describe the content being transmitted. The various header fields can be filtered, including keyword filtering of fields such as Subject, To, From, and Cc.

4.2 Email length filtering
Limit the length of the email being sent.

4.3 Email content keyword filtering
Filter keywords in the mail data. Double-byte-language text and binary data sent over SMTP are currently both encoded, so they need to be decoded before filtering.

4.4 Email attachment filtering
Filter the types and content keywords of email attachments.

5. IMAP (TCP143)/POP3 (TCP110) filtering
Although both carry email, POP3 filtering is used less than SMTP filtering. After all, it is better not to wait until an email has already reached the destination mailbox before deleting it.

5.1 Email content keyword filtering
Filter keywords in the mail data. Double-byte-language text and binary data sent over SMTP are currently both encoded, so they need to be decoded before filtering.

5.2 Attachment file type filtering
Filter attachments of dangerous types, warn about attachments of dangerous types, and prevent them from running automatically.

6. DNS protocol (TCP/UDP53)
DNS filtering is actually the most restrictive method: once domain name resolution fails, no protocol can be used, whether it is HTTP, TELNET, FTP, or anything else.

6.1 Domain name filtering
Filter domain names based on whitelists, blacklists, and keywords.
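Domain name filtering has to read the queried name out of the DNS wire format before any list can be applied. The following is an added example, not code from the original article; the lists, the sample query builder and all function names are constructed. It parses the question name from a UDP DNS query and applies whitelist, blacklist and keyword matching, matching list entries on label boundaries so that `notblocked.example` is not caught by a `blocked.example` entry.

```python
import struct

# Lists below are constructed for illustration.
WHITELIST = {"intranet.example"}
BLACKLIST = {"blocked.example"}
KEYWORDS = ("casino",)

def build_query(name: str) -> bytes:
    """Build a minimal A-record query (constructed sample input)."""
    header = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!2H", 1, 1)

def query_name(packet: bytes) -> str:
    """Extract the first question name from a DNS message (RFC 1035)."""
    if len(packet) < 12 or struct.unpack("!H", packet[4:6])[0] < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length = packet[pos]
        if length == 0:
            return ".".join(labels)
        if length > 63 or pos + 1 + length > len(packet):
            raise ValueError("bad label in question")
        label = packet[pos + 1:pos + 1 + length]
        labels.append(label.decode("ascii", "replace").lower())
        pos += 1 + length

def in_list(name: str, zones) -> bool:
    """True if name is a listed domain or a subdomain of one."""
    return any(name == z or name.endswith("." + z) for z in zones)

def decide(packet: bytes) -> str:
    """Return 'allow', 'block' or 'drop' (malformed) for one UDP DNS query."""
    try:
        name = query_name(packet)
    except ValueError:
        return "drop"
    if in_list(name, WHITELIST):
        return "allow"
    if in_list(name, BLACKLIST) or any(k in name for k in KEYWORDS):
        return "block"
    return "allow"
```

DNS over TCP prefixes each message with a two-byte length, which would have to be stripped before calling `decide`.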

6.2 DNS address NAT
This solves the problem of internal machines accessing an intranet server by domain name when both are in the same network segment. It also falls within the scope of content filtering.

7. TELNET filtering (TCP23)
TELNET generally gets keyword filtering only.

8. Other protocols
For other types of protocols there is relatively little to filter; basically, keywords in the protocol content are filtered.

9. Protocol legality detection and subliminal channel detection
This mainly checks whether the data in the protocol channel complies with the RFC standard, to prevent other protocols from using the port for communication.

10. Virus Filtering
Network viruses can be spread through any network protocol, so they are listed separately.

Some firewalls carry their own virus database and can scan data while forwarding it. More commonly, the firewall works with a virus server: it sends the data to the virus server, which scans it and returns the result. In either form, virus detection is the slowest and most resource-expensive processing step. You can test the virus scanning speed yourself: at a bandwidth of 10 Mbps the data volume is 1.25 MB per second, so scan a 1.25 MB file with a standalone antivirus tool and see how long it takes. However, the virus database usually contains only network viruses, not single-host viruses, which can reduce the scanning time.

11. Conclusion

Content filtering is in essence still keyword filtering; what differs is the type of keyword to be detected. The speed of content filtering depends on the speed of the keyword pattern search. The key to content filtering is cutting the connection when an exception is detected. There are various ways to cut the connection, and it is best to let the user know why the connection was cut.
