SoFunction
Updated on 2025-04-09

Network firewall technology goes deep into the seventh layer

Editor's note: In just a few years, the functional center of gravity of the firewall has moved from the network layer to the application layer. This article explains the technical background of this change and the future direction of firewall technology.

Application layer attacks challenge traditional firewalls

In the past two years, attackers' interest has clearly shifted from port scanning and denial of service attacks (DoS attacks) to attacks on mainstream applications such as web, e-mail and even databases. Traditional firewalls only check the headers of IP packets and ignore the content; to use a postal analogy, they check the envelope but never read the letter inside. They therefore have no way to stop this type of application layer attack. It can be said that firewall products that rely solely on Layer 3 and Layer 4 information, that is, IP addresses and protocol ports, have reached the end of the road.

The battle moves up to the seventh layer

In order to combat attacks from the application layer (Layer 7 of the OSI network model), firewalls must have application layer filtering capabilities, and some firewall products already have them.

If a computer network is compared to a building, a traditional packet filtering firewall is a row of side-by-side doors between the enterprise's internal network and the Internet. At each door a guard checks the arriving packages (IP packets) one by one; if nothing looks abnormal, the door is opened and the package is let through. A common attacker trick is to use port scanning to find out which doors are open and unguarded, and then use them. The stateful inspection firewall that appeared later can tell which packets are responses from the Internet to requests that originated on the internal network. In other words, the guard can now recognize uninvited packages.

Application-level attacks, however, are much more complicated. In most cases the attack packets are themselves legitimate packets; the difference lies in the content, which is hostile. And because IP packets are transmitted in segments, the content can only be judged accurately after all the related packets have been reassembled. Once such attack packets pass through the firewall, they typically proceed methodically: exploit a vulnerability in the target system to cause a buffer overflow, gain control of the system, and then use it as a platform to look for vulnerabilities in other systems or backdoors left by other worms, from which the next attack is launched.

Firewall countermeasures

In response, some firewall products set up a dedicated filter for each type of mainstream application (based on RPC). If new application-layer threats appear in the future, corresponding filters can be added. Users can apply filtering settings to each filter; for example, some worms can be blocked by limiting the buffer of any HTTP request to no more than 3000 bytes. Under this new mechanism, packets arriving from the Internet are handed to their respective filters, which reassemble the packets and then scan and classify the content. Take e-mail as an example: the SMTP filter waits for all the related packets to arrive, reassembles the message before forwarding it, scans the content, compares it with known attack types, and only lets it pass after confirming that it is normal traffic.
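To make the mechanism concrete, here is an added example (not code from the article or from any firewall vendor) of a toy application-layer filter in Python: segments of a flow are reassembled in offset order, and once a complete HTTP request is available it is checked against the 3000-byte limit mentioned above and against a constructed signature table. Flow identifiers, offsets and the signature list are all assumptions made for the example.

```python
"""Toy application-layer filter: reassemble segments, then apply an HTTP filter."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

HTTP_MAX_REQUEST_BYTES = 3000          # the limit the article mentions
# Constructed stand-in for a real attack-signature database
KNOWN_BAD_PATTERNS = [b"../../", b"%00"]


@dataclass
class Segment:
    flow: str        # constructed flow id, e.g. "10.0.0.5:5555->10.0.0.1:80"
    offset: int      # byte offset of this segment within the stream
    data: bytes


@dataclass
class Reassembler:
    """Collects segments per flow and returns the stream once a request is complete."""
    flows: Dict[str, Dict[int, bytes]] = field(default_factory=dict)

    def add(self, seg: Segment) -> Optional[bytes]:
        parts = self.flows.setdefault(seg.flow, {})
        parts[seg.offset] = seg.data
        stream = b""
        while len(stream) in parts:         # stitch contiguous bytes from offset 0
            stream += parts[len(stream)]    # stop at the first gap
        if b"\r\n\r\n" in stream:           # header terminator: request is complete
            del self.flows[seg.flow]
            return stream
        return None                         # still waiting for missing segments


def http_filter(request: bytes) -> Tuple[str, str]:
    """Return ('allow' | 'drop', reason) for one reassembled HTTP request."""
    if len(request) > HTTP_MAX_REQUEST_BYTES:
        return "drop", f"request exceeds {HTTP_MAX_REQUEST_BYTES} bytes"
    for pat in KNOWN_BAD_PATTERNS:
        if pat in request:
            return "drop", f"matched known pattern {pat!r}"
    return "allow", "normal traffic"


def inspect(segments: List[Segment]) -> List[Tuple[str, str, str]]:
    """Feed segments (possibly out of order) through reassembly, then filter."""
    reassembler, verdicts = Reassembler(), []
    for seg in segments:
        stream = reassembler.add(seg)
        if stream is not None:
            action, reason = http_filter(stream)
            verdicts.append((seg.flow, action, reason))
    return verdicts
```

Note that a per-packet filter would never see the oversized request as a whole; only after reassembly can the length and content checks be applied.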

A properly configured modern firewall can block the vast majority of known virus mail and attack code. Blocking unknown viruses and attacks is much harder, but with reasonable policy settings it is usually effective. The basis for setting policy correctly is a correct understanding of the business needs of the enterprise. For example, most enterprise users normally have no need to send executable files or Visual Basic script code through e-mail, so unknown viruses can be dealt with by blocking e-mails that carry such executable attachments. Where such files really do need to be sent, more targeted policies can be set, such as allowing only users in the IT department to send e-mails with executable files, or allowing users to receive all e-mails except those with script attachments named "".
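The attachment policy described in this paragraph, written out as an added example in Python (not the article's or any product's code): scripts are blocked for everyone, executables are allowed only from senders in an assumed IT department list, and messages are parsed with the standard library so the rule is evaluated on real MIME attachment names. The sender directory and file-extension sets are constructed for the example.

```python
"""Toy mail-attachment policy of the kind an SMTP filter would apply."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import List, Tuple

EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".bat"}   # constructed list
SCRIPT_EXTS = {".vbs", ".vbe", ".js"}                 # constructed list
IT_DEPARTMENT = {"admin@example.test"}                # constructed sender directory


def attachment_names(raw: bytes) -> List[str]:
    """Parse a raw RFC 5322 message and return the filenames of its attachments."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return [part.get_filename() or "" for part in msg.iter_attachments()]


def evaluate(raw: bytes) -> Tuple[str, str]:
    """Return ('allow' | 'block', reason) for one reassembled message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    sender = str(msg["From"] or "").strip().lower()
    for name in attachment_names(raw):
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in SCRIPT_EXTS:
            return "block", f"script attachment {name}"
        if ext in EXECUTABLE_EXTS and sender not in IT_DEPARTMENT:
            return "block", f"executable attachment {name} from non-IT sender"
    return "allow", "no prohibited attachments"


def build_message(sender: str, filename: str) -> bytes:
    """Construct a sample multipart message with one binary attachment."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.test"
    msg["Subject"] = "sample"
    msg.set_content("see attachment")
    msg.add_attachment(b"\x00\x01\x02", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()
```

Matching on the declared filename is the policy the article describes; a production filter would additionally inspect the attachment bytes, since the extension is attacker-controlled.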

The contradiction between security and performance

Users have long been accustomed to treating security and performance as opposites, just as at an airport security checkpoint: the more inspection steps, the longer the queue. For firewalls, performance and security are indeed a permanent tension, but the impact of application layer filtering on firewall performance is not as great as most users imagine. Some firewalls are rated at more than 1,000 concurrent users per second while maintaining a throughput of 27Mbps per session. In fact, some manufacturers implement the application-layer filtering engine in hardware (ASIC), achieving processing capacity close to line speed (which can be understood as the processing limit of an Ethernet switch).

New challenges

Firewalls with application layer filtering can block most current viruses and attack programs more effectively, but the continuous emergence of new security threats poses new challenges. The sources of attacks are becoming more complex and the methods more cunning; the recent combination of spam and attack code is a typical example. On the one hand, firewall devices need a better understanding of application layer content and the ability to distinguish intelligently between legitimate and malicious traffic. On the other hand, firewalls need to cooperate more effectively with other security devices and applications to achieve stronger protection.