The New Guardian of Network Security: Deep Inspection, a New Firewall Technology

xiaoxiao2021-03-06  48

Stateful inspection firewalls are currently the most widely deployed firewalls for defending against attacks. However, as attacks aimed specifically at the application layer (Web attacks) have increased, the effectiveness of stateful inspection firewalls at blocking attacks has steadily declined.

Stateful inspection firewalls were not designed with Web application attacks in mind. To meet the growing threat to Web applications, a new generation of deep inspection firewalls has emerged.

This article first reviews the evolution of firewall technology and then introduces the four basic characteristics of deep inspection technology.

1. The evolution of firewall technology

Firewall technology has so far evolved through three generations: packet filter firewalls, stateful inspection firewalls, and deep inspection firewalls.

1.1 Packet filter firewall (Packet Filter Firewall)

The packet filter firewall is the first generation of firewall and has no concept of state. Through packet filtering, administrators can permit or deny traffic using ACLs (Access Control Lists). A packet filter firewall filters on the following attributes:

★ the physical network interface on which the packet arrives;

★ source IP address and port;

★ destination IP address and port.

However, packet filter firewalls have a definite security weakness: the system knows nothing about application-layer information, that is, the firewall does not understand the content of the communication, so it can be bypassed by attackers.

For these reasons, packet filter firewalls came to be regarded as insecure and were gradually replaced by stateful inspection firewalls.

1.2 Stateful inspection firewall (Stateful Inspection Firewall)

Stateful inspection firewalls appeared and became the undisputed market leader, mainly for reasons of performance, ease of deployment, and extensibility. They developed rapidly in the mid-1990s; in 1993, Check Point launched the world's first commercial stateful inspection firewall product.

Stateful inspection firewalls work at the network layer. Like packet filter firewalls, they permit or deny a data stream based on source IP address, destination IP address, source port, destination port, and protocol. Unlike packet filter firewalls, however, stateful inspection firewalls base their decisions on session information rather than on individual packets.

When a stateful inspection firewall verifies a packet, it determines whether the packet belongs to a previously permitted session and records this information in a state table. Stateful inspection firewalls also prevent network-layer attacks based on anomalous TCP behaviour. Network devices such as routers fragment packets into smaller pieces, so a stateful inspection device typically has to reassemble IP fragments, putting the complete packet back together in its original order.
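The contrast between sections 1.1 and 1.2 is easiest to see on concrete packets. The following is an added example, not code from the article: a stateless ACL filter that looks only at interface, addresses and ports beside a stateful filter that keeps a session table and admits inbound packets only when they belong to a session opened from the inside. The packets, the ACL and all helper names are constructed for this illustration.

```python
# Added example (not from the article): a minimal stateless packet filter and a
# stateful inspection filter side by side. Packets, ACL and helper names are
# assumptions made for this illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str      # physical interface the packet arrived on
    src: str
    sport: int
    dst: str
    dport: int
    proto: str      # only "tcp" is used in this example
    syn: bool = False
    ack: bool = False


# Stateless ACL: each rule looks only at the attributes listed in section 1.1.
# To let replies to outbound web requests back in, the administrator has to
# allow any inbound packet from port 80 to any high port -- the classic hole.
ACL = [
    # (iface, src, sport, dst, dport, action); "*" is a wildcard
    ("outside", "*", 80, "10.0.0.0/8", "high", "permit"),
    ("inside", "10.0.0.0/8", "*", "*", 80, "permit"),
    ("*", "*", "*", "*", "*", "deny"),
]


def _match(pattern, value):
    if pattern == "*":
        return True
    if pattern == "high":                       # ephemeral client ports
        return value >= 1024
    if isinstance(pattern, str) and pattern.endswith("/8"):
        return value.startswith(pattern.split(".")[0] + ".")
    return pattern == value


def stateless_filter(pkt):
    """First matching ACL entry wins; there is no memory of earlier packets."""
    for iface, src, sport, dst, dport, action in ACL:
        if (_match(iface, pkt.iface) and _match(src, pkt.src) and _match(sport, pkt.sport)
                and _match(dst, pkt.dst) and _match(dport, pkt.dport)):
            return action
    return "deny"


class StatefulFilter:
    """State table keyed by the 5-tuple of sessions opened from the inside.
    Inbound packets are permitted only if they belong to a known session."""

    def __init__(self):
        self.state = {}     # 5-tuple -> connection state

    def filter(self, pkt):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.iface == "inside" and pkt.syn and not pkt.ack:
            # New session: the policy still decides, but the decision is remembered.
            if stateless_filter(pkt) == "permit":
                self.state[key] = "SYN_SENT"
                return "permit"
            return "deny"
        if reverse in self.state:               # reply to a session we have seen
            if pkt.syn and pkt.ack and self.state[reverse] == "SYN_SENT":
                self.state[reverse] = "ESTABLISHED"
            return "permit"
        if key in self.state:                   # further packets of an open session
            return "permit"
        return "deny"                           # unsolicited: no matching session


def compare(packets):
    """Run both filters over a packet list; returns [(stateless, stateful), ...]."""
    sf = StatefulFilter()
    return [(stateless_filter(p), sf.filter(p)) for p in packets]


# Constructed traffic: one legitimate session plus one unsolicited inbound packet
# that merely claims to come from a web server's port 80.
SAMPLE = [
    Packet("inside", "10.0.0.5", 40000, "203.0.113.10", 80, "tcp", syn=True),
    Packet("outside", "203.0.113.10", 80, "10.0.0.5", 40000, "tcp", syn=True, ack=True),
    Packet("outside", "198.51.100.7", 80, "10.0.0.5", 40001, "tcp", ack=True),
]

if __name__ == "__main__":
    for pkt, verdicts in zip(SAMPLE, compare(SAMPLE)):
        print(pkt.src, "->", pkt.dst, "stateless=%s stateful=%s" % verdicts)
```

The third packet passes the stateless ACL because the rule that admits web replies cannot tell a reply from a forged one; the stateful filter drops it because no session in its table matches.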

1.3 Deep inspection firewall (Deep Inspection Firewall)

Deep inspection firewalls combine stateful inspection with application firewall technology to handle application traffic and protect target systems from a variety of sophisticated attacks. Building on all the functions of stateful inspection, a deep inspection firewall can quickly complete network-layer analysis and make access control decisions; for data streams that are permitted, it then makes further decisions at the application layer based on the payload.

A deep inspection firewall analyses TCP or UDP packets in depth in order to understand the payload.

2. Four basic characteristics of deep inspection technology

New deep inspection techniques continue to appear, implementing different deep inspection functions, but we need to understand the basic characteristics of deep inspection technology.

An advanced deep inspection firewall integrates all the functions of the packet filter firewall and the stateful inspection firewall, as shown in Figure 1.

Advanced deep inspection technology typically has four features:

◆ Application-layer encryption / decryption;

◆ Normalization;

◆ Protocol consistency;

◆ Bidirectional payload inspection.

These four features provide important protection for Web applications. If any one of them is not implemented, the deep inspection firewall's ability to resist application-layer attacks is greatly reduced.

2.1 Application-layer encryption / decryption

SSL is widely used to secure sensitive data in many settings. This places a new requirement on the firewall: it must handle data encryption and decryption. If SSL-encrypted data is not decrypted, the firewall cannot analyse the payload, let alone determine whether a packet contains an application-layer attack. Without decryption, none of the advantages of deep inspection can be realised.

Because SSL provides strong encryption, enterprises often use SSL to secure communications for their critical applications. If deep inspection cannot provide its protection for the enterprise's key applications, the advantages of deep inspection as a whole lose their meaning.

2.2 Normalization

Preventing application-layer attacks depends heavily on string matching, and incomplete matching can create security holes. For example, to determine whether a request should be permitted, the firewall typically matches the requested URL against its security policy; once a policy condition is fully matched, the firewall applies the corresponding policy. But a URL pointing to the same resource can take many different forms. If the URL is encoded differently, a byte-for-byte comparison fails. Attackers use a variety of techniques to disguise the URLs they submit, trying to evade string matching and thereby get past the security device.

These attacks are particularly effective at fooling IDS and IPS, because an attack only needs to differ slightly from the security device's signature database to succeed.

Solving the string matching problem requires normalization; with normalization, deep inspection can identify and block a great many attacks. Normalization is essential for attacks hidden in fragmented data, Unicode, URL encoding, double URL encoding, and other forms.
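The following added example (not code from the article) shows why a byte-for-byte URL match is not enough and what a normalization step looks like: percent-decoding repeated until the string is stable (which covers double encoding), the non-standard %uXXXX "Unicode" form, backslash separators, redundant slashes and "." / ".." segments are all reduced to one canonical path before the policy is consulted. The blocked prefixes, the sample requests and the function names are constructed for this illustration.

```python
# Added example (not from the article): canonicalizing a URL path before matching it
# against a policy. Blocked prefixes and sample requests are constructed.
import re
import posixpath
from urllib.parse import unquote

# Policy: paths under these directories are not reachable from outside (constructed).
BLOCKED_PREFIXES = ("/admin", "/cgi-bin")


def _decode_percent_u(s):
    # %uXXXX is a non-standard encoding some servers accept; map it to the code point.
    return re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)


def normalize_path(raw, max_rounds=3):
    """Canonicalize a URL path the way an inspection engine would before matching."""
    path = raw.split("?", 1)[0]             # the policy here is on the path only
    # Decode repeatedly until stable: handles double (and triple) URL encoding.
    for _ in range(max_rounds):
        decoded = unquote(_decode_percent_u(path))
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")          # some servers accept backslash as separator
    path = re.sub(r"/+", "/", path)         # collapse "//"
    if not path.startswith("/"):
        path = "/" + path
    # Resolve "." and ".." segments; posixpath.normpath keeps the leading "/" and
    # discards ".." that would climb above the root.
    return posixpath.normpath(path)


def naive_blocked(raw):
    """Byte-for-byte prefix comparison on the raw request: easy to evade."""
    return any(raw.startswith(p + "/") for p in BLOCKED_PREFIXES)


def normalized_blocked(raw):
    """Same policy applied to the canonical form, case-folded for servers that
    treat paths case-insensitively."""
    path = normalize_path(raw).lower()
    return any(path == p or path.startswith(p + "/") for p in BLOCKED_PREFIXES)


# Constructed requests: the first is the plain form, the rest are disguises of it.
SAMPLES = [
    "/admin/list",
    "/%61dmin/list",                     # URL encoding
    "/%2561dmin/list",                   # double URL encoding
    "/%u0061dmin/list",                  # %u "Unicode" encoding
    "/public/..%2fadmin/list",           # encoded separator plus ".."
    "/ADMIN/../admin/../Admin/list",     # mixed case and redundant segments
    "/public/index.html",                # legitimate request
]

if __name__ == "__main__":
    for s in SAMPLES:
        print("%-32s naive=%-5s normalized=%-5s -> %s"
              % (s, naive_blocked(s), normalized_blocked(s), normalize_path(s)))
```

Only the first sample is caught by the raw comparison, while the normalized check blocks all of the disguised forms and still lets the legitimate request through.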

2.3 Protocol consistency

Application-layer protocols such as HTTP, SMTP, POP3, DNS, IMAP, and FTP are commonly used by applications. Each of these protocols is defined by an RFC (Request for Comments) specification.

A deep inspection firewall must confirm that the application-layer data stream conforms to these protocol definitions in order to prevent attacks.

Deep inspection is performed at the application layer. Protocol consistency is achieved by decoding the individual fields of the protocol packet. Once the protocol fields have been identified, the firewall applies rules derived from the RFC definition to check their legitimacy.
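As an added example of protocol consistency checking (not code from the article), the block below decodes the request line and header fields of an HTTP request head and checks them against a handful of rules taken from the HTTP/1.1 specification (RFC 7230): the method and header names must be tokens, HTTP/1.1 requests must carry exactly one Host header, Content-Length must be a decimal number, and Content-Length and Transfer-Encoding must not both be present. Treating versions other than HTTP/1.1 as a violation is this example's policy, not an RFC rule, and the sample requests are constructed; a real engine checks far more than this.

```python
# Added example (not from the article): RFC 7230 consistency checks on an HTTP request
# head. Sample requests are constructed; the rule set is deliberately small.
import re

TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")      # RFC 7230 "tchar"
REQUEST_LINE = re.compile(r"^(\S+) (\S+) (HTTP/\d\.\d)$")
DIGITS = re.compile(r"^[0-9]+$")


def check_http_request(head):
    """Return the list of protocol violations in a request head (empty = consistent)."""
    problems = []
    try:
        text = head.decode("ascii")
    except UnicodeDecodeError:
        return ["non-ASCII bytes in request head"]
    if not text.endswith("\r\n\r\n"):
        return ["request head not terminated by CRLF CRLF"]
    lines = text[:-4].split("\r\n")

    m = REQUEST_LINE.match(lines[0])
    if not m:
        return ["malformed request line: %r" % lines[0]]
    method, target, version = m.groups()
    if not TOKEN.match(method):
        problems.append("method is not a token")
    if version != "HTTP/1.1":                   # this example's policy, not an RFC rule
        problems.append("unsupported version " + version)
    if not (target.startswith("/") or target == "*" or "://" in target):
        problems.append("request target is neither origin-form, absolute-form nor *")

    headers = {}
    for line in lines[1:]:
        if line[:1] in (" ", "\t"):             # obs-fold: deprecated by RFC 7230 3.2.4
            problems.append("obsolete line folding")
            continue
        name, sep, value = line.partition(":")
        # A space before the colon fails the token test, as RFC 7230 3.2.4 requires.
        if not sep or not TOKEN.match(name):
            problems.append("malformed header field: %r" % line)
            continue
        headers.setdefault(name.lower(), []).append(value.strip())

    if version == "HTTP/1.1" and len(headers.get("host", [])) != 1:
        problems.append("HTTP/1.1 request must have exactly one Host header")
    lengths = headers.get("content-length", [])
    for cl in lengths:
        if not DIGITS.match(cl):
            problems.append("Content-Length is not a decimal number: %r" % cl)
    if len(set(lengths)) > 1:
        problems.append("conflicting Content-Length values")
    if lengths and "transfer-encoding" in headers:
        problems.append("both Content-Length and Transfer-Encoding present")
    return problems


# Constructed request heads.
GOOD = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: test\r\n\r\n"
BAD = (b"GET /index.html HTTP/1.1\r\n"
       b"Content-Length: abc\r\n"
       b"Transfer-Encoding: chunked\r\n\r\n")

if __name__ == "__main__":
    for head in (GOOD, BAD):
        print(head.split(b"\r\n")[0].decode(), "->", check_http_request(head) or "consistent")
```

A firewall that decodes the fields this way can reject the second request before any application sees it, and log which rule it broke rather than only "blocked".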

2.4 Bidirectional payload inspection

Deep inspection is powerful: it can allow packets through, reject them, or inspect or modify layers 4 to 7, including headers and payload. HTTP deep inspection can examine information such as the URL, classes, and the parameters in the message body. A deep inspection firewall configures itself automatically to correctly check service variables such as maximum length, hidden fields, and radio buttons. If a requested variable does not match, is missing, or is incorrect, the deep inspection firewall discards the request, writes the event to the log, and sends a warning to the administrator.

Deep inspection technology also allows URLs, classes, and parameters to be modified or translated, which is similar to NAT at the application layer.
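The self-configuring check of service variables described above is bidirectional because the expected values come from the server's own response. The added example below (not code from the article) reduces that idea to HTML forms: the engine parses the form the server sends, records each field's maximum length, the fixed value of hidden fields and the allowed values of radio buttons, then checks the parameters of the client's following POST against that record, dropping and logging any request that does not match. The HTML response, the requests and the log sink are constructed for this example.

```python
# Added example (not from the article): learn field rules from a server response,
# then enforce them on the client's request. All sample data is constructed.
from html.parser import HTMLParser
from urllib.parse import parse_qs


class FieldRule:
    """Expected properties of one form field, as learned from the response."""

    def __init__(self):
        self.max_length = None      # from maxlength="N"
        self.fixed_value = None     # hidden fields must come back unchanged
        self.allowed = set()        # radio buttons: only these values are valid


class FormLearner(HTMLParser):
    """Collect per-field rules from the <input> elements in a response body."""

    def __init__(self):
        super().__init__()
        self.rules = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        name = a.get("name")
        if not name:
            return
        rule = self.rules.setdefault(name, FieldRule())
        kind = (a.get("type") or "text").lower()
        if kind == "hidden":
            rule.fixed_value = a.get("value", "")
        elif kind == "radio":
            rule.allowed.add(a.get("value", ""))
        if a.get("maxlength", "").isdigit():
            rule.max_length = int(a["maxlength"])


def learn_form(response_html):
    """Response direction: build the rule table from the form the server sent."""
    parser = FormLearner()
    parser.feed(response_html)
    return parser.rules


def inspect_request(body, rules, log):
    """Request direction: True to forward, False to drop; violations go to log."""
    params = parse_qs(body, keep_blank_values=True)
    violations = []
    for name, rule in rules.items():
        if name not in params:
            violations.append("missing field %s" % name)
            continue
        for value in params[name]:
            if rule.fixed_value is not None and value != rule.fixed_value:
                violations.append("hidden field %s altered" % name)
            if rule.allowed and value not in rule.allowed:
                violations.append("field %s has a value outside its radio options" % name)
            if rule.max_length is not None and len(value) > rule.max_length:
                violations.append("field %s exceeds maxlength %d" % (name, rule.max_length))
    for name in params:
        if name not in rules:
            violations.append("unexpected field %s" % name)
    if violations:
        log.append({"action": "drop", "violations": violations})   # event for the admin
        return False
    return True


# Constructed server response containing an order form.
RESPONSE_HTML = """
<form method="post" action="/order">
  <input type="hidden" name="price" value="19.99">
  <input type="text" name="qty" maxlength="2">
  <input type="radio" name="ship" value="std"> standard
  <input type="radio" name="ship" value="express"> express
</form>
"""
RULES = learn_form(RESPONSE_HTML)

# Constructed client requests: one as the form intended, one with every field tampered.
GOOD_POST = "price=19.99&qty=3&ship=std"
BAD_POST = "price=0.01&qty=100&ship=free&debug=1"

if __name__ == "__main__":
    events = []
    for body in (GOOD_POST, BAD_POST):
        print(body, "->", "forward" if inspect_request(body, RULES, events) else "drop")
    for event in events:
        print(event)
```

Because the rules are derived from what the server actually sent, the engine needs no hand-written signature for this form, and any change to a value the browser was never meant to edit shows up as a logged violation.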

3. Summary

In a complex Web environment, deep inspection is required to provide comprehensive application protection. To prevent Web attacks, the firewall must be able to apply a security policy based on source IP address, destination IP address, port, and application content.

Deep inspection technology is still evolving, but it generally has four aspects: application-layer encryption / decryption, normalization, protocol consistency, and bidirectional payload inspection. When an enterprise deploys a Web application, it should ensure that the firewall meets the application's security requirements and satisfies the four basic features of deep inspection technology.

Please credit the original source when reposting: https://www.9cbs.com/read-55305.html
