First there were packet filters. Then stateful inspection firewalls; then intrusion detection. Now the latest Internet defence technology — deep packet inspection firewalls — is being touted as the best line of defence against worms that can sneak past earlier technology to wreak havoc in corporate networks.
The question with these application-layer firewalls seems to be whether they should be placed at all Internet gateways and whether they are worth the cost.
By analyzing packets not just in isolation, but by reassembling and analyzing packet streams that make up individual application sessions, these application-layer firewalls can spot odd behaviour by particular protocols that can signal a brand-new attack.
Customers that use these products say their value is undeniable. “Now you can block malicious traffic as you detect it, at the edge. And the deep packet inspection technology can update the firewall,” says Steven Goldsby, CEO and founder of Integrated Computer Solutions, which uses Fortinet’s Complete Content Inspection gear. “If it identifies an attack, then it can automatically block the IP address.”
Deep packet inspection firewalls are the latest stage in the evolution of firewall technology, says Richard Steinnon, an analyst for Gartner credited with coining the term deep packet inspection. Steinnon says Check Point Software, Fortinet, NetScreen and others do this, as do intrusion-prevention systems, such as those from IntruVert Networks, NetContinuum and TippingPoint Technologies. Devices such as those made by Radware and Teros also fall under the same umbrella.
Battling malicious traffic
Application firewalls can find malicious traffic that stateful inspection firewalls miss. For example, stateful firewalls don’t detect worms that send strings of malicious code within legitimate protocols because stateful firewalls just look at network-layer packet headers. However, deep packet inspection can find such attacks by looking for telltale signatures further inside packets.
Intrusion-detection systems already do this, but their response is to trigger alerts for network administrators to decide whether suspicious traffic means an attack is really under way. Deep packet inspection firewalls differ in that they automatically take steps to block the attacks they detect.
Steinnon says application firewalls analyze how protocols are behaving and whether that behaviour honours policies set for how that traffic should be acting.
“Worms required a deeper look for signatures and created a need to look at whole sessions, streams. They require the firewall to do what the end server does and make a decision based on everything it learns,” he says.
This is where the term deep packet inspection breaks down, Steinnon says. Application firewalls don’t just look deeply into individual packets. The firewall assembles packets into streams that represent sessions and analyzes whether the behaviour of the session is atypical of appropriate use of the application.
For instance, the Blaster worm exploited the Remote Procedure Call (RPC) protocol to do its work. It would send messages to ranges of IP addresses looking for more machines to infect. Legitimate use of RPC typically does not call for this systematic sending of messages.
Check Point says its RPC inspection software, available since April, was effective against Blaster when it hit in August. Looking for odd behaviour of RPC sessions made it effective even though no one had seen Blaster before to capture a signature, Check Point says.
Similarly, WatchGuard Technologies says its application-protection software blocked attacks against 38 of 52 Microsoft vulnerabilities last year, protecting networks even if the Microsoft software hadn’t been patched.
Once application layer firewalls detect attacks, they must deal with them appropriately, Steinnon says. Blocking only the IP address that is the source of an attack, for instance, is more desirable than blocking all traffic trying to use that port, he says.
In the case of Blaster, the worm sends on TCP Port 135, and some recommended remedies call for blocking Port 135, even though it can interfere with legitimate Microsoft applications that use RPC.
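The behavioural check and per-source response described above for Blaster, as an added example (not code from the article or from any vendor named in it). The 60-second window, the threshold of 10 distinct destinations, the flow-record layout and the sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

RPC_PORT = 135           # TCP port Blaster sends on, per the article
WINDOW_SECONDS = 60      # assumed sliding window
MAX_DISTINCT_DESTS = 10  # assumed limit before fan-out counts as systematic

# Constructed connection records: (timestamp_s, src_ip, dst_ip, dst_port)
SAMPLE_FLOWS = (
    [(i * 0.5, "10.0.0.66", f"10.0.1.{i + 1}", 135) for i in range(40)]  # address sweep
    + [(5.0, "10.0.0.20", "10.0.1.5", 135),   # ordinary client, one RPC server
       (35.0, "10.0.0.20", "10.0.1.5", 135),
       (12.0, "10.0.0.21", "10.0.1.5", 135),  # ordinary client, two RPC servers
       (13.0, "10.0.0.21", "10.0.1.6", 135),
       (14.0, "10.0.0.66", "10.0.2.9", 80)]   # non-RPC traffic is ignored
)

def find_rpc_sweepers(flows, window=WINDOW_SECONDS, limit=MAX_DISTINCT_DESTS):
    """Return {src_ip: peak distinct port-135 destinations within any window}
    for sources whose peak exceeds the limit."""
    per_src = defaultdict(list)
    for ts, src, dst, port in sorted(flows):
        if port == RPC_PORT:
            per_src[src].append((ts, dst))
    offenders = {}
    for src, events in per_src.items():
        start, counts, peak = 0, defaultdict(int), 0
        for ts, dst in events:
            counts[dst] += 1
            # Drop events that have aged out of the window ending at ts.
            while events[start][0] < ts - window:
                old = events[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            peak = max(peak, len(counts))
        if peak > limit:
            offenders[src] = peak
    return offenders

def block_actions(offenders):
    """Per-source deny actions (generic tuples, not a vendor rule syntax);
    port 135 stays open for every other source."""
    return [("deny", src, "any", RPC_PORT) for src in sorted(offenders)]
```

Only the sweeping source ends up in the deny list, so legitimate RPC clients on port 135 are unaffected.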
Application layer concerns
By addressing application layer concerns, these application firewalls make it possible for more users to access corporate networks, customers say. For example, NetScreen’s 5XT deep inspection firewall appliances make it possible for remote offices of a hospital to gain full access to billing and medical applications without exposing the network to unnecessary risk, says Mark Rein, director of IT at the hospital.
The hospital had used Cisco Systems VPN software on remote machines to give users remote access, but the VPN did nothing to protect the remote machines from worms and viruses. Infected machines could launch attacks that might invade the hospital network via the VPN, Rein says. As a result, hospital policy forbade full access to records via remote access. “We would give them view privileges, but not allow them to modify files,” he says.
Now with the NetScreen boxes in place, those remote machines and the traffic they send are deemed clean, he says. Physicians who extend their workday take a NetScreen appliance home if they think they’ll log on to the hospital network, Rein says.
NetScreen's more comprehensive application-layer screening Intrusion Detection and Prevention (IDP) device is also installed at the hospital. It can find potentially malicious traffic that the appliances might miss, but at $US400, the 5XT appliances are affordable at every site, he says, and reduce the number of alarms that the IDP triggers.
Some customers say application firewalls can protect servers even if the servers have known flaws. In the case of a cinema chain, Check Point’s Application Intelligence software was so effective that a security consultant hired to try to take down the servers could not exploit a known vulnerability caused by missing patches on a particular server.
The Check Point software headed off the application-layer attacks that the consultant tried through Port 80 before they got to the server, says Andrew Bagrin, director of security and network management for the chain. “It’s still critical to patch, but now we can be more flexible so we’re not so worried,” he says.
Vendors such as NetScreen are putting versions of their application inspection software on low-cost appliances for sites where risk is deemed lower than would warrant a more expensive IDP system. These boxes include stateful firewalls, virus protection and VPN support. Such an appliance costs $US1700 vs an IDP box that can cost 10 times as much.
A new way of looking at protection
While established vendors are working on pricing and features, a new company called WebCohort is touting a new way of looking at the same problem. The company’s software, called SecureSphere, culls individual suspicious events to find enough evidence of a malicious user to conclude that an attack is under way.
The company’s CEO, Schlomo Kremer, says the appliances can protect custom applications that represent most traffic in large corporate networks — something its competitors can’t do.
The device learns any application by discovering such things as what URLs applications use, their structure and how they employ cookies, and then builds a profile of how the application works and how it is used, according to Kremer. It builds a model to analyze actual behaviour and spot anomalies that can be blocked automatically or be flagged for IT staff to check out, he says.
Kremer says other intrusion protection technology protects against known attacks against commonly used applications. “They are useless against targeted attacks on custom code,” he says.
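The profile-learning and evidence-gathering approach described in this section, as an added example (not WebCohort's code or SecureSphere's actual logic). The request layout, the threshold of three anomalies per client and all sample URLs, cookies and addresses are assumptions constructed for illustration.

```python
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

EVIDENCE_THRESHOLD = 3  # assumed: anomalies from one client before it is flagged

# Constructed training traffic: (client, url, cookie_names)
BASELINE = [
    ("10.1.1.5", "/shop/item?id=17", {"session"}),
    ("10.1.1.6", "/shop/item?id=4", {"session"}),
    ("10.1.1.5", "/shop/cart?action=add&id=17", {"session", "cart"}),
    ("10.1.1.7", "/login?user=amy", set()),
]
# Constructed live traffic
LIVE = [
    ("10.1.1.8", "/shop/item?id=9", {"session"}),             # matches profile
    ("10.1.1.9", "/shop/item?id=9&debug=1", {"session"}),     # one isolated oddity
    ("203.0.113.7", "/admin/export", set()),                  # unknown path
    ("203.0.113.7", "/shop/item?id=9&sort=x", {"session", "role"}),
    ("203.0.113.7", "/login?user=amy&next=home", set()),
]

def param_names(query):
    return {k for k, _ in parse_qsl(query, keep_blank_values=True)}

def learn_profile(requests):
    """Map each URL path to the parameter and cookie names seen in training."""
    profile = {}
    for _client, url, cookies in requests:
        parts = urlsplit(url)
        entry = profile.setdefault(parts.path, {"params": set(), "cookies": set()})
        entry["params"] |= param_names(parts.query)
        entry["cookies"] |= set(cookies)
    return profile

def anomalies(profile, url, cookies):
    """List the ways one request departs from the learned profile."""
    parts = urlsplit(url)
    entry = profile.get(parts.path)
    if entry is None:
        return [f"unknown path {parts.path}"]
    found = [f"unknown parameter {n}"
             for n in sorted(param_names(parts.query) - entry["params"])]
    found += [f"unknown cookie {c}" for c in sorted(set(cookies) - entry["cookies"])]
    return found

def flag_clients(profile, requests, threshold=EVIDENCE_THRESHOLD):
    """Accumulate anomalies per client; flag only those reaching the threshold."""
    evidence = Counter()
    for client, url, cookies in requests:
        evidence[client] += len(anomalies(profile, url, cookies))
    return {c: n for c, n in evidence.items() if n >= threshold}
```

A client with a single unexpected parameter stays below the threshold, while the client that accumulates several deviations across requests is flagged for blocking or review.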