Michael Cooney, Senior Editor

Smarter firewalls

Opinion
Feb 02, 2004
Network Security, Networking, Security

* A look at deep packet inspection

Our Special Focus author (tgreene@nww.com) this week takes a look at the world of deep packet inspection.

First there were packet filters. Then stateful inspection firewalls; then intrusion detection.

Basically, deep packet inspection lets an application traffic management device peer into the content of a TCP or User Datagram Protocol (UDP) packet. The idea is to let the device filter, track or discard traffic based on content found in a packet’s header or payload, regardless of the protocol or application type.

Greene writes that by analyzing packets not just in isolation, but by reassembling and analyzing packet streams that make up individual application sessions, these application-layer firewalls can spot odd behavior by traffic using a particular protocol that can signal a brand new attack.

Deep packet inspection firewalls are the latest stage in the evolution of firewall technology, says Richard Stiennon, an analyst for Gartner Group credited with coining the term deep packet inspection. Stiennon says Check Point, Fortinet and NetScreen do this, as do intrusion prevention systems (IPS) such as TippingPoint’s, IntruVert’s and NetContinuum’s. Devices such as those made by Teros and Radware also fall under the same broad umbrella.

Application firewalls can find malicious traffic that stateful inspection firewalls miss. For example, stateful firewalls don’t detect worms that send strings of malicious code within legitimate protocols because stateful firewalls just look at network-layer packet headers. Deep packet inspection, however, can find such attacks by looking for telltale signatures farther inside packets.
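The distinction the article draws, a header-only stateful decision versus reassembling the session and searching its payload for a signature, as an added example that is not from the article or any vendor named in it. The TCP segments, the HTTP request, the addresses and the signature string are all constructed for illustration:

```python
from dataclasses import dataclass

# Constructed illustration: the string a payload-aware device would search for.
# It stands in for a real worm signature and matches nothing real.
SIGNATURE = b"EVIL_PAYLOAD_MARKER"

@dataclass
class Segment:
    src: str
    dst: str
    dport: int
    seq: int          # TCP sequence number, used here as a byte offset into the stream
    payload: bytes

# Constructed TCP segments of one HTTP session, seen out of order, with the
# signature split across the second and third segments. Addresses are made up.
SEGMENTS = [
    Segment("10.0.0.5", "10.0.0.9", 80, 0, b"GET / HTTP/1.1\r\n"),
    Segment("10.0.0.5", "10.0.0.9", 80, 29, b"PAYLOAD_MARKER\r\n\r\n"),
    Segment("10.0.0.5", "10.0.0.9", 80, 16, b"X-Note: EVIL_"),
    Segment("10.0.0.5", "10.0.0.9", 80, 16, b"X-Note: EVIL_"),  # retransmission
]

def stateful_header_check(seg, allowed_ports=frozenset({80, 443})):
    """A header-only decision: allow if the destination port is permitted."""
    return seg.dport in allowed_ports

def per_packet_signature_check(segments):
    """Inspect each payload in isolation; a signature split across segments is missed."""
    return any(SIGNATURE in s.payload for s in segments)

def reassemble(segments):
    """Rebuild the byte stream: order by seq, drop retransmitted overlap, refuse gaps."""
    stream = bytearray()
    expected = 0
    for s in sorted(segments, key=lambda s: s.seq):
        if s.seq > expected:
            raise ValueError(f"gap in stream at byte {expected}, next segment at {s.seq}")
        fresh = s.payload[expected - s.seq:]   # skip bytes already seen
        stream += fresh
        expected += len(fresh)
    return bytes(stream)

def stream_signature_check(segments):
    """Deep inspection: search the reassembled session, not individual packets."""
    return SIGNATURE in reassemble(segments)

if __name__ == "__main__":
    print("header check allows every segment:", all(stateful_header_check(s) for s in SEGMENTS))
    print("per-packet signature hit:", per_packet_signature_check(SEGMENTS))
    print("reassembled-stream signature hit:", stream_signature_check(SEGMENTS))
```

The header check passes every segment and the per-packet scan finds nothing, while the reassembled stream exposes the signature; a production engine must additionally bound buffered bytes per flow and handle conflicting overlaps, which this toy omits.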