Firewalls Gain New Depth, Security

By Andrew Garcia  |  Posted 2004-02-16 Print this article Print

Deep packet filtering technology represents the newest weapon in the arsenal against blended application attacks, arming perimeter firewalls with a layer of application-aware security services.

Deep packet filtering technology represents the newest weapon in the arsenal against blended application attacks, arming perimeter firewalls with a layer of application-aware security services. Deep packet inspection devices reassemble and reorder multiple packets into their original traffic flows, perform application analysis, and make and enforce policy decisions based on the entire content. Reconstituting flows allows these devices to become multifunctional and offer expanded content services such as spam and virus filtering.

A variety of deep packet filtering products are coming to market, with Check Point Software Technologies Ltd. and NetScreen Technologies Inc. leading the charge. (Juniper Networks Inc. was in the process of purchasing NetScreen as this issue went to press). Prices start at $570 for NetScreen 5GT with a one-year signature subscription. Prices escalate quickly depending on network size, number of users and other factors.

eWEEK Labs believes deep packet filtering products are a good choice for boosting security, particularly for smaller networks and branch offices. However, large-enterprise network administrators should weigh the performance impact these devices will have on the network.

Currently, stateful inspection firewalls protect resources at the network layer, but the speed and efficiency provided by stateful devices come at a cost. These devices look at packet headers, making access decisions based on source, destination and traffic port. If a packet matches these criteria, it is permitted into the network, no matter what content it carries. Code Red, Slammer, Blaster and who knows how many buffer overflow exploits have capitalized on this lack of application awareness.

Most deep packet filtering devices use multiple approaches to identify these threats in the recomposed flows. These devices often employ signatures to identify known attacks. Vendors package recognizable chunks of code from exploits and make them available to the customer periodically.

However, signature-based scans require significant resources on the firewall because they must compare the entire signature database with each traffic flow. And, like anti-virus signatures, deep filtering signatures are reactive. Vendors can only create the package code once an exploit is known.

Getting multifunctional

Although their technologies differ, each of these vendors offers content- and application-aware firewalls. Most vendors sell several models targeted to different segments of the network.
Check Point
FireWall-1 NGAI
Crossbeam Systems Inc.
Fortinet Inc.
Inkra Networks Inc.
Virtual Service Switches
Internet Security Systems Inc.
iPolicy Networks
Unified Security System
Screen OS 5.0 with deep inspection
Symantec Corp.
Symantec Gateway Security
Deep packet inspection devices also look for protocol conformance. Binary data is not allowed in HTTP headers, for example, so deep packet inspection engines detect and block traffic attempting to introduce malicious code in this way.

Protocol anomaly checks are used to identify applications that hijack common network ports. For example, peer-to-peer applications have commonly usurped port 80, embedding themselves in HTTP traffic to traverse the firewall. Protocol anomaly scans identify directory traversal attacks and long HTTP header attacks.

Check Point and NetScreen have made the most noise touting their application-layer defenses, but a number of other security vendors have released multifunction appliances that increase application- and file-level security in a variety of ways.

Check Point officials claimed that the companys FireWall-1 NGAI (Next Generation with Application Intelligence) appliances signatures are not reactive because they are based on networks vulnerabilities and not on known exploits.

FireWall-1 NGAI controls application-layer operations by making granular policies based on how the application works. As a result, administrators can define rules to block FTP PUT commands while allowing GETs.

Check out eWEEK.coms Security Center at for security news, views and analysis. By comparison, NetScreens Deep Inspection feature uses signature-based and protocol anomaly detection capabilities. NetScreen devices do not have a hard drive, which limits the buffer space available to scan traffic to memory. To improve efficiency, NetScreen devices group signatures by traffic type, identify the type of flow under scan and apply only relevant signatures.

NetScreen officials said branch offices and midsize enterprises will get the most benefit from the added protection in an integrated solution. Larger enterprises with greater throughput demands and more expertise should look more closely at separate point solutions.

Technical Analyst Andrew Garcia can be reached at

Andrew cut his teeth as a systems administrator at the University of California, learning the ins and outs of server migration, Windows desktop management, Unix and Novell administration. After a tour of duty as a team leader for PC Magazine's Labs, Andrew turned to system integration - providing network, server, and desktop consulting services for small businesses throughout the Bay Area. With eWEEK Labs since 2003, Andrew concentrates on wireless networking technologies while moonlighting with Microsoft Windows, mobile devices and management, and unified communications. He produces product reviews, technology analysis and opinion pieces for, eWEEK magazine, and the Labs' Release Notes blog. Follow Andrew on Twitter at andrewrgarcia, or reach him by email at

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel