Deep packet inspection devices reassemble and reorder multiple packets into their original traffic flows, perform application analysis, and make and enforce policy decisions based on the entire content. Reconstituting flows allows these devices to become multifunctional and offer expanded content services such as spam and virus filtering.
A variety of deep packet filtering products are coming to market, with Check Point Software Technologies Ltd. and NetScreen Technologies Inc. leading the charge. (Juniper Networks Inc. was in the process of purchasing NetScreen as this issue went to press). Prices start at $570 for NetScreen 5GT with a one-year signature subscription. Prices escalate quickly depending on network size, number of users and other factors.
eWEEK Labs believes deep packet filtering products are a good choice for boosting security, particularly for smaller networks and branch offices. However, large-enterprise network administrators should weigh the performance impact these devices will have on the network.
Currently, stateful inspection firewalls protect resources at the network layer, but the speed and efficiency provided by stateful devices come at a cost. These devices look at packet headers, making access decisions based on source, destination and traffic port. If a packet matches these criteria, it is permitted into the network, no matter what content it carries. Code Red, Slammer, Blaster and who knows how many buffer overflow exploits have capitalized on this lack of application awareness.
Most deep packet filtering devices use multiple approaches to identify these threats in the recomposed flows. These devices often employ signatures to identify known attacks. Vendors package recognizable chunks of code from exploits and make them available to the customer periodically.
However, signature-based scans require significant resources on the firewall because they must compare the entire signature database with each traffic flow. And, like anti-virus signatures, deep filtering signatures are reactive. Vendors can only create the package code once an exploit is known.
Deep packet inspection devices also look for protocol conformance. Binary data is not allowed in HTTP headers, for example, so deep packet inspection engines detect and block traffic attempting to introduce malicious code in this way.
Protocol anomaly checks are used to identify applications that hijack common network ports. For example, peer-to-peer applications have commonly usurped port 80, embedding themselves in HTTP traffic to traverse the firewall. Protocol anomaly scans identify directory traversal attacks and long HTTP header attacks.
Check Point and NetScreen have made the most noise touting their application-layer defenses, but a number of other security vendors have released multifunction appliances that increase application- and file-level security in a variety of ways.
Check Point officials claimed that the companys FireWall-1 NGAI (Next Generation with Application Intelligence) appliances signatures are not reactive because they are based on networks vulnerabilities and not on known exploits.
FireWall-1 NGAI controls application-layer operations by making granular policies based on how the application works. As a result, administrators can define rules to block FTP PUT commands while allowing GETs.
By comparison, NetScreens Deep Inspection feature uses signature-based and protocol anomaly detection capabilities. NetScreen devices do not have a hard drive, which limits the buffer space available to scan traffic to memory. To improve efficiency, NetScreen devices group signatures by traffic type, identify the type of flow under scan and apply only relevant signatures.
NetScreen officials said branch offices and midsize enterprises will get the most benefit from the added protection in an integrated solution. Larger enterprises with greater throughput demands and more expertise should look more closely at separate point solutions.
Technical Analyst Andrew Garcia can be reached at firstname.lastname@example.org.