What Layer(s) Are You Filtering?
In its most rudimentary form, a firewall is designed to keep specified
types of traffic from passing from the external network (typically
the Internet) to the internal network. This allows administrators
to control what enters the local network and keep undesirable data
out. In addition to filtering this inbound traffic, a firewall can
also keep specified types of traffic from passing from the internal
network to the external (outbound traffic), thus preventing internal
users from sending various types of data, or sending data to particular
destinations.
The traditional firewall uses packet filtering, which works at the
network layer of the OSI networking model. Modern firewalls use
an improved version called stateful packet filtering. This technology
works at the network and transport layers. Such packet filters thus
make it possible for you to allow or deny traffic based on source
or destination IP address and other header information such as source
and destination TCP and UDP port numbers, as well as the connection
state. Dynamic packet filtering makes it possible to open and close
ports on the firewall as needed, in comparison to static packet
filtering, in which ports must be manually opened and closed.
Packet filtering lets you set several different
criteria by which a data packet can be allowed or rejected:
- You can block or allow traffic sent from a particular source IP
address
- You can block or allow traffic sent to a particular destination
IP address
- You can block traffic that uses a particular TCP or UDP port
Because different applications use “well known” ports for their communications,
you can use packet filtering to block, for example, FTP communications
(by blocking port 20) or Telnet (by blocking port 23) or SMTP (by
blocking port 25).
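The difference between static and stateful packet filtering described above, as an added Python example that is not part of the original article and not taken from any firewall product. The Packet and Rule classes, the rule list and the sample packets are constructed for illustration; the point it shows is that a stateful filter admits the reply to an allowed outbound connection without a standing rule for the client's ephemeral port, while a static filter would have to leave that port open permanently.

```python
"""Toy packet filter contrasting static rules with stateful tracking.

Added illustration written for this page; it is not code from the article
or from any firewall product. Packets are constructed 5-tuples with TCP
flags, and the rule representation is invented for the example.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp" or "udp"
    sport: int
    dport: int
    direction: str             # "in" (Internet -> LAN) or "out" (LAN -> Internet)
    flags: FrozenSet[str] = frozenset()   # TCP flags, e.g. {"SYN"}, {"SYN", "ACK"}


@dataclass(frozen=True)
class Rule:
    action: str                # "allow" or "deny"
    direction: str = "any"
    proto: str = "any"
    src: str = "any"           # exact IP or "any"
    dst: str = "any"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and self.proto in ("any", p.proto)
                and self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and (self.dport is None or self.dport == p.dport))


def static_filter(rules: List[Rule], p: Packet) -> str:
    """Static packet filtering: header fields only, first match wins, default deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


class StatefulFilter:
    """Stateful packet filtering: an allowed outbound connection opens the
    return path only for its exact reverse flow, and only until it is torn down."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        # tracked flows: (lan_ip, lan_port, remote_ip, remote_port, proto)
        self.table: Set[Tuple[str, int, str, int, str]] = set()

    def check(self, p: Packet) -> str:
        if p.direction == "out":
            verdict = static_filter(self.rules, p)
            if verdict == "allow":
                self.table.add((p.src, p.sport, p.dst, p.dport, p.proto))
            return verdict
        key = (p.dst, p.dport, p.src, p.sport, p.proto)
        if key in self.table:
            if p.flags & {"FIN", "RST"}:      # connection closing: forget the flow
                self.table.discard(key)
            return "allow"
        return static_filter(self.rules, p)  # unsolicited inbound: explicit rules only


# Constructed rule set: block Telnet and direct SMTP out, allow other outbound
# traffic, and expose one internal web server on TCP/80.
RULES = [
    Rule("deny", direction="out", proto="tcp", dport=23),
    Rule("deny", direction="out", proto="tcp", dport=25),
    Rule("allow", direction="out"),
    Rule("allow", direction="in", proto="tcp", dst="10.0.0.5", dport=80),
]


def demo() -> dict:
    """Run constructed packets through the filter; returns verdicts keyed by name."""
    fw = StatefulFilter(RULES)
    reply = Packet("203.0.113.9", "10.0.0.7", "tcp", 443, 40002, "in", frozenset({"SYN", "ACK"}))
    return {
        "telnet_out": fw.check(Packet("10.0.0.7", "203.0.113.9", "tcp", 40001, 23, "out", frozenset({"SYN"}))),
        "https_out": fw.check(Packet("10.0.0.7", "203.0.113.9", "tcp", 40002, 443, "out", frozenset({"SYN"}))),
        "https_reply_stateful": fw.check(reply),
        "https_reply_static": static_filter(RULES, reply),
        "unsolicited_in": fw.check(Packet("203.0.113.9", "10.0.0.7", "tcp", 443, 40003, "in", frozenset({"SYN", "ACK"}))),
        "web_server_in": fw.check(Packet("198.51.100.2", "10.0.0.5", "tcp", 51000, 80, "in", frozenset({"SYN"}))),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22} {verdict}")
```

The `https_reply_static` entry is the same packet judged by the rule list alone: it is denied, because no static rule opens inbound TCP/40002 to the client, which is exactly the gap stateful filtering closes without the administrator having to open ranges of high ports.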
Another level of filtering is done by circuit level gateways. Circuit
filtering examines information exchanged during the TCP handshake
to evaluate its legitimacy.
What you can’t do with packet filtering or circuit filtering
is examine the actual contents of the data and block messages based
on those contents. For that, you need to filter at the application
layer. In other words, you need ALF.
What ALF Does
Application layer filtering goes beyond packet filtering and allows
you to be much more granular in your control of what enters or exits
the network. While packet filtering can be used to completely disallow
a particular type of traffic (for example, FTP), it cannot “pick and
choose” between different FTP messages and determine the legitimacy
of a particular FTP message.
ALF, a more “intelligent” technology, can do just that. It can be
used to look for abnormal information in the headers of a message
and even within the data itself, and it can be set to look for specific
character strings (words or phrases) within the message body and block
messages based on that information. Thus, you can use ALF to prevent
network attacks, or even to prevent internal users from sending particular
sensitive information outside the network.
Advantages of ALF
Let’s look at how that plays out in practice. We’ll use spam prevention
as an example. Your firewall can be a first line of defense against
spam (in conjunction with a good server-based spam filtering program
and/or client-side anti-spam utilities). With a traditional packet
filtering firewall, you need to know the source addresses of all spammers,
or block all messages using the e-mail protocol that the spammers
use. Neither of these solutions is very practical.
With ALF, you can actually block messages at the firewall level according
to keywords (character strings), making your firewall a much more
powerful component in your spam control strategy. By performing the
preliminary filtering at the firewall level, you can take some of
the processing load off the server on which your primary spam filtering
software is installed (the mail server or a separate server).
NOTE: When you use ALF to block keywords,
be very judicious to avoid false positives (messages blocked as spam
that are not really spam). You might wish to do most keyword filtering
at the server or client level, where sophisticated anti-spam software
will let you set up white lists of senders whose messages should always
be allowed through even if they contain “spam” keywords. Keyword filtering
at the firewall should be limited to those words/strings that never
appear in legitimate messages.
What else can you do with ALF? Most importantly, by examining the
content of data an application layer filtering firewall can prevent
attacks that rely on the application layer protocols, including:
- SMTP, POP3 and DNS buffer overflows
- Web server attacks based on information in
HTTP headers and requests
- Attack code hidden within SSL tunnels
ALF can examine specific commands within the application layer
protocols. For example, the HTTP:GET command could be blocked, while
the HTTP:POST command is allowed.
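A worked example of what ALF adds over port-based rules, covering both the firewall-level keyword filtering discussed under Advantages of ALF and the HTTP command policy just described. This is an added Python illustration, not code from the article, from ISA Server or from any other product; the POLICY structure, the header-size limit, the blocked string and the sample requests are all constructed for the example.

```python
"""Toy application-layer filter (ALF) for HTTP requests.

Added illustration written for this page; it is not code from the article,
ISA Server or any other product. The policy keys, size limit and the sample
requests are constructed for the example.
"""
from typing import Dict, Optional, Tuple

Parsed = Tuple[str, str, Dict[str, str], bytes]

# Constructed policy: allow HTTP:POST but not HTTP:GET, reject abnormal
# header sizes, and drop bodies containing a string that never appears in
# legitimate traffic (the article's advice for firewall-level keyword rules).
POLICY = {
    "allowed_methods": {"POST"},
    "max_header_len": 1024,
    "blocked_strings": [b"PROJECT-REDWOOD-INTERNAL"],
}


def parse_request(raw: bytes) -> Optional[Parsed]:
    """Minimal HTTP/1.x request parser: request line, headers, body. None if malformed."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    method = parts[0].decode("ascii", "replace")
    target = parts[1].decode("ascii", "replace")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            return None
        headers[name.strip().lower().decode("ascii", "replace")] = value.strip().decode("latin-1")
    return method, target, headers, body


def filter_request(raw: bytes, policy: dict = POLICY) -> Tuple[str, str]:
    """Return (verdict, reason). A port-based rule would allow every one of these,
    since all arrive on TCP/80; only content inspection can tell them apart."""
    parsed = parse_request(raw)
    if parsed is None:
        return "deny", "malformed request"
    method, _target, headers, body = parsed
    if method not in policy["allowed_methods"]:
        return "deny", f"method {method} not allowed"
    for name, value in headers.items():
        if len(value) > policy["max_header_len"]:
            return "deny", f"oversized header {name}"
    for needle in policy["blocked_strings"]:
        if needle in body:
            return "deny", "blocked string in body"
    return "allow", "ok"


# Constructed sample requests, all destined for the same web server port.
SAMPLES: Dict[str, bytes] = {
    "get": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "post_ok": (b"POST /submit HTTP/1.1\r\nHost: www.example.com\r\n"
                b"Content-Length: 9\r\n\r\nname=test"),
    "post_long_header": (b"POST /submit HTTP/1.1\r\nHost: www.example.com\r\n"
                         b"User-Agent: " + b"A" * 2048 + b"\r\n\r\n"),
    "post_keyword": (b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
                     b"attached: PROJECT-REDWOOD-INTERNAL plan"),
    "garbage": b"\x00\x01 not http at all",
}


def demo() -> Dict[str, Tuple[str, str]]:
    """Filter every constructed sample; returns (verdict, reason) keyed by name."""
    return {name: filter_request(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in demo().items():
        print(f"{name:18} {verdict:5} {reason}")
```

The header-length check is the kind of "abnormal information in the headers" test the article mentions: it does not need to know any particular exploit, only what a normal request looks like. The blocked string is deliberately one that would never occur in legitimate traffic, in keeping with the note on false positives; a general-purpose keyword list belongs on the mail server or client, not here.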
Application layer filtering, used in conjunction with filtering
at the lower layers, provides for the highest possible level of
security.
Disadvantages of ALF
The primary disadvantage of application layer filtering is its effect
on performance. Examining the contents of packets requires time and
thus slows down processing. ALF requires more powerful hardware resources
than a traditional packet filtering firewall.
Another undeniable disadvantage is administrative overhead. Because
ALF adds complexity, there is a potential for misconfiguration leading
to access problems. As with any security solution, if it is improperly
implemented ALF can block communications that you never intended to
block.
Where Do You Get ALF?
More and more firewall and VPN product vendors are incorporating ALF
into their products. These integrated products are often referred
to as stateful multilayer inspection firewalls. They include the major
firewall solutions such as CheckPoint, Cisco and Microsoft’s Internet
Security and Acceleration (ISA) Server. ISA Server, in particular,
offers a reasonably priced full featured ALF solution for today’s
businesses. For a detailed description of how ALF works in ISA Server
2000, see the ISA Server 2000 Application Layer Filtering Kit at http://www.isaserver.org/articles/spamalfkit.html.
*This article originally appeared at WindowSecurity.com.
About the Author
DEBRA LITTLEJOHN SHINDER, MCSE, is a technology consultant, trainer
and writer who has authored a number of books on computer operating
systems, networking, and security. These include Scene of the Cybercrime:
Computer Forensics Handbook, published by Syngress, and Computer
Networking Essentials, published by Cisco Press. She is co-author,
with her husband, Dr. Thomas Shinder, of Troubleshooting Windows
2000 TCP/IP, the best-selling Configuring ISA Server 2000, and ISA
Server and Beyond. Deb is also a tech editor, developmental editor
and contributor to over 15 books on subjects such as the Windows
2000 and Windows 2003 MCSE exams, CompTIA Security+ exam and TruSecure’s
ICSA certification. She formerly edited the Brainbuzz A+ Hardware
News and currently edits Sunbelt Software’s WinXP News, and is regularly
published in TechRepublic’s TechProGuild and Windowsecurity.com.
Deb currently specializes in security issues and Microsoft products
and writes product documentation and marketing material for Microsoft.
She lives and works in the Dallas-Ft Worth area and occasionally
teaches computer networking and security courses at Eastfield College
(Mesquite, TX). Her personal web site is at www.shinder.net.
WindowSecurity.com: WindowSecurity.com
provides Windows security news, articles, tutorials, software listings
and reviews for information security professionals covering topics
such as firewalls, viruses, intrusion detection and other security
topics.