Multi-Layer Inspection (SM)
Multi-layer inspection is a packet and connection verification process developed by Stonesoft to ensure maximum security without compromising system throughput. StoneGate's security policies determine when to use stateful connection tracking, packet filtering, or application-level security. The system expends the resources necessary for application-level security only when the situation demands it, without unnecessarily slowing or limiting network traffic.
Comparing Firewall Technologies
This table lists the techniques used by current firewalls and gives their advantages and disadvantages. More detail is given in the text below.
Technology: Packet Filtering
  Pros:     - Fast for simple rule-bases
  Cons:     - Scales poorly to large rule-bases
            - Only 'basic' data inspected
            - No concept of 'connections'
  Found in: Routers

Technology: Stateful Inspection
  Pros:     - Scales well to large rule-bases
            - Understands connection-oriented protocols
  Cons:     - No knowledge of underlying application
  Found in: Most modern firewalls

Technology: Application Proxies
  Pros:     - Can verify that traffic is valid for a given application
            - Best security
  Cons:     - Slower than other methods
            - An agent needs to be written for each supported application
  Found in: Proxy servers

Technology: Multi-Layer Inspection (SM)
  Pros:     - Combines the above technologies intelligently for the best overall solution
            - Protocol Agents provide the advantages of Application Proxies, without sacrificing performance
  Cons:     (none given)
  Found in: Unique to StoneGate

Packet Filtering
Packet filtering is one of the oldest and most common firewall technologies. Packet filters inspect each packet individually, examining the source and destination IP addresses and ports. This information is compared against access control rules to decide whether the packet should be allowed through the firewall.
Packet filters consider only the most basic attributes of each packet, and they don't need to remember anything about the traffic since each packet is examined in isolation. For this reason they can decide packet flow very quickly.
Because every packet of every connection is checked against the access control rules, larger, complex rule bases decrease performance. And because packet filters can only check low-level attributes, they are not secure against malicious code hiding in the other layers. Packet filters are often used as a first defense in combination with other firewall technologies, and their most common implementation today is seen in the access control lists of routers at the perimeters of networks.
For simple protocols or one-sided connections, like ICMP or SNMP traps, it is still useful to use packet filtering technology. StoneGate's multi-layer inspection allows administrators to define where packet filtering is sufficient to meet the demands of the security policy, while still providing the benefits of other firewall technologies.

Stateful Inspection
Stateful inspection firewalls were developed in the early 1990s to overcome some of the limitations of packet filters. Most of the well-known firewalls in the marketplace today use this technology.
Stateful inspection firewalls are 'connection-aware'. They understand that a single connection between two computers generally consists of many packets, and that they only need to compare the first packets of a given connection against the defined security policies. Once a connection has been established, it is recorded in a table. This table is checked for each packet that arrives at the firewall and if the packet belongs to an existing connection it is allowed to pass. Since the security policy is only consulted once for each connection, complex security policies don't greatly impact performance.
Although stateful inspection firewalls have improved scalability over simple packet filters, they still have several disadvantages. They still provide no application level security. The upper layers are not examined, and malicious code hiding there can still pass undetected. Stateful inspection systems also inspect, record and monitor state tables for every connection protocol, whether it makes sense to do so or not. For simple protocols where there is no connection (e.g., ICMP or UDP), packet filters are more appropriate.
With StoneGate, the administrator again has a choice. Stateful inspection is used in those situations where it makes sense.
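The contrast drawn in the two sections above, as an added example that is not StoneGate code: a minimal stateless packet filter and a stateful inspection engine are run over the same rule base and the same packet stream. The Packet and Rule classes, the rule base, the addresses (RFC 5737 documentation ranges plus a private 10.0.0.0/8 host) and the packet stream are all constructed for illustration; the rules-examined counter stands in for the per-packet cost the text describes.

```python
"""Stateless packet filter beside a stateful inspection engine.

Added example, not StoneGate code. The rule base and the packet stream are
constructed for illustration (addresses from the RFC 5737 documentation ranges).
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN without ACK: the first packet of a new connection


@dataclass(frozen=True)
class Rule:
    action: str         # "allow" or "deny"
    proto: str = "any"
    src: str = "any"    # exact address or "any"; a real filter matches prefixes
    dst: str = "any"
    dport: int = 0      # 0 means any port

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "any" or self.proto == p.proto)
                and (self.src == "any" or self.src == p.src)
                and (self.dst == "any" or self.dst == p.dst)
                and (self.dport == 0 or self.dport == p.dport))


def lookup(rules: List[Rule], p: Packet) -> Tuple[str, int]:
    """First-match scan of the rule base. Returns (action, rules examined); the
    count is the cost a stateless filter pays for every single packet."""
    for n, r in enumerate(rules, 1):
        if r.matches(p):
            return r.action, n
    return "deny", len(rules)      # implicit default deny


class PacketFilter:
    """Judges every packet in isolation: no memory of earlier packets."""

    def __init__(self, rules: List[Rule]):
        self.rules, self.rules_examined = rules, 0

    def handle(self, p: Packet) -> str:
        action, n = lookup(self.rules, p)
        self.rules_examined += n
        return action


class StatefulFirewall:
    """Consults the policy once per TCP connection and records it in a state table;
    later packets of that connection, in either direction, are matched against the
    table instead. UDP and ICMP stay stateless here, as the text suggests."""

    def __init__(self, rules: List[Rule]):
        self.rules, self.rules_examined = rules, 0
        self.table: Dict[tuple, str] = {}

    @staticmethod
    def _key(p: Packet) -> tuple:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p: Packet) -> tuple:
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def handle(self, p: Packet) -> str:
        if p.proto == "tcp":
            if self._key(p) in self.table or self._reverse(p) in self.table:
                return "allow"     # tracked connection: no policy lookup at all
            if not p.syn:
                return "deny"      # mid-stream packet with no state behind it
        action, n = lookup(self.rules, p)
        self.rules_examined += n
        if action == "allow" and p.proto == "tcp":
            self.table[self._key(p)] = "open"   # a real engine also tracks the handshake and timeouts
        return action


# Constructed rule base: one inside host may reach the server over SSH, anyone over HTTPS.
RULES = [
    Rule("allow", proto="tcp", src="10.0.0.5", dst="192.0.2.10", dport=22),
    Rule("allow", proto="tcp", dst="192.0.2.10", dport=443),
    Rule("deny"),
]

# Constructed stream: the SSH client opens a connection, the server replies, the client
# continues, then an unrelated host injects a packet posing as a reply to the client.
STREAM = [
    Packet("tcp", "10.0.0.5", 40000, "192.0.2.10", 22, syn=True),
    Packet("tcp", "192.0.2.10", 22, "10.0.0.5", 40000),
    Packet("tcp", "10.0.0.5", 40000, "192.0.2.10", 22),
    Packet("tcp", "198.51.100.7", 5555, "10.0.0.5", 40000),
]


def compare(stream: List[Packet]) -> dict:
    """Run both engines over the same stream; report verdicts and rule-lookup cost."""
    pf, sf = PacketFilter(RULES), StatefulFirewall(RULES)
    return {"filter": [pf.handle(p) for p in stream], "filter_cost": pf.rules_examined,
            "stateful": [sf.handle(p) for p in stream], "stateful_cost": sf.rules_examined}


if __name__ == "__main__":
    for name, value in compare(STREAM).items():
        print(f"{name}: {value}")
```

The stateless filter rejects the server's reply because no rule matches the reversed addresses (a router ACL would need an explicit reverse rule, which then admits anything else arriving from port 22), and it scans the rule base for every packet. The stateful engine consults the policy once, admits both directions of the tracked connection from its table, and rejects the stray packet because it matches neither a table entry nor a SYN.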

Application Level Firewalls
Application level firewalls are the third firewall technology traditionally seen in the market. These firewalls, also known as application proxies, provide the most secure type of data connection because they can examine every layer of the communication, including the application data. To achieve this security, proxies, as their name suggests, actually mediate connections. The connection from a client to a server is intercepted by the proxy. If the proxy determines that the connection is allowed, it opens a second connection to the server from itself, on behalf of the original client. The data portion of each packet must be stripped off, examined, rebuilt, and sent again on the second connection.
This thorough examination and handling of packets means that proxy firewalls are very secure and generally slow. Proxies are also limited as firewalls, because they must understand the application layer. As new protocols are developed, new proxies must be written and implemented to handle them.

Multi-layer Inspection and Protocol Agents
StoneGate's multi-layer inspection takes a new approach to proxy technology. In addition to being able to select packet filtering or stateful inspection, application-level security can be applied to specific rules in the security policy when needed. StoneGate provides this security without the severe performance penalties normally associated with proxy firewalls: its 'protocol agents' mean that two separate data connections are no longer required.
Protocol agents are a flexible, configurable, and extensible component of the StoneGate security gateways. When application-level security is required by the administrator, protocol agents can be assigned to perform the additional scrutiny required. They also assist the firewall with handling complex connections, such as Oracle® or FTP, redirection of traffic to content inspection systems (e.g., anti-virus servers), enforcing protocol standards, and modifying the data payload if necessary.
One of the most useful security benefits of protocol agents is the ability to enforce protocol standards. For example, many traditional firewalls can allow SSH connections to pass through the firewall. But because SSH creates encrypted connections, many proxies or stateful inspection firewalls simply examine the destination port to determine that the connection is SSH. Since it is an encrypted connection, it is assumed that there is little else to be done. In other words, an intruder can get malicious code or packets through the firewall by disguising them as an SSH connection. With StoneGate, the SSH protocol agent is called upon at the beginning of the connection. The protocol agent in this case assists the firewall by examining the first few packets and ensuring that they conform to the SSH standard; in other words, that the connection is really SSH and not something else. Unlike a proxy, the protocol agent can be released once the encryption starts, freeing resources on the firewall gateway for other packet handling operations.
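The SSH check described above, as an added example that is not StoneGate's protocol agent code. It assumes the firewall hands the agent one protocol unit at a time (an identification line or one binary packet) together with its direction; the checks themselves come from RFC 4253: the identification string format (section 4.2), the unencrypted binary packet framing (section 6) and SSH_MSG_KEXINIT as the first message each side sends (section 7.1). Releasing the agent once both sides have sent KEXINIT is a simplification chosen for the example; the point is that the agent is gone long before the bulk of the encrypted stream arrives. The SshProtocolAgent class and the sample exchanges are constructed for illustration.

```python
"""An SSH protocol agent: verify that a connection to port 22 really starts as SSH,
then detach so the encrypted remainder is forwarded on connection state alone.

Added example, not StoneGate's protocol agent. Checks follow RFC 4253: the
identification string (section 4.2), unencrypted binary packet framing (section 6)
and SSH_MSG_KEXINIT as the first message (section 7.1). Releasing after both
KEXINITs is a simplification chosen for this example.
"""
import re

SSH_MSG_KEXINIT = 20
# "SSH-" protoversion "-" softwareversion [SP comments]; softwareversion is printable
# US-ASCII without whitespace or '-'. The terminating CR LF is checked separately.
IDENT_RE = re.compile(rb"SSH-(2\.0|1\.99)-[\x21-\x2c\x2e-\x7e]+( [\x20-\x7e]*)?")


def check_ident_line(line: bytes) -> bool:
    """Identification string: at most 255 bytes including the CR LF."""
    if len(line) > 255 or not line.endswith(b"\r\n"):
        return False
    return IDENT_RE.fullmatch(line[:-2]) is not None


def check_kexinit(pkt: bytes) -> bool:
    """The first binary packet after the identification strings must be KEXINIT."""
    if len(pkt) < 6:
        return False
    packet_length = int.from_bytes(pkt[:4], "big")
    padding_length = pkt[4]
    if packet_length + 4 != len(pkt) or padding_length < 4:   # at least 4 bytes of padding
        return False
    if (packet_length + 4) % 8:                                # block-aligned; 8 before a cipher exists
        return False
    if packet_length - padding_length - 1 < 1:                 # empty payload
        return False
    return pkt[5] == SSH_MSG_KEXINIT


def build_packet(payload: bytes) -> bytes:
    """Frame a payload as an unencrypted SSH binary packet. Zero padding is used only
    because this is a constructed message; real implementations pad with random bytes."""
    padding = 4
    while (4 + 1 + len(payload) + padding) % 8:
        padding += 1
    packet_length = 1 + len(payload) + padding
    return packet_length.to_bytes(4, "big") + bytes([padding]) + payload + b"\x00" * padding


class SshProtocolAgent:
    """Attached only for the cleartext start of a connection. Each call receives one
    protocol unit (an identification line or one binary packet) with its direction."""

    def __init__(self):
        self.stage = {"client": "ident", "server": "ident"}
        self.released = False

    def inspect(self, direction: str, unit: bytes) -> str:
        """Returns 'pass', 'drop', or 'release' (the agent has detached)."""
        if self.released:
            return "pass"       # from here on the firewall forwards on state alone
        stage = self.stage[direction]
        if stage == "done":
            return "pass"       # this side is finished; waiting for the other side's KEXINIT
        if stage == "ident":
            # The server may send banner lines before its identification string; they
            # must not begin with "SSH-". The client gets no such allowance.
            if direction == "server" and not unit.startswith(b"SSH-") and unit.endswith(b"\r\n"):
                return "pass"
            if not check_ident_line(unit):
                return "drop"   # not SSH, whatever the port number says
            self.stage[direction] = "kexinit"
            return "pass"
        if not check_kexinit(unit):
            return "drop"
        self.stage[direction] = "done"
        if all(s == "done" for s in self.stage.values()):
            self.released = True
            return "release"
        return "pass"


def run_exchange(units) -> list:
    """Feed one exchange through a fresh agent; stop at the first drop."""
    agent = SshProtocolAgent()
    verdicts = []
    for direction, unit in units:
        verdicts.append(agent.inspect(direction, unit))
        if verdicts[-1] == "drop":
            break
    return verdicts


# Constructed traffic. The KEXINIT payload carries only the message number and the
# 16-byte cookie; the name-lists of a real KEXINIT are omitted.
KEXINIT = build_packet(bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16)
GENUINE_SSH = [
    ("client", b"SSH-2.0-OpenSSH_9.6\r\n"),
    ("server", b"SSH-2.0-OpenSSH_9.6p1 Debian-3\r\n"),
    ("client", KEXINIT),
    ("server", KEXINIT),
    ("client", b"\x8f\x12\xa0\x4c"),   # opaque bytes once the agent has let go
]
DISGUISED_HTTP = [("client", b"GET / HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n")]

if __name__ == "__main__":
    print("genuine:  ", run_exchange(GENUINE_SSH))
    print("disguised:", run_exchange(DISGUISED_HTTP))
```

The disguised exchange is dropped on its first unit: an HTTP request aimed at port 22 does not match the identification-string grammar, so the port number alone buys the intruder nothing. The genuine exchange is passed and the agent releases itself after the fourth unit; everything after that is forwarded by the firewall's connection tracking without any application-level work.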
Another ability of protocol agents is the ability to redirect traffic to content inspection systems. Content inspection systems are commonly used to provide anti-virus protection or Web address filtering. They are designed to prevent attacks against servers using malicious content that is syntactically correct from a protocol perspective, yet from the perspective of the applications, semantically dangerous. In StoneGate, protocol agents can be configured at the rule level to redirect traffic to such an inspection system for further analysis; the administrator can choose to only have this redirection take place when it is necessary to do so.
In addition to inspecting the protocol in more detail than traditional systems provide, and redirecting traffic to content inspection systems for further analysis, multi-layer inspection also allows protocol agents to modify application data. Complex protocols such as H.323, which is used by voice over IP applications (e.g., Microsoft® NetMeeting®), do not pass through packet filters or stateful inspection firewalls when IP addresses are translated using network address translation (NAT). Such protocols carry address information about associated voice gateways and call endpoints inside the packet payload, and that data is not translated by those firewalls because they were not designed to do so. With StoneGate's multi-layer inspection, protocol agents can examine and modify such application data; and because the system does not establish two separate connections, the performance and translation problems associated with application proxies do not affect the firewall.
Other complex protocols which require multiple yet related connections, such as Oracle® database connections or even FTP, are also handled more efficiently with multi-layer inspection. Protocol agents monitor connections for these protocols, and can instruct the firewall to allow related connections. With such assistance, the firewall does not need to perform additional checks against the security policy, and all connections required for the protocol are handled without the firewall inadvertently rejecting them.
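The two abilities described in the preceding paragraphs, rewriting addresses embedded in application data so that a protocol survives NAT and telling the firewall which related connections to admit, as one added example. It is not StoneGate's FTP or H.323 agent code. FTP is used rather than H.323 because its command grammar fits in a few lines and carries embedded addresses in exactly the way the text describes: the RFC 959 PORT command announces the client's own address and port for an active-mode data connection, and the 227 reply to PASV announces the server's. The FtpAgent class, the NAT mapping and all addresses and ports are constructed for illustration.

```python
"""A protocol agent for FTP: rewrite addresses carried in the application data so the
protocol survives NAT, and tell the firewall which related data connection to expect.

Added example, not StoneGate's FTP agent. Grammar from RFC 959: PORT h1,h2,h3,h4,p1,p2
and the 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2) reply. Addresses, ports and the
NAT mapping are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

PORT_RE = re.compile(rb"PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n")
PASV_RE = re.compile(rb"227 [^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)[^\r\n]*\r\n")

Endpoint = Tuple[str, int]
Expectation = Tuple[str, Optional[int], str, int]   # (src, sport or None for any, dst, dport)


def decode_hostport(groups) -> Optional[Endpoint]:
    octets = [int(g) for g in groups]
    if any(o > 255 for o in octets):
        return None
    return ".".join(map(str, octets[:4])), octets[4] * 256 + octets[5]


def encode_hostport(addr: str, port: int) -> bytes:
    return f"{addr.replace('.', ',')},{port // 256},{port % 256}".encode()


@dataclass
class FtpAgent:
    """State for one FTP control connection from an inside client behind NAT."""
    client_inside: str     # the client's private address, as seen on the control connection
    client_public: str     # the address the firewall translates it to
    server: str            # the server's address, the control connection's peer
    next_public_port: int = 50000
    expected: Set[Expectation] = field(default_factory=set)
    dnat: Dict[Endpoint, Endpoint] = field(default_factory=dict)   # public endpoint -> inside endpoint

    def client_to_server(self, line: bytes) -> Optional[bytes]:
        """Rewrite a PORT command for NAT. Returns the line to forward, or None to drop it."""
        m = PORT_RE.fullmatch(line)
        if not m:
            return line                     # other commands are forwarded untouched
        decoded = decode_hostport(m.groups())
        if decoded is None:
            return None
        addr, port = decoded
        if addr != self.client_inside:
            return None                     # PORT pointing at a third host: an FTP bounce attempt
        pub_port = self.next_public_port
        self.next_public_port += 1
        # Active mode: the server will connect from port 20 to the address we advertise.
        self.expected.add((self.server, 20, self.client_public, pub_port))
        self.dnat[(self.client_public, pub_port)] = (self.client_inside, port)
        return b"PORT " + encode_hostport(self.client_public, pub_port) + b"\r\n"

    def server_to_client(self, line: bytes) -> Optional[bytes]:
        """Passive mode: note where the server told the client to connect."""
        m = PASV_RE.fullmatch(line)
        if not m:
            return line
        decoded = decode_hostport(m.groups())
        if decoded is None or decoded[0] != self.server:
            return None                     # reply points somewhere other than the server we talk to
        self.expected.add((self.client_inside, None, decoded[0], decoded[1]))
        return line                         # the server side is not translated in this example

    def is_related(self, src: str, sport: int, dst: str, dport: int) -> bool:
        """Let the firewall admit an expected data connection without a policy lookup."""
        for e_src, e_sport, e_dst, e_dport in self.expected:
            if (src, dst, dport) == (e_src, e_dst, e_dport) and e_sport in (None, sport):
                return True
        return False


def demo() -> dict:
    agent = FtpAgent(client_inside="10.0.0.5", client_public="203.0.113.1", server="192.0.2.20")
    return {
        "port_rewritten": agent.client_to_server(b"PORT 10,0,0,5,200,10\r\n"),
        "active_data_admitted": agent.is_related("192.0.2.20", 20, "203.0.113.1", 50000),
        "active_dnat": agent.dnat[("203.0.113.1", 50000)],
        "pasv_forwarded": agent.server_to_client(b"227 Entering Passive Mode (192,0,2,20,4,1)\r\n"),
        "passive_data_admitted": agent.is_related("10.0.0.5", 40001, "192.0.2.20", 1025),
        "stray_connection_admitted": agent.is_related("198.51.100.7", 20, "203.0.113.1", 50000),
        "bounce_dropped": agent.client_to_server(b"PORT 192,0,2,30,0,25\r\n") is None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The PORT line leaves the firewall carrying the public address and a port the firewall owns, so the server's active-mode connection reaches something routable; the dnat map lets the firewall translate that connection back to the client, and the expectation lets it admit the connection without a second pass through the policy. A PORT command naming a third host is dropped rather than rewritten, which is the classic FTP bounce check that a stateless filter cannot perform.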
With StoneGate and multi-layer inspection, the best aspects of each type of firewall technology, from basic packet filters to stateful inspection and robust, high performance application proxy technologies have been combined. Each of these can be implemented in security policies, giving today's network administrators the highest level of configurability to meet the needs of 21st century networks.