Re: Deep Inspection Firewall / IPS
Hi,

I'm a bit late to answer, but I hope this helps:

1. Antivirus companies make signatures of viruses and malware.
2. These signatures are based on application-level data.
3. Port numbers are at the transport layer and can be easily changed. Such
switches are called Layer 3/4 switches.
4. P2P applications are well known for such behaviour. When you block
a certain port on an L4 switch, the P2P application finds another open
port and starts communicating.
5. Deep packet inspection means a switch with the capability for L7
filtering, i.e. it can look into a packet up to the application-layer data.
6. Such a switch will usually have a tie-up with some antivirus company
or will be producing its own signatures. These signatures are
normally based on some pattern in the application payload.
7. I am working on a similar product, details of which can be obtained from
www.nevisnetworks.com

Hope this helps!

Regards,

Anupam Chomal,
Software Developer,
Nevis Networks.
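To make the distinction between a port-based (L4) filter and payload-based (L7) inspection concrete, here is an added example that is not from either poster and not Nevis Networks' product code. It feeds a handful of constructed TCP segments (a normal HTTP request, a BitTorrent handshake on its usual port and the same handshake moved onto port 80, and HTTP requests carrying a classic "/etc/passwd" content pattern, once plain and once percent-encoded) through a port allow-list and then through a small signature matcher. The signature names, the sample payloads and the `classify` verdict strings are this example's own conventions; the BitTorrent handshake prefix (byte 0x13 followed by "BitTorrent protocol") is the real protocol's.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote_to_bytes


@dataclass
class Segment:
    """One TCP segment with its application payload (constructed, not captured)."""
    name: str
    src_port: int
    dst_port: int
    payload: bytes


# Constructed sample traffic for the demonstration.
BT_HANDSHAKE = b"\x13BitTorrent protocol" + bytes(8) + bytes(20) + bytes(20)
SAMPLES = [
    Segment("web-get", 51234, 80,
            b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Segment("bt-on-6881", 51235, 6881, BT_HANDSHAKE),
    # Same P2P handshake, but the client has moved to port 80 to get past a port block.
    Segment("bt-on-80", 51236, 80, BT_HANDSHAKE),
    Segment("cmd-in-query", 51237, 80,
            b"GET /cgi-bin/test.cgi?cmd=%3Bcat+/etc/passwd HTTP/1.0\r\n\r\n"),
    # Same request with the path percent-encoded: a naive byte match would miss it.
    Segment("cmd-in-query-encoded", 51238, 80,
            b"GET /cgi-bin/test.cgi?cmd=%3Bcat+%2Fetc%2Fpasswd HTTP/1.0\r\n\r\n"),
]

# Payload signatures in the style of an IDS content match (names are this example's own).
SIGNATURES = {
    "p2p.bittorrent.handshake": re.compile(rb"^\x13BitTorrent protocol"),
    "http.uri.etc-passwd": re.compile(rb"(?i)/etc/passwd"),
}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")
ALLOWED_PORTS = {80, 443}


def l4_filter(seg: Segment, allowed=ALLOWED_PORTS) -> bool:
    """Stateful-firewall view: the only thing examined is the destination port."""
    return seg.dst_port in allowed


def l7_inspect(seg: Segment) -> list:
    """DPI view: normalize the application payload and match it against signatures.

    Returns the list of signature names that fired (empty means clean)."""
    is_http = seg.payload.startswith(HTTP_METHODS)
    # Decode %xx escapes before matching so encoding the URI does not evade the signature.
    view = unquote_to_bytes(seg.payload) if is_http else seg.payload
    hits = [name for name, pat in SIGNATURES.items() if pat.search(view)]
    # Protocol conformance: traffic on port 80 that is not an HTTP request is suspicious
    # even if no signature fires (this catches unknown tunnelled protocols).
    if seg.dst_port == 80 and not is_http:
        hits.append("http.nonconforming")
    return hits


def classify(seg: Segment) -> str:
    """Port filter first, then payload inspection; returns a verdict string."""
    if not l4_filter(seg):
        return "drop:l4-port"
    hits = l7_inspect(seg)
    if hits:
        return "drop:l7:" + ",".join(hits)
    return "allow"


def run(samples=SAMPLES) -> dict:
    """Classify every sample; the dict is keyed by the sample name."""
    return {seg.name: classify(seg) for seg in samples}


if __name__ == "__main__":
    for name, verdict in run().items():
        print(f"{name:22s} {verdict}")
```

Running it shows the point of the thread: `bt-on-6881` is dropped by the port filter alone, but `bt-on-80` sails through that filter and is caught only by the payload signature (and by the HTTP conformance check). The two `/etc/passwd` requests are both on an allowed port and look like ordinary HTTP to an L4 device; only the L7 matcher flags them, and only because it percent-decodes before matching. Real DPI engines also reassemble TCP streams and decompress or decode bodies before matching, which this single-segment example leaves out.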

On Wed, Oct 29, 2008 at 6:45 PM, Tony Raboza <tonyraboza@xxxxxxxxx> wrote:
Hi,

I'm trying to get my company to buy a firewall with deep-inspection
capabilities or an IPS. From my research, what is really needed is a deep
inspection firewall/IPS, because stateful packet inspection will
not do.

For example, for a web server you close off all the ports except port
80/443 (http/https). But threats/malware can come in through port 80
disguised as normal HTTP traffic, so we need a firewall which
would inspect this, hence the need for deep packet inspection/IPS.

But what if we also do NAT? Can malware still come in through port 80?

I've been reading this, "Red Hat 8 Compromise",
http://honeyblog.org/junkyard/reports/redhat-compromise.pdf , but my
thought on this one is: if the honeypot RH8 had been NATted, could the
attacker have opened up a shell, which might be on either port 22 (ssh) or
23 (telnet)? What if only port 80/443 was port-forwarded? Can the
attacker open up a shell?

Questions:
1. Am I correct in my statements above?
2. If I am correct - can you give me real-world examples of exploits
that come in through port 80/port 443 which can compromise a
Unix/Linux webserver as well as a Windows web server?


Thanks,
Tony