Security Basics mailing list archives

Re: Deep Inspection Firewall / IPS


From: "Anupam Chomal" <anupamchomal () gmail com>
Date: Tue, 4 Nov 2008 11:58:00 +0530

Hi,

I am a bit late to answer, but I hope this helps:

1. Antivirus companies make signatures of viruses and malware.
2. These signatures are based on application-level data.
3. Port numbers are on the Transport layer and can be easily changed. Such
switches are called Layer 3/4 switches.
4. P2P applications are well known for such behaviour. When you block
a certain port on a L4 switch, the P2P application finds another open
port and starts communicating.
5. Deep packet inspection means a switch with the capability for L7
filtering, i.e. it can look into a packet up to the application-layer data.
6. Such a switch will usually have a tie-up with some antivirus company
or will be producing its own signatures. These signatures are
normally based on some pattern in the application payload.
7. I am working on a similar product, details of which can be got from
www.nevisnetworks.com

Hope this helps!

Regards,

Anupam Chomal,
Software Developer,
Nevis Networks.
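The contrast drawn in points 3 to 6 above, as an added illustration that is not part of the original post or of any product mentioned in it: a port-only (Layer 4) filter beside a payload-signature (Layer 7) classifier, run over a few constructed packets. The signature patterns, port numbers and sample payloads are constructed for this example; a real DPI product ships vendor-maintained signatures and reassembles TCP streams before matching, which this toy does not do.

```python
import re
from dataclasses import dataclass


@dataclass
class Packet:
    """Minimal view of a packet: L4 ports plus the application payload."""
    src_port: int
    dst_port: int
    payload: bytes


# Layer 4 policy: only the web ports are open inbound (as in the thread).
ALLOWED_DST_PORTS = {80, 443}

# Layer 7 signatures over the application payload. The BitTorrent handshake
# prefix is the well-known one; the "EXAMPLE-MALWARE-MARKER" pattern is
# constructed for this example and matches nothing real.
SIGNATURES = {
    "bittorrent-handshake": re.compile(rb"^\x13BitTorrent protocol"),
    "example-malware-marker": re.compile(rb"EXAMPLE-MALWARE-MARKER-[0-9a-f]{8}"),
}


def l4_verdict(pkt: Packet) -> str:
    """Port-based filtering: looks only at the transport-layer header."""
    return "allow" if pkt.dst_port in ALLOWED_DST_PORTS else "drop"


def l7_matches(pkt: Packet) -> list:
    """Names of every payload signature that fires on this packet."""
    return [name for name, rx in SIGNATURES.items() if rx.search(pkt.payload)]


def dpi_verdict(pkt: Packet) -> str:
    """Deep inspection: port policy first, then payload signatures."""
    if l4_verdict(pkt) == "drop":
        return "drop"
    if l7_matches(pkt):
        return "drop"
    return "allow"


# Constructed sample traffic. Packet 3 is the case the thread describes:
# a P2P handshake moved onto port 80 after its usual port was closed.
SAMPLE_TRAFFIC = [
    Packet(51000, 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Packet(51001, 6881, b"\x13BitTorrent protocol" + b"\x00" * 8),
    Packet(51002, 80, b"\x13BitTorrent protocol" + b"\x00" * 8),
    Packet(51003, 80, b"POST /upload HTTP/1.1\r\n\r\nEXAMPLE-MALWARE-MARKER-deadbeef"),
]


def compare(traffic) -> list:
    """(dst_port, L4 verdict, DPI verdict, matched signatures) per packet."""
    return [(p.dst_port, l4_verdict(p), dpi_verdict(p), l7_matches(p)) for p in traffic]


if __name__ == "__main__":
    for row in compare(SAMPLE_TRAFFIC):
        print(row)
```

The third packet is the whole point: the port filter allows it because it arrives on port 80, while the payload signature still identifies it. Two caveats a practitioner would add: the signatures only see plaintext, so traffic on 443 is opaque to this check unless TLS is terminated in front of the inspector, and a signature set is only as good as its last update, which is why these products ride on a signature feed rather than a fixed list.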

On Wed, Oct 29, 2008 at 6:45 PM, Tony Raboza <tonyraboza () gmail com> wrote:
Hi,

I'm trying to get my company to buy a firewall with deep-inspection
capabilities or IPS.  From my research what is really needed is a deep
inspection firewall/IPS - because a stateful packet inspection will
not do.

For example, for a web server you close off all the ports except port
80/443 (http/https).  But threats/malware can come in through port 80
disguised as normal http traffic, so we need a firewall which
would inspect this - hence the need for deep packet inspection/IPS.

But what if we also do NAT?  Can malware still come in through port 80?

I've been reading this - "Red Hat 8 Compromise" -
http://honeyblog.org/junkyard/reports/redhat-compromise.pdf , but my
thought on this one is that if the honeypot RH8 was NATted could the
attacker have opened up a shell which might either be port 22 (ssh) or
23 (telnet)?  What if only port 80/443 was port-forwarded?  Can the
attacker open up a shell?

Questions:
1.  Am I correct in my statements above?
2.  If I am correct - can you give me real-world examples of exploits
that come in through port 80/port 443 which can compromise a
Unix/Linux webserver as well as a Windows web server?


Thanks,
Tony
