Security Basics mailing list archives
Re: Deep Inspection Firewall / IPS
From: "Anupam Chomal" <anupamchomal () gmail com>
Date: Tue, 4 Nov 2008 11:58:00 +0530
Hi,

I am a bit late to answer but I hope this helps:

1. Antivirus companies make signatures of viruses and malware.
2. These signatures are based on application level data.
3. Port numbers are on the Transport layer and can be easily changed. Such switches are called Layer 3/4 switches.
4. P2P applications are well known for such behaviour. When you block a certain port on an L4 switch, the P2P application finds another open port and starts communicating.
5. Deep packet inspection means a switch with the capability for L7 filtering, i.e. it can look into a packet up to the application layer data.
6. Such a switch will usually have a tie-up with some antivirus company or will be producing its own signatures. These signatures are normally based on some pattern in the application payload.
7. I am working on a similar product, details of which can be got from www.nevisnetworks.com

Hope this helps!

Regards,
Anupam Chomal,
Software Developer,
Nevis Networks.

On Wed, Oct 29, 2008 at 6:45 PM, Tony Raboza <tonyraboza () gmail com> wrote:
Hi,

I'm trying to get my company to buy a firewall with deep-inspection capabilities or IPS. From my research what is really needed is a deep inspection firewall/IPS, because a stateful packet inspection will not do. For example, for a web server you close off all the ports except port 80/443 (http/https). But threats/malware can come in through port 80 disguising itself as normal http traffic, so we need a firewall which would inspect this; hence the need for deep packet inspection/IPS.

But what if we also do NAT? Can malware still come in through port 80?

I've been reading this, "Red Hat 8 Compromise", http://honeyblog.org/junkyard/reports/redhat-compromise.pdf , but my thought on this one is that if the honeypot RH8 was NATted could the attacker have opened up a shell which might either be port 22 (ssh) or 23 (telnet)? What if only port 80/443 was port-forwarded? Can the attacker open up a shell?

Questions:
1. Am I correct in my statements above?
2. If I am correct, can you give me real-world examples of exploits that come in through port 80/port 443 which can compromise a Unix/Linux webserver as well as a Windows web server?

Thanks,
Tony
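The thread's point is that a stateful (L4) filter decides from the port number while an L7 / deep-inspection engine decides from the application payload. The following added example illustrates that difference; it is not code from either poster or from any vendor product. It assumes a NATed web server with only ports 80 and 443 forwarded, and the signatures, the `Flow` type and the sample flows are all constructed for the example (the patterns are simplified protocol fingerprints, not a real signature set).

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """First payload bytes of a TCP flow arriving at the web server (hypothetical type)."""
    dst_port: int
    payload: bytes


# Port-based view: all a stateful / L4 filter knows is the port number.
PORT_TABLE = {80: "http", 443: "tls", 22: "ssh", 6881: "bittorrent"}

# Payload-based view: what an L7 / deep-inspection engine matches on.
# Simplified, hypothetical signatures written for this example.
SIGNATURES = [
    ("http", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")),
    # TLS record header: content type 0x16 (handshake), version 0x03 0x00..0x03,
    # 2-byte record length, then handshake type 0x01 (ClientHello).
    ("tls", re.compile(rb"^\x16\x03[\x00-\x03][\x00-\xff]{2}\x01")),
    # BitTorrent peer handshake: length byte 19 followed by the protocol string.
    ("bittorrent", re.compile(rb"^\x13BitTorrent protocol")),
    ("ssh", re.compile(rb"^SSH-2\.0-")),
]

# Policy for the NATed web server: only these ports are forwarded, and each
# must carry the application it is meant for.
ALLOWED = {80: "http", 443: "tls"}


def classify_by_port(flow: Flow) -> str:
    """L4 guess: trust the port number."""
    return PORT_TABLE.get(flow.dst_port, "unknown")


def classify_by_payload(flow: Flow) -> str:
    """L7 match: identify the application from the payload, ignoring the port."""
    for name, pattern in SIGNATURES:
        if pattern.match(flow.payload):
            return name
    return "unknown"


def inspect(flow: Flow) -> dict:
    """Return both views plus the verdict an L7 filter would reach."""
    l4 = classify_by_port(flow)
    l7 = classify_by_payload(flow)
    expected = ALLOWED.get(flow.dst_port)
    if expected is None:
        verdict = "drop (port not forwarded)"
    elif l7 == expected:
        verdict = "allow"
    else:
        verdict = f"drop (expected {expected} on port {flow.dst_port}, payload looks like {l7})"
    return {"port": flow.dst_port, "l4_guess": l4, "l7_match": l7, "verdict": verdict}


# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    Flow(80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Flow(443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + bytes(32)),
    Flow(80, b"\x13BitTorrent protocol" + bytes(8) + bytes(20)),   # P2P hiding on port 80
    Flow(80, b"SSH-2.0-OpenSSH_5.1\r\n"),                           # non-HTTP protocol on port 80
    Flow(22, b"SSH-2.0-OpenSSH_5.1\r\n"),                           # port never forwarded by NAT
]


def run_samples() -> list:
    return [inspect(f) for f in SAMPLE_FLOWS]


if __name__ == "__main__":
    for result in run_samples():
        print(result)
```

The third and fourth sample flows are the case Tony asks about: the L4 guess says "http" because the port is 80, but the payload matches a different protocol, so only the payload-based check drops them. The fifth flow shows what NAT does on its own: an unforwarded port is dropped regardless of content, which is why port-forwarding only 80/443 narrows the surface but does not inspect what arrives on those two ports.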