App Switches Boost Firewall Security

Application switches have come a long way from the early days of performing simple load balancing of Web traffic. Now, they are capable of intelligently load balancing various types of application traffic (e.g., streaming, voice over IP, database, Web services, wireless, etc.). However, a new need has arisen for application switches that can leverage deep-packet Layer 7 inspection capabilities to perform application-layer security.

Standard firewalls have long been able to enforce security policies based on who or what is allowed to connect to a specific service or machine. But the content of the packets allowed to pass through a firewall has typically been invisible to the firewall. This is because firewalls generally look only at header information. The header information is described as Layer 2 (e.g., MAC addresses), Layer 3 (e.g., IP addresses of the sender and the receivers), and Layer 4 (e.g., TCP and UDP port numbers that indicate requested applications).

Standard firewalls are limited in their ability to block attacks based on the content of a packet. New viruses, worms, malicious code, buggy applications, and cyber-attacks have now started targeting application weaknesses. A good example is the weakness enabled by the standard practice of opening services such as HTTP (TCP port 80) and HTTPS (TCP port 443) through most firewalls.

Many applications and protocols, both legitimate and illegitimate, are tunneling through firewalls by connecting over standard TCP port 80 (such as the Code Red virus) or encapsulating in SSL tunnels (HTTPS). Packets aimed at these services pass through the network without being identified by typical firewalls. Many of these application vulnerability attacks are initiated by deliberately building malformed packets such as those containing illegal fields in the IP header (e.g., nullscan, xmascan, scan SYNFIN, etc.).

As application-layer attacks and viruses become more sophisticated, it is imperative that the Layer 7 deep packet inspection capability of application switches is utilized to assist standard firewalls. The intelligent application-layer security inspection enabled by application switches in conjunction with standard firewall perimeter security, enables a level of layered security that effectively protects networks against application-layer attacks. Application switches need to be very robust if they are to provide the level of security required without adding latency to the network. They should also have the power to look deep inside a packet in real time, and the intelligence to detect complex patterns and signatures at different locations within a packet payload.To accomplish application-layer security, application switches need to be able to process not just Layer 2 and Layer 3 packets at wire speed. They also need to sustain a similar type of processing performance while handling the more complex task of opening up a packet and inspecting the packet payload.

To enable application-layer security with an application switch, it must first be configured with a predefined set of security rules. These rules can be as simple as a Layer 2-4 access list or as complex as denying Layer 7 patterns that are embedded inside the payload. Once packets (either legitimate or attacks) enter the switch, the switch inspects each packet by comparing the security rules to the content of the packet. To increase the performance of the inspection, complex security rules can be defined with an offset value so that the switch inspection engine can go directly to the location in the packet to be inspected.

Often, a virus pattern is a combination of multiple patterns within the payload. Therefore, the application switch must be flexible enough to be configured to inspect multiple compound patterns located at different offsets within the payload. When the attack pattern is matched, the application switch drops this packet and creates a session table entry in the switch. This means that subsequent packets of the same session (e.g., TCP) will be dropped without going through any additional inspection. Creating the illegitimate application session table entry enables the application switch to accelerate the denial of subsequent packets in the session by inspecting the session table without the need to perform the initial complex security rule check.

This same application-layer security inspection capability enables an application switch to provide rate limiting of complex protocols such as those used in peer-to-peer (P2P) applications. KaZaA, Edonkey, and Gnutella are examples of popular P2P file sharing applications, which leverage protocols that use dynamic ports to enable client-to-client communication. Many enterprises want to limit the use of P2P applications because they can be significant bandwidth hogs and are often used to illegally transfer copyrighted files (music, movies, etc.). Standard firewalls are not able to detect these P2P applications because their unique protocol signature does not appear at the Layer 4 port level. Many of these protocols have signatures that are embedded in the HTTP header or, in some cases, embedded in the data payload itself.

Ultimately, an application switch can help standard firewalls detect P2P protocol patterns and restrict the traffic. Alternatively, the switch can act as a bandwidth management device that identifies P2P traffic and provides rate limiting and shaping functionality to control the amount of the total traffic generated by these applications. This is especially useful in cable, ISP, and university networks, where P2P traffic can account for as much as 70 percent of total network traffic.Pat Patterson, Director, Ethernet Switching Marketing, Nortel Networks Corp.