October 3, 2010 at 7:11 pm #5650 manoj9372 (Participant)
I have a doubt regarding how firewalls actually filter out traffic based on applications.
Assume you have restricted or filtered the use of the Firefox browser on the network (a kind of application filtering in the firewall).
So assume a user has installed the Mozilla Firefox application on a PC on the network and started using the internet.
In this case, how can a firewall actually detect that the traffic originated from the Firefox application?
And how does it differentiate traffic from two different browsers?
I thought a bit about how it gets filtered on firewalls, but I can't figure out how.
So please help me by making this clear...
Hope I will get some explanations...
October 3, 2010 at 10:44 pm #35544 dynamik (Participant)
It could look at the user agent that's being reported, but that's something that's easy to change. "Application" in this context doesn't really refer to a specific application that the client is using, but rather to the protocol that is in use. It's referring to the application layer of the OSI/TCP models. For example, a packet-filtering firewall could be configured to do something like only allow outbound traffic with a destination port of 80 (standard HTTP).
However, I could do something like run SSH on that port and create a semi-covert channel. The firewall wouldn’t have any problems with that since I’m adhering to the rules. However, an application-level firewall would actually perform deeper packet inspection and notice that I’m not making HTTP connections. If it was configured to only allow HTTP, my connection would be denied and logs/alerts would be generated.
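The three kinds of decision dynamik describes above, as an added worked example written for this thread (it is not code from any poster or from a real firewall product): a port-only packet filter, an application-layer check that looks at what the first client bytes on the connection actually are, and a User-Agent check for Firefox. The flows are constructed inline, not captured; the SSH-on-port-80 flow is the "semi-covert channel" from the post, and the last flow assumes a Firefox whose User-Agent string has been changed to look like Internet Explorer.

```python
"""Port filter vs. application-layer inspection vs. User-Agent matching.

Illustrative code for this forum thread, not a vendor's firewall logic.
All sample flows below are constructed by hand.
"""
import re
from typing import Dict, Optional, Tuple

# Constructed sample flows: (destination port, first bytes the client sends).
SAMPLE_FLOWS: Dict[str, Tuple[int, bytes]] = {
    "firefox_http": (80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
                         b"User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:3.6.10) "
                         b"Gecko/20100914 Firefox/3.6.10\r\n\r\n"),
    "ie_http": (80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
                    b"User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)\r\n\r\n"),
    # An SSH client pointed at port 80 to slip past a port-only rule.
    "ssh_on_80": (80, b"SSH-2.0-OpenSSH_5.5p1 Debian-4\r\n"),
    # Assumed: Firefox with its User-Agent string overridden to look like IE.
    "firefox_spoofed_ua": (80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
                               b"User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)\r\n\r\n"),
}

# Policy for the application-layer firewall: which protocol is expected on which port.
APP_LAYER_POLICY: Dict[int, str] = {80: "http"}
ALLOWED_PORTS = frozenset({80})

HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n")
FIREFOX_UA = re.compile(r"\bFirefox/")


def identify_protocol(payload: bytes) -> str:
    """Classify a flow by the shape of its first client bytes, ignoring the port."""
    if payload.startswith(b"SSH-"):          # SSH identification string (RFC 4253)
        return "ssh"
    if HTTP_REQUEST_LINE.match(payload):     # HTTP request line
        return "http"
    return "unknown"


def user_agent(payload: bytes) -> Optional[str]:
    """Return the User-Agent header value of an HTTP request, or None."""
    if identify_protocol(payload) != "http":
        return None
    for line in payload.split(b"\r\n")[1:]:
        if not line:                          # blank line ends the header block
            break
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"user-agent":
            return value.strip().decode("ascii", "replace")
    return None


def packet_filter(port: int) -> str:
    """Stateless packet filter: only the destination port is consulted."""
    return "allow" if port in ALLOWED_PORTS else "deny"


def app_layer_firewall(port: int, payload: bytes) -> Tuple[str, str]:
    """Allow only if the port is permitted AND the payload is the protocol expected there."""
    expected = APP_LAYER_POLICY.get(port)
    if expected is None:
        return "deny", f"port {port} not permitted"
    seen = identify_protocol(payload)
    if seen != expected:
        return "deny", f"expected {expected} on port {port}, saw {seen}"
    return "allow", f"{seen} on port {port}"


def browser_filter(payload: bytes) -> str:
    """Block flows whose User-Agent claims to be Firefox. Trivially bypassed."""
    ua = user_agent(payload)
    if ua is not None and FIREFOX_UA.search(ua):
        return "deny"
    return "allow"


def evaluate_all(flows: Dict[str, Tuple[int, bytes]] = SAMPLE_FLOWS) -> Dict[str, Dict[str, str]]:
    """Run every flow through all three decision functions."""
    results = {}
    for name, (port, payload) in flows.items():
        results[name] = {
            "packet_filter": packet_filter(port),
            "app_layer": app_layer_firewall(port, payload)[0],
            "ua_filter": browser_filter(payload),
        }
    return results


if __name__ == "__main__":
    for name, decision in evaluate_all().items():
        print(f"{name:20s} {decision}")
```

The packet filter lets the SSH-on-80 flow through because it only looks at the port; the application-layer check denies it because the first bytes are an SSH banner rather than an HTTP request line. The User-Agent check catches the stock Firefox request but passes the one whose header was changed, which is the weakness dynamik points out.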
October 8, 2010 at 12:45 pm #35545 COm_BOY (Participant)
Generally speaking, there are modules available for firewalls which help you do content inspection. For example, the Cisco ASA is a firewall and the CSC-SSM is a content inspection module. Other open-source firewall distros are also offering inspection features. I don't think content inspection is typically part of a firewall, but days are changing and we will soon see almost all network-based firewalls having content inspection 🙂 since it's becoming a must these days, apart from the cost factor.
October 12, 2010 at 2:56 pm #35546 former33t (Participant)
It sounds like you might be trying to detect illicit software installs on your client machines. There are much more reliable ways to do that than using a firewall. Look at client side solutions to protect the endpoint. These are much more reliable for detecting the sorts of changes you mention.
October 12, 2010 at 4:51 pm #35547 COm_BOY (Participant)
Can you tell us which firewall you have? Cisco is offering NBAR for its firewalls and routers, but basically it's not something to block with; it's like MPF, offering different policies on different sets. However, NBAR can also be used to block applications. It all depends on which kind of equipment you have.