Deep Inspection Firewall / IPS

["Tony Raboza" <tonyraboza () gmail com>]

Hi,

I'm trying to get my company to buy a firewall with deep-inspection
capabilities or IPS.  From my research what is really needed is a deep
inspection firewall/IPS - because a stateful packet inspection will
not do.

For example for a web server - you close off all the ports except port
80 /443 (http/https).  But threats/malware can come in through port 80
disguising itself as normal http traffic, so we need a firewall which
would inspect this - hence the need for deep packet inspection/IPS.

But what if we also do NAT?  Can malware still come in through port 80?

I've been reading this - "Red Hat 8 Compromise" -
http://honeyblog.org/junkyard/reports/redhat-compromise.pdf , but my
thought on this one is that if the honeypot RH8 was NATted could the
attacker have opened up a shell which might either be port 22 (ssh) or
23 (telnet)?  What if only port 80/443 was port-forwarded?  Can the
attacker open up a shell?

Questions:
1.  Am I correct in my statements above?
2.  If I am correct - can you give me real-world examples of exploits
that come in through port 80/port 443 which can compromise a
Unix/Linux webserver as well as a Windows web server?


Thanks,
Tony