Security Basics mailing list archives

Re: Firewalls- Deep Packet Inspection (L7)


From: Soumen Paul <soumenpaul1977 () googlemail com>
Date: Tue, 5 Apr 2011 19:16:39 +0100

Juniper ScreenOS-based FWs use two methods:
1: Screening - it's predefined within its software code and configurable with limited options. This checks the header, but 
Juniper claims it does payload to some extent. As you update the software of the firewall, this baseline gets updated; otherwise 
this is pretty static.
2: Deep inspection: signature based and inspects payload. The signature database is the same one which they use for 
IDS/IPS products.

Check Point has more options:
1: SmartDefense - signature based and can look at header and payload.
2: Web Intelligence: can read payload. Good for web farms and HTTP services.
3: CP also has predefined protocol inspection, which it inspects better than other vendors. The Base.def file has these 
definitions. A good example would be: if you use the predefined FTP service in the rule base and the FTP implementation has 
an issue (non-RFC implementation), CP will drop the packet. Either you turn off the CP default FTP service or fix your FTP 
server.
This is again not true DPI but beyond normal header checking.

Juniper does this as well using ALG, but not as good as Check Point.

Cisco FWs just have fixup in the PIX family and inspect in the ASA. Not as good as the others. It's just protocol inspection. No 
payload and intelligent header checking.


Regards
Soumen



On 2 Apr 2011, at 02:52 AM, cybersecure4561 () gmail com wrote:

I'm posting to the forum to ask the opinion of senior FW experts on which firewalls truly perform DPI. I've done some 
research & it appears that there is no industry standard that identifies what DPI is or does.

Those with FW experience on CP, Cisco, Juniper products, which are the FWs that do DPI of the payload? I ask this question 
because Cisco IOS CBAC/Inspect or Zone Based rules do use signatures but do not update packet signatures. Cisco 
relies on the addition of IPS packet inspection (updates by SmartNet contract) to achieve the claim of performing DPI. 
IPS/IDS do have their place in the infrastructure but they are not FWs. Enterprise security people would not say 
forget the FW, let's use an IDS/IPS instead.

Do Check Point & Juniper also rely on an IPS as an integral part of DPI, or is this function & process carried out 
only by the FW? I know that CP has bundled an IPS into their suite but their IPS is renowned for false positives. 
It's my humble opinion that in the high end firewalls Check Point & Juniper really do DPI (L7).

Are there any independent organizations/labs that have tested vendor claims & performance of firewalls that do DPI?
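
The three inspection depths contrasted in the reply above (plain header filtering, predefined protocol inspection as in the FTP case, and signature-based payload inspection), as an added example that is not part of the original thread and is not any vendor's implementation. The verb allow-list, the signatures and the sample FTP lines are constructed for illustration.

```python
import re
# Subset of RFC 959 command verbs (constructed allow-list for the example).
RFC959_VERBS = {"USER", "PASS", "CWD", "PORT", "PASV", "TYPE", "RETR",
                "STOR", "LIST", "QUIT", "NOOP", "SYST"}
# Constructed sample signatures, not taken from any vendor database.
SIGNATURES = {
    "path-traversal": re.compile(rb"\.\./\.\./"),
    "oversized-arg": re.compile(rb"[^\r\n]{256,}"),
}

def header_check(dst_port):
    """Plain L3/L4 filtering: only the destination port is examined."""
    return dst_port == 21

def protocol_check(line):
    """Protocol inspection: is this a well-formed RFC 959 command line?"""
    if not line.endswith(b"\r\n"):
        return "no CRLF terminator"
    verb, _, arg = line[:-2].partition(b" ")
    if verb.decode("ascii", "replace").upper() not in RFC959_VERBS:
        return "unknown verb"
    if verb.upper() == b"PORT":  # expects h1,h2,h3,h4,p1,p2 each 0-255
        parts = arg.split(b",")
        if len(parts) != 6 or not all(p.isdigit() and int(p) <= 255 for p in parts):
            return "malformed PORT argument"
    return None

def signature_check(line):
    """Signature-based payload inspection: pattern match on the bytes."""
    return [name for name, rx in SIGNATURES.items() if rx.search(line)]

def inspect(dst_port, line):
    """Return (verdict, reason) after applying the three layers in order."""
    if not header_check(dst_port):
        return ("drop", "header: port not permitted")
    problem = protocol_check(line)
    if problem:
        return ("drop", "protocol: " + problem)
    hits = signature_check(line)
    if hits:
        return ("drop", "signature: " + ",".join(hits))
    return ("accept", "clean")

# Constructed FTP control-channel lines.
SAMPLES = [b"USER anonymous\r\n", b"PORT 10,0,0,5,300,1\r\n",
           b"XFOO bar\r\n", b"RETR ../../etc/passwd\r\n", b"LIST\n"]
if __name__ == "__main__":
    for s in SAMPLES:
        print(s, inspect(21, s))
```

A header-only filter accepts all five sample lines on port 21; the protocol layer drops the three that are not well-formed RFC 959 commands without needing any signature, and only the signature layer catches the syntactically valid `RETR` line.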

