Tilted Forum Project Discussion Community - View Single Post

bendsley · 09-26-2005, 10:18 AM

To expand on what Pragma said, which I am in complete agreeance with him, packet inspection might be happening at mutiple layers.

The reality of modern application demands and capabilities require that firewalls with a much more intimate level of knowledge of the application payload. Emerging applications utilizing XML and Simple Object Access Protocol (SOAP) require the firewall to monitor the content within the packets at wire-speed. Additionally, applications which can change their communication ports in order to bypass outbound filtering or those which tunnel within commonly allowed ports (such as 80/TCP) must be monitored as well in order to provide for the maximum amount of security within the network.

To address the limitations of Packet-Filtering, Application Proxy, and Stateful Inspection, a technology known as Deep Packet Inspection (DPI) was developed. DPI operates at L3-7 of the OSI model. DPI engines parse the entire IP packet, and make forwarding decisions by means of a rule-based logic that is based upon signature or regular expression matching. That is, they compare the data within a packet payload to a database of predefined attack signatures (a string of bytes). Additionally, statistical or historical algorithms may supplement static pattern matching.

Analysis of packet headers can be done economically since the locations of packet header fields are restricted by protocol standards. However, the payload contents are, for the most part, unconstrained. Therefore, searching through the payload for multiple string patterns within the datastream is a computationally expensive task. The requirement that these searches be performed at wirespeed adds to the cost. Additionally, because the signature database is dynamic, it must be easily updateable. Promising approaches to these problems include a software-based approach (Snort implementing the Boyer-Moore algorithm), and a hardware-based approach (FPGA's running a Bloom filter algorithm).

DPI technology can be effective against buffer overflow attacks, denial of service (DoS) attacks, sophisticated intrusions, and a small percentage of worms that fit within a single packet.

I guess that was more than you really were asking for, but I am assuming the college is probably running some pretty expensive equipment to span the student/staff/ faculty body. When I worked as a network admin. for the college I was attending, we setup multiple Cisco 5505 chassis with 48 port cards, dual supervisor engines, etc. Expensive equipment as well, and it can aid in doing packet inspection.

Anyway, yeah, it looks like you don't have much of an option if the school is doing any SPI or similar.

09-26-2005, 10:18 AM	#10 (permalink)
bendsley Professional Loafer Location: texas	To expand on what Pragma said, which I am in complete agreeance with him, packet inspection might be happening at mutiple layers. The reality of modern application demands and capabilities require that firewalls with a much more intimate level of knowledge of the application payload. Emerging applications utilizing XML and Simple Object Access Protocol (SOAP) require the firewall to monitor the content within the packets at wire-speed. Additionally, applications which can change their communication ports in order to bypass outbound filtering or those which tunnel within commonly allowed ports (such as 80/TCP) must be monitored as well in order to provide for the maximum amount of security within the network. To address the limitations of Packet-Filtering, Application Proxy, and Stateful Inspection, a technology known as Deep Packet Inspection (DPI) was developed. DPI operates at L3-7 of the OSI model. DPI engines parse the entire IP packet, and make forwarding decisions by means of a rule-based logic that is based upon signature or regular expression matching. That is, they compare the data within a packet payload to a database of predefined attack signatures (a string of bytes). Additionally, statistical or historical algorithms may supplement static pattern matching. Analysis of packet headers can be done economically since the locations of packet header fields are restricted by protocol standards. However, the payload contents are, for the most part, unconstrained. Therefore, searching through the payload for multiple string patterns within the datastream is a computationally expensive task. The requirement that these searches be performed at wirespeed adds to the cost. Additionally, because the signature database is dynamic, it must be easily updateable. Promising approaches to these problems include a software-based approach (Snort implementing the Boyer-Moore algorithm), and a hardware-based approach (FPGA's running a Bloom filter algorithm). DPI technology can be effective against buffer overflow attacks, denial of service (DoS) attacks, sophisticated intrusions, and a small percentage of worms that fit within a single packet. I guess that was more than you really were asking for, but I am assuming the college is probably running some pretty expensive equipment to span the student/staff/ faculty body. When I worked as a network admin. for the college I was attending, we setup multiple Cisco 5505 chassis with 48 port cards, dual supervisor engines, etc. Expensive equipment as well, and it can aid in doing packet inspection. Anyway, yeah, it looks like you don't have much of an option if the school is doing any SPI or similar. __________________ "You hear the one about the fella who died, went to the pearly gates? St. Peter let him in. Sees a guy in a suit making a closing argument. Says, "Who's that?" St. Peter says, "Oh, that's God. Thinks he's Denny Crane."