Sunday, August 9, 2015

Application layer inspection firewall

Routers are traditionally layer 3 devices in the OSI model, but current routers can also operate at higher layers, up to layer 7 (the application layer).
Among the new capabilities, vendors have added security features such as application inspection.
These give us finer control over the communication process, breaking the old assumption that port equals protocol: HTTP = TCP 80, VNC = TCP 5900, Microsoft Terminal Server = TCP 3389, and so on.

I would like to demonstrate application inspection on products from two network vendors: Cisco Systems and Kerio Technologies.
Cisco Systems introduced the Zone Based Firewall in 2006; Kerio Technologies introduced its Content Filter in 2013.

The two lab environments are described below.

Scenario:
A network admin did a typical configuration: an L3/L4 extended ACL allowing only TCP traffic with destination port TCP 80 from network A to network B. Later the admin discovered a security risk: some users had changed the Microsoft Terminal Server (RDP) listening port from the default TCP 3389 to TCP 80, so their RDP sessions passed straight through the port-based ACL. A stateless L3/L4 filter cannot tell RDP on port 80 from HTTP on port 80; this is the reason to add a new security level with application inspectors.

Elements of this laboratory (Cisco Systems Zone Based Firewall):
- Host computer capable of virtualization
- GNS3
- - 1 router running Cisco IOS K9 (c2691-adventerprisek9-mz.124-15.T14)
- Oracle VirtualBox
- - 3 guests

Router configured with L3/L4 extended ACL:
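The original configuration screenshot is not available on this page, so the following is an added example of the port-based configuration the scenario describes, not the author's own config. The addressing (network A = 192.168.1.0/24 on FastEthernet0/0, network B = 192.168.2.0/24 on FastEthernet0/1) and the ACL name A-TO-B are assumptions for the lab:

```cisco
! Added example, not the author's original configuration.
! Assumptions: network A = 192.168.1.0/24 on FastEthernet0/0,
! network B = 192.168.2.0/24 on FastEthernet0/1, ACL name A-TO-B.
!
interface FastEthernet0/0
 description Network A (clients)
 ip address 192.168.1.1 255.255.255.0
 ip access-group A-TO-B in
!
interface FastEthernet0/1
 description Network B (servers)
 ip address 192.168.2.1 255.255.255.0
!
! Stateless L3/L4 filter: only addresses and the destination port are
! checked. An RDP service listening on TCP 80 is indistinguishable from
! a web server here, which is exactly the weakness in the scenario.
ip access-list extended A-TO-B
 permit tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 80
 deny   ip any any log
```

To reproduce the problem, change the RDP listening port on a guest in network B to 80 and connect from a guest in network A with `mstsc /v:<server>:80`; `show access-lists A-TO-B` on the router will show the permit counter increasing, because the ACL only sees TCP port 80.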





Router configured as an application layer firewall (Zone Based Firewall):
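Again the screenshot is not on the page, so this is an added Zone Based Firewall example written for the same scenario, not the author's configuration. It assumes the same topology as the ACL lab (FastEthernet0/0 = network A, FastEthernet0/1 = network B, a previously applied ACL named A-TO-B); the zone, class-map and policy-map names are my own:

```cisco
! Added example, not the author's original configuration.
! Assumed topology: FastEthernet0/0 = network A, FastEthernet0/1 =
! network B; zone/class/policy names are illustrative.
!
! Remove the port-based ACL so the zone policy is the only control.
interface FastEthernet0/0
 no ip access-group A-TO-B in
!
! Layer 7 checks applied to sessions classified as HTTP: a session on
! the HTTP port whose payload is not HTTP (e.g. RDP moved to TCP 80)
! violates the protocol and is reset and logged.
class-map type inspect http match-any CM-HTTP-L7
 match req-resp protocol-violation
 match request port-misuse any
!
policy-map type inspect http PM-HTTP-L7
 class type inspect http CM-HTTP-L7
  reset
  log
!
! Layer 3/4 class: sessions recognised as HTTP from A to B.
class-map type inspect match-any CM-WEB
 match protocol http
!
policy-map type inspect PM-A-TO-B
 class type inspect CM-WEB
  inspect
  service-policy http PM-HTTP-L7
 class class-default
  drop log
!
zone security ZONE-A
zone security ZONE-B
!
zone-pair security ZP-A-TO-B source ZONE-A destination ZONE-B
 service-policy type inspect PM-A-TO-B
!
interface FastEthernet0/0
 zone-member security ZONE-A
!
interface FastEthernet0/1
 zone-member security ZONE-B
```

Two caveats a practitioner should keep in mind. First, `match protocol http` alone still classifies by the port-to-application mapping (TCP 80), so the layer 7 policy attached with `service-policy http` is what actually catches RDP hiding on port 80; without it, the stateful inspection would happily track the session. Second, no zone-pair from ZONE-B back to ZONE-A is needed for the web traffic, because `inspect` permits the return flow of the sessions it tracks. Check the result with `show policy-map type inspect zone-pair ZP-A-TO-B sessions` and watch the log for the reset.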





Elements of this laboratory (Kerio Control, version 8.6.0 3693P1):
- Host computer capable of virtualization
- Oracle VirtualBox
- - Guests

In Kerio Control, application inspection is supported only between different zones (for example Trusted vs. Internet); at the time of writing it cannot be applied to traffic routed between internal networks.








Below are two screenshots to give a visual idea of how an application inspector determines the type of traffic: the session is classified by the protocol exchange in the payload, not by the destination port.





Conclusion:
Application inspection is not an easy job, and the results are often unexpected. It requires strong knowledge of both the network and the software running on it, but it is necessary to guarantee security once port numbers alone can no longer be trusted to identify the application.