Sunday, August 9, 2015

Application layer inspection firewall

Routers are layer 3 devices in the OSI model, but current routers are able to operate at higher layers, up to layer 7 (the application layer).
Among the new capabilities, vendors have introduced security features such as application inspection.
These improvements give us more control over the communication process, breaking the established equivalences HTTP = TCP 80, VNC = TCP 5900, Microsoft Terminal Server = TCP 3389, and so on: the destination port no longer decides what a session is.

I would like to demonstrate application inspection from two network vendors: Cisco Systems and Kerio Technologies.
Cisco Systems introduced the Zone Based Firewall in 2006; Kerio Technologies introduced its Content Filter in 2013.

Below are the two lab environments.

A network admin did a typical configuration, using an L3/L4 extended ACL that allows only TCP traffic with destination port TCP 80 from network A to network B. The admin then discovered a security risk: some users changed the Microsoft Terminal Server service port from the default TCP 3389 to TCP 80, so their RDP sessions pass the ACL as if they were HTTP. This is the reason to add a new security level through application inspectors.

Elements of this laboratory (Cisco Systems Zone Based Firewall):
- Host computer capable to virtualize
- GNS3
- - 01 router running Cisco IOS K9 (c2691-adventerprisek9-mz.124-15.T14)
- Oracle VirtualBox
- - 03 guests

Router configured with L3/L4 extended ACL:

Router configured as Application layer Firewall:

Elements of this laboratory (Kerio Control, version 8.6.0 3693P1):
- Host computer capable to virtualize
- Oracle VirtualBox
- - Guests

Application inspection on Kerio Control is supported only between different zones (Trusted vs. Internet); at the moment it is not available for traffic routed between internal networks.

Below are two screenshots to give a visual idea of how an application inspector determines the type of traffic.
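To make the difference between the two approaches concrete, here is an added example (my own code, not from the original post, from Cisco or from Kerio) of how an inspector tells RDP from HTTP by looking at the first bytes of a session instead of the port, and what happens to the lab scenario above (Terminal Server moved to TCP 80) under a port-based ACL versus an application-aware policy. The network addresses, the flows and the signature set are constructed for the example; the protocol fingerprints come from the public HTTP, RFB (VNC) and TPKT/X.224 (RDP) formats.

```python
"""Toy layer-7 inspector: classify a TCP session by its first payload bytes,
then compare a port-based (L3/L4) policy with an application-aware (L7) one.
Added example, not the original post's router configuration."""
import re
from dataclasses import dataclass

# Fingerprints of the first payload bytes seen on a session. A real inspector
# engine carries far more of these; three are enough to show the idea.
HTTP_REQUEST = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n")
# VNC: the server sends the RFB banner first and the client echoes it back.
RFB_BANNER = re.compile(rb"^RFB \d{3}\.\d{3}\n")


def classify(first_payload: bytes) -> str:
    """Guess the application from the first bytes on the wire, whatever the port."""
    if HTTP_REQUEST.match(first_payload):
        return "http"
    if RFB_BANNER.match(first_payload):
        return "vnc"
    # RDP: a TPKT header (version 3, reserved 0, 16-bit total length) carrying
    # an X.224 Connection Request TPDU (code 0xE0 in the high nibble).
    if (len(first_payload) >= 7
            and first_payload[0] == 0x03 and first_payload[1] == 0x00
            and int.from_bytes(first_payload[2:4], "big") <= len(first_payload)
            and first_payload[5] & 0xF0 == 0xE0):
        return "rdp"
    return "unknown"


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    first_payload: bytes


def l4_policy(flow: Flow) -> str:
    """The admin's extended ACL from the lab: permit tcp <A> <B> eq 80."""
    return "permit" if flow.dport == 80 else "deny"


def l7_policy(flow: Flow) -> str:
    """Inspect policy: only sessions that really speak HTTP pass, on any port."""
    return "permit" if classify(flow.first_payload) == "http" else "drop"


# Constructed sample sessions from network A (10.1.1.0/24) to network B (10.2.2.0/24).
# RDP_CONNECT is a TPKT + X.224 Connection Request + RDP_NEG_REQ (19 bytes).
RDP_CONNECT = bytes.fromhex("030000130ee000000000000100080003000000")
SAMPLE_FLOWS = [
    Flow("10.1.1.10", "10.2.2.20", 80, b"GET /index.html HTTP/1.1\r\nHost: 10.2.2.20\r\n\r\n"),
    Flow("10.1.1.11", "10.2.2.20", 80, RDP_CONNECT),    # Terminal Server moved to TCP 80
    Flow("10.1.1.12", "10.2.2.20", 3389, RDP_CONNECT),  # Terminal Server on its default port
    Flow("10.1.1.13", "10.2.2.20", 5900, b"RFB 003.008\n"),
    Flow("10.1.1.14", "10.2.2.20", 8080, b"GET / HTTP/1.0\r\n\r\n"),
]


def evaluate(flows=SAMPLE_FLOWS):
    """Return (application, L4 verdict, L7 verdict) per flow for comparison."""
    return [(classify(f.first_payload), l4_policy(f), l7_policy(f)) for f in flows]


if __name__ == "__main__":
    for f, (app, l4, l7) in zip(SAMPLE_FLOWS, evaluate()):
        print(f"{f.src} -> {f.dst}:{f.dport:<5} app={app:<8} "
              f"L4-ACL={l4:<6} L7-inspect={l7}")
```

The second flow is the one from the lab: the ACL permits it because the destination port is 80, while the inspector sees a TPKT/X.224 connection request, labels it RDP and drops it. The example's L7 policy deliberately ignores the port (HTTP on 8080 is permitted) to show that the decision is made on the protocol; real products usually combine port and protocol matching, and an inspector that has no fingerprint for a protocol, or that only looks at the client's first segment when the server speaks first, will classify it as unknown, which is one source of the unexpected results mentioned in the conclusion.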

Application inspection is not an easy job. The results are often unexpected, and it requires strong knowledge of the network and of the software running on it, but it is necessary to guarantee security.


  1. Honestly, what I liked most was the conclusion... =)


  5. Pretty great post. I simply stumbled upon your blog and wanted to mention that I have really loved surfing around your blog posts. Great set of tips from the master himself. Excellent ideas. Thanks for Awesome tips Keep it