blocked. The increasing variety of protocols adds to the complexity of the problem. It is
quite common for products to wrap a risky protocol inside a less risky one to increase
the chance of passing through a firewall. Since inbound HTTP is so common these
days, it is often the protocol of choice. Furthermore, the information used to
identify the protocol type can also be altered. For example, port 23 is the standard
“well known port” for e-mail. Since it is usually taken for granted that other machines
use this port for that purpose, if an application uses port 23 without prior
arrangement then the firewall machine risks either blocking benign, convenient
access or allowing a malicious attempt in disguise. An insider could easily configure
an e-mail server to listen on a different port and bypass the firewall block as long as the
correspondent knows about the port change. By the same token, it is also possible
to modify the TCP header and even forge the TCP header checksum. There is no sure
way for the firewall or router to know how a packet is being used without detailed
analysis. The previously mentioned volume issue, coupled with the protocol variety,
makes this an infeasible option.
Fig. 2. Protocol varieties create holes on the firewall (protocols shown in the figure: HTTP, Telnet, SMTP, SecIOP, XVNEW, IOS, FTP, JavaScript, IIOP, ActiveX, SNMP, SSL, X Windows, Socks, Java)
3.3 Visibility
Increasing usage of encryption technology also presents another obstacle that
prevents firewall and router machines from examining packets in detail.
Application-level encryption obscures the data while leaving the packet header
information alone. When monitoring, the network devices must trust the packet header
information without being able to look inside. They have no way to tell that what looks
like a normal web page being sent out from the company's public web server is
really an e-mail or a telnet session.
The usage of application-level encryption such as PGP and S/MIME encrypted
e-mail is gaining ground. Packet-level protection is being provided by protocols such
as SSL and its successor, TLS. This provides protection for TCP-level network
connections. For levels above IP, IPSec is coming into play today. IPSec is designed
not only to protect data at the packet level, but also to protect the network
infrastructure itself. Thus, IPSec encrypts and digitally signs all of the header
information in the protocols that it wraps. This includes all TCP headers along with
the associated checksum, packet type and TCP port number.
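The two problems described above (a protocol relocated to a port that implies a different one, and an encrypted payload that leaves only the header to trust) can be made concrete with a small port-versus-payload consistency check of the kind a firewall or intrusion detection sensor would have to run. The following is an added example, not code from the original text: the well-known-port table, the banner signatures and the sample flows (with invented addresses, hostnames and payload bytes) are all assumptions made for the illustration.

```python
"""Port-vs-payload consistency check on constructed flow samples (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# Protocol that a port-based filter would assume for each destination port
# (assumption: a small subset of the IANA well-known ports).
PORT_PROTOCOL = {21: "FTP", 22: "SSH", 23: "TELNET", 25: "SMTP", 80: "HTTP", 443: "TLS"}

# Cleartext banners / request lines that identify the application protocol
# regardless of port. Each regex is applied to the first bytes of the flow.
PAYLOAD_SIGNATURES = [
    ("SMTP", re.compile(rb"^220[ -][^\r\n]*E?SMTP", re.IGNORECASE)),
    ("FTP", re.compile(rb"^220[ -][^\r\n]*FTP", re.IGNORECASE)),
    ("SSH", re.compile(rb"^SSH-\d\.\d-")),
    ("HTTP", re.compile(rb"^(?:GET|POST|PUT|HEAD|CONNECT|HTTP/1\.[01]) ")),
    ("TELNET", re.compile(rb"^\xff[\xfb-\xfe]")),  # IAC WILL/WONT/DO/DONT negotiation
]


@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    payload: bytes  # first bytes observed on the connection


def classify_payload(payload: bytes) -> Optional[str]:
    """Best-effort protocol identification from the leading bytes.

    Returns a protocol name, "TLS" for a TLS record (the inner application
    protocol is encrypted and not recoverable), or None if nothing matched.
    """
    # TLS record header: content type 0x16 (handshake), version 0x03 0x00..0x04.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04:
        return "TLS"
    for name, pattern in PAYLOAD_SIGNATURES:
        if pattern.search(payload):
            return name
    return None


def check_flow(flow: Flow) -> dict:
    """Compare what the destination port implies with what the payload shows."""
    by_port = PORT_PROTOCOL.get(flow.dst_port)
    by_payload = classify_payload(flow.payload)
    if by_payload is None:
        verdict = "unknown"            # no signature: the port is the only hint left
    elif by_port is None:
        verdict = "unregistered-port"  # payload identified, port not in the table
    elif by_port != by_payload:
        verdict = "mismatch"           # protocol running on a port that implies another
    elif by_payload == "TLS":
        verdict = "opaque"             # encrypted: headers are all the sensor can trust
    else:
        verdict = "consistent"
    return {"flow": f"{flow.src}->{flow.dst}:{flow.dst_port}",
            "by_port": by_port, "by_payload": by_payload, "verdict": verdict}


def audit(flows) -> list:
    """Run the consistency check over a list of flows."""
    return [check_flow(f) for f in flows]


# Constructed sample flows (addresses from documentation ranges, banners invented).
TLS_CLIENT_HELLO_PREFIX = bytes.fromhex("160301002a010000260303") + b"\x00" * 32
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 25, b"220 mail.example.test ESMTP Postfix\r\n"),
    Flow("10.0.0.5", "203.0.113.10", 23, b"220 mail.example.test ESMTP Postfix\r\n"),
    Flow("10.0.0.7", "203.0.113.20", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    Flow("10.0.0.7", "203.0.113.20", 443, TLS_CLIENT_HELLO_PREFIX),
    Flow("10.0.0.9", "203.0.113.30", 80, TLS_CLIENT_HELLO_PREFIX),
    Flow("10.0.0.9", "203.0.113.40", 8022, b"SSH-2.0-OpenSSH_9.6\r\n"),
]

if __name__ == "__main__":
    for result in audit(SAMPLE_FLOWS):
        print(f"{result['flow']:<28} port={result['by_port']!s:<7} "
              f"payload={result['by_payload']!s:<7} -> {result['verdict']}")
```

The second sample flow is the page's scenario of a mail server answering on port 23: the port-based view says telnet, the banner says SMTP, and only the comparison exposes the disagreement. The fourth and fifth flows show the visibility limit: once the payload is a TLS record, the check can report at most "TLS" (or, on port 80, that TLS is not HTTP), and nothing about whether a web page, an e-mail or a telnet session is inside. The banner signatures are heuristics as well; a payload that is obfuscated, encrypted or simply does not start with a banner falls into "unknown", which is exactly the gap the text describes.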