Getting Deeper into Network Traffic


Corey Nachreiner, CISSP and Director of Security Research, WatchGuard suggests that it is not always right to judge a book by its cover

First impressions only tell us so much. A book cover, for example, may give you some idea of what to expect — but you won’t really know what it’s all about until you read it. In the world of traditional network security, many solutions treat network traffic a bit like people who judge books by their cover.

These legacy appliances look at just enough of the network traffic to make educated guesses about its risk; but they lack sufficient context to make robust security decisions. To get enough security intelligence to protect against today’s sophisticated threat landscape, you have to dig deeper. You have to go to Layer-7.

Layer-7 is the application layer of the Open Systems Interconnection (OSI) model that characterises network communications in seven abstract layers. Most traditional network security appliances, like stateful firewalls, only pay attention to the first three or four OSI layers. The networking Layer-3 tells you about the IP addresses and ports associated with a particular communication while the transport Layer-4 provides information about the state of connections.

But the information found in these first four layers only gives you basic knowledge about network traffic. It tells you the sending and receiving IP addresses and the network port the traffic uses, but this is barely enough to decide whether to block or allow it. And it is what it allows that causes the problem.

Today, changes in the threat landscape and IT environment have significantly lessened the protection four-layer inspection offers. Attackers and software developers have realised that everyone allows certain business-critical protocols — things like Web, DNS, and email. And as a result, new attacks and business tools exploit these protocols to ensure communications can get through.

For example, the rise of Web 2.0 has resulted in thousands of network applications communicating using the standard web ports: port 80 (HTTP) and 443 (HTTPS). To a traditional four-layer security appliance, Facebook, Salesforce, Dropbox, Skype and BitTorrent all look the same. If you allow any web traffic through these legacy devices, your users can reach all these applications despite their differing risk and productivity profiles.

From a threat perspective, if attackers know web traffic is allowed, they will exploit drive-by download flaws to infect browsers and leverage web application flaws to steal data from servers. Since Layer-4 security appliances only act as an on/off switch for traffic, if you let any web traffic through, it all gets through.

Modern security appliances analyse all seven layers of network traffic, including the application layer. By understanding the application layer, these devices offer more intelligence about communications passing through ports. For instance, they can identify the specific applications being used, what files are transferred and the users associated with the communication, and even do security scanning at an application level to tell the difference between good and malicious traffic. This extra intelligence provides the context necessary to catch modern threats and to create more business-based security policies.
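To make the contrast between the port-based rule of the previous paragraphs and the application-aware one concrete, here is an added example that is not part of the article and not WatchGuard's code. It builds two constructed flows on the standard web ports (an HTTP request and a TLS ClientHello), shows that a Layer-4 rule allows both because it only sees the port, and then applies a Layer-7 policy that names the application from the HTTP `Host` header or the TLS Server Name Indication. The application labels, the domain-to-application table and the allow/deny verdicts are illustrative assumptions; a production engine classifies with protocol signatures and content scanning, not a name lookup.

```python
"""Layer-4 versus Layer-7 policy on constructed web flows (added example)."""
import struct

# --- Constructed sample traffic ------------------------------------------------

def http_request(host):
    """Constructed plaintext HTTP/1.1 request to `host` (what a Layer-7 engine sees on port 80)."""
    return f"GET / HTTP/1.1\r\nHost: {host}\r\nUser-Agent: example\r\n\r\n".encode()

def tls_client_hello(sni):
    """Constructed minimal TLS 1.2 ClientHello carrying only a server_name extension."""
    name = sni.encode()
    server_name = b"\x00" + struct.pack("!H", len(name)) + name       # name_type host_name
    sni_list = struct.pack("!H", len(server_name)) + server_name
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list            # extension type 0 = SNI
    exts = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03" + bytes(32) + b"\x00"        # version, random, empty session id
            + b"\x00\x02\x00\x2f"                     # one cipher suite
            + b"\x01\x00" + exts)                     # one compression method, extensions
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body   # handshake type 1, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # TLS record header

# --- Layer-7 extraction ---------------------------------------------------------

def extract_http_host(payload):
    """Return the lower-cased Host header of an HTTP/1.x request, or None."""
    try:
        head = payload.split(b"\r\n\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return None
    lines = head.split("\r\n")
    if not lines[0].endswith(("HTTP/1.1", "HTTP/1.0")):
        return None
    for line in lines[1:]:
        key, _, value = line.partition(":")
        if key.strip().lower() == "host":
            return value.strip().lower()
    return None

def extract_tls_sni(payload):
    """Walk record -> handshake -> ClientHello -> extensions and return the SNI, or None."""
    try:
        if len(payload) < 44 or payload[0] != 0x16 or payload[5] != 0x01:
            return None
        p = 9 + 2 + 32                                   # past handshake header, version, random
        p += 1 + payload[p]                              # session id
        p += 2 + struct.unpack("!H", payload[p:p + 2])[0]  # cipher suites
        p += 1 + payload[p]                              # compression methods
        ext_len = struct.unpack("!H", payload[p:p + 2])[0]
        p += 2
        end = p + ext_len
        while p + 4 <= end <= len(payload):
            etype, elen = struct.unpack("!HH", payload[p:p + 4])
            p += 4
            if etype == 0 and elen >= 5:                 # server_name: list len(2), type(1), len(2), name
                name_len = struct.unpack("!H", payload[p + 3:p + 5])[0]
                return payload[p + 5:p + 5 + name_len].decode("ascii", "replace").lower()
            p += elen
    except (struct.error, IndexError):
        return None
    return None

# --- Policies -------------------------------------------------------------------

# Assumed, illustrative mapping of server names to application labels.
APP_SIGNATURES = {
    "facebook.com": "social",
    "dropbox.com": "file-sharing",
    "salesforce.com": "crm",
}

# Assumed business policy expressed per application rather than per port.
POLICY = {"crm": "allow", "web-browsing": "allow", "social": "deny", "file-sharing": "deny"}

def classify(payload):
    """Name the application from Host or SNI; 'web-browsing' if unmatched, 'unknown' if no name."""
    name = extract_http_host(payload) or extract_tls_sni(payload)
    if name is None:
        return "unknown"
    for domain, app in APP_SIGNATURES.items():
        if name == domain or name.endswith("." + domain):
            return app
    return "web-browsing"

def layer4_verdict(dst_port):
    """Port-only rule: everything on 80/443 is 'web' and is let through."""
    return "allow" if dst_port in (80, 443) else "deny"

def layer7_verdict(dst_port, payload, policy=POLICY):
    """Application-aware rule: unknown or unclassified traffic is denied by default."""
    app = classify(payload)
    return policy.get(app, "deny"), app

if __name__ == "__main__":
    flows = [(80, http_request("www.facebook.com")),
             (443, tls_client_hello("login.salesforce.com")),
             (443, tls_client_hello("www.dropbox.com"))]
    for port, payload in flows:
        print(port, layer4_verdict(port), layer7_verdict(port, payload))
```

Running the block prints one line per flow: the Layer-4 column is `allow` for all three, while the Layer-7 column allows the CRM session and denies the social and file-sharing ones, which is exactly the gap the article describes. The SNI walk is bounds-checked so that a truncated or non-TLS payload yields `None` and falls into the `unknown` bucket rather than an exception; a Layer-7 engine that crashes or fails open on malformed input is itself a weakness.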

Security professionals can no longer rely on first impressions and rules simply based on ports and IPs. Layer-7 inspection is the only way to provide the necessary level of intelligence to create granular policies based on users, applications and risk.
