Netgate Discussion Forum
    Beginner Question about Layer 7 Firewalling

Firewalling

Kavatch
      Hey,
I'm relatively new to firewalls, so that's why this question may be a bit naive.

      I'm currently thinking about filtering network traffic on the 7th layer.
      I want to look at the packet and check if it contains certain values which I would then like to block.
Is a firewall designed for this kind of task at all? If so, can pfSense do it the way I imagine it? And if the answer to that is also yes, where does it work?

      I am also prepared to become very intensively engaged in the topic of firewalls.

Gertjan @Kavatch

        @Kavatch said in Beginner Question about the 7th Layer of Firewalling:

        network traffic on the 7th layer.

        You should take ownership of every device that is connected to your network. As most companies do. The user using the device should have less authority over the device.
This way you can control what applications a user can or can't install, and thus control user access.

        But you should probably read https://en.wikipedia.org/wiki/OSI_model again and redo your question.

        No "help me" PM's please. Use the forum, the community will thank you.
Edit: and where are the logs??

Kavatch @Gertjan

          @Gertjan Thanks for your answer.
          However, I'm afraid my question was somewhat misunderstood, since I did not express myself properly.
My situation is as follows: I have a server running several services that are intended to be accessible from the Internet. (There should be no other devices in the network.) What I want to do now is that all packets sent to the server - on port X - are checked on layer 7 for their content. (The TCP payload.)
          And as I said, I don't even know if a firewall is even suitable for this purpose. It was just the first thing that popped into my head.

bmeeks @Kavatch

            @Kavatch said in Beginner Question about Layer 7 Firewalling:

            @Gertjan Thanks for your answer.
            However, I'm afraid my question was somewhat misunderstood, since I did not express myself properly.
My situation is as follows: I have a server running several services that are intended to be accessible from the Internet. (There should be no other devices in the network.) What I want to do now is that all packets sent to the server - on port X - are checked on layer 7 for their content. (The TCP payload.)
            And as I said, I don't even know if a firewall is even suitable for this purpose. It was just the first thing that popped into my head.

            The answer to your question is "yes" and also "no". Let me explain. Most application traffic today is encrypted either via SSL or sometimes via proprietary algorithms. A firewall examining Layer 7 traffic would only be able to see the encrypted data unless you implement some type of man-in-the-middle (MITM) SSL intercept. Using MITM usually breaks things, or at the very least greatly complicates a security administrator's job. MITM also violates trust. For this reason and the former ones, MITM setups are best avoided in my opinion.

            However, there are tools that can examine the start of certain application conversations, and from the header and preamble bits, these tools can make an educated guess about what type of data communication is occurring (Snapchat, Facebook, etc.). The Snort package on pfSense offers OpenAppID which implements this technology. It's not perfect and it won't catch everything, but it can be a help. Just remember that OpenAppID can only identify the type of traffic -- not the actual content. So it would detect that Mary in accounting was using Facebook, but it would not know whether Mary was maligning her boss on Facebook or talking about what a wonderful, caring human being the boss is ... 😉 .

            Here are some reference links on OpenAppID --

            Snort Team Webinar Presentation

            Netgate Blog Post on OpenAppID (follow the other links embedded within the post for configuration instructions)

            Snort Team 2014 OpenAppID Intro

P.J @Kavatch

              @Kavatch The Layer 7 is the Application Layer to which your services 'talk' to. If you want to check stuff at that layer, your services should do it.

Normally, if you want to inspect the content of a packet or segment, you do it at Layer 3 or 4. IDS and IPS will let you check the content of packets or segments, as does a proxy filtering mechanism. Then upon packet inspection (what are you looking for?) you can take action.

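The two points made above (bmeeks: an inspecting device sees only ciphertext on an encrypted connection, but the handshake preamble still reveals the kind of traffic; P.J: payload content checks are what an IDS/IPS rule does) can be shown in a few lines of code. The following is an added illustration, not code from this thread, from pfSense or from Snort. It implements a Snort-style `content:` match with `offset`/`depth` over a TCP payload, and a minimal parser that pulls the Server Name Indication (SNI) out of a TLS ClientHello, which is the sort of unencrypted "header and preamble bits" an application-identification engine can use. Both sample payloads are constructed inline; nothing here is a real capture, and the plaintext HTTP request, the hostname `example.test` and the hypothetical pattern `/admin` are all assumptions chosen for the demonstration.

```python
import struct
from typing import Optional

# Constructed sample payloads (not captured from any real network).
HTTP_PAYLOAD = (
    b"GET /admin/login HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"User-Agent: curl/8.0\r\n\r\n"
)


def tls_client_hello(sni: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record carrying an SNI extension.

    Only the fields the parser below needs are populated; the cipher suite
    (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) and zeroed random are placeholders.
    """
    host = sni.encode("ascii")
    server_name = struct.pack("!BH", 0, len(host)) + host        # name_type=host_name
    sni_list = struct.pack("!H", len(server_name)) + server_name
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list    # extension type 0 = server_name
    exts = struct.pack("!H", len(ext)) + ext
    body = (
        b"\x03\x03" + bytes(32)     # client_version (TLS 1.2) + 32-byte random
        + b"\x00"                   # session_id length 0
        + b"\x00\x02\xc0\x2f"       # one cipher suite
        + b"\x01\x00"               # one compression method: null
        + exts
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type=ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record: handshake, TLS 1.0 legacy version


def content_match(payload: bytes, pattern: bytes, offset: int = 0, depth: Optional[int] = None) -> bool:
    """Snort-style content match: search for pattern within payload[offset:offset+depth].

    This is what a `content:"/admin"; offset:4; depth:20;` style rule does. Against an
    encrypted payload it only ever sees ciphertext, so a plaintext pattern cannot match.
    """
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return pattern in window


def extract_sni(payload: bytes) -> Optional[str]:
    """Return the SNI hostname from a TLS ClientHello, or None if the payload is not one.

    Every length field is bounds-checked so a truncated or hostile payload returns None
    instead of raising.
    """
    if len(payload) < 5 or payload[0] != 0x16:          # not a TLS handshake record
        return None
    rec_len = struct.unpack("!H", payload[3:5])[0]
    hs = payload[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                    # not a ClientHello
        return None
    pos = 4 + 2 + 32                                    # header, client_version, random
    if pos >= len(hs):
        return None
    pos += 1 + hs[pos]                                  # session_id
    if pos + 2 > len(hs):
        return None
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher_suites
    if pos >= len(hs):
        return None
    pos += 1 + hs[pos]                                  # compression_methods
    if pos + 2 > len(hs):
        return None
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= min(end, len(hs)):                 # walk the extension list
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        edata = hs[pos:pos + elen]
        pos += elen
        if etype == 0x0000 and len(edata) >= 5:         # server_name: list_len(2) name_type(1) name_len(2) name
            name_len = struct.unpack("!H", edata[3:5])[0]
            if edata[2] == 0 and len(edata) >= 5 + name_len:
                return edata[5:5 + name_len].decode("ascii", "replace")
    return None


def inspect(payload: bytes, pattern: bytes) -> dict:
    """Summarise what an inline inspector can learn from one TCP payload."""
    return {
        "content_match": content_match(payload, pattern),
        "looks_like_tls": payload[:1] == b"\x16",
        "sni": extract_sni(payload),
    }


if __name__ == "__main__":
    print(inspect(HTTP_PAYLOAD, b"/admin"))                         # plaintext: pattern found, no SNI
    print(inspect(tls_client_hello("example.test"), b"/admin"))    # TLS: no match, but SNI visible
```

Run against the plaintext request the content match fires; run against the TLS ClientHello it never can, yet the hostname the client is connecting to is still readable, which is exactly the "type of traffic, not the actual content" distinction bmeeks draws. Anything after the handshake is ciphertext and would need a MITM intercept to inspect.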
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.