• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Beginner Question about Layer 7 Firewalling

Scheduled Pinned Locked Moved Firewalling
5 Posts 4 Posters 675 Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • K
    Kavatch
    last edited by Kavatch Dec 27, 2019, 7:38 AM Dec 26, 2019, 10:49 PM

    Hey,
    I'm relatively new to Firewalls, so that why this Question Maybe a bit naive.

    I'm currently thinking about filtering network traffic on the 7th layer.
    I want to look at the packet and check if it contains certain values which I would then like to block.
    Is a firewall designed for this kind of task at all? If so, can Pf Sense do it the way I imagine it? And if the answer to that is also yes, where does it work?

    I am also prepared to become very intensively engaged in the topic of firewalls.

    G 1 Reply Last reply Dec 27, 2019, 6:31 AM Reply Quote 0
    • G
      Gertjan @Kavatch
      last edited by Dec 27, 2019, 6:31 AM

      @Kavatch said in Beginner Question about the 7th Layer of Firewalling:

      network traffic on the 7th layer.

      You should take ownership of every device that is connected to your network. As most companies do. The user using the device should have less authority over the device.
      This way you can control what applications user can or can't install, and thus control user access.

      But you should probably read https://en.wikipedia.org/wiki/OSI_model again and redo your question.

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

      K 1 Reply Last reply Dec 27, 2019, 7:31 AM Reply Quote 0
      • K
        Kavatch @Gertjan
        last edited by Dec 27, 2019, 7:31 AM

        @Gertjan Thanks for your answer.
        However, I'm afraid my question was somewhat misunderstood, since I did not express myself properly.
        My situation is as follows: I have a server running several services that are intended to be accessible from the Internet. ( There should be no other devices in the network ) What I want to do now is that all packets sent to the server - on port X - are checked on layer 7 for their content. (The TCP Payload)
        And as I said, I don't even know if a firewall is even suitable for this purpose. It was just the first thing that popped into my head.

        B P 2 Replies Last reply Dec 27, 2019, 2:50 PM Reply Quote 0
        • B
          bmeeks @Kavatch
          last edited by bmeeks Dec 29, 2019, 3:14 AM Dec 27, 2019, 2:50 PM

          @Kavatch said in Beginner Question about Layer 7 Firewalling:

          @Gertjan Thanks for your answer.
          However, I'm afraid my question was somewhat misunderstood, since I did not express myself properly.
          My situation is as follows: I have a server running several services that are intended to be accessible from the Internet. ( There should be no other devices in the network ) What I want to do now is that all packets sent to the server - on port X - are checked on layer 7 for their content. (The TCP Payload)
          And as I said, I don't even know if a firewall is even suitable for this purpose. It was just the first thing that popped into my head.

          The answer to your question is "yes" and also "no". Let me explain. Most application traffic today is encrypted either via SSL or sometimes via proprietary algorithms. A firewall examining Layer 7 traffic would only be able to see the encrypted data unless you implement some type of man-in-the-middle (MITM) SSL intercept. Using MITM usually breaks things, or at the very least greatly complicates a security administrator's job. MITM also violates trust. For this reason and the former ones, MITM setups are best avoided in my opinion.

          However, there are tools that can examine the start of certain application conversations, and from the header and preamble bits, these tools can make an educated guess about what type of data communication is occurring (Snapchat, Facebook, etc.). The Snort package on pfSense offers OpenAppID which implements this technology. It's not perfect and it won't catch everything, but it can be a help. Just remember that OpenAppID can only identify the type of traffic -- not the actual content. So it would detect that Mary in accounting was using Facebook, but it would not know whether Mary was maligning her boss on Facebook or talking about what a wonderful, caring human being the boss is ... 😉 .

          Here are some reference links on OpenAppID --

          Snort Team Webinar Presentation

          Netgate Blog Post on OpenAppID (follow the other links embedded within the post for configuration instructions)

          Snort Team 2014 OpenAppID Intro

          1 Reply Last reply Reply Quote 1
          • P
            P.J @Kavatch
            last edited by Dec 31, 2019, 6:24 PM

            @Kavatch The Layer 7 is the Application Layer to which your services 'talk' to. If you want to check stuff at that layer, your services should do it.

            Normally, if you want to inspect the content of a packet or segment, you do it at Layer 3 or 4. IDS and IPS will let you check the content of packets or segment, as well as a proxy filtering mechanism. Then upon packet inspection (what are you looking for?) you can take action.

            1 Reply Last reply Reply Quote 0
            5 out of 5
            • First post
              5/5
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
              This community forum collects and processes your personal information.
              consent.not_received