Next generation feature - L7 application filtering



  • Hi all,

    I am relatively new to pfSense. Previously, I have managed Cyberguard, Cisco PIX, IPTables, FortiGate and Palo Alto firewalls. Specifically, the last two bring an interesting capability to the firewall rule base: adding application context to each rule.

    I wonder why pfSense stopped a project to deliver the same capability. I know that Snort rules can be adjusted to deliver the same functionality, but at what cost: a lot of administration, leading to mistakes. Many web-based applications use the HTTPS protocol to deliver a rich application interface to users. Imagine you could edit each firewall rule and specify an application (or applications) to match the rule, in addition to or instead of a port number! Allow users to access Dropbox to download but not upload any content? Not a problem :)

    Please vote to indicate your position.

    Warm regards

    Vladimir



  • @VladimirJirasek:

    Hi all,

    I am relatively new to pfSense. Previously, I have managed Cyberguard, Cisco PIX, IPTables, FortiGate and Palo Alto firewalls. Specifically, the last two bring an interesting capability to the firewall rule base: adding application context to each rule.

    I wonder why pfSense stopped a project to deliver the same capability. I know that Snort rules can be adjusted to deliver the same functionality, but at what cost: a lot of administration, leading to mistakes. Many web-based applications use the HTTPS protocol to deliver a rich application interface to users. Imagine you could edit each firewall rule and specify an application (or applications) to match the rule, in addition to or instead of a port number! Allow users to access Dropbox to download but not upload any content? Not a problem :)

    Please vote to indicate your position.

    Warm regards

    Vladimir

    If you've administered Palo Altos, you'll remember that there are thousands of applications that the Palo can identify, and that list grows by dozens every month. Someone (probably several someones) has to work hard to figure out how to identify these apps based on their network fingerprint. That isn't easy or fun. There isn't much incentive for anyone to maintain this database for free, not to mention the huge amount of bandwidth required to distribute these updates to every pfSense instance in the world.



  • pfSense 2.2.x had L7 filtering, but it was buggy and very slow from what I understand.



  • Snort seems like it is a better option to invest time & money in.

    If pfSense could seamlessly incorporate better L7 functionality than Snort I would likely use it, but that seems very unlikely.



  • Missing a "No, I'm fundamentally opposed for logical reasons" option. Same reason I'm against transparent HTTPS.



    Snort doesn't replace Layer 7 in pfSense from my point of view.

    It should be able to:
    traffic shape on Layer 7,
    identify applications for firewall rules,
    report on bandwidth usage (top applications or categories, as this could be very large).

    It would be a really nice feature, one which paid-for products do. The key thing is PAID-for products, and I appreciate how much effort it takes to identify and categorise traffic, so maybe this is a subscription system for the ident list but not the function; not sure.

    Either way, it would be a really nice feature to have and would keep pfSense up with the "Next-Gen" firewalls (sorry, I hate the term).

    Dev thoughts on this would be cool.



  • You may want to have a look at Sophos UTM (they have two different versions, and I'm not sure what the difference is). They are free for 50 IP addresses and under.

    They seem to have a pretty extensive list of applications to filter on.



  • Voted for "Yes, I need such a functionality now."

    Not for filtering/limiting, but for REPORTING.



  • The Sophos UTM isn't my thing.



    Those features are really often supported or tuned to be f* fast by using ASICs or FPGAs from
    well-known vendors like Xilinx or others, and only one of these FPGAs can be really expensive,
    which makes it more or less more expensive for all customers, or only a smaller group of them end
    up using them. For sure an add-in or add-on card with an FPGA could be done by ADI,
    but then this must also be profitable for them and not only for us.

    If I need a Next-Generation Firewall with DPI capabilities and application scanning and identification
    based on Layer 7, I will go to Palo Alto and buy one!

    Either way, it would be a really nice feature to have and would keep pfSense up with the "Next-Gen" firewalls (sorry, I hate the term).

    I love the term Next-Gen firewall; we all know what the difference is, but being informed
    only by the name, or having something I am able to search or ask for, is better than nothing or
    than only talking about firewalls that come along with this or that function.



    You are very wrong about needing an ASIC.

    Fortinet do a basic VM unit with impressive stats. An ASIC is lower latency and more efficient, but not a requirement to deliver such functions. A large number of hardware firewalls mainly use them for the high throughput, as it works out cheaper than more x86 power.

    As for not liking the term next-gen firewall, it is because it doesn't 100% describe functions. Each firewall manufacturer's marketing department likes to use it to loosely describe what they do and how they function.

    But it's like saying it is a cloud router. And that means... what? Most of the time there is some service downloaded from the net or offloaded, but what, you don't know.



    You are very wrong about needing an ASIC.

    It will be able to pass through or do nearly the entire workload of:

    • IDS/IPS rules
    • IDS/IPS compression tasks
    • Layer 7 DPI tasks (which this thread is about)

    Fortinet do a basic VM unit with impressive stats. An ASIC is lower latency and more efficient, but not a requirement to deliver such functions. A large number of hardware firewalls mainly use them for the high throughput, as it works out cheaper than more x86 power.

    Cheaper? A greater or bigger model of the Xilinx FPGA family is priced at something around $3,000
    for the FPGA alone! So what is now cheap about using them? Not to mention hiring good developers
    with good skills to write code for these ones. There is everything else, but nothing called cheap.

    As for not liking the term next-gen firewall, it is because it doesn't 100% describe functions. Each firewall manufacturer's marketing department likes to use it to loosely describe what they do and how they function.

    An application-based firewall will be, in my eyes and for my poor understanding, a Next-Generation Firewall
    and not a UTM device with application filtering capabilities. For sure others might see this differently.

    But it's like saying it is a cloud router. And that means... what? Most of the time there is some service downloaded from the net or offloaded, but what, you don't know.

    MikroTik, as an example, was calling one of their models Cloud Core Router, but they mostly count
    the TCP/IP packets per second running through that device and then convert it into Mbit/s or
    Gbit/s, and then really often their customers count on those numbers and are really
    disappointed about the real throughput. A cloud-based service offered to customers or clients
    is a totally different term and thing in my eyes.



  • Philosophical question here.

    To spare the one-IT-guy folks out there: wouldn't it make more sense to have the application portion of the firewall on the client and not the router?

    I figured as long as you've got Snort on there, and the only ports open are the ones you want traffic through, then the client can do the work of deciding if that traffic is good or bad.



  • @W4RH34D:

    Philosophical question here.

    To spare the one-IT-guy folks out there: wouldn't it make more sense to have the application portion of the firewall on the client and not the router?

    I figured as long as you've got Snort on there, and the only ports open are the ones you want traffic through, then the client can do the work of deciding if that traffic is good or bad.

    Absolutely, but the interesting traffic-shaping happens at the router when practically every client is considered an adversary, like a virus-infected or bittorrent client.



    I figured as long as you've got Snort on there, and the only ports open are the ones you want traffic through, then the client can do the work of deciding if that traffic is good or bad.

    If I set up Snort sensors and a server in the LAN (network-based IDS) and then on top also set up
    OSSEC agents on the client machines (host-based IDS), I don't want to have the application filtering
    on the client too; this must or should be done on the firewall device that identifies the applications
    that generate traffic to and from the Internet. My personal point of view.



    Trouble with doing it on the client side is how you manage that. If you want to traffic shape, you need to control that at the last device, the choke point, which is the router.

    If it is just application control you want, Sophos already does this.

    The whole idea of an application firewall is that you can easily control and report from a central point. Doing everything from a client just makes much of the process complex due to getting the live data in and out.



    Cheaper? A greater or bigger model of the Xilinx FPGA family is priced at something around $3,000
    for the FPGA alone! So what is now cheap about using them? Not to mention hiring good developers
    with good skills to write code for these ones. There is everything else, but nothing called cheap.

    When I say cheaper, money doesn't always come into it. I was agreeing with what you said about needing an FPGA, but not 100% of the time.

    Low throughput makes x86 perfect for software-based functions: IDS, Layer 7 etc. However, the more throughput needed, the more x86 begins to get uneconomical for power usage, latency, heat etc.

    P.S. I love the MikroTik routers, but the issue is you have to look at throughput vs packet size, like all router throughput.



  • @Jonb:

    Trouble with doing it on the client side is how you manage that. If you want to traffic shape, you need to control that at the last device, the choke point, which is the router.

    If it is just application control you want, Sophos already does this.

    The whole idea of an application firewall is that you can easily control and report from a central point. Doing everything from a client just makes much of the process complex due to getting the live data in and out.

    I guess it depends on what the clients are capable of. I think Norton has some sort of management interface.
    OS X doesn't have that, but its firewall is application-based anyway.

    If you want reporting of what is going on, you'll need to have a syslog server going.
    As far as traffic shaping, I'm not at an insane scale or anything. CoDel has been great for me.



  • @W4RH34D:

    Philosophical question here.

    To spare the one-IT-guy folks out there: wouldn't it make more sense to have the application portion of the firewall on the client and not the router?

    I figured as long as you've got Snort on there, and the only ports open are the ones you want traffic through, then the client can do the work of deciding if that traffic is good or bad.

    Been there, done that. Microsoft ISA/TMG.
    While the whole idea is okay, and even deployment in a tightly controlled environment is not a very big PITA...
    It works well only in a "tightly controlled environment", read: AD, GPOs, workstations deployed with in-house-built images, a homogeneous environment...
    Guest Wi-Fi network? Nope.
    Servers? Nope.
    BYOD? Oh, forget it.
    Non-Windows machine? Nope.

    So no, a client-based solution is not a very viable solution.



  • I find that odd.

    With the kind of requirements, i.e. milking the bone for all it's worth, you'd think there'd be some strict controls downstream as well.

    Maybe I'm an idiot, though.

    I don't see one without the other.

    It's like having a very good symphony conductor (pfSense) and one of the world's best symphonies (managed clients), and for some reason someone wants to shoehorn in some middle-school saxophone players and still wants it to be Mozart.



    I've used Sinefa probes in the past to do L7 application filtering; it's a dedicated solution for L7 and sits outside of the firewall. Our requirement was to be able to control the WAN as well as the Internet, so having it only on the firewall side of things wasn't going to work for us.

