Netgate Discussion Forum

Next generation feature - L7 application filtering

Category: Firewalling
21 Posts 10 Posters 13.9k Views
    GomezAddams
    last edited by Jun 21, 2016, 6:47 PM

    You may want to have a look at Sophos UTM (they have two different versions, and I'm not sure what the difference is). They are free for 50 IP addresses and under.

    They seem to have a pretty extensive list of applications to filter on.

      Soyokaze
      last edited by Jun 21, 2016, 9:08 PM

      Voted for "Yes, I need such a functionality now."

      Not for filtering/limiting, but for REPORTING.

      Need full pfSense in a cloud? PM for details!

        Jonb
        last edited by Jun 23, 2016, 10:41 PM

        The Sophos UTM isn't my thing.

        Hosted desktops and servers with support without complication.
        www.blueskysystems.co.uk

          Guest
          last edited by Jun 24, 2016, 10:08 PM

          Those features are really often supported, or tuned to be f* fast, by using ASICs or FPGAs from well-known vendors like Xilinx or others, and only one of these FPGAs could be really expensive, which makes it more or less more expensive for all customers, or only a smaller group of them are using them then. For sure an add-in or add-on card with an FPGA could be done by ADI, but then this must also be profitable for them and not only for us.

          If I need a Next-Generation Firewall with DPI capabilities, application scanning and identification
          based on Layer 7 I will go to PaloAlto and buy one!

          Either way it would be a really nice feature to have and keep pfSense up with the "Next-Gen" firewalls (sorry, I hate the term).

          I love the term Next-Gen firewall, what the difference makes we all know, but to get informed only by the name or having something I am able to search or ask for is better than nothing or only talking about firewalls that are coming beside with this or that function.

            Jonb
            last edited by Jun 26, 2016, 9:18 PM

            You are very wrong about needing an asic.

            Fortinet do a VM basic unit with impressive stats. ASIC is lower latency and more efficient but not a requirement to deliver such functions. A large amount of hardware firewalls mainly use them for the high throughput as it works out cheaper than more x86 power.

            As for not liking the term next gen firewall, it is because it doesn't 100% describe functions. Each firewall manufacturer's marketing department likes to use it to loosely describe why they do and how they function.

            But like saying it is a cloud router. And that means... what? Most of the time there is some service downloaded from the net or offloaded, but what you don't know.

            Hosted desktops and servers with support without complication.
            www.blueskysystems.co.uk

              Guest
              last edited by Jun 26, 2016, 11:20 PM

              You are very wrong about needing an asic.

              It will be able to pass through or do nearly the entire workload of:

              • IDS/IPS rules
              • IDS/IPS compression tasks
              • Layer 7 DPI tasks (this thread will be based on talking about)

              Fortinet do a VM basic unit with impressive stats. ASIC is lower latency and more efficient but not a requirement to deliver such functions. A large amount of hardware firewalls mainly use them for the high throughput as it works out cheaper than more x86 power.

              Cheaper? A greater or bigger model of the Xilinx FPGA family is at a price of something around $3,000 only for that FPGA! And what is now cheap on using them? Not really encountered to hire good developers with good skills to write code for these ones. There is all other but nothing called cheap.

              As for not liking the term next gen firewall, it is because it doesn't 100% describe functions. Each firewall manufacturer's marketing department likes to use it to loosely describe why they do and how they function.

              An application based firewall will be in my eyes and for my poor understanding a Next-Generation Firewall and not a UTM device with application filtering capabilities. For sure others might be seeing this differently.

              But like saying it is a cloud router. And that means... what? Most of the time there is some service downloaded from the net or offloaded, but what you don't know.

              MikroTik as an example was calling one of their models Cloud Core Router, but they are mostly counting the TCP/IP packets per second running through that device and then converting it into MBit/s or GBit/s, and then really often their customers will be counting on those numbers and are really disappointed about the real throughput. A Cloud based and offered service to customers or clients is a totally other term and thing in my eyes.

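Added example (not from this thread, and not pfSense's or any vendor's code): a small Python sketch of the firewall-side Layer 7 identification the posts above argue about. It peeks at a flow's first client payload, recognises the application from protocol signatures (the SNI inside a TLS ClientHello, the HTTP request line and Host header, the SSH and BitTorrent handshake banners), applies a per-application allow/deny policy, and counts flows per application, which is the reporting side Soyokaze asked for. The sample flows, LAN addresses and policy are constructed for the example. The ClientHello parser also covers the edge case such a classifier has to get right: truncated or non-TLS bytes return None instead of crashing the filter.

```python
"""Toy firewall-side L7 classifier: identify a flow's application from its first
client payload, apply a per-application policy and count flows for reporting."""
import re
import struct
from collections import Counter


def parse_tls_sni(payload: bytes):
    """Return the server_name from a TLS ClientHello, or None when the bytes are
    not a well-formed ClientHello with an SNI extension (truncated or non-TLS
    input falls through to None instead of raising)."""
    if len(payload) < 5 or payload[0] != 0x16:      # record type 0x16 = handshake
        return None
    hs = payload[5:5 + struct.unpack("!H", payload[3:5])[0]]
    if len(hs) < 4 or hs[0] != 1:                   # handshake type 1 = ClientHello
        return None
    p = 4 + 2 + 32                                  # header, client_version, random
    if p >= len(hs):
        return None
    p += 1 + hs[p]                                  # session_id
    if p + 2 > len(hs):
        return None
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]    # cipher_suites
    if p >= len(hs):
        return None
    p += 1 + hs[p]                                  # compression_methods
    if p + 2 > len(hs):
        return None
    end = min(p + 2 + struct.unpack("!H", hs[p:p + 2])[0], len(hs))
    p += 2
    while p + 4 <= end:                             # walk the extension list
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        if etype != 0:                              # extension 0 = server_name
            p += elen
            continue
        q = p + 2                                   # skip ServerNameList length
        if q + 3 > min(p + elen, end) or hs[q] != 0:  # name_type 0 = host_name
            return None
        nlen = struct.unpack("!H", hs[q + 1:q + 3])[0]
        if q + 3 + nlen > end:
            return None
        return hs[q + 3:q + 3 + nlen].decode("ascii", "replace")
    return None


HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
HTTP_HOST = re.compile(rb"\r\nHost: ([^\r\n]+)")


def classify(payload: bytes):
    """Return (application, detail) from the first client-to-server bytes.
    Signature matching is a heuristic: it still recognises an application on an
    unusual port, but not unknown or deliberately mimicked protocols."""
    sni = parse_tls_sni(payload)
    if sni is not None:
        return ("tls", sni)
    if payload.startswith(b"SSH-2.0-"):
        return ("ssh", payload.split(b"\r\n", 1)[0].decode("ascii", "replace"))
    if HTTP_REQUEST.match(payload):
        host = HTTP_HOST.search(payload)
        return ("http", host.group(1).decode("ascii", "replace") if host else "")
    if payload.startswith(b"\x13BitTorrent protocol"):   # peer-wire handshake
        return ("bittorrent", "")
    return ("unknown", "")


def apply_policy(flows, policy):
    """Classify each (src, payload) flow; return per-flow decisions plus a
    per-application flow count, the data a reporting view would be built on."""
    decisions, report = [], Counter()
    for src, payload in flows:
        app, detail = classify(payload)
        report[app] += 1
        decisions.append((src, app, detail, policy.get(app, policy["default"])))
    return decisions, dict(report)


def build_client_hello(host: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello carrying only an SNI extension."""
    name = host.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name             # host_name entry
    ext = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry  # server_name ext
    body = (b"\x03\x03" + bytes(32) + b"\x00"          # version, random, empty session_id
            + b"\x00\x02\x13\x01" + b"\x01\x00"          # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed sample flows (assumed LAN addresses) and an assumed policy.
SAMPLE_FLOWS = [
    ("10.0.0.11", build_client_hello("updates.example.net")),
    ("10.0.0.12", b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("10.0.0.13", b"SSH-2.0-OpenSSH_9.6\r\n"),
    ("10.0.0.14", b"\x13BitTorrent protocol" + bytes(48)),
    ("10.0.0.15", b"\x00\x01\x02\x03 not a known handshake"),
]
POLICY = {"default": "allow", "bittorrent": "deny"}

if __name__ == "__main__":
    for src, app, detail, action in apply_policy(SAMPLE_FLOWS, POLICY)[0]:
        print(f"{src:<12} {app:<11} {action:<6} {detail}")
```

Signature matching like this is only as good as its signature list: traffic the list does not know, or that hides inside another protocol, lands in "unknown", and an encrypted ClientHello leaves no SNI to read at all. Doing this lookup for every new flow at line rate is the part of the job the ASIC/FPGA discussion above is about speeding up, not replacing.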
                W4RH34D
                last edited by Jun 26, 2016, 11:45 PM

                Philosophical question here.

                To spare the one IT guy folks out there. Wouldn't it make more sense to have the application portion of the firewall on the client and not the router?

                I figured as long as you've got snort on there and the only ports open that you want traffic through then the client can do the work of deciding if that traffic is good or bad.

                Did you really check your cables?

                  Nullity
                  last edited by Jun 27, 2016, 2:53 AM

                  @W4RH34D:

                  Philosophical question here.

                  To spare the one IT guy folks out there. Wouldn't it make more sense to have the application portion of the firewall on the client and not the router?

                  I figured as long as you've got snort on there and the only ports open that you want traffic through then the client can do the work of deciding if that traffic is good or bad.

                  Absolutely, but the interesting traffic-shaping happens at the router when practically every client is considered an adversary, like a virus-infected or bittorrent client.

                  Please correct any obvious misinformation in my posts.
                  -Not a professional; an arrogant ignoramus.

                    Guest
                    last edited by Jun 27, 2016, 8:41 AM

                    I figured as long as you've got snort on there and the only ports open that you want traffic through then the client can do the work of deciding if that traffic is good or bad.

                    If I set up Snort sensors and a server in the LAN (network based IDS) and then on top I set up also OSSEC agents on the client machines too (host based IDS), I don't want to have the application filtering on the client too; this must or should be done then on the firewall device that is identifying the applications that generate traffic to and from the Internet. My personal point of view.

                      Jonb
                      Jun 28, 2016, 7:35 PM (last edited Jun 28, 2016, 7:42 PM)

                      Trouble with doing it on the client side is how you manage that. If you want to traffic shape you need to control that at the last device on the choke point, which is the router.

                      If it is just application control you want, Sophos already does this.

                      The whole idea of an application firewall is you can easily control and report from a central point. Doing everything from a client just makes much of the process complex due to getting the live data in and out.

                      Hosted desktops and servers with support without complication.
                      www.blueskysystems.co.uk

                        Jonb
                        last edited by Jun 28, 2016, 7:41 PM

                        Cheaper? A greater or bigger model of the Xilinx FPGA family is at a price of something around $3,000 only for that FPGA! And what is now cheap on using them? Not really encountered to hire good developers with good skills to write code for these ones. There is all other but nothing called cheap.

                        When I say cheaper money doesn't always come into it. It was agreeing with what you said about needing a FPGA but not 100% of the time.

                        Low throughput makes x86 perfect for software based functions, IDS, layer 7 etc. However the more throughput needed, x86 begins to get uneconomical for power usage, latency, heat etc.

                        P.S. I love the MikroTik routers but the issue is you have to look at throughput vs packet size like all router throughput.

                        Hosted desktops and servers with support without complication.
                        www.blueskysystems.co.uk

                          W4RH34D
                          last edited by Jun 28, 2016, 9:31 PM

                          @Jonb:

                          Trouble with doing it on the client side is how you manage that. If you want to traffic shape you need to control that at the last device on the choke point, which is the router.

                          If it is just application control you want, Sophos already does this.

                          The whole idea of an application firewall is you can easily control and report from a central point. Doing everything from a client just makes much of the process complex due to getting the live data in and out.

                          I guess it depends on what the clients are capable of. I think Norton has some sort of management interface.
                          OS X doesn't have that but their firewall is application based anyway.

                          If you want reporting of what is going on you'll need to have a syslog server going.
                          As far as traffic shaping - I'm not at an insane scale or anything. CoDel has been great for me.

                          Did you really check your cables?

                            Soyokaze
                            last edited by Jul 1, 2016, 9:56 PM

                            @W4RH34D:

                            Philosophical question here.

                            To spare the one IT guy folks out there. Wouldn't it make more sense to have the application portion of the firewall on the client and not the router?

                            I figured as long as you've got snort on there and the only ports open that you want traffic through then the client can do the work of deciding if that traffic is good or bad.

                            Been there, done that. Microsoft ISA/TMG.
                            While the whole idea is okay, and even deployment in tightly controlled environment is not a very big PITA…
                            It works good only in "tightly controlled environment", read - AD, GPOs, workstations being deployed with in-house built images, homogeneous environment...
                            Guest wifi network? Nope.
                            Servers? Nope.
                            BYOD? Oh, forget it.
                            Non Windows machine? Nope.

                            So no, a client-based solution is not a very viable solution.

                            Need full pfSense in a cloud? PM for details!

                              W4RH34D
                              Jul 1, 2016, 10:25 PM (last edited Jul 1, 2016, 10:41 PM)

                              I find that odd.

                              With the kind of requirements, i.e. milking the bone for all it's worth, you'd think there'd be some strict controls downstream as well.

                              Maybe I'm an idiot, though.

                              I don't see one without the other.

                              It's like having a very good symphony conductor (pfSense) and one of the world's best symphonies (managed clients) and for some reason someone wants to shoe-horn in some middle school saxophone players and still wants it to be Mozart.

                              Did you really check your cables?

                                adoni
                                last edited by Aug 17, 2016, 1:09 PM

                                I've used Sinefa probes in the past to do L7 application filtering; it's a dedicated solution for L7 and sits outside of the firewall. Our requirement was to be able to control the WAN as well as the Internet, so having it only on the firewall side of things wasn't going to work for us.

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.