Beginner Question about Layer 7 Firewalling



  • Hey,
    I'm relatively new to firewalls, so that's why this question may be a bit naive.

    I'm currently thinking about filtering network traffic on the 7th layer.
    I want to look at the packet and check if it contains certain values which I would then like to block.
    Is a firewall designed for this kind of task at all? If so, can pfSense do it the way I imagine it? And if the answer to that is also yes, where does it work?

    I am also prepared to become very intensively engaged in the topic of firewalls.



  • @Kavatch said in Beginner Question about the 7th Layer of Firewalling:

    network traffic on the 7th layer.

    You should take ownership of every device that is connected to your network, as most companies do. The user using the device should have less authority over the device.
    This way you can control what applications users can or can't install, and thus control user access.

    But you should probably read https://en.wikipedia.org/wiki/OSI_model again and redo your question.



  • @Gertjan Thanks for your answer.
    However, I'm afraid my question was somewhat misunderstood, since I did not express myself properly.
    My situation is as follows: I have a server running several services that are intended to be accessible from the Internet. (There should be no other devices in the network.) What I want to do now is that all packets sent to the server - on port X - are checked on layer 7 for their content (the TCP payload).
    And as I said, I don't even know if a firewall is even suitable for this purpose. It was just the first thing that popped into my head.



  • @Kavatch said in Beginner Question about Layer 7 Firewalling:

    @Gertjan Thanks for your answer.
    However, I'm afraid my question was somewhat misunderstood, since I did not express myself properly.
    My situation is as follows: I have a server running several services that are intended to be accessible from the Internet. (There should be no other devices in the network.) What I want to do now is that all packets sent to the server - on port X - are checked on layer 7 for their content (the TCP payload).
    And as I said, I don't even know if a firewall is even suitable for this purpose. It was just the first thing that popped into my head.

    The answer to your question is "yes" and also "no". Let me explain. Most application traffic today is encrypted either via SSL or sometimes via proprietary algorithms. A firewall examining Layer 7 traffic would only be able to see the encrypted data unless you implement some type of man-in-the-middle (MITM) SSL intercept. Using MITM usually breaks things, or at the very least greatly complicates a security administrator's job. MITM also violates trust. For this reason and the former ones, MITM setups are best avoided in my opinion.

    However, there are tools that can examine the start of certain application conversations, and from the header and preamble bits, these tools can make an educated guess about what type of data communication is occurring (Snapchat, Facebook, etc.). The Snort package on pfSense offers OpenAppID which implements this technology. It's not perfect and it won't catch everything, but it can be a help. Just remember that OpenAppID can only identify the type of traffic -- not the actual content. So it would detect that Mary in accounting was using Facebook, but it would not know whether Mary was maligning her boss on Facebook or talking about what a wonderful, caring human being the boss is ... 😉 .

    Here are some reference links on OpenAppID --

    Snort Team Webinar Presentation

    Netgate Blog Post on OpenAppID (follow the other links embedded within the post for configuration instructions)

    Snort Team 2014 OpenAppID Intro
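The distinction drawn in the reply above (identifying the kind of traffic from the first bytes of a conversation versus seeing its content) can be shown with a small classifier. The code below is an added example written for this thread; it is not code from the original post, from Snort or from OpenAppID. It inspects only the first TCP segment of a flow: for cleartext HTTP it can read method, host and path; for TLS it can parse the ClientHello and pull out the Server Name Indication (the one plaintext hint about where the connection is going); once the handshake is done it sees only opaque application_data records. The HTTP request, the ClientHello builder and the TLS record bytes are all constructed sample inputs.

```python
import struct

# Application identification from the first bytes of a TCP payload, without
# decrypting anything. All sample inputs below are constructed for this example.

HTTP_METHODS = {b"GET", b"POST", b"PUT", b"DELETE", b"HEAD", b"OPTIONS", b"PATCH"}


def _u16(b: bytes) -> int:
    return struct.unpack("!H", b)[0]


def build_client_hello(hostname: str) -> bytes:
    """Constructed sample input: a minimal TLS ClientHello record with an SNI extension."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                              # client_version: TLS 1.2
        + bytes(32)                              # random (all zeros is fine for a sample)
        + b"\x00"                                # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite
        + b"\x01\x00"                            # one compression method (null)
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello_sni(payload: bytes):
    """Return the server_name from a TLS ClientHello, or None if absent or malformed."""
    if len(payload) < 5 or payload[0] != 0x16:          # record type 22 = handshake
        return None
    body = payload[5:5 + _u16(payload[3:5])]
    if len(body) < 4 or body[0] != 0x01:
        return None
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                                          # skip client_version and random
    if len(hs) < pos + 1:
        return None
    pos += 1 + hs[pos]                                    # session_id
    if len(hs) < pos + 2:
        return None
    pos += 2 + _u16(hs[pos:pos + 2])                      # cipher_suites
    if len(hs) < pos + 1:
        return None
    pos += 1 + hs[pos]                                    # compression_methods
    if len(hs) < pos + 2:
        return None                                       # no extensions block at all
    end = pos + 2 + _u16(hs[pos:pos + 2])
    pos += 2
    while pos + 4 <= min(end, len(hs)):
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        edata = hs[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == 0 and len(edata) >= 5 and edata[2] == 0:
            return edata[5:5 + _u16(edata[3:5])].decode("ascii", "replace")
    return None


def classify(payload: bytes):
    """Return (application, what the inspector can actually see) for a flow's first segment."""
    if len(payload) >= 2 and payload[0] == 0x16 and payload[1] == 0x03:
        sni = parse_client_hello_sni(payload)
        return ("tls", f"sni={sni}" if sni else "clienthello without sni")
    if len(payload) >= 2 and payload[0] == 0x17 and payload[1] == 0x03:
        return ("tls", "opaque application data")        # encrypted: content is not visible
    request_line, _, headers = payload.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) == 3 and parts[0] in HTTP_METHODS and parts[2].startswith(b"HTTP/1."):
        host = b"?"
        for line in headers.split(b"\r\n"):
            if line.lower().startswith(b"host:"):
                host = line[5:].strip()
                break
        return ("http", f"{parts[0].decode()} {host.decode()}{parts[1].decode()}")
    return ("unknown", None)


# Constructed sample segments, one per flow.
SAMPLES = {
    "plain http": b"GET /reports/q3 HTTP/1.1\r\nHost: intranet.example\r\nUser-Agent: demo\r\n\r\n",
    "tls hello": build_client_hello("www.example.com"),
    "tls data": b"\x17\x03\x03\x00\x20" + bytes(32),   # application_data record, ciphertext stands in as zeros
    "binary": b"\x00\x01\x02\x03",
}

if __name__ == "__main__":
    for label, segment in SAMPLES.items():
        print(f"{label:10s} -> {classify(segment)}")
```

Running it prints the HTTP request's method, host and path in full, `sni=www.example.com` for the handshake, and only "opaque application data" for the TLS record that follows: exactly the "type of traffic, not the content" limit described above, which is why anything finer-grained needs either a TLS-terminating proxy or a check inside the service itself.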



  • @Kavatch Layer 7 is the Application Layer to which your services 'talk'. If you want to check stuff at that layer, your services should do it.

    Normally, if you want to inspect the content of a packet or segment, you do it at Layer 3 or 4. IDS and IPS will let you check the content of packets or segments, as will a proxy filtering mechanism. Then upon packet inspection (what are you looking for?) you can take action.
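The "check the payload for certain values on port X" idea from the question, done the way an IDS/IPS content rule does it, looks like the following. This is an added example for this thread, not code from any poster and not Snort's rule engine: a rule carries a destination port and byte patterns (with a Snort-like `nocase` and `depth` option) that must all appear in the TCP payload, and the first matching rule decides the action. Rule numbers (`sid`), the "/admin" policy and the traffic are constructed for the example; the TLS sample is included to show that a byte-pattern rule has nothing to match once the stream is encrypted.

```python
from dataclasses import dataclass

# Minimal content-rule matcher in the style of an IDS/IPS "content" option.
# Rule ids and sample traffic are constructed for this example.


@dataclass(frozen=True)
class Content:
    pattern: bytes
    nocase: bool = False   # case-insensitive match
    depth: int = 0         # if > 0, the whole pattern must lie within the first `depth` payload bytes

    def found_in(self, payload: bytes) -> bool:
        hay, needle = (payload.lower(), self.pattern.lower()) if self.nocase else (payload, self.pattern)
        idx = hay.find(needle)
        if idx < 0:
            return False
        return self.depth <= 0 or idx + len(needle) <= self.depth


@dataclass(frozen=True)
class Rule:
    sid: int               # constructed rule id, not a published signature number
    dst_port: int
    msg: str
    contents: tuple        # every Content must be found for the rule to match
    action: str = "drop"

    def matches(self, dst_port: int, payload: bytes) -> bool:
        return dst_port == self.dst_port and all(c.found_in(payload) for c in self.contents)


def evaluate(rules, dst_port: int, payload: bytes):
    """First matching rule wins; returns (action, sid, msg), or ("pass", None, None)."""
    for rule in rules:
        if rule.matches(dst_port, payload):
            return (rule.action, rule.sid, rule.msg)
    return ("pass", None, None)


RULES = (
    Rule(sid=1000001, dst_port=80, msg="admin path requested over cleartext HTTP",
         contents=(Content(b"GET ", depth=4), Content(b"/admin", nocase=True))),
    Rule(sid=1000002, dst_port=443, msg="admin path in TLS stream (cannot fire: payload is ciphertext)",
         contents=(Content(b"/admin", nocase=True),)),
)

# Constructed (destination port, TCP payload) samples.
SAMPLES = (
    (80, b"GET /Admin/users HTTP/1.1\r\nHost: srv.example\r\n\r\n"),
    (80, b"GET /index.html HTTP/1.1\r\nHost: srv.example\r\n\r\n"),
    (8080, b"GET /admin HTTP/1.1\r\nHost: srv.example\r\n\r\n"),   # port does not match the rule
    (443, b"\x17\x03\x03\x00\x20" + bytes(32)),                    # TLS application_data: nothing to match
)

if __name__ == "__main__":
    for port, payload in SAMPLES:
        print(port, evaluate(RULES, port, payload))
```

The `depth` option is what keeps the "GET " check anchored to the request line instead of matching the string anywhere in a body; without such anchoring, content rules on a busy port produce a lot of false positives. The same limitation as before applies: the rule on port 443 is there to make the point that a Layer 3/4 inspector sees only ciphertext on an encrypted service, so the check the question asks for belongs either in front of TLS termination or inside the service.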

