What Is Application-Layer Filtering?
Application-layer filtering enables the firewall to inspect the application data in a TCP/IP packet for unacceptable commands and data. For example, a Simple Mail Transport Protocol (SMTP) filter intercepts network traffic on Port 25 and inspects it to make sure the SMTP commands are authorized before passing the communication to the destination server. An HTTP filter performs the same function on all HTTP packets. Firewalls that are capable of application-layer filtering can stop dangerous code at the edge of the network before it can do any damage.
Advantages and Disadvantages of Application-Layer Filtering
Application-layer filtering can be used to stop attacks from sources such as viruses and worms. To the packet-filtering firewall, most worms look like legitimate network traffic. The headers of the packets are identical in format to those of legitimate traffic. It is the payload that is malicious; only when all the packets are put together can the worm be identified as malicious code, so these exploits often travel straight through to the private network because the firewall allowed what appeared to be legitimate application data.
But the advantages of application-layer filtering transcend the prevention of attacks. It can also be used to protect your network and systems from the harmful actions often taken by unaware employees. For example, you can configure filters that prevent potentially harmful programs from being downloaded through the Internet, or ensure that critical customer data does not leave the network in an e-mail.
Application-layer filtering can also be used to more broadly limit employee actions on the network. You can use an application filter to restrict common types of inappropriate communication on your network. For example, you can block peer-to-peer fileexchange services. These types of services can consume substantial network resources and raise legal liability concerns for your organization.
What Is Intrusion Detection?
Intrusion detection is a means of detecting when an attack against a network is attempted or in progress. If you detect an intrusion attempt early enough, you may be able to prevent a successful intrusion. If an intrusion does occur, you must be alerted as soon as possible to reduce the potential impact of the intrusion and to eliminate the vulnerability in your network security.
An intrusion-detection system (IDS) that is located at the edge of a network inspects all traffic in and out of the network and identifies patterns that may indicate a network or system attack. An IDS is usually configured with information about a wide variety of known attacks, then monitors the network traffic for signatures indicating that a known attack is occurring. An IDS can also be configured with information about normal network traffic and then be configured to detect variations from the normal traffic.
A complete IDS includes several layers. One device may be located at the network perimeter and monitor all traffic entering and leaving the network. Additional devices may be deployed on the internal networks, or on routers connecting networks. A final layer of protection is provided by host-based systems in which an IDS is configured on individual computers. The most sophisticated IDS can collect information from all the layers and correlate data to make the most accurate intrusion-detection decisions.
Intrusion-detection systems also provide options for configuring alerts or responses to intrusion attempts. At the very least, an IDS should alert an administrator when an attack is detected. More sophisticated IDSs provide additional responses to attacks, including shutting down or limiting the functionality of the systems under attack.
ISA Server and Intrusion Detection
ISA Server includes intrusion-detection functionality that monitors for several wellknown vulnerabilities. ISA Server detects intrusions at two different network layers. First, ISA Server detects intrusions at the network layer. This enables ISA Server to detect vulnerabilities that are inherent to the IP layer. Second, ISA Server uses application filters to detect intrusions at the application layer. You can use third-party application filters to add more intrusion detection or create your own application filters using the filter application programming interfaces (APIs) defined in the ISA Server software development kit (SDK).
Application-layer filtering enables the firewall to inspect the application data in a TCP/IP packet for unacceptable commands and data. For example, a Simple Mail Transport Protocol (SMTP) filter intercepts network traffic on Port 25 and inspects it to make sure the SMTP commands are authorized before passing the communication to the destination server. An HTTP filter performs the same function on all HTTP packets. Firewalls that are capable of application-layer filtering can stop dangerous code at the edge of the network before it can do any damage.
Advantages and Disadvantages of Application-Layer Filtering
Application-layer filtering can be used to stop attacks from sources such as viruses and worms. To the packet-filtering firewall, most worms look like legitimate network traffic. The headers of the packets are identical in format to those of legitimate traffic. It is the payload that is malicious; only when all the packets are put together can the worm be identified as malicious code, so these exploits often travel straight through to the private network because the firewall allowed what appeared to be legitimate application data.
But the advantages of application-layer filtering transcend the prevention of attacks. It can also be used to protect your network and systems from the harmful actions often taken by unaware employees. For example, you can configure filters that prevent potentially harmful programs from being downloaded through the Internet, or ensure that critical customer data does not leave the network in an e-mail.
Application-layer filtering can also be used to more broadly limit employee actions on the network. You can use an application filter to restrict common types of inappropriate communication on your network. For example, you can block peer-to-peer fileexchange services. These types of services can consume substantial network resources and raise legal liability concerns for your organization.
What Is Intrusion Detection?
Intrusion detection is a means of detecting when an attack against a network is attempted or in progress. If you detect an intrusion attempt early enough, you may be able to prevent a successful intrusion. If an intrusion does occur, you must be alerted as soon as possible to reduce the potential impact of the intrusion and to eliminate the vulnerability in your network security.
An intrusion-detection system (IDS) that is located at the edge of a network inspects all traffic in and out of the network and identifies patterns that may indicate a network or system attack. An IDS is usually configured with information about a wide variety of known attacks, then monitors the network traffic for signatures indicating that a known attack is occurring. An IDS can also be configured with information about normal network traffic and then be configured to detect variations from the normal traffic.
A complete IDS includes several layers. One device may be located at the network perimeter and monitor all traffic entering and leaving the network. Additional devices may be deployed on the internal networks, or on routers connecting networks. A final layer of protection is provided by host-based systems in which an IDS is configured on individual computers. The most sophisticated IDS can collect information from all the layers and correlate data to make the most accurate intrusion-detection decisions.
Intrusion-detection systems also provide options for configuring alerts or responses to intrusion attempts. At the very least, an IDS should alert an administrator when an attack is detected. More sophisticated IDSs provide additional responses to attacks, including shutting down or limiting the functionality of the systems under attack.
ISA Server and Intrusion Detection
ISA Server includes intrusion-detection functionality that monitors for several wellknown vulnerabilities. ISA Server detects intrusions at two different network layers. First, ISA Server detects intrusions at the network layer. This enables ISA Server to detect vulnerabilities that are inherent to the IP layer. Second, ISA Server uses application filters to detect intrusions at the application layer. You can use third-party application filters to add more intrusion detection or create your own application filters using the filter application programming interfaces (APIs) defined in the ISA Server software development kit (SDK).
