Sage Firewall Upgrade Friday Aug 7th


Sage Firewall Upgrade

On Friday, August 7 at 4PM we will be upgrading our Troy Campus Firewall. We have tested it thoroughly and we are anticipating only a few minutes of downtime. All internet and web services in Troy will be affected, but phones will not. We will be performing the same upgrade on Albany’s firewall in 2 weeks.

It has been 6 years since our last firewall upgrade and a lot has changed. If you are interested in why we are performing a firewall upgrade, please read below for an explanation of the differences in firewall technology.

As a general rule, the more advanced the firewall technology, the higher up in the OSI Model it works.

  • Packet filter — Level 3 of the OSI model
  • Stateful Inspection — Level 4 of the OSI model
  • Deep Packet Inspection — Level 7 of the OSI model

Our current firewall is a Stateful Inspection firewall and we are upgrading to a Deep Packet Inspection firewall.

Packet Filters

The first and most basic type of firewall to come about is now simply referred to as a packet filter. These firewalls worked at Layer 3 of the OSI model, aka the network layer. Packet filters worked primarily on two parameters within packets — the source and destination IP addresses — but they were able to look at (and filter on) the protocol field in the IP header as well.

The key here, however, is that very few checks were done on packets, and they were only done at the network layer. As a result, spoofing, fragmenting, and various other sorts of tinkering allowed an attacker to get traffic through simple packet filters that had been set up to block it.

Stateful Inspection

The original forms of stateful inspection dealt predominantly with layers 4 and below. In short, stateful firewalls keep track of open, legitimate connections and compare traffic moving through the firewall to these known-good entries. The firewall knows all about the connections in its “state table” (the list of legitimate connections) — and anything deemed not part of one on the list is discarded.

This was a major advance over basic packet filtering in terms of security. It suddenly became much more difficult to inject spoofed packets into legitimate connections and have them accepted by the firewall, because stateful inspection looks at TCP sequence numbers, TCP flags, etc. rather than just source and destination IP addresses and port numbers.

Deep Packet Inspection

To make a long story short, deep inspection is stateful inspection — but with visibility into the application layer (layer 7). In other words, deep inspection allows the firewall to see the actual data passing through it rather than just keeping track of connection information.

So what’s the practical advantage of deep inspection over stateful inspection? Content filtering. Is the client that just made a connection to our web server trying to propagate a worm? Is a website trying to install malware via an HTTP session?

These are questions that stateful inspection cannot answer and that deep inspection can.

Once the firewall can see into the application layer fully, it can start matching what it sees against a list of known bad content. This is signature-based analysis, and it’s the backbone of all antivirus technology. The advantage here is the ability to catch a whole lot of known nastiness, along with the relative ease of updates.
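As an added illustration (not code from the original post or its source), here is a toy Python model of the three generations described above, run over constructed sample packets: the packet filter passes everything that is addressed correctly, the stateful firewall additionally drops the packet that belongs to no tracked connection, and deep inspection additionally drops the one whose payload matches a signature. The addresses, ports and the signature string are made up for the example, and the state tracking is deliberately simplified to one direction.

```python
from dataclasses import dataclass
@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str = ""       # simplified TCP flags: "S" (SYN) or "A" (ACK)
    seq: int = 0
    payload: bytes = b""
    proto: str = "TCP"
# Layer 3: a packet filter sees only addresses and the IP protocol field.
# Constructed rule: inside hosts 10.0.0.0/24 may reach web server 192.0.2.10.
def packet_filter(pkt):
    return pkt.src.startswith("10.0.0.") and pkt.dst == "192.0.2.10" and pkt.proto == "TCP"
# Layer 4: stateful inspection adds a state table of tracked connections; a packet
# belonging to no tracked connection, or carrying an unexpected sequence number,
# is dropped even though the packet filter passes it. Only client->server is tracked.
class StatefulFirewall:
    def __init__(self):
        self.table = {}   # (src, sport, dst, dport) -> next expected seq
    def inspect(self, pkt):
        if not packet_filter(pkt):
            return False
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.flags == "S":                  # SYN opens a new state entry
            self.table[key] = pkt.seq + 1
            return True
        if self.table.get(key) != pkt.seq:    # unknown connection or bad seq
            return False
        self.table[key] = pkt.seq + len(pkt.payload)
        return True
# Layer 7: deep inspection also matches the payload against known-bad content.
SIGNATURES = [b"WORM-SAMPLE"]   # constructed signature, not a real malware pattern
class DeepInspectionFirewall(StatefulFirewall):
    def inspect(self, pkt):
        return super().inspect(pkt) and not any(s in pkt.payload for s in SIGNATURES)
def compare(packets):
    """Per firewall generation, the indices of packets that get through."""
    sf, dpi = StatefulFirewall(), DeepInspectionFirewall()
    return {"packet_filter": [i for i, p in enumerate(packets) if packet_filter(p)],
            "stateful": [i for i, p in enumerate(packets) if sf.inspect(p)],
            "deep_inspection": [i for i, p in enumerate(packets) if dpi.inspect(p)]}
# Constructed sample traffic from inside host 10.0.0.5 to the web server.
SAMPLE = [
    Packet("10.0.0.5", "192.0.2.10", 40000, 80, "S", 1000),                         # 0 handshake
    Packet("10.0.0.5", "192.0.2.10", 40000, 80, "A", 1001, b"GET / HTTP/1.1\r\n"),  # 1 legitimate request
    Packet("10.0.0.7", "192.0.2.10", 40001, 80, "A", 5, b"x"),                      # 2 no tracked connection
    Packet("10.0.0.5", "192.0.2.10", 40000, 80, "A", 1017, b"POST / WORM-SAMPLE"),  # 3 known-bad content
]
```

Calling `compare(SAMPLE)` shows the three generations passing packets 0-3, 0,1,3 and 0,1 respectively.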


John Harris

Director of IT

*****************Update*********************

Our firewall upgrade on Friday night was not successful. There appears to be a bug in the software and we have to get the manufacturer’s support involved. We will be trying the upgrade again on Tuesday, August 11th, but we will not be starting until 10PM just in case we need to do some troubleshooting.

Sources:  https://danielmiessler.com/study/firewalls/