Protocol analysis

Some malicious traffic may share the same network characteristics as authorized traffic. Such traffic cannot be blocked simply with filter rules without impacting legitimate traffic. SNS firewalls are equipped with protocol analysis features that enable modular filtering. The way traffic processed by a filter rule is inspected can be configured according to one of three inspection levels: Firewall, IPS or IDS.

In firewall inspection, the SNS firewall only performs superficial compliance checks. It monitors in particular the direction in which connections are set up. It will not check the flags used, sequence numbers or TCP options.

In firewall inspection, when the SNS firewall aborts a session, it sends a reinitialization packet that contains a null sequence number. The peer, not being able to associate this number with any existing connection, will not close any connections.

In IPS inspection, the SNS firewall performs additional checks on compliance with protocol standards, as well as analyses that rely on known attack patterns. Inspection modules dedicated to each protocol conduct these analyses. Depending on its settings, the module in question may block traffic that is deemed malicious.

IDS level inspections are the same as those in IPS inspections, but will only raise alarms if traffic seems malicious without blocking it. The IDS inspection level can be used in pre-production to analyze traffic that passes through a system, thereby easing the administrator's task of configuring inspection modules.

There are several operating modes in IDS and IPS inspection levels:

  • Inspection modules are automatically loaded by default, depending on the ports used in filter rules and the characteristics of the traffic analyzed by the SNS firewall. This will be referred to as “automatic mode” in the rest of this document,

  • The number of modules loaded can also be restricted by specifying only those that need to be used in the filter rule. In this case, the SNS firewall will only conduct the analyses corresponding to the requested protocol. The term “transport mode” will be used in this document when the indicated modules are only transport protocols such as TCP, UDP, etc.

  • The modules may also concern a particular application protocol. We will use the concept of “application mode” later on. When loaded modules are evaluated as part of a qualification process, the term “qualified application mode” will be used. This refers to modules relating to FTP, HTTP (including WebDAV), SIP, SMTP, DNS, Modbus, S7 and UMAS.

The IPS inspection level in automatic mode is selected by default when a filter rule is created. Without an inspection profile, all protocol analysis modules may be loaded during the inspection of traffic processed by the filter rule, which can increase the SNS firewall's CPU load. If necessary, limit the load on these modules by using an inspection profile, as with the IPS inspection level in transport mode. Where possible, protocol analysis functions should be conducted by dedicated firewalls such as proxy servers to minimize the risk of compromising the SNS firewall.

R31 | SNS-SMC | Adapt inspection type to the role of the SNS firewall
IPS in application mode, IPS in transport mode or qualified Frewall inspection mode are the recommended inspection levels, in line with the role of the SNS firewall in the architecture of the analyzed information system. Particular care is required with regard to its exposure to threats, its role and the criticality of the resources to be protected.

IP anti-spoofing is disabled with the Firewall inspection level.

The analysis level and associated mode must be set for each filter rule and vary according to the role of the SNS firewall. For example:

  • If the firewall is used only as a VPN gateway at the perimeter of the IS and is itself protected by other firewalls, the Firewall inspection level makes it possible to dedicate resources to cryptographic functions while reducing the attack surface,

  • If the firewall is located between a corporate IS and the Internet, the IPS inspection level in transport mode makes it possible to restrict the SNS firewall’s attack surface while guaranteeing thorough filtering of connections,

  • If the firewall protects application servers that can only be reached from an organization’s internal network, IPS inspection in qualified application mode can be used.

The inspection level can be selected in the Security inspection column in filter rules (Configuration > Security policy > Filtering and NAT > Filtering menu). For IPS and IDS inspection levels, the Protocol column allows the analysis level to be restricted. When the Protocol type option is set to IP protocol, a transport protocol can be chosen in the IP protocol menu. If this option is set to Application protocol, the menu of the same name will allow users to select the application protocol that the SNS firewall will analyze. Only one protocol (application or transport) can be chosen for each filter rule.

Firewall, IPS and IDS inspection levels rely on the use of inspection profiles, which make it possible to configure the behavior of the SNS firewall according to the type of traffic processed, e.g., types of alarms to raise or traffic to block. Before switching the protocol inspection to a production environment deemed safe (typically, a pre-production environment), it is better to disable alarms that legitimate traffic would generate unnecessarily. This will avoid polluting security monitoring traffic after the inspection goes into production. Using multiple profiles will make it possible to adjust configurations to the use context. More granular and therefore more restrictive inspection profiles are recommended for the most critical applications.

R32 | SNS-SMC | Adapt inspection profiles to the SNS firewall’s use context
When protocol analysis is enabled, the policy should be adjusted as closely as possible to the networks that require protection, by relying on the various inspection profiles.

Out of the pre-configured inspection profiles, two are used by default: the profile 00 for traffic sent by an external network and the profile 01 for traffic sent by an internal network. Profiles are chosen for each filter rule in the Inspection tab. These profiles can be configured in Configuration > Application protection > Inspection profiles, by selecting Go to profiles. Each profile is then based on the policies defined in Configuration > Application protection > Protocols. These policies define the general analyses of various protocols, such as default ports, restricted commands, types of analyses, etc. Moreover, Configuration > Application protection > Applications and protections defines more specific analyses such as the detection of buffer overflow or encoding format, etc. This menu offers views by profile or by context.