
Filtering Content and More

In the document DUMmIES Firewalls (pages 93-96)

Application proxy services can inspect the entire application data portion of an IP packet, unlike packet filters, which can look only at a packet's headers. The application proxy service must understand the application protocol being used. In return, an application proxy service lets you create much more extensive rules about which network traffic is, and is not, acceptable at the firewall.

Many firewalls support these kinds of extended rules. Some example rules are given in Table 4-4.

Table 4-4 Advanced Filter Rules

Name       Action   Type          Site       Keywords       From
No music   Deny     HTTP/video    mtv.com    —              —
No warez   Deny     HTTP or FTP   —          warez, filez   —
No spam    Deny     SMTP          —          —              getrich@hotmail.aol

The first rule blocks HTTP video content that is obtained from the MTV Web site. The second rule blocks downloaded information that contains the word "warez" or the word "filez" (the odd spellings are explained in the "Hack3r'z sp3ak" sidebar). The last rule blocks all e-mail that appears to come from an e-mail address that has sent unsolicited spam-style e-mail.

Table 4-4 expresses the extended filtering capabilities as one-line filter rules.

Because of the complexity of the filtering combinations and their dependency on specific application protocol options, most firewall products display a special application-specific representation of these rules instead of the one-line style used in Table 4-4.

Firewalls may be able to filter traffic based on the following application-specific aspects:

HTTP content type: Even though network traffic on port 80 (HTTP) may be allowed, you can restrict the list of acceptable content types. Examples of content that you may want to disallow are video files or audio files.

File names: The firewall can block certain files from entering the internal network. Of course, this filter is useful only as long as the file has not been renamed to something else; it inspects the name, not the contents.

File content/virus: A filter may be able to inspect the contents of files that are downloaded, and objectionable content may be blocked. The most useful example is the detection of viruses in those files.

Keywords: Certain keywords can be placed on a block list. Packets that contain keywords from the block list are disallowed.

SMTP e-mail inspection: Besides scanning for viruses or for keywords on the block list, special e-mail filters may disallow certain attachments or deny certain sender domains or addresses.

FTP get/put, SNMP get/set: Application protocols may be filtered to allow only "read" actions and block "write" operations. Examples are restrictions on the File Transfer Protocol (FTP) or the Simple Network Management Protocol (SNMP).

Some of these filtering options may be better performed by dedicated filtering software. Examples are using antivirus programs for virus scanning, or using parental access control programs to maintain a block list of inappropriate keywords. Vendors of filtering software often sell their products as plug-ins for well-known firewalls.
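The following is an added example, not code from the book: three application-level checks that a proxy service can make only because it understands the protocol. It classifies a download by its leading bytes (so the file-name filter's weakness to renaming is visible next to a content check that survives it), enforces a read-only FTP command policy, and decodes just enough of an SNMPv1/v2c message to tell a SetRequest from a GetRequest. The magic-byte table, the FTP command set and the sample payloads are constructed for illustration.

```python
# Added example (not from the book). Assumed/constructed: the MAGIC table,
# FTP_READ_ONLY, and the sample payloads at the bottom.

# File signatures ("magic bytes"): constructed, abbreviated table.
MAGIC = {
    b"MZ": "application/x-msdownload",       # Windows PE executable
    b"\x7fELF": "application/x-executable",  # ELF executable
    b"%PDF": "application/pdf",
    b"\x89PNG": "image/png",
}
BLOCKED_TYPES = {"application/x-msdownload", "application/x-executable"}
BLOCKED_EXTENSIONS = (".exe", ".scr", ".vbs")


def sniff_type(data: bytes) -> str:
    """Classify a download by its leading bytes, not by its name."""
    for magic, label in MAGIC.items():
        if data.startswith(magic):
            return label
    return "application/octet-stream"


def blocked_by_name(filename: str) -> bool:
    """File-name filter: evaded simply by renaming the file."""
    return filename.lower().endswith(BLOCKED_EXTENSIONS)


def blocked_by_content(data: bytes) -> bool:
    """File-content filter: ignores the name, so a rename does not help."""
    return sniff_type(data) in BLOCKED_TYPES


# FTP (RFC 959): the commands a read-only policy lets through. STOR, STOU,
# APPE, DELE, RNFR/RNTO, MKD and RMD all write to the server and are absent.
FTP_READ_ONLY = {"USER", "PASS", "SYST", "TYPE", "PWD", "CWD", "CDUP",
                 "LIST", "NLST", "SIZE", "PASV", "PORT", "RETR", "QUIT"}


def ftp_command_allowed(line: str) -> bool:
    verb = line.strip().split(" ", 1)[0].upper()
    return verb in FTP_READ_ONLY


# SNMPv1/v2c: the PDU type is the context-specific BER tag that follows the
# community string: 0xA0 GetRequest, 0xA1 GetNextRequest, 0xA3 SetRequest.
SNMP_SET_REQUEST = 0xA3


def _tlv(buf: bytes, i: int):
    """Decode one BER tag-length-value at offset i; return (tag, value, next offset)."""
    tag, length, i = buf[i], buf[i + 1], i + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[i:i + n], "big")
        i += n
    return tag, buf[i:i + length], i + length


def snmp_pdu_type(msg: bytes) -> int:
    tag, body, _ = _tlv(msg, 0)            # outer SEQUENCE
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, _, i = _tlv(body, 0)                # version INTEGER
    _, _, i = _tlv(body, i)                # community OCTET STRING
    pdu_tag, _, _ = _tlv(body, i)
    return pdu_tag


def snmp_allowed(msg: bytes) -> bool:
    """Read-only SNMP policy: drop SetRequest, pass everything else."""
    return snmp_pdu_type(msg) != SNMP_SET_REQUEST


# Constructed samples.
PE_AS_TEXT = ("notes.txt", b"MZ\x90\x00" + b"\x00" * 60)   # renamed executable
SNMP_GET = bytes.fromhex(   # GetRequest for sysDescr.0, community "public"
    "3026020100" "04067075626c6963" "a019" "020101020100020100"
    "300e300c" "06082b06010201010100" "0500")
SNMP_SET = bytes.fromhex(   # SetRequest sysContact.0 = "lab", community "public"
    "3029020100" "04067075626c6963" "a31c" "020101020100020100"
    "3011300f" "06082b06010201010400" "04036c6162")

if __name__ == "__main__":
    name, data = PE_AS_TEXT
    print("name filter:", blocked_by_name(name), "content filter:", blocked_by_content(data))
    print("FTP RETR:", ftp_command_allowed("RETR report.pdf"),
          "STOR:", ftp_command_allowed("STOR payload.exe"))
    print("SNMP get:", snmp_allowed(SNMP_GET), "set:", snmp_allowed(SNMP_SET))
```

The renamed executable passes the name filter and fails the content filter, which is the point the text makes about file-name rules. The SNMP check covers only v1/v2c; SNMPv3 wraps the PDU in a different structure, and a proxy would need to decode that too.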

Besides filtering application-specific data, firewalls can also restrict network traffic based on aspects that are independent of the particular protocol used.

Examples of these are

Site name/site IP address: Packet filters are already capable of determining the external source IP address or external destination IP address. This functionality may be extended by specifying a filter that restricts access based on a site's DNS name, such as www.bad.com. The advantage of this approach, besides improved readability, is that the filter blocks network traffic to all the IP addresses that the name resolves to.

A site's name may resolve to two or more IP addresses. Note, however, that a firewall does not endlessly match names and IP addresses back and forth. If you have a rule that disallows access to the Web destination 197.2.3.66, the firewall will not notice that 197.1.7.13 actually refers to the same Web site.

Time of day: Rules can be expressed that include the time of day, which allows different restrictions for daytime, nighttime, and weekends, for example.

User name: Instead of defining rules that apply to everyone, filters may be restricted to apply only to certain users or groups of users. Of course, this restriction requires that the firewall be able to authenticate the user who is making the Internet request. The firewall may have a special rule that applies to unauthenticated users or anonymous connection attempts.

Connection quota/data quota: Filtering options that are based on accumulated previous Internet connections are much harder to implement. An example is a filter that limits data transfer through the firewall to a maximum of 1000MB per user per month. This filter requires the firewall to collect and remember information per user over time, and it must include mechanisms for coordinating that information if multiple firewalls are used for the same purpose.

When setting up the advanced rules mentioned in this section, make sure that you fully understand how rules are processed. A deny rule that is too specific (about whom it applies to, at what time, for which protocol and content type, and from which site on the Internet) may be easy to circumvent by changing just one aspect of the Internet request. You may have intended the request to be blocked when any one of several conditions matches, but the rule applies only when all of the conditions in the rule match.

On the other hand, a particular rule may unnecessarily block otherwise perfectly acceptable network traffic. For example, a firewall should not simply block any packet that contains the word "warez." While such a no-warez rule may make it harder to download illegally obtained software, it also has the unwanted effect of making an e-mail discussion about "warez" impossible as well.
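The following is an added example, not code from the book: a small evaluator for one-line rules of the kind shown in Table 4-4, in which every filled-in column must match and blank columns are wildcards. It runs the three rules from the table against constructed requests and shows both pitfalls described above: the "No music" rule is evaded by fetching the same video from another site or as a non-video content type, and a keyword rule that is not scoped to HTTP/FTP blocks an e-mail that merely mentions "warez". The Request fields and the sample requests are constructed.

```python
# Added example (not from the book). Assumed/constructed: the Request and Rule
# field names, the ANY_WAREZ variant rule, and the sample requests.
from dataclasses import dataclass


@dataclass
class Request:
    proto: str           # "http", "ftp" or "smtp"
    site: str = ""       # destination host
    ctype: str = ""      # HTTP Content-Type, if any
    sender: str = ""     # SMTP envelope sender, if any
    body: str = ""       # application data, as text


@dataclass
class Rule:
    name: str
    protos: frozenset           # Type column: protocols the rule applies to
    site: str = ""              # Site column ("" = any)
    ctype_prefix: str = ""      # content-type restriction ("" = any)
    keywords: tuple = ()        # Keywords column (() = any)
    sender: str = ""            # From column ("" = any)

    def matches(self, r: Request) -> bool:
        """All filled-in columns must match (AND); blank columns are wildcards."""
        if r.proto not in self.protos:
            return False
        if self.site and not (r.site == self.site or r.site.endswith("." + self.site)):
            return False
        if self.ctype_prefix and not r.ctype.lower().startswith(self.ctype_prefix):
            return False
        if self.keywords and not any(k in r.body.lower() for k in self.keywords):
            return False
        if self.sender and r.sender.lower() != self.sender:
            return False
        return True


def decide(r: Request, rules) -> str:
    """First matching deny rule wins; no match means the traffic is allowed."""
    for rule in rules:
        if rule.matches(r):
            return "deny:" + rule.name
    return "allow"


# The three rules of Table 4-4.
TABLE_4_4 = [
    Rule("No music", frozenset({"http"}), site="mtv.com", ctype_prefix="video/"),
    Rule("No warez", frozenset({"http", "ftp"}), keywords=("warez", "filez")),
    Rule("No spam", frozenset({"smtp"}), sender="getrich@hotmail.aol"),
]

# Over-broad variant: the keyword rule applied to every protocol (constructed).
ANY_WAREZ = [Rule("No warez anywhere", frozenset({"http", "ftp", "smtp"}),
                  keywords=("warez",))]

# Constructed requests.
MTV_VIDEO = Request("http", "www.mtv.com", "video/mp4")
MIRROR_VIDEO = Request("http", "mirror.example.net", "video/mp4")   # same file, other site
MTV_AUDIO = Request("http", "www.mtv.com", "audio/mpeg")            # same site, other type
WAREZ_FTP = Request("ftp", "files.example.net", body="index of /WAREZ/")
WAREZ_MAIL = Request("smtp", "mail.example.net", sender="alice@example.net",
                     body="Should we block the word warez at the firewall?")
SPAM = Request("smtp", "mail.example.net", sender="GetRich@hotmail.aol")

if __name__ == "__main__":
    for req in (MTV_VIDEO, MIRROR_VIDEO, MTV_AUDIO, WAREZ_FTP, SPAM, WAREZ_MAIL):
        print(f"{req.proto:5} {req.site:20} {decide(req, TABLE_4_4)}")
    print("e-mail under the over-broad rule:", decide(WAREZ_MAIL, ANY_WAREZ))
```

Changing any one column of a request that the "No music" rule was written for (the site, or the content type) is enough to slip past it, which is why a rule with many conditions is narrower, not stronger. Conversely, dropping the protocol restriction from the keyword rule is what turns it into the over-blocking rule the text warns about.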

