
Packet-filtering of Firewalls vs. Anomaly

Look at this alongside signature-based detection in anti-virus software.

Here with this you are not just looking at signatures of network requests; rather, you are delving deeper into the packages themselves being received.

Analogy: mail parcels. The Post Office could look just at the destination of the mail parcel and reject it from certain countries or regions, but it is better to inspect the contents of the package. So with network traffic it is much better to inspect the packets' data not just the header information such as the origin and the time to live.

Disadvantage of packet-filtering is the time and processing resources it takes to inspect packet contents. (Just think of how even with anti-virus software on your computer you may not actually wait for it to scan a flash stick that you plug in because you trust the person who gave you the flash stick, and you just don't want to wait for the scan.)


But in terms of packet-filtering firewalls vs. anomaly-based detection, the former actually looks at the data in the packet, whereas the latter is looking for things that are unexpected in general, and not just in the data itself, but other things which may indicate a problem/attack, such as a spike in network traffic.


Neel:

15. How do packet-filtering firewalls discover threats?

Taken from the Cisco website, countering threats such as DDoS is described as follows:

1. Mitigate, not just detect.
2. Accurately distinguish good traffic from bad traffic to preserve business continuity, not just detect the overall presence of an attack.
3. Include performance and architecture to deploy upstream to protect all points of vulnerability.
4. Maintain reliable and cost-efficient scalability.

Although firewalls are a primary defense against attacks/threats from an outside origin, they often fail or are 'overwhelmed' by the amount of traffic that is pitted against them in the case of a DDoS attack. However, firewalls are also equipped with threat prevention methods such as distinguishing 'bad' packets from the 'good' packets of information that flow through them by checking the signatures of the packets as they pass through. Also, by checking the signatures of the packets as they pass through, the firewall can accurately check and detect any malware which can potentially infect the systems that it is going to or the firewall itself, and therefore can prevent a potential threat.
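The three approaches discussed in both posts above, header-based filtering (origin and TTL), payload signature matching, and anomaly detection of a traffic spike such as a flood against a firewall, side by side as an added example in Python; this is not code from either post, and the packets, blocked network, signature string and rate thresholds are all constructed assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample packets (not real captures): (timestamp, src, ttl, payload)
@dataclass
class Packet:
    ts: float
    src: str
    ttl: int
    payload: bytes

# Header-only filtering: decide on origin and TTL, never look at the payload.
BLOCKED_NETS = [ip_network("203.0.113.0/24")]   # documentation range, constructed

def header_filter(pkt: Packet) -> str:
    if any(ip_address(pkt.src) in net for net in BLOCKED_NETS):
        return "drop:blocked-origin"
    if pkt.ttl < 5:  # assumed sanity threshold for a suspiciously low TTL
        return "drop:bad-ttl"
    return "accept"

# Signature matching: inspect the payload bytes for known patterns.
SIGNATURES = {b"EVIL_TEST_STRING": "test-signature"}  # constructed, not a real IoC

def signature_match(pkt: Packet):
    for pattern, name in SIGNATURES.items():
        if pattern in pkt.payload:
            return name
    return None

# Anomaly detection: count packets per source per one-second window and flag
# sources exceeding a multiple of the assumed baseline rate (a traffic spike).
def anomaly_sources(packets, baseline_pps=10, factor=5):
    counts = defaultdict(int)
    for p in packets:
        counts[(p.src, int(p.ts))] += 1
    return sorted({src for (src, _), n in counts.items() if n > baseline_pps * factor})

SAMPLE = (
    [Packet(0.0, "192.0.2.10", 64, b"GET / HTTP/1.1")]
    + [Packet(0.1, "203.0.113.5", 64, b"hello")]
    + [Packet(0.2, "192.0.2.11", 64, b"xxEVIL_TEST_STRINGxx")]
    + [Packet(1.0 + i / 100, "198.51.100.7", 64, b"x") for i in range(80)]
)

def classify(packets):
    """Per-packet (filter decision, signature hit) plus sources flagged by rate."""
    per_packet = [(header_filter(p), signature_match(p)) for p in packets]
    return per_packet, anomaly_sources(packets)
```

The flood source is never caught by the header or signature checks (its packets are individually harmless), which is the point the first post makes about anomaly detection seeing what packet inspection alone misses.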