Question is based on AWS Fortinet 7000
What is application ID in an application firewall and how is it used? What does a firewall signature mean?
Application Firewall:
Application firewalls (AFs) are sometimes confused with IPSs in that they can perform IPS-like functions. But an AF is specifically designed to limit or deny an application’s level of access to a system’s OS—in other words, closing any openings into a computer’s OS to deny the execution of harmful code within an OS’s structure. AFs work by looking at applications themselves, monitoring the kind of data flow from an application for suspicious or administrator-blocked content from specific Web sites, application-specific viruses, and any attempt to exploit an identified weakness in an application’s architecture. Though AF systems can conduct intrusion prevention duties, they typically employ proxies to handle firewall access control and focus on traditional firewall-type functions. Application firewalls can detect the signatures of recognized threats and block them before they can infect the network.
The functionality of these various application firewalls differs slightly, but a best-of-breed commercial product will provide the following:
■ URL/URI access lists
■ Input validation at a field level
■ Protection from SQL-injection and operating system command injection
■ Forceful browsing protection
■ Cookie poisoning protection
■ Protection from common configuration flaws (such as publishing and admin functions)
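The following is an added example, not code from the original answer or from any vendor product named on this page. It shows three of the listed controls in working form: a URL/URI access list (which also stops forceful browsing to unlisted paths such as admin functions), allowlist validation at the field level, and cookie integrity checking against poisoning. The paths, field names, regexes and the demo signing key are all constructed for the example.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed policy for a hypothetical web application behind the firewall.
# URL/URI access list: only these path prefixes are reachable. Anything else
# (for example /admin) is denied, which is what blocks forceful browsing.
ALLOWED_PATHS = ("/login", "/search", "/account")

# Field-level input validation: an allowlist regex per form field. Input that
# does not match the expected shape (quotes, comment markers, shell
# metacharacters, over-long values) is rejected before it reaches the app,
# which is how injection protection is applied at the field level.
FIELD_RULES = {
    "username": re.compile(r"[A-Za-z0-9_.-]{1,32}"),
    "page": re.compile(r"[0-9]{1,4}"),
    "q": re.compile(r"[A-Za-z0-9 ]{0,64}"),
}

# Demo key only; a real deployment takes this from a managed secret store.
COOKIE_KEY = b"constructed-demo-key"


@dataclass
class Request:
    path: str
    params: Dict[str, str]
    cookies: Dict[str, str] = field(default_factory=dict)


@dataclass
class Decision:
    allowed: bool
    reason: str


def sign_cookie(value: str) -> str:
    """Cookie poisoning protection: the firewall appends an HMAC when the
    cookie is set, so a client that edits the value cannot produce a valid tag."""
    mac = hmac.new(COOKIE_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def verify_cookie(signed: str) -> Optional[str]:
    """Return the original cookie value if the HMAC is valid, else None."""
    value, sep, mac = signed.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(COOKIE_KEY, value.encode(), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the tag through timing differences
    return value if hmac.compare_digest(mac, expected) else None


def inspect(req: Request) -> Decision:
    """Apply the policy in order: access list, field validation, cookie integrity."""
    if not any(req.path == p or req.path.startswith(p + "/") for p in ALLOWED_PATHS):
        return Decision(False, f"path not in access list: {req.path}")

    for name, value in req.params.items():
        rule = FIELD_RULES.get(name)
        if rule is None:
            return Decision(False, f"unknown field: {name}")
        if not rule.fullmatch(value):
            return Decision(False, f"field {name!r} failed validation")

    for name, signed in req.cookies.items():
        if verify_cookie(signed) is None:
            return Decision(False, f"cookie {name!r} failed integrity check")

    return Decision(True, "ok")


if __name__ == "__main__":
    sid = sign_cookie("session=abc")
    print(inspect(Request("/search", {"q": "hello world"})))
    print(inspect(Request("/admin", {})))
    print(inspect(Request("/login", {"username": "bob' OR 1=1--"})))
    print(inspect(Request("/account", {}, {"sid": sid})))
    print(inspect(Request("/account", {}, {"sid": sid.replace("abc", "xyz")})))
```

The design point is that every check is an allowlist: the firewall enumerates what is acceptable (paths, field shapes, cookies it signed itself) and rejects everything else, rather than trying to enumerate every malicious input.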
Application ID:
App-ID determines what the application is as soon as the traffic hits the firewall appliance, irrespective of port, protocol, encryption (SSL and SSH) or other evasive tactic employed. Applications and application functions are identified via multiple techniques, including application signatures, decryption (if needed), protocol decoding, and heuristics. App-ID enables you to see the applications on your network and learn how they work, their behavioral characteristics, and their relative risk. This allows granular control, for example, allowing only sanctioned Office 365 accounts, or allowing Slack for instant messaging but blocking file transfer.

In the Barracuda Web Application Firewall, an Application Id (App Id) is a way to tag multiple application end points. This enables any reporting engine to aggregate reports across the end points that have the same App Id. App Id can be configured for a service or a content routing rule. By default, the App Id takes the same value as the name that is assigned to the service or the content routing rule. This field (App Id field) is a part of all the Web Firewall Logs and Access Logs generated by the Barracuda Web Application Firewall.
Firewall Signature:
A signature is a set of rules that an IDS and an IPS use to detect typical intrusive activity, such as DoS attacks. You can easily install signatures using IDS and IPS management software such as Cisco IDM. Sensors enable you to modify existing signatures and define new ones.
The intrusion prevention system (IPS) compares traffic against signatures of known threats and blocks traffic when a threat is detected. Network intrusions are attacks on, or other misuses of, network resources. To detect such activity, IPS uses signatures. A signature specifies the types of network intrusions that you want the device to detect and report. Whenever traffic matching a signature's pattern is found, IPS triggers the alarm and blocks the traffic from reaching its destination. The signature database is one of the major components of IPS. It contains definitions of different objects, such as attack objects, application signature objects, and service objects, which are used in defining IPS policy rules.
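As an added example covering both the App-ID section and the signature section above (it is not code from the original answer or from any vendor named on the page), here is a small inspection engine that first identifies the application from the client's opening bytes, independently of the destination port, and then runs threat signatures over the same traffic, raising an alarm and blocking when one matches. The application signatures, threat signatures, flood threshold and sample flows are all constructed for the example; real products ship far larger signature databases.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List


@dataclass(frozen=True)
class Flow:
    ts: float        # seconds since start of capture (constructed)
    src: str         # client address
    dport: int       # destination port; note the engine never consults it
    payload: bytes   # first bytes sent by the client


@dataclass(frozen=True)
class AppSignature:
    app: str
    pattern: re.Pattern  # byte regex applied to the start of the payload


@dataclass(frozen=True)
class ThreatSignature:
    name: str
    pattern: re.Pattern
    action: str  # "alert" = report only, "block" = report and drop


@dataclass
class Verdict:
    app: str
    alerts: List[str] = field(default_factory=list)
    blocked: bool = False


# Application signature objects (constructed). Identification is by payload
# shape, so HTTP on port 8080 or SSH on port 443 is still named correctly.
APP_SIGS = [
    AppSignature("http", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE) \S+ HTTP/1\.[01]\r\n")),
    AppSignature("ssh", re.compile(rb"^SSH-[12]\.")),
    # TLS record header: content type 0x16 (handshake), version 3.x. The
    # engine can name the protocol but cannot see inside without decryption.
    AppSignature("tls", re.compile(rb"^\x16\x03[\x00-\x03]")),
]

# Attack objects (constructed). Each names a traffic pattern and an action.
THREAT_SIGS = [
    ThreatSignature("http.path-traversal", re.compile(rb"^[A-Z]+ [^ ]*\.\./"), "block"),
    ThreatSignature("ssh.legacy-protocol-1", re.compile(rb"^SSH-1\."), "alert"),
]

# Rate-based rule for connection floods (the DoS case the text mentions):
# more than FLOOD_LIMIT new flows from one source inside FLOOD_WINDOW seconds.
FLOOD_WINDOW = 10.0
FLOOD_LIMIT = 5


def identify_app(payload: bytes) -> str:
    """App-ID step: return the first matching application name, else 'unknown'."""
    for sig in APP_SIGS:
        if sig.pattern.search(payload):
            return sig.app
    return "unknown"


class Engine:
    def __init__(self) -> None:
        self._recent: Dict[str, Deque[float]] = defaultdict(deque)

    def inspect(self, flow: Flow) -> Verdict:
        verdict = Verdict(app=identify_app(flow.payload))

        # Signature matching: alarm on every match, block if any says so.
        for sig in THREAT_SIGS:
            if sig.pattern.search(flow.payload):
                verdict.alerts.append(sig.name)
                if sig.action == "block":
                    verdict.blocked = True

        # Sliding-window flood detection per source address.
        window = self._recent[flow.src]
        window.append(flow.ts)
        while window and flow.ts - window[0] > FLOOD_WINDOW:
            window.popleft()
        if len(window) > FLOOD_LIMIT:
            verdict.alerts.append("dos.connection-flood")
            verdict.blocked = True

        return verdict


if __name__ == "__main__":
    engine = Engine()
    sample = [  # constructed flows
        Flow(0.0, "10.0.0.5", 8080, b"GET /index.html HTTP/1.1\r\nHost: example\r\n"),
        Flow(0.5, "10.0.0.5", 8080, b"GET /static/../../secret HTTP/1.1\r\n"),
        Flow(1.0, "10.0.0.7", 443, b"SSH-2.0-OpenSSH_9.3\r\n"),
    ]
    for f in sample:
        print(f.src, f.dport, engine.inspect(f))
```

Two things the example makes concrete: the application name comes from the payload, not the port number, which is what "irrespective of port" means in practice; and a TLS flow is only ever labelled "tls" here, because finer identification (the Office 365 or Slack examples above) requires the decryption step the text lists.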