Why do most firewalls only inspect packet headers?

The vast majority of firewalls on the market don't inspect the payload of packets - instead they attempt to make decisions based on source address, destination address and the port of the traffic.

Historically many people took the port to be a statement of intent (i.e. port 80 = HTTP) and hence firewalls based decisions on such limited information. It's always been easy to spoof packet header information and, to make things worse, many vendors (Microsoft included) have tunnelled traffic to ensure that applications work with the minimum configuration. As tunnelling becomes ever more popular and spoofing becomes even easier (due to the availability of automated tools), inspecting the payload is imperative.
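As an added illustration (not code from the original post, nor from ISA Server), the following Python compares the classic header-only rule "allow TCP/80" with a rule that also checks that the payload actually looks like an HTTP request. The addresses, network and packets are constructed samples.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed internal network for the source-address check.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")


def header_only_allows(pkt: Packet) -> bool:
    """Classic packet filter: source address + destination port only."""
    return ipaddress.ip_address(pkt.src) in INTERNAL and pkt.dport == 80


# Shape of an HTTP/1.x request line; a stand-in for the protocol
# validation an application-layer firewall performs for HTTP.
REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|TRACE|CONNECT) \S+ HTTP/1\.[01]\r\n"
)


def application_layer_allows(pkt: Packet) -> bool:
    """Header rule plus a payload check: port 80 must really carry HTTP."""
    return header_only_allows(pkt) and REQUEST_LINE.match(pkt.payload) is not None


# Constructed traffic, all addressed to port 80 from an internal host.
SAMPLES = {
    "browser": Packet("10.0.0.5", "203.0.113.10", 80,
                      b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    "ssh_banner_on_80": Packet("10.0.0.5", "203.0.113.10", 80,
                               b"SSH-2.0-OpenSSH_5.1\r\n"),
    "binary_on_80": Packet("10.0.0.5", "203.0.113.10", 80,
                           b"\x16\x03\x01\x00\x9a\x01\x00"),
}


def evaluate(samples=SAMPLES):
    """Return {name: (header_only_verdict, application_layer_verdict)}."""
    return {n: (header_only_allows(p), application_layer_allows(p))
            for n, p in samples.items()}
```

Only the browser request passes both rules; the other two are accepted by the header-only filter because the port "says" HTTP, and rejected once the payload is examined.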

Microsoft has a solution to these problems (as you'd probably expect being that I work for Microsoft) in ISA Server. A small number of other vendors provide application layer firewalls too - what will it take for customers to mandate this functionality as a requirement? I'm really interested to receive your feedback.
