
I'm thinking about going with a security vendor for hosted sites on my VPS, and I'm having a hard time understanding something. (Yes, I know this is OSI terminology, and the sites in question are basic dental and medical practice websites with no eCommerce and no private info (SSN, etc.).)

Their basic plan has a Layer 7 firewall (and I get that that's HTTP, HTTPS, etc.), but their advanced plan has Layer 3/4 coverage as well (and I get that that is IP and TCP/UDP).

1) What I don't understand is the big picture -- does a Layer 7-only firewall ignore problems with Layer 3/4? Is packet inspection skipped?

2) And if so, how necessary is a layer 3/4 firewall if you already have a layer 7 in place?

If there's a book or resource I can read to understand this that would also be great. I want to understand what I'm doing before I make a purchase!

Flup
David A. Wank
  • I don't know how you can have a layer 7 firewall without having a layer 3 firewall, but my _guess_ is that they have a WAF and only expose the WAF rules to you unless you pay them more. – Mark Henderson Jul 28 '16 at 20:54
  • I would check though that even if you don't take the layer 3/4 firewall that your entire server is not naked and exposed on the internet. They should still firewall everything except 80/443. – Mark Henderson Jul 28 '16 at 20:55
  • Exactly. That's what I don't get -- because the basic plan is layer 7. And the pro plan is layer 3,4 and 7. I would figure that they'd give you the level 3,4 as the baseline, and then add the level 7 WAF as the add-on. But it's reversed! – David A. Wank Jul 28 '16 at 21:02
  • They probably throw Cloudflare in front of your site, which basically gives you a WAF for free. More complicated ACLs require additional services. Just my guess. I would ask their sales team for the explanation. – Mark Henderson Jul 28 '16 at 21:08

2 Answers


It sounds like you're getting a bit of misleading jargon. The technical definitions for these types of firewalls are:

  • Layer 3 firewalls (i.e. packet filtering firewalls) filter traffic based solely on source/destination IP, port, and protocol.
  • Layer 4 firewalls do the above, plus add the ability to track active network connections, and allow/deny traffic based on the state of those sessions (i.e. stateful packet inspection).
  • Layer 7 firewalls (i.e. application gateways) can do all of the above, plus include the ability to intelligently inspect the contents of those network packets. For instance, a Layer 7 firewall could deny all HTTP POST requests from Chinese IP addresses. This level of granularity comes at a performance cost, though.

Since the proper definitions don't line up with their pricing scheme, I think they're using Layer 7 as a (technically incorrect) reference to a software firewall running on your VPS. Think along the lines of iptables or Windows Firewall. Should you pony up the extra fees, they'll put your VPS behind a proper network firewall. Maybe.

If they can't be bothered to use proper terminology when describing their VPS solution to potential customers, I'd question their competence in other areas as well.

immortal squish
  • Stateful Packet Inspection isn't just TCP, it encompasses all layer 4 communication tracking. If I see an outbound UDP packet on 53 to X I expect to get an inbound UDP packet from X on 53 in the near future and will allow it. Conversely unmatched inbound UDP traffic on 53 will be dropped. – Dev Jul 28 '16 at 23:54
  • On top of improper terminology, they also can't be bothered to present the services they're offering in a way that users can actually figure out what they're buying. Also not a good sign. – jpmc26 Jul 29 '16 at 04:05
  • @Dev, You're correct about stateful packet inspection not just being limited to TCP. I've updated the answer appropriately. – immortal squish Jul 29 '16 at 14:43
  • Yes! I spoke with the company and apparently there was some "marketing" jargon that got in the way -- all of their firewalls are 3,4,7. Thank you! – David A. Wank Jul 31 '16 at 03:23
  • I question the characterization in the last paragraph. Even the most competent technical departments can find it difficult to convince marketing to use precise terminology. – Barmar Aug 02 '16 at 18:35
  • The intention isn't to imply that incorrect terminology is an automatic sign that you should go elsewhere. It is an indicator that the business may have internal issues with communication and/or technical capabilities, though. – immortal squish Aug 02 '16 at 20:59
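The three definitions in the answer above, as an added example that is not code from the original answer or from any vendor's product: a toy Python simulation in which each filter class adds one layer's capability. Everything in it is constructed for illustration: the VPS address 203.0.113.10 and the other addresses (RFC 5737 documentation ranges), the `Packet` type, the `Layer3Filter`/`Layer4Filter`/`Layer7Filter` classes and the nine packets in `run_scenario()`. The answer's "deny all HTTP POST requests from Chinese IP addresses" rule becomes "deny POST from 192.0.2.0/24". The scenario also exercises the two points raised in the comments: everything except 80/443 is dropped at every layer, and a DNS reply gets back in only when the firewall remembers the outbound query that caused it.

```python
"""Toy Layer 3 / 4 / 7 packet filters, one class per layer.
Added example for illustration; not code from the original answer or any vendor.
Addresses are constructed from documentation ranges; packets are hand-built."""
import ipaddress
from dataclasses import dataclass

VPS_IP = "203.0.113.10"  # the hosted VPS (constructed)


@dataclass(frozen=True)
class Packet:
    direction: str        # "in" (towards the VPS) or "out" (sent by the VPS)
    proto: str            # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False     # TCP SYN flag: a new connection attempt
    payload: bytes = b""  # start of the application data, if any


class Layer3Filter:
    """Stateless: judges each packet on addresses, ports and protocol alone."""
    def __init__(self, allowed_inbound):
        self.allowed_inbound = set(allowed_inbound)  # e.g. {("tcp", 80), ("tcp", 443)}

    def decide(self, pkt):
        if pkt.direction == "out":
            return "accept"
        return "accept" if (pkt.proto, pkt.dport) in self.allowed_inbound else "drop"


class Layer4Filter(Layer3Filter):
    """Stateful: remembers flows the host started (UDP too) so replies get back in,
    and refuses mid-stream TCP that has no state."""
    def __init__(self, allowed_inbound):
        super().__init__(allowed_inbound)
        self.flows = set()  # (proto, local_ip, local_port, remote_ip, remote_port)

    def decide(self, pkt):
        if pkt.direction == "out":
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "accept"
        flow = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if flow in self.flows:
            return "accept"              # ESTABLISHED: reply to a known flow
        if (pkt.proto, pkt.dport) not in self.allowed_inbound:
            return "drop"
        if pkt.proto == "tcp" and not pkt.syn:
            return "drop"                # INVALID: no SYN and no state (e.g. ACK scan)
        self.flows.add(flow)             # NEW connection to a served port
        return "accept"


class Layer7Filter(Layer4Filter):
    """Application gateway: all of the above, plus a look inside the HTTP request."""
    def __init__(self, allowed_inbound, post_denied_from):
        super().__init__(allowed_inbound)
        self.post_denied_from = [ipaddress.ip_network(n) for n in post_denied_from]

    def decide(self, pkt):
        verdict = super().decide(pkt)
        if verdict == "accept" and pkt.direction == "in" and pkt.dport == 80 and pkt.payload:
            return self.inspect_http(pkt)
        return verdict

    def inspect_http(self, pkt):
        try:
            method, _target, version = pkt.payload.split(b"\r\n", 1)[0].decode("ascii").split(" ")
        except (UnicodeDecodeError, ValueError):
            return "drop"                # not an HTTP request line at all
        if not version.startswith("HTTP/"):
            return "drop"
        if method == "POST" and any(ipaddress.ip_address(pkt.src) in n for n in self.post_denied_from):
            return "drop"                # the answer's "no POST from <range>" rule
        return "accept"


def run_scenario():
    """Replay the same constructed traffic through each filter; return verdicts."""
    client, scanner, resolver = "192.0.2.5", "198.51.100.7", "198.51.100.53"
    get = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    post = b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n\r\nuser=x"
    traffic = {  # insertion order matters: the stateful filters learn from it
        "dns_query_out":     Packet("out", "udp", VPS_IP, 51234, resolver, 53),
        "dns_reply_in":      Packet("in", "udp", resolver, 53, VPS_IP, 51234),
        "udp_unsolicited":   Packet("in", "udp", "192.0.2.99", 53, VPS_IP, 40000),
        "http_syn":          Packet("in", "tcp", client, 40001, VPS_IP, 80, syn=True),
        "http_get":          Packet("in", "tcp", client, 40001, VPS_IP, 80, payload=get),
        "http_post_blocked": Packet("in", "tcp", client, 40001, VPS_IP, 80, payload=post),
        "not_http_on_80":    Packet("in", "tcp", client, 40001, VPS_IP, 80, payload=b"\x16\x03\x01\x00\xa5"),
        "ssh_syn":           Packet("in", "tcp", "192.0.2.7", 40002, VPS_IP, 22, syn=True),
        "ack_scan":          Packet("in", "tcp", scanner, 40003, VPS_IP, 80),
    }
    web_only = {("tcp", 80), ("tcp", 443)}
    filters = {"L3": Layer3Filter(web_only), "L4": Layer4Filter(web_only),
               "L7": Layer7Filter(web_only, post_denied_from=["192.0.2.0/24"])}
    return {name: {k: f.decide(p) for k, p in traffic.items()} for name, f in filters.items()}


if __name__ == "__main__":
    for name, verdicts in run_scenario().items():
        print(name, verdicts)
```

Reading the three result rows side by side shows where each layer stops: the stateless filter either drops the DNS reply or would have to open every high UDP port, and it happily accepts a bare ACK to port 80; the stateful one lets the reply in and drops the ACK scan but cannot see that the accepted packet on port 80 carries a POST, or carries no HTTP at all; only the application gateway can act on that. In iptables terms the `Layer4Filter` is the usual `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` followed by `--ctstate INVALID -j DROP` and per-port `NEW` rules, which is exactly the "firewall everything except 80/443" baseline the comments ask for.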

The first is an application layer firewall. It probably works as an HTTP(S) proxy where the requests are made to the proxy, which filters all the requests and then sends them to your server. If the company you're going to buy from uses an HTTP proxy, your server IP will be totally hidden from the web, which is really good. If you just need to protect your websites this is the simplest solution you can have and it "just works". This is the method that CloudFlare uses, for example.

The second is a network layer firewall. It's a more advanced firewall that filters all traffic before it reaches your server. This one is by far the most effective and efficient, as you can protect any kind of application, but you'd need a really big setup with BGP announcements, filtered IP blocks, tunnels and so on. This is commonly used with services that receive big DDoS attacks and host critical applications, e-commerce and games.

Keeping it short: if you just need to secure your websites, use the Layer 7 solution. If you need an advanced firewall that filters any kind of application, protection against DDoS attacks and so on, use the Layer 3-4 solution.

Here you can read more about CloudFlare, which I think is the right solution for you: https://www.quora.com/How-does-CloudFlare-work