Helder Pereira, Andre Ribeiro, Paulo Carvalho*
PT Inovação, S.A.
Tel.: +351 253 604436
Fax.: +351 253 604471
E-mail: paulo at di.uminho.pt
The common process of classifying network traffic resorting to a set
of IP header fields and well-known communication ports is highly
fallible as some applications try to hide their true nature by, for
instance, using dynamic, non-default ports. In this paper, we argue and
demonstrate that application layer inspection is a possible and
convenient approach to derive the correct application protocol. This
detection and classification process is crucial to allow an efficient
control of traffic entering the network. Taking pfSense as a case
study, we extend its current layer 3 and 4 classification scheme with
layer 7 (L7) capabilities, providing a powerful solution to
control traffic based on application patterns. We propose the concept
and use of L7 containers so that a user can easily create a set of
rules for inspection, which will drive lower-level traffic control. In
addition, we propose and implement a mechanism to automatically create
useful application inspection scenarios.
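
The following added example (not code from the paper or from pfSense) contrasts port-based classification with payload inspection and lets a rule set pick the traffic-control action. The payload patterns, the container layout and the action names ("block", "queue:low") are simplified assumptions made for illustration.

```python
import re

# Port-to-protocol table, as a layer 3/4 classifier would use it.
WELL_KNOWN_PORTS = {22: "ssh", 25: "smtp", 80: "http", 443: "tls"}

# Simplified payload signatures written for this example (assumptions, not
# the patterns shipped with pfSense or any pattern library).
L7_PATTERNS = {
    "http": re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n"),
    "ssh": re.compile(rb"^SSH-[12]\.[0-9]+-"),
    "bittorrent": re.compile(rb"^\x13BitTorrent protocol"),
    "tls": re.compile(rb"^\x16\x03[\x00-\x04]"),
}

# Hypothetical "L7 container": a named rule set mapping protocol -> action.
CONTAINER = {"name": "office-policy",
             "rules": {"bittorrent": "block", "ssh": "queue:low"}}

def classify_by_port(dst_port):
    """Layer 4 view: trust the destination port."""
    return WELL_KNOWN_PORTS.get(dst_port, "unknown")

def classify_by_payload(payload):
    """Layer 7 view: match the first payload bytes against each pattern."""
    for proto, pattern in L7_PATTERNS.items():
        if pattern.match(payload):
            return proto
    return "unknown"

def decide(flow, container=CONTAINER):
    """Return (port_guess, l7_protocol, action) for one flow."""
    port_guess = classify_by_port(flow["dst_port"])
    l7 = classify_by_payload(flow["payload"])
    # Protocols without a rule in the container are passed unchanged.
    return port_guess, l7, container["rules"].get(l7, "pass")

# Constructed sample flows: first bytes of the client-to-server payload.
FLOWS = [
    {"dst_port": 80, "payload": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"},
    {"dst_port": 80, "payload": b"\x13BitTorrent protocol" + b"\x00" * 8},
    {"dst_port": 443, "payload": b"SSH-2.0-OpenSSH_9.6\r\n"},
    {"dst_port": 6881, "payload": b"\x16\x03\x01\x02\x00\x01"},
]

if __name__ == "__main__":
    for f in FLOWS:
        print(f["dst_port"], *decide(f))
```

The second and third flows are the cases the abstract describes: the port says "http" or "tls", while the payload identifies a different protocol and the container's rule applies.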