First there were packet filters. Then stateful inspection firewalls; then intrusion detection. Now the latest Internet defense technology - deep packet inspection firewalls - is being touted as the best line of defense against worms that can sneak past earlier technology to wreak havoc in corporate networks. The issue with these application-layer firewalls seems to be whether they should be placed at all Internet gateways and whether they are worth the cost. By analyzing packets not just in isolation, but by reassembling and analyzing the packet streams that make up individual application sessions, these application-layer firewalls can spot odd behavior by particular protocols that can signal a brand-new attack. Customers that use these products say their value is undeniable. "Now you can block [malicious traffic] as you detect it, at the edge. And the deep packet inspection [technology] can update the firewall," says Steven Goldsby, CEO and founder of Integrated Computer Solutions in Montgomery, Ala., which uses Fortinet's Complete Content Inspection gear. "If it identifies an attack, then it can automatically block the IP address."