What risks will I run by not implementing an application-layer firewall? Am I leaving myself wide open by not using an application-layer firewall?
Application-layer filtering firewalls are required to protect networks from modern attackers because attackers now focus their efforts on developing exploits against weaknesses in the services they attack. Since the application layer is the least protected layer, attackers use a variety of application-specific exploits and target the known and unknown weaknesses in server services in order to take control. For example: Stateful inspection firewalls just don't detect worms that are injected as a malicious code within the protocols, since they only look at network-layer packet headers. Worms require a deep inspection for identifying the signatures and the stream to that particular session to analyze the content. An application-layer filtering firewall is able to examine the application-layer commands and data to determine whether the content or commands being sent to a server on the corporate network fall outside the bounds of valid connection attempts.
Another good example of the application layer-risk is buffer overflow attacks against server services. This is one of the most common methods attackers use to disable a network service and potentially take control of the server running the network service. For instance, to initiate an attack, the attacker can craft a packet containing oversized SMTP commands and then send them to an SMTP mail server. If the mail server implementation has a known or unknown buffer overflow weakness, the attack could disable or take over the server. An application-layer firewall is capable of filtering the SMTP traffic and blocks the buffer overflow attempt at the firewall itself, preventing the attack to get past the firewall.
This was first published in November 2007