These firewalls do a good job of mitigating common network threats, from IP spoofing and ping of death to port scans and SYN flooding. But, as network firewalls have grown more robust, persistent intruders have adjusted their targets. Today's most dangerous attacks are aimed at specific application protocols, coding flaws, and configuration errors. Application firewall appliances can help network engineers defeat these increasingly focused and specialized application attacks.
What is an application firewall?
Over the past few years, many conventional SPI firewalls have morphed into "deep packet inspection" firewalls that peer into application payload to spot forbidden or malformed URLs and virus-laden mail messages. Conventional proxy firewalls have been expanded as well, looking more closely at messages relayed between client and server applications. Both have been called application layer firewalls because they control traffic flow and deflect attacks based on policy, signature, and/or behavior associated with application protocols. But, while these firewalls have raised their sights, they are still general-purpose firewalls.
By comparison, a specialized application firewall is a security system specifically designed to protect and defend a specific business application. For example, Web application firewalls examine HTTP/HTTPS/SOAP/XML requests and responses, looking for known and zero-day attacks against Web servers and the Web applications they support. VoIP firewalls filter and proxy SIP/SIPS/RTCP/RTP streams, mapping calls to registered user agents and defending VoIP servers from the outside world. In short, any sensitive business application can be associated with heightened threat and risk, creating an opportunity for application firewalls.
Deploying application firewall appliances
Appliances that focus on firewalling a specific business application do not replace general-purpose firewalls. Instead, application firewall appliances complement existing network defenses. Deployment models depend upon the business application, existing network architecture, and firewall appliance capabilities.
For example, a Web application firewall appliance may operate as a transparent bridge, dropped right in front of an existing Web server pool. Or the appliance may be deployed as a NAT-ing router, providing one external IP address through which all Web servers are reached. Or it may operate as a reverse proxy, accelerating SSL and load balancing HTTP across a server pool. In all three cases, inbound traffic may still be screened by a general-purpose network firewall (at the perimeter) before reaching the application firewall (in a DMZ) that is dedicated to Web defenses.
Choosing the right application firewall appliance
Many considerations that apply when shopping for a general-purpose network firewall appliance still apply to application firewall appliances, including hardened platforms and operating systems, secure administrative interfaces, ASIC processing to reduce data latency, high availability, granular rules that can implement your defined traffic policy, and audit capabilities that can satisfy regulatory reporting needs. Industry certification programs like Common Criteria detail IT security requirements like these for general-purpose firewalls. Beyond this baseline, application firewalls must meet specialized requirements that reflect the target business application.
To illustrate, let's drill into features expected from a Web application firewall, as specified by the Web Application Security Consortium. Web Application Firewall Evaluation Criteria (WAFEC) covers deployment architectures, HTTP/HTML/XML support, detection and protection techniques, logging and reporting capabilities, management, and performance. For example, Web firewalls are required to support common HTTP versions, encoding types, file transfer methods, and web authentication schemes. They must provide protocol validation, be able to filter HTTP by content/character set/length, detect signature evasion attempts, and transform input data into normalized form. They should defend Web servers against attacks that use poisoned cookies, hidden form fields, cross-site scripting, SQL injection, and buffer overflows.
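The WAFEC requirements above call for normalizing input before matching and for detecting signature evasion. The following is an added illustration, not code from the article or from WASC: a small Python inspector that repeatedly percent-decodes each parameter, matches constructed signatures against both the raw and the normalized value, and applies length and character-set checks. The signatures, limits and sample queries are all constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed, illustrative signatures (not a production rule set).
SIGNATURES = {
    "xss-script-tag": re.compile(r"<\s*script", re.IGNORECASE),
    "sqli-tautology": re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE),
}
MAX_PARAM_LEN = 256      # constructed per-parameter length limit
MAX_DECODE_PASSES = 3    # bound on repeated percent-decoding


def normalize(value: str) -> str:
    """Canonicalize a value before matching: decode repeatedly until stable
    (defeats double encoding), map '+' to space, collapse whitespace, lowercase."""
    current = value
    for _ in range(MAX_DECODE_PASSES):
        decoded = unquote_plus(current)
        if decoded == current:
            break
        current = decoded
    return re.sub(r"\s+", " ", current).lower()


def validate(value: str) -> list[str]:
    """Length and character-set checks on the normalized value."""
    problems = []
    if len(value) > MAX_PARAM_LEN:
        problems.append("length-exceeded")
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in value):
        problems.append("non-printable-or-non-ascii")
    return problems


def inspect_value(raw: str) -> dict:
    """Signature hits on raw vs. normalized text, plus validation findings."""
    norm = normalize(raw)
    return {
        "normalized": norm,
        "raw_hits": sorted(n for n, p in SIGNATURES.items() if p.search(raw)),
        "normalized_hits": sorted(n for n, p in SIGNATURES.items() if p.search(norm)),
        "validation": validate(norm),
    }


def inspect_query(query: str) -> dict[str, dict]:
    """Inspect every parameter of a still-encoded query string."""
    results = {}
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        results[name] = inspect_value(value)
    return results
```

Running `inspect_query("q=%253Cscript%253E")` shows the point: the raw text matches no signature, while the normalized value `<script>` does, which is why matching must follow normalization rather than precede it.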
Finding a Web application firewall appliance
Like general-purpose network firewalls, application firewalls are available in both software and hardware form factors. Continuing with Web application firewalls as our example, ModSecurity is a popular open source firewall designed to protect Apache servers. Appliances that provide dedicated protection for Web applications (including related services like XML) include those from Citrix, F5, Forum, Imperva, Netcontinuum, Reactivity, Sarvega and Vordel.
This was first published in September 2006