Security Spotlight:
Application firewalls offer specialized protection

14 Sep 2006 | Lisa Phifer, Core Competence


Stateful packet inspection (SPI) firewalls control traffic flow based upon link, network and transport layer fields like interface, protocol type, IP address, and port number. Proxy firewalls can go further, acting as the source and sink for application messages so that they can enforce application-specific rules.

These firewalls do a good job of mitigating common network threats, from IP spoofing and ping of death to port scans and SYN flooding. But, as network firewalls have grown more robust, persistent intruders have adjusted their targets. Today's most dangerous attacks are aimed at specific application protocols, coding flaws, and configuration errors. Application firewall appliances can help network engineers defeat these increasingly focused and specialized application attacks.

What is an application firewall?
Over the past few years, many conventional SPI firewalls have morphed into "deep packet inspection" firewalls that peer into application payload to spot forbidden or malformed URLs and virus-laden mail messages. Conventional proxy firewalls have been expanded as well, looking more closely at messages relayed between client and server applications. Both have been called application layer firewalls because they control traffic flow and deflect attacks based on policy, signature, and/or behavior associated with application protocols. But, while these firewalls have raised their sights, they are still general-purpose firewalls.

By comparison, a specialized application firewall is a security system designed to protect and defend one specific business application. For example, Web application firewalls examine HTTP/HTTPS/SOAP/XML requests and responses, looking for known and zero-day attacks against Web servers and the Web applications they support. VoIP firewalls filter and proxy SIP/SIPS/RTCP/RTP streams, mapping calls to registered user agents and defending VoIP servers from the outside world. In short, any sensitive business application can be associated with heightened threat and risk, creating an opportunity for application firewalls.

Deploying application firewall appliances
Appliances that focus on firewalling a specific business application do not replace general-purpose firewalls. Instead, application firewall appliances complement existing network defenses. Deployment models depend upon the business application, existing network architecture, and firewall appliance capabilities.

For example, a Web application firewall appliance may operate as a transparent bridge, dropped right in front of an existing Web server pool. Or the appliance may be deployed as a NAT-ing router, providing one external IP address through which all Web servers are reached. Or it may operate as a reverse proxy, accelerating SSL and load balancing HTTP across a server pool. In all three cases, inbound traffic may still be screened by a general-purpose network firewall (at the perimeter) before reaching the application firewall (in a DMZ) that is dedicated to Web defenses.

Choosing the right application firewall appliance
Many considerations that apply when shopping for a general-purpose network firewall appliance still apply to application firewall appliances, including hardened platforms and operating systems, secure administrative interfaces, ASIC processing to reduce data latency, high availability, granular rules that can implement your defined traffic policy, and audit capabilities that can satisfy regulatory reporting needs. Industry certification programs like Common Criteria detail IT security requirements like these for general-purpose firewalls. Beyond this baseline, application firewalls must meet specialized requirements that reflect the target business application.

To illustrate, let's drill into features expected from a Web application firewall, as specified by the Web Application Security Consortium. Web Application Firewall Evaluation Criteria (WAFEC) covers deployment architectures, HTTP/HTML/XML support, detection and protection techniques, logging and reporting capabilities, management, and performance. For example, Web firewalls are required to support common HTTP versions, encoding types, file transfer methods, and web authentication schemes. They must provide protocol validation, be able to filter HTTP by content/character set/length, detect signature evasion attempts, and transform input data into normalized form. They should defend Web servers against attacks that use poisoned cookies, hidden form fields, cross-site scripting, SQL injection, and buffer overflows.
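The following is an added example, not code from the article or from any vendor's product: a minimal Python model of three of the WAFEC behaviours listed above (protocol validation, length filtering, and normalization before signature matching, with detection of multi-layer encoding as an evasion attempt). The signature patterns, the `ALLOWED_METHODS` set and the sample requests are constructed for illustration.

```python
"""Illustrative WAF-style request inspection (constructed example, not ModSecurity's code)."""
import re
import unicodedata
from urllib.parse import unquote_plus

# Hypothetical signatures, written lower-case because matching runs only on normalized text.
SIGNATURES = {
    "sqli-union-select": re.compile(r"\bunion\b(\s+all)?\s+\bselect\b"),
    "xss-script-tag": re.compile(r"<\s*script\b"),
}
ALLOWED_METHODS = {"GET", "POST", "HEAD"}  # assumed policy for this example


def normalize(value: str, max_rounds: int = 3) -> tuple[str, int]:
    """Canonicalize one request field the way a WAF does before signature matching.

    Repeated percent-decoding undoes double encoding (%2527 -> %27 -> ');
    NFKC folding plus lower-casing removes full-width and mixed-case variants;
    SQL block comments and runs of whitespace are collapsed so padding such as
    'UNION/**/SELECT' cannot split a signature's tokens.
    Returns the canonical string and the number of decode rounds that changed it.
    """
    rounds = 0
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    value = unicodedata.normalize("NFKC", value).lower()
    value = re.sub(r"/\*.*?\*/", " ", value)
    value = re.sub(r"\s+", " ", value)
    return value, rounds


def inspect_request(method: str, path: str, body: str = "", max_len: int = 2048) -> list[str]:
    """Return the sorted names of policy violations found in a single request."""
    findings = []
    if method not in ALLOWED_METHODS or not path.startswith("/"):
        findings.append("protocol-violation")
    if len(path) + len(body) > max_len:
        findings.append("length-exceeded")
    for field in (path, body):
        canonical, rounds = normalize(field)
        if rounds > 1:  # one layer of URL encoding is normal; two or more is an evasion signal
            findings.append("evasion-multiple-encoding")
        for name, pattern in SIGNATURES.items():
            if pattern.search(canonical):
                findings.append(name)
    return sorted(set(findings))
```

Running a signature directly against the raw, still-encoded path misses the payload; the same signature fires once the field has been normalized, which is why WAFEC lists normalization and evasion detection alongside signature matching.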

Finding a Web application firewall appliance
Like general-purpose network firewalls, application firewalls are available in both software and hardware form factors. Continuing with Web application firewalls as our example, ModSecurity is a popular open source firewall designed to protect Apache servers. Appliances that provide dedicated protection for Web applications (including related services like XML) include those from Citrix, F5, Forum, Imperva, Netcontinuum, Reactivity, Sarvega and Vordel.

To learn more about general-purpose and specialized application firewalls, consult SearchNetworking.com's Firewall Resource Guide, which includes tips exploring VoIP firewalls and email firewalls.

About the author:
Lisa Phifer owns Core Competence Inc., a consulting firm specializing in network security and management technology. Lisa has been involved in the design, implementation and evaluation of data communications, internetworking, security and network management products for over 20 years. At Core Competence, she has advised large and small companies regarding security needs, product assessment and the use of emerging technologies and best practices. Lisa teaches about wireless LANs, mobile security and virtual private networking at many industry conferences and on-line webinars. Lisa's WLAN Advisor column is published by SearchNetworking.com, where she is a site expert on wireless LANs. She also has written extensively about network infrastructure and security technologies for numerous publications including Wi-Fi Planet, ISP-Planet, Business Communications Review, Information Security and SearchSecurity.com.
