Application firewall tips and tricks

Hardware vs. software
Application firewalls come in many different flavors, but really fall into two main categories: hardware and software. Hardware firewalls run on a dedicated appliance, often having a hardened operating system designed specifically for the task of firewalling. Software firewalls are installed on a general-purpose machine located between trust zones such as at the network perimeter, or in the case of a personal firewall, on the actual desktop machine.

Purpose-built hardware appliances generally deliver better performance, but are more complex to set up and configure. If you choose a software-based solution, make sure it runs on a platform your IT department is familiar with in order to avoid additional training and support issues. Software solutions often provide more flexibility than hardware solutions, but you need to ensure that the operating system the firewall is running on is patched and maintained on a regular basis.

Set up and rule sets

More information Learn about the different varieties of firewalls in this tip on choosing a firewall. Learn about the pros and cons of application firewalls in this tip. Browse more Network & Systems Management tips. Browse more tips on network security.

When it comes to setting up your firewall, most IT security books will tell you to start by denying all traffic by default, and then only allowing traffic that is expressly required -- the classic access model used in information security. However, you should be aware of how such an implicit deny rule affects and changes how a firewall behaves. For example, when a packet matches a rule in the access list, the packet is immediately dropped by a deny rule or forwarded by a permit rule. Because it isn't tested against any other rules you may have set in the access list, it is essential that you always put specific filters before general filters. Otherwise, a general rule might allow a packet access that may have been denied by a more specific rule later in the access list.

It helps if you build your set of rules in advance, putting the implicit deny rule at the end, as adding rules ad hoc can radically change how your firewall manages traffic. Approaching the access list rules from a "allow what you need" rather than "deny what you don't" perspective can also make the purpose of each rule that much more reasoned.

You should also implement rules for outbound traffic, ensuring that only packets with your network's source address leave the network. This egress filtering is essential to stop spyware and botnets from phoning home.

Whitelisting, blacklisting and auditing
Whitelists and blacklists define which sites, IP addresses, applications, etc., are to be trusted and which are not, respectively. You can use one or the other, or both. A whitelist approach is more restrictive and is ideal for a network that has a limited need for Internet access and a stable application requirement. However, while a whitelist is generally a more secure approach than a blacklist, it can give a false sense of security because malicious code can turn a trusted machine or application into an untrusted one in seconds by giving control to a hacker via Trojan or Zombie programs. Blacklists have a higher administrative overhead as they need regular updates to be effective and are of no use at all against a new unknown threat.

To help keep white and blacklists up to date, it is essential to log and audit the traffic passing through your application-layer firewall. Logs are invaluable for verifying that the firewall is operating effectively and for analyzing problems or attacks when they occur. Make sure you have the ability to audit and analyze your logs regularly. Even on a small network, the volume of traffic will create log files that are too large to manually audit, so you will need a full-featured log analyzer and the time to review its output.

This article originally appeared on SearchSecurity.com.

About the author
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for SearchSecurity's Web Security School and, as a SearchSecurity.com site expert, answers user questions on application and platform security.

Rate this Tip To rate tips, you must be a member of SearchNetworking.com. Register now to start rating these tips. Log in if you are already a member. Submit a Tip Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Network Security Application-specific network intrusion detection systems emerge Anomaly-based intrusion protection configuration and installation Preventing hacker attacks with network behavior analysis IPS Rogue access points: Preventing, detecting and handling best practices The TPM chip: An unexploited resource for network security Shifting defenses and dynamic perimeters challenge network security Compliance in a virtualized world: Server virtualization and NAC security Securing the new network architecture: Security for distributed, dynamic networks How to configure Windows Server 2008 advanced firewall MMC snap-in USB storage devices: Two ways to stop the threat to network security Network Management Green enterprise: Three networking investments that make a difference Distributed network management means no more hard NOCs Green data center networks: Smarter architecture, not expensive devices Internal cloud computing on the cheap: Free automated provisioning? With virtual OS and virtual applications, who needs virtual machines? Application switch testing: An easy RFP guide Virtualization: The next generation of application delivery challenges Improving the performance of Web traffic and application delivery The link between network management and application delivery How to align network usage information to business processes Network Security Best Practices and Products 3Com acquisition confirms HP-Cisco battle for China Enterprises demand next-generation firewalls with IPS, app visibility Preventing hacker attacks with network behavior analysis IPS Is there a way to trace my stolen laptop computer? Integrating NAC with network security tools Should organizations separate technical from administrative security? What network equipment is needed to secure a small business LAN? Ethical hacking and countermeasures: Network penetration testing intro Are you on a domain name system (DNS) blacklist database? Rogue access points: Preventing, detecting and handling best practices RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary anti-replay protocol  (SearchNetworking.com) dynamic packet filter  (SearchNetworking.com) HELLO packet  (SearchNetworking.com) packet filtering  (SearchNetworking.com) rule base  (SearchNetworking.com) stateful inspection  (SearchNetworking.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.