Application firewall tips and tricks

Hardware vs. software
Application firewalls come in many different flavors, but really fall into two main categories: hardware and software. Hardware firewalls run on a dedicated appliance, often having a hardened operating system designed specifically for the task of firewalling. Software firewalls are installed on a general-purpose machine located between trust zones such as at the network perimeter, or in the case of a personal firewall, on the actual desktop machine.

Purpose-built hardware appliances generally deliver better performance, but are more complex to set up and configure. If you choose a software-based solution, make sure it runs on a platform your IT department is familiar with in order to avoid additional training and support issues. Software solutions often provide more flexibility than hardware solutions, but you need to ensure that the operating system the firewall is running on is patched and maintained on a regular basis.

Set up and rule sets

More information Learn about the different varieties of firewalls in this tip on choosing a firewall. Learn about the pros and cons of application firewalls in this tip. Browse more Network & Systems Management tips. Browse more tips on network security.

When it comes to setting up your firewall, most IT security books will tell you to start by denying all traffic by default, and then only allowing traffic that is expressly required -- the classic access model used in information security. However, you should be aware of how such an implicit deny rule affects and changes how a firewall behaves. For example, when a packet matches a rule in the access list, the packet is immediately dropped by a deny rule or forwarded by a permit rule. Because it isn't tested against any other rules you may have set in the access list, it is essential that you always put specific filters before general filters. Otherwise, a general rule might allow a packet access that may have been denied by a more specific rule later in the access list.

It helps if you build your set of rules in advance, putting the implicit deny rule at the end, as adding rules ad hoc can radically change how your firewall manages traffic. Approaching the access list rules from a "allow what you need" rather than "deny what you don't" perspective can also make the purpose of each rule that much more reasoned.

You should also implement rules for outbound traffic, ensuring that only packets with your network's source address leave the network. This egress filtering is essential to stop spyware and botnets from phoning home.

Whitelisting, blacklisting and auditing
Whitelists and blacklists define which sites, IP addresses, applications, etc., are to be trusted and which are not, respectively. You can use one or the other, or both. A whitelist approach is more restrictive and is ideal for a network that has a limited need for Internet access and a stable application requirement. However, while a whitelist is generally a more secure approach than a blacklist, it can give a false sense of security because malicious code can turn a trusted machine or application into an untrusted one in seconds by giving control to a hacker via Trojan or Zombie programs. Blacklists have a higher administrative overhead as they need regular updates to be effective and are of no use at all against a new unknown threat.

To help keep white and blacklists up to date, it is essential to log and audit the traffic passing through your application-layer firewall. Logs are invaluable for verifying that the firewall is operating effectively and for analyzing problems or attacks when they occur. Make sure you have the ability to audit and analyze your logs regularly. Even on a small network, the volume of traffic will create log files that are too large to manually audit, so you will need a full-featured log analyzer and the time to review its output.

This article originally appeared on SearchSecurity.com.

About the author
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for SearchSecurity's Web Security School and, as a SearchSecurity.com site expert, answers user questions on application and platform security.

Rate this Tip To rate tips, you must be a member of SearchNetworking.com. Register now to start rating these tips. Log in if you are already a member. Submit a Tip Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Network Security Shifting defenses and dynamic perimeters challenge network security Compliance in a virtualized world: Server virtualization and NAC security Securing the new network architecture: Security for distributed, dynamic networks How to configure Windows Server 2008 advanced firewall MMC snap-in Security across network boundaries with Secure Mobile Architecture USB storage devices: Two ways to stop the threat to network security Network security: Using unified threat management (UTM) Network security: Empower users without endangering IT Network analysis -- Enhancing security assessments VPN security: Hiding in plain sight, using network encryption Network Management More remote scripting tricks: Managing Windows networks using scripts, Part 11 IP-based services: Curse or blessing for NOC staff? Virtual machines present dynamic environment issues for network pros Network architecture and capacity planning for server virtualization Keeping it green: Design principles for efficient network architectures How green is my network? -- A look at the cost-savings benefit of green IT IEEE P802.3az Energy Efficient Ethernet: Small network power savings add up Governance, compliance, security: How are these network problems? Application delivery controllers: Moving toward the application-centric network Server virtualization and the network: Site consolidation's impact on latency Network Security Best Practices SIEM platform secures university's open network Shifting defenses and dynamic perimeters challenge network security Securing the new network architecture How to block porn with ISA-server firewalls Why implementing adequate security challenges LAN administration Securing the new network architecture: Security for distributed, dynamic networks How to set passwords on folders in Windows 2003 servers What are the best methods for handling rogue access points? How to configure Windows Server 2008 advanced firewall MMC snap-in Governance, compliance, security: How are these network problems? RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary anti-replay protocol  (SearchNetworking.com) dynamic packet filter  (SearchNetworking.com) HELLO packet  (SearchNetworking.com) packet filtering  (SearchNetworking.com) rule base  (SearchNetworking.com) stateful inspection  (SearchNetworking.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.