Firewalls have worked as the predominant form of security for Internet-connected networks for 25 years, but during this time attackers have climbed the protocol stack, going past the operating system or TCP/IP protocols and aiming deep into HTTP, HTML and XML protocols that make up modern distributed web applications. So it is crucial to combine intelligent, application-layer firewalls with lower level firewalls in order to be fully effective.
Application-layer firewalls detect 31 flavors of app to apply policy
What exactly is an application --– or what must you protect? Almost everything is web based, so it's not about TCP ports (it's all port 80 or 443). It's not about URLs either because so much can be crammed into a single site or page. Platforms like Facebook and Google contain dozens or even hundreds of so-called applications, including chat, video, email, games, spreadsheets, surveys, file transfer, etc. Firewalls with application intelligence must therefore be able to discern different features and capabilities within a single web platform and apply policies accordingly. If an application capability has different security implications, such as a different risk profile, it must be treated accordingly by the firewall.
The most complex and rapidly changing traffic is user-initiated web sessions, where new types of applications and threats can pop-up somewhere on the Internet, become wildly popular and attract threats overnight. Web-based applications are out of the control of corporate IT and are a hotbed of innovation. A minor change in a seemingly benign website can transform it into a prime breeding ground for new types of attacks. For example, a well- respected news site can suddenly become dangerous because the addition of a chat room for readers brings user-generated and possibly dangerous content into the site.
Companies also have to contend with corporate applications that are delivered over the web and integrated with partners, suppliers and customers. Here, XML-based protocols like SOAP and REST are used to connect Enterprise Resource Planning (ERP), Supply Chain Management (SCM), and billing- and finance-specific applications in various verticals, such as banking, manufacturing, energy, transportation etc. XML-based protocols can represent almost infinite layers of complexity and are directly tied to business processes, thereby introducing unique security risks.
Why can't one type of firewall do the whole job?
If companies need to protect against low-level attacks, web-based attacks and application-integration traffic attacks, why can't they install one firewall that takes care of it all? Why can't all the necessary features come in a single unified box? The simple answer is that it takes a lot of processing power to be able to open, inspect and identify every stream of network traffic entering or exiting a corporate network. Application-level intelligence is a constant compromise against performance. Too deep into the traffic and the firewall introduces latency and cannot process network flows fast enough to keep up with demand. Too shallow and the firewall could be missing important threats.
Combining application-aware firewalls with other network security firewalls
To achieve a balance, companies can install firewalls that specialize on different layers. Low-level network firewalls can filter broad swathes of traffic, catching the port-scanning, denial-of-service and other low-level network attacks. Traffic from users can be put through an application-level firewall to control acceptable use and risk through fine-grained policies that understand today's complex web applications. Application gateways or XML firewalls can intercept enterprise-integration traffic flowing to and from partners, inspecting the schemas and content of XML, validating signatures and encrypting/decrypting flows.
Each of the different types of traffic has different risk and performance characteristics. Security professionals must pick the right balance between performance and depth of scrutiny in each case and choose the right solution: A data-center firewall that controls internal segmentation at 10 gigabit/sec is a very different firewall than an Internet-uplink firewall for user traffic, or a partner-DMZ firewall optimized for encryption and XML.
After almost 25 years, the firewall continues to be on the front lines of security. But that's only because the word "firewall" has morphed to encompass many different types
of security device, each suitable for a different purpose. The most important security consideration is picking the right type of firewall for the right type of traffic.
About the author:Andreas M. Antonopoulos is senior vice president and founding partner with Nemertes Research, where he develops and manages research projects, conducts strategic seminars and advises key clients. Andreas is a computer scientist, a master of data communications and distributed systems, a Certified Information Systems Security Professional (CISSP) and a self-professed geek, with an engineering, programming and consulting background.
This was first published in November 2010