Application Firewall

Posted in Technopedia, Application Security

Application firewall is a form of firewall which controls input, output, and/or access from, to, or by an application or service. It operates by monitoring and potentially blocking the input, output, or system service calls which do not meet the configured policy of the firewall. The application firewall is typically built to monitor one or more specific applications or services (such as a web or database service), unlike a stateful network firewall which can provide some access controls for nearly any kind of network traffic. There are two primary categories of application firewalls, network-based application firewalls and host-based application firewalls.

Application firewall is an enhanced firewall that limits access by applications to the operating system (OS) of a computer. Conventional firewalls merely control the flow of data to and from the central processing unit (CPU), examining each packet and determining whether or not to forward it toward a particular destination. An application firewall offers additional protection by controlling the execution of files or the handling of data by specific applications.

For best performance, a conventional firewall must be configured by the user. The user must know which ports unwanted data is likely to enter or leave through. An application firewall prevents the execution of programs or DLL (dynamic link library) files which have been tampered with. Thus, even though an intruder might get past a conventional firewall and gain entry to a computer, server, or network, destructive activity can be forestalled because the application firewall does not allow any suspected malicious code to execute.
Network-based application firewalls

Network-Based Application FirewallA network-based application layer firewall is a computer networking firewall operating at the application layer of a protocol stack, and are also known as a proxy-based or reverse-proxy firewall. Application firewalls specific to a particular kind of network traffic may be titled with the service name, such as a web application firewall. They may be implemented through software running on a host or a stand-alone piece of network hardware. Often, it is a host using various forms of proxy servers to proxy traffic before passing it on to the client or server. Because it acts on the application layer, it may inspect the contents of the traffic, blocking specified content, such as certain websites, viruses, attempts to exploit known logical flaws in client software.

Network-based application-layer firewalls work on the application level of the network stack (for example, all web browser, telnet, or ftp traffic), and may intercept all packets traveling to or from an application. In principle, application firewalls can prevent all unwanted outside traffic from reaching protected machines.

Modern application firewalls may also offload encryption from servers, block application input/output from detected intrusions or malformed communication, manage or consolidate authentication, or block content which violates policies.

History

Application FirewallGene Spafford of Purdue University, Bill Cheswick at AT&T Laboratories, and Marcus Ranum described a third generation firewall known as an application layer firewall. Marcus Ranum's work on the technology spearheaded the creation of the first commercial product. The product was released by DEC who named it the DEC SEAL product. DEC's first major sale was on June 13, 1991 to a chemical company based on the East Coast of the USA.

TIS, under a broader DARPA contract, developed the Firewall Toolkit (FWTK), and made it freely available under license on October 1, 1993. The purposes for releasing the freely-available, not for commercial use, FWTK were: to demonstrate, via the software, documentation, and methods used, how a company with (at the time) 11 years' experience in formal security methods, and individuals with firewall experience, developed firewall software; to create a common base of very good firewall software for others to build on (so people did not have to continue to "roll their own" from scratch); and to "raise the bar" of firewall software being used.

The key benefit of application layer filtering is that it can "understand" certain applications and protocols (such as File Transfer Protocol, DNS, or web browsing), and it can detect whether an unwanted protocol is being sneaked through on a non-standard port or whether a protocol is being abused in any harmful way.
Host-based application firewalls

A host-based application firewall can monitor any application input, output, and/or system service calls made from, to, or by an application. This is done by examining information passed through system calls instead of or in addition to a network stack. A host-based application firewall can only provide protection to the applications running on the same host.

An example of a host-based application firewall which controls system service calls by an application is AppArmor or the Mac OS X application firewall.

Host-based application firewalls may also provide network-based application firewalling.
Examples

To better illustrate the concept, this section enumerates some specific application firewall examples.

Database firewall

A database firewall is an application firewall which protects databases from application attacks- for example, SQL injection, database rootkits, and unauthorized information disclosure.

A database firewall is a computer application firewall operating at the database application layer of a protocol stack. Also known as a proxy-based firewall, it may be implemented as a piece of software running on a single computer, or a stand-alone piece of hardware. Often, it is a host using various forms of reverse proxy services to proxy traffic before passing it to a gateway router. Because it acts on the database application layer, it may inspect the contents of the traffic, blocking specified content, such as certain websites, viruses, attempts to exploit known logical flaws in client software.

Most often, database firewalls work on the SQL application level atop the TCP/IP stack, all applications' connection to the database or SQL management interfaces, and may intercept and enforce all packets traveling to or from a database network or application interface.

Some database firewalls include automated SQL learning capabilities, which assist in policy configuration. The learning capabilities will list queries directed to a specific Database.
Implementations

There are various application firewalls available, including both free and open source software and commercial products.

Mac OS X

As of Mac OS X v10.5.1, Apple has included an application firewall as part of the OS. This level of protection is enabled by default and runs on top of the standard ipfw port-level firewall that has been part of the FreeBSD OS on which Mac OS X is based. While the default ipfw configuration 'out-of-the-box' is minimal, it is user-configurable and affords a two layer protection scheme.

Linux

This is a list of security software packages for Linux, allowing filtering of application to OS communication, possibly on a by-user basis:
  • AppArmor
  • Gufw
  • ModSecurity - Also works under Mac OS X, Solaris and other versions of Unix.
  • Systrace
  • Zorp
Windows
  • WinGate
  • WinRoute
Network appliances

These devices are sold as hardware network appliances.

Specialized application firewalls

Specialized application firewalls offer a rich feature-set in protecting and controlling a specific application. Most specialized network appliance application firewalls are for web applications.

Web application firewalls
  • Radware AppWall Web Application Firewall
  • Barracuda Web Application Firewall
  • Cisco Application Control Engine (ACE) Web Application Firewall
  • Citrix NetScaler Application Firewall
  • [Bee Ware|i-Sentry] Web Application Firewall
Combination network and application firewalls

Combination network and application firewalls typically offer fewer features than specialized application firewalls. Many of these require separate licenses to activate the full application firewall functionality.
  • Astaro
  • Cisco Adaptive Security Appliance
  • Fortinet FortiGate firewalls
  • Juniper Networks SRX services gateway and SSG firewalls
  • SonicWALL firewalls
  • WatchGuard firewalls

References:
http://en.wikipedia.org/wiki/Application_firewall
http://searchsoftwarequality.techtarget.com/sDefinition/0,,sid92_gci1188694,00.html

Share This

Comments (0)

Leave a comment

Please login to leave a comment. Optional login below.