Application layer firewall
Encyclopedia
An application firewall is a form of firewall
Firewall (computing)
A firewall is a device or set of devices designed to permit or deny network transmissions based upon a set of rules and is frequently used to protect networks from unauthorized access while permitting legitimate communications to pass....

 which controls input
Input/output
In computing, input/output, or I/O, refers to the communication between an information processing system , and the outside world, possibly a human, or another information processing system. Inputs are the signals or data received by the system, and outputs are the signals or data sent from it...

, output
Output
Output is the term denoting either an exit or changes which exit a system and which activate/modify a process. It is an abstract concept, used in the modeling, system design and system exploitation.-In control theory:...

, and/or access
System call
In computing, a system call is how a program requests a service from an operating system's kernel. This may include hardware related services , creating and executing new processes, and communicating with integral kernel services...

 from, to, or by an application or service. It operates by monitoring and potentially blocking the input, output, or system service calls
System call
In computing, a system call is how a program requests a service from an operating system's kernel. This may include hardware related services , creating and executing new processes, and communicating with integral kernel services...

 which do not meet the configured policy of the firewall. The application firewall is typically built to control all network traffic on any OSI layer
OSI model
The Open Systems Interconnection model is a product of the Open Systems Interconnection effort at the International Organization for Standardization. It is a prescription of characterizing and standardizing the functions of a communications system in terms of abstraction layers. Similar...

 up to the application layer. It is able to control applications or services specifically, unlike a stateful network firewall
Stateful firewall
In computing, a stateful firewall is a firewall that keeps track of the state of network connections traveling across it. The firewall is programmed to distinguish legitimate packets for different types of connections...

 which is - without additional software - unable to control network traffic regarding a specific application. There are two primary categories of application firewalls, network-based application firewalls and host-based application firewalls.

Network-based application firewalls

A network-based application layer firewall is a computer networking firewall operating at the application layer
Application layer
The Internet protocol suite and the Open Systems Interconnection model of computer networking each specify a group of protocols and methods identified by the name application layer....

 of a protocol stack
Protocol stack
The protocol stack is an implementation of a computer networking protocol suite. The terms are often used interchangeably. Strictly speaking, the suite is the definition of the protocols, and the stack is the software implementation of them....

, and are also known as a proxy-based or reverse-proxy firewall. Application firewalls specific to a particular kind of network traffic may be titled with the service name, such as a web application firewall. They may be implemented through software running on a host or a stand-alone piece of network hardware. Often, it is a host using various forms of proxy server
Proxy server
In computer networks, a proxy server is a server that acts as an intermediary for requests from clients seeking resources from other servers. A client connects to the proxy server, requesting some service, such as a file, connection, web page, or other resource available from a different server...

s to proxy traffic before passing it on to the client or server. Because it acts on the application layer, it may inspect the contents of the traffic, blocking specified content, such as certain websites, viruses, attempts to exploit known logical flaws in client software.

Network-based application-layer firewalls work on the application level
Application layer
The Internet protocol suite and the Open Systems Interconnection model of computer networking each specify a group of protocols and methods identified by the name application layer....

 of the network stack (for example, all web browser, telnet, or ftp traffic), and may intercept all packets traveling to or from an application. In principle, application firewalls can prevent all unwanted outside traffic from reaching protected machines.

Modern application firewalls may also offload encryption from servers
SSL acceleration
SSL acceleration is a method of offloading the processor-intensive public key encryption algorithms involved in SSL transactions to a hardware accelerator....

, block application input/output from detected intrusions or malformed communication
Mangled packet
In computer networking, a mangled or invalid packet is a packet — especially IP packet — that either lacks order or self-coherence, or contains code aimed to confuse or disrupt computers, firewalls, routers, or any service present on the network....

, manage or consolidate authentication
Authentication
Authentication is the act of confirming the truth of an attribute of a datum or entity...

, or block content which violates policies
Data loss prevention products
Data Loss Prevention is a computer security term referring to systems that identify, monitor, and protect data in use , data in motion , and data at rest Data Loss Prevention (DLP) is a computer security term referring to systems that identify, monitor, and protect data in use (e.g. endpoint...

.

History

Gene Spafford
Gene Spafford
Eugene Howard Spafford , commonly known as Spaf, is a professor of computer science at Purdue University and a leading computer security expert....

 of Purdue University
Purdue University
Purdue University, located in West Lafayette, Indiana, U.S., is the flagship university of the six-campus Purdue University system. Purdue was founded on May 6, 1869, as a land-grant university when the Indiana General Assembly, taking advantage of the Morrill Act, accepted a donation of land and...

, Bill Cheswick at AT&T Laboratories
AT&T Laboratories
AT&T Laboratories, Inc. was the research & development division of AT&T Corporation. It was founded in 1925 as Bell Telephone Laboratories, Inc., following the merger of the research & development divisions of American Telephone & Telegraph and Western Electric.-History:In 1996, most of Bell Labs...

, and Marcus Ranum described a third generation firewall known as an application layer firewall. Marcus Ranum's work on the technology spearheaded the creation of the first commercial product. The product was released by DEC who named it the DEC SEAL product. DEC’s first major sale was on June 13, 1991 to a chemical company based on the East Coast of the USA.

TIS, under a broader DARPA contract, developed the Firewall Toolkit (FWTK), and made it freely available under license on October 1, 1993. The purposes for releasing the freely-available, not for commercial use, FWTK were: to demonstrate, via the software, documentation, and methods used, how a company with (at the time) 11 years' experience in formal security methods, and individuals with firewall experience, developed firewall software; to create a common base of very good firewall software for others to build on (so people did not have to continue to "roll their own" from scratch); and to "raise the bar" of firewall software being used.

The key benefit of application layer filtering is that it can "understand" certain applications and protocols (such as File Transfer Protocol, DNS, or web browsing), and it can detect whether an unwanted protocol is being sneaked through on a non-standard port or whether a protocol is being abused in any harmful way.

Host-based application firewalls

A host-based application firewall can monitor any application input, output, and/or system service calls made from, to, or by an application. This is done by examining information passed through system calls instead of or in addition to a network stack. A host-based application firewall can only provide protection to the applications running on the same host.

Application firewalls function by determining whether a process should accept any given connection. Application firewalls accomplish their function by hooking into socket calls to filter the connections between the application layer and the lower layers of the OSI model. Application firewalls that hook into socket calls are also referred to as socket filters. Application firewalls work much like a packet filter but application filters apply filtering rules (allow/block) on a per process basis instead of filtering connections on a per port basis. Generally, prompts are used to define rules for processes that have not yet received a connection. It is rare to find application firewalls not combined or used in conjunction with a packet filter.

Also, application firewalls further filter connections by examining the process ID of data packets against a ruleset for the local process involved in the data transmission. The extent of the filtering that occurs is defined by the provided ruleset. Given the variety of software that exists, application firewalls only have more complex rulesets for the standard services, such as sharing services. These per process rulesets have limited efficacy in filtering every possible association that may occur with other processes. Also, these per process ruleset cannot defend against modification of the process via exploitation, such as memory corruption exploits. Because of these limitations, application firewalls are beginning to be supplanted by a new generation of application firewalls that rely on mandatory access control (MAC), also referred to as sandboxing, to protect vulnerable services. Examples of next generation host-based application firewalls which control system service calls by an application are AppArmor
AppArmor
AppArmor is a security module for the Linux kernel, released under the GNU General Public License. AppArmor allows the system administrator to associate with each program a security profile that restricts the capabilities of that program. It supplements the traditional Unix discretionary access...

 and the TrustedBSD MAC framework (sandboxing) in Mac OS X.

Host-based application firewalls may also provide network-based application firewalling.

Examples

To better illustrate the concept, this section enumerates some specific application firewall examples.

Implementations

There are various application firewalls available, including both free and open source software and commercial products.

Mac OS X

Mac OS X, as of Leopard, includes an implementation of the TrustedBSD MAC framework, which is taken from FreeBSD. The TrustedBSD MAC framework is used to sandbox some services, such as mDNSresponder, much like AppArmor is used to sandbox services in some Linux distributions. The TrustedBSD MAC framework provides a default layer of firewalling given the default configuration of the sharing services in Mac OS X Leopard and Snow Leopard.

The Application firewall located in the security preferences of Mac OS X starting with Leopard provides the functionality of this type of firewall to a limited degree via the use of code signing apps added to the firewall list. For the most part, this Application firewall only manages network connections by checking to see if incoming connections are directed toward an app in the firewall list and applies the rule (block/allow) specified for those apps.

Linux

This is a list of security software packages for Linux, allowing filtering of application to OS communication, possibly on a by-user basis:
  • AppArmor
    AppArmor
    AppArmor is a security module for the Linux kernel, released under the GNU General Public License. AppArmor allows the system administrator to associate with each program a security profile that restricts the capabilities of that program. It supplements the traditional Unix discretionary access...

  • ModSecurity
    ModSecurity
    ModSecurity supplies an array of request filtering and other security features to the Apache HTTP Server. ModSecurity is a web application layer firewall.- External links :**...

     - Also works under Mac OS X, Solaris and other versions of Unix
    Unix
    Unix is a multitasking, multi-user computer operating system originally developed in 1969 by a group of AT&T employees at Bell Labs, including Ken Thompson, Dennis Ritchie, Brian Kernighan, Douglas McIlroy, and Joe Ossanna...

    .
  • Systrace
    Systrace
    Systrace is a computer security utility which limits an application's access to the system by enforcing access policies for system calls. This can mitigate the effects of buffer overflows and other security vulnerabilities...

  • Zorp
    Zorp firewall
    Zorp is a proxy firewall suite developed by Balabit IT Security. Its core framework allows the administrator to fine-tune proxy decisions , and fully analyze embedded protocols .The FTP, HTTP, FINGER, WHOIS, TELNET, and SSL protocols are fully supported with an application-level gateway.Zorp aims for...


Specialized application firewalls

Specialized application firewalls offer a rich feature-set in protecting and controlling a specific application. Most specialized network appliance application firewalls are for web applications.

History

Large-scale web server hacker attacks, such as the 1996 PHF CGI exploit, lead to the investigation into security models to protect web applications. This was the beginning of what is currently referred to as the web application firewall (WAF) technology family. Early entrants in the market started appearing in 1999, such as Perfecto Software’s AppShield, (who later changed their name to Sanctum and in 2004 was acquired by Watchfire (acquired by IBM in 2007), which focused primarily on the ecommerce market and protected against illegal web page character entries. NetContinuum (acquired by Barracuda Networks
Barracuda Networks
Barracuda Networks, Inc. is a privately held company providing security, networking and storage solutions based on appliances and cloud services. The company’s security products include solutions for protection against email, web surfing, web hackers and instant messaging threats such as spam,...

 in 2007) approached the issue by providing pre-configured ‘security servers’. Such pioneers faced proprietary rule-set issues, business case obstacles and cost barriers to wide adoption, however, the need for such solutions was taking root.

In 2002, the open source project, ModSecurity
ModSecurity
ModSecurity supplies an array of request filtering and other security features to the Apache HTTP Server. ModSecurity is a web application layer firewall.- External links :**...

 run by Thinking Stone (acquired by Breach Security in 2006), was formed with a mission to solve these obstacles and make WAF technology accessible for every company. With the release of the core rule set, a unique open source rule set for protecting Web applications, based on the OASIS
OASIS (organization)
The Organization for the Advancement of Structured Information Standards is a global consortium that drives the development, convergence and adoption of e-business and web service standards...

 Web Application Security Technical Committee’s (WAS TC) vulnerability work, the market had a stable, well documented and standardized model to follow.

In 2003, the WAS TC’s work was expanded and standardized across the industry through the work of the Open Web Application Security Project’s (OWASP) Top 10 List. This annual ranking is a classification scheme for web security vulnerabilities, a model to provide guidance for initial threat, impact, and a way to describe conditions that can be used by both assessment and protection tools, such as a WAF. This list would go on to become the industry benchmark for many compliance schemes.

In 2004, large traffic management and security vendors, primarily in the network layer space, entered the WAF market through a flurry of mergers and acquisitions. Key among these was the mid-year move by F5 to acquire Magnifire WebSystems and the integration of the latter’s TrafficShield software solution with the former’s Big-IP traffic management system. This same year, F5 acquired AppShield and discontinued the technology. Further consolidation occurred in 2006 with the acquisition of Kavado by Protegrity, and Citrix Systems’ buying of Teros.

Until this point, the WAF market was dominated by niche providers who focused on web application layer security. Now the market was firmly directed at integrating WAF products with the large network technologies – load balancing, application servers, network firewalls, etc. – and began a rush of rebranding, renaming and repositioning the WAF. Options were confusing, expensive and still hardly understood by the larger market.

In 2006, the Web Application Security Consortium was formed to help make sense of the now widely divergent WAF market. Dubbed the Web Application Firewall Evaluation Criteria project (WAFEC), this open community of users, vendors, academia and independent analysts and researchers created a common evaluation criterion for WAF adoption that is still maintained today.

Wide-scale interest in the WAF began in earnest, tied to the 2006 PCI Security Standards Council formation and compliance mandate. Major payment card
Payment card
The term payment card covers a range of different cards that can be presented by a cardholder to make a payment.-Types:Typically a payment card is backed by an account holding funds belonging to the cardholder, or offering credit to the cardholder. Payment cards can be classified into types...

 brands (AMEX, Visa, Master Card, etc.) formed PCI as a way to regulate security practices across the industry and curtail the rampant credit card fraud
Credit card fraud
Credit card fraud is a wide-ranging term for theft and fraud committed using a credit card or any similar payment mechanism as a fraudulent source of funds in a transaction. The purpose may be to obtain goods without paying, or to obtain unauthorized funds from an account. Credit card fraud is also...

 taking place. In particular, this standard mandated that all web applications must be secure, either through secure development or use of a WAF (requirement 6.6). The OWASP Top 10 forms the backbone of this requirement.

With the increased focus on virtualization and Cloud computing to maximize existing resources, scaling of WAF technology has become the most recent milestone, marked by the 2009 white paper, Defining a dWAF to Secure Cloud Applications from art of defence and the Guidance for Critical Areas of Focus in Cloud Computing paper from the Cloud Security Alliance (CSA).

By 2010, the WAF market had matured to a market exceeding $200M in size according to Forrester. In a February 2010 report, Web Application Firewall: 2010 And Beyond, Forrester analyst Chenxi Wang wrote, "Forrester estimates the 2009 market revenue of the WAF+ market to be nearly $200 million, and the market will grow by a solid 20% in 2010. Security and risk managers can expect two WAF trends in 2010: 1) midmarket-friendly WAFs will become available, and 2) larger enterprises will gravitate toward the increasingly prevalent WAF+ solutions." She also wrote that "Imperva is the stand alone WAF leader."

Distributed web application firewalls

Distributed Web Application Firewall (also called a dWAF) is a member of the web application firewall (WAF) and Web applications security
Web Application Security
Web application security is a branch of information security that deals specifically with security of websites and web applications.At a high level, Web application security draws on the principles of application security but applies them specifically to Internet and Web systems...

 family of technologies. Purely software-based, the dWAF architecture is designed as separate components able to physically exist in different areas of the network. This advance in architecture allows the resource consumption of the dWAF to be spread across a network rather than depend on one appliance, while allowing complete freedom to scale as needed. In particular, it allows the addition / subtraction of any number of components independently of each other for better resource management. This approach is ideal for large and distributed virtualized infrastructures such as private, public or hybrid cloud models.

Cloud-based web application firewalls

Cloud-based Web Application Firewall is also member of the web application firewall (WAF) and Web applications security
Web Application Security
Web application security is a branch of information security that deals specifically with security of websites and web applications.At a high level, Web application security draws on the principles of application security but applies them specifically to Internet and Web systems...

 family of technologies. This technology is unique due to the fact that it is platform agnostic and does not require any hardware or software changes on the host, just a DNS change. By applying this DNS change, all web traffic is routed through the WAF where it is inspected and threats are thwarted. Cloud-based WAFs are typically centrally orchestrated, which means that threat detection information is shared among all the tenants of the service. This collaboration results in improved detection rates and lower false positives. Like other cloud-based solutions, this technology is elastic, scalable and is typically offered as a pay-as-you grow service. This approach is ideal for cloud-based web applications and small or medium sized websites that require web application security but are not willing or able to make software or hardware changes to their systems.
  • In 2010, Imperva spun out Incapsula to provide a cloud-based WAF to small to medium sized businesses.
  • Since 2011, United Security Providers provides the Secure Entry Server as an Amazon EC2 Cloud-based Web Application Firewall

Web application firewalls

  • Armorlogic
    Armorlogic
    Armorlogic is a security software company founded in 2004 by a group of leading Internet security specialists from some of the world's largest Internet security consulting companies. The Company's product range includes a web application firewall and content load balancer...

     - Profense web application firewall
  • Array Networks
    Array Networks
    Founded in 2000, and headquartered in Silicon Valley, California, Array Networks is a global technology company that addresses problems related to securely delivering enterprise applications to end users....

     - WebWall Multi-Layered Application Security
  • Barracuda Web Application Firewall
    Barracuda Networks
    Barracuda Networks, Inc. is a privately held company providing security, networking and storage solutions based on appliances and cloud services. The company’s security products include solutions for protection against email, web surfing, web hackers and instant messaging threats such as spam,...

  • Cisco
    Cisco
    Cisco may refer to:Companies:*Cisco Systems, a computer networking company* Certis CISCO, corporatised entity of the former Commercial and Industrial Security Corporation in Singapore...

     - Application Control Engine (ACE) Web Application Firewall
  • Citrix NetScaler - Application Firewall
  • F5 Networks
    F5 Networks
    F5 Networks, Inc. is a networking appliances company. It is headquartered in Seattle, Washington and has development and marketing offices worldwide. It originally manufactured and sold some of the very first load balancing products...

     - Application Security Manager ASM
  • Fortinet
    Fortinet
    Fortinet is headquartered in Sunnyvale, California and specializes in network security appliances. Fortinet’s flagship product line is sold under the brand name of FortiGate.-Corporate Overview:...

     - Fortiweb web application firewall
  • Imperva
    Imperva
    Imperva , is a data security company headquartered in the United States, which provides solutions for high-value business data protection and prevents sensitive data theft from hackers and malicious insiders by securing data across three main areas: databases, file systems, and web...

     - Web Application Firewall
  • ModSecurity
    ModSecurity
    ModSecurity supplies an array of request filtering and other security features to the Apache HTTP Server. ModSecurity is a web application layer firewall.- External links :**...

     - Opensource web application firewall
  • MONITORAPP
    Monitorapp
    MONITORAPP Co., Ltd. is a South Korean company, specialized in developing security solution for web applications based on traffic management technology.- Corporate Overview :- History :- Main Products :...

     - WEB INSIGHT SG Application Firewall
  • NAXSI - An open source, Web Application Firewall module for Nginx (Positive model)
  • Penta Security
    Penta Security
    Penta Security Systems, Inc. is an information technology security firm headquartered in Seoul, South Korea. Penta Security offers web application security, database security, and public key infrastructure solutions.-History:...

     - WAPPLES (Web Application Firewall)
  • Radware
    Radware
    Radware , is a provider of integrated Application delivery, Network Security and Load balancing solutions based in Tel Aviv, Israel. Radware, which is a member of the Rad Group of companies, is a public company and its shares are traded on NASDAQ.- History :...

     - AppWall Web Application Firewall
  • SonicWALL
    SonicWALL
    SonicWALL is a private company headquartered in San Jose, CA. It sells a range of internet appliances primarily directed at content control and network security. These include devices providing services for network firewalls, UTMs , VPNs , backup and recovery, and anti-spam for email...

     - SonicWALL Web Application Firewall Service
  • United Security Providers - Secure Entry Server

Combination network and application firewalls

Combination network and application firewalls typically offer fewer features than specialized application firewalls. Many of these require separate licenses to activate the full application firewall functionality.
  • Cyberoam
    Cyberoam
    Cyberoam, a division of Elitecore Technologies, is a vendor of identity-based network security products including UTM security, logging and reporting and secure remote connectivity appliances and data loss prevention software...

  • Check Point
    Check Point
    Check Point Software Technologies Ltd. is a global provider of IT security solutions. Best known for its firewall and VPN products, Check Point first pioneered the industry with FireWall-1 and its patented stateful inspection technology...

     Security Gateways
  • Cisco Adaptive Security Appliance
    Cisco ASA
    In computer networking, Cisco ASA 5500 Series Adaptive Security Appliances, or simply Cisco ASA 5500 Series, is Cisco's line of network security devices introduced in 2005, that succeeded three existing lines of popular Cisco products:...

  • Fortinet
    Fortinet
    Fortinet is headquartered in Sunnyvale, California and specializes in network security appliances. Fortinet’s flagship product line is sold under the brand name of FortiGate.-Corporate Overview:...

     FortiGate firewalls
  • Juniper Networks
    Juniper Networks
    Juniper Networks is an information technology and computer networking products multinational company, founded in 1996. It is head quartered in Sunnyvale, California, USA. The company designs and sells high-performance Internet Protocol network products and services...

     SRX services gateway and SSG firewalls
  • SonicWALL
    SonicWALL
    SonicWALL is a private company headquartered in San Jose, CA. It sells a range of internet appliances primarily directed at content control and network security. These include devices providing services for network firewalls, UTMs , VPNs , backup and recovery, and anti-spam for email...

     firewalls
  • WatchGuard
    WatchGuard
    WatchGuard Technologies, a pioneer in network security appliances, is a provider of Internet security solutions for small to mid-sized businesses worldwide.-History:...

     firewalls
  • McAfee
    McAfee
    McAfee, Inc. is a computer security company headquartered in Santa Clara, California, USA. It markets software and services to home users, businesses and the public sector. On August 19, 2010, electronics company Intel agreed to purchase McAfee for $7.68 billion...

     Firewall Enterprise
  • Palo Alto Networks Next Generation of Firewall

See also

  • ModSecurity
    ModSecurity
    ModSecurity supplies an array of request filtering and other security features to the Apache HTTP Server. ModSecurity is a web application layer firewall.- External links :**...

  • Computer security
    Computer security
    Computer security is a branch of computer technology known as information security as applied to computers and networks. The objective of computer security includes protection of information and property from theft, corruption, or natural disaster, while allowing the information and property to...

  • Content-control software
    Content-control software
    Content-control software, also known as censorware or web filtering software, is a term for software designed and optimized for controlling what content is permitted to a reader, especially when it is used to restrict material delivered over the Web...

  • Proxy server
    Proxy server
    In computer networks, a proxy server is a server that acts as an intermediary for requests from clients seeking resources from other servers. A client connects to the proxy server, requesting some service, such as a file, connection, web page, or other resource available from a different server...

  • Information security
    Information security
    Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction....

  • Application security
    Application security
    Application security encompasses measures taken throughout the application's life-cycle to prevent exceptions in the security policy of an application or the underlying system through flaws in the design, development, deployment, upgrade, or maintenance of the application.Applications only...

  • Network security
    Network security
    In the field of networking, the area of network security consists of the provisions and policies adopted by the network administrator to prevent and monitor unauthorized access, misuse, modification, or denial of the computer network and network-accessible resources...


External links

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 
x
OK