I think the best way to describe the benefits of application proxy firewalls is to look at the shortcomings of other firewall technologies. There are three general classes of firewall: packet filtering firewalls, stateful inspection firewalls (also called circuit-level gateways), and proxy firewalls (also called application-level gateways). All three compare inbound packets against a rule base and block or allow them based on those rules, but it is the depth of the analysis that differentiates them.
Packet filter, or network layer, firewalls operate at Layer 3 of the OSI (Open Systems Interconnection) reference model and separate an organization's network from other domains by sitting in the path of all incoming and outgoing network traffic. The firewall inspects each packet's header information and blocks or allows the packet by comparing its source and destination addresses, network ports, and protocol type against a set of rules. These "stateless" firewalls make a decision for each packet based solely on the information contained in that individual packet and are not aware of any traffic patterns or data flows. This makes them susceptible to spoofing attacks and other attacks that abuse the network protocols themselves.
In order to evaluate an individual packet in the larger context of a network communications session, stateful firewalls, which operate at Layer 5 of the OSI model, record all connections passing through them. By keeping track of the state of each network connection they have much more complete information and can reject packets that don't match a known connection state. While stateful firewalls can block many types of attacks at the network protocol level, they can't inspect the actual payload carried in each packet as it travels between the application and its users. This allows malformed or unexpected data to reach and exploit vulnerabilities in a particular application, such as a buffer overflow or SQL injection.
Enter application proxy firewalls, which operate at Layer 7 of the OSI model and have far more advanced inspection capabilities. These firewalls don't allow any packets to pass directly between an application and the user. Instead, all traffic is intercepted and passed through a proxy connection. This means that there are two connections in place: one between the user and the proxy server and another between the proxy server and the application, with the proxy receiving, inspecting, and forwarding all traffic in both directions between the client and the application. This places the firewall in the middle of the logical connection and allows it to examine the traffic, including its payload, for any signs of malicious activity at the application level.
Unlike a packet filter, an application proxy understands the application it is protecting and so can block forbidden commands, such as dangerous SQL statements, or malformed requests, such as attempts to cause a buffer overflow. Moreover, data leaving the network can be analyzed and any sensitive data intercepted before it is output to the user. All this detailed knowledge of network traffic headers and payloads can also be logged to provide better auditing. New threats to an application can be tackled by changes to the firewall's rule set, which is far quicker and easier than making changes to the application itself. Other advantages include providing anonymity for systems behind the firewall while isolating security checks in a separate process and memory space. This level of filtering provides an extra layer of security to protect data, business logic and applications from flaws in their design.
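To make the three levels of inspection concrete, here is an added example (not from the original article) that models a stateless packet filter, a stateful filter and an application proxy as three Python checks and runs constructed packets through them to show which layer is needed to stop each one. The server address, port numbers, the 256-byte request-line limit and the crude injection signature are all assumptions chosen for the example.

```python
import re
from urllib.parse import urlsplit, unquote

SQLI = re.compile(r"'\s*(or|union|--)", re.IGNORECASE)   # crude injection signature (assumed)
REQUEST_LINE = re.compile(r"(GET|POST) (\S+) HTTP/1\.[01]")

def packet_filter(pkt):
    """Stateless check: header fields only, no memory of earlier packets."""
    return pkt["proto"] == "tcp" and pkt["dport"] == 80

class StatefulFilter:
    """Session-level check: a packet must belong to a connection opened by a SYN."""
    def __init__(self):
        self.conns = set()
    def allow(self, pkt):
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if pkt["flags"] == "SYN":
            self.conns.add(key)
            return True
        return key in self.conns

def app_proxy(pkt):
    """Application-level check: parse the HTTP request line and inspect it."""
    if not pkt["payload"]:
        return True                      # handshake packets carry no request
    line = pkt["payload"].split(b"\r\n", 1)[0].decode("latin-1")
    m = REQUEST_LINE.fullmatch(line)
    if len(line) > 256 or not m:         # overlong (overflow-style), malformed or forbidden
        return False
    return SQLI.search(unquote(urlsplit(m.group(2)).query)) is None

def classify(packets):
    """Name the first layer that drops each packet, or 'allowed'."""
    layers = [("packet filter", packet_filter), ("stateful filter", StatefulFilter().allow),
              ("application proxy", app_proxy)]
    return [next((name for name, check in layers if not check(p)), "allowed")
            for p in packets]

def pkt(src, sport, flags, payload=b"", dport=80):   # constructed packet record
    return {"src": src, "sport": sport, "dst": "192.0.2.10", "dport": dport,
            "proto": "tcp", "flags": flags, "payload": payload}

SAMPLE = [  # constructed traffic toward the web server 192.0.2.10
    pkt("10.0.0.5", 40001, "SYN"),
    pkt("10.0.0.5", 40001, "ACK", b"GET /item?id=7 HTTP/1.1\r\nHost: shop\r\n\r\n"),
    pkt("10.0.0.5", 40002, "SYN", dport=23),                       # telnet
    pkt("198.51.100.9", 40003, "ACK", b"GET / HTTP/1.1\r\n\r\n"),   # no SYN seen
    pkt("10.0.0.5", 40001, "ACK", b"GET /item?id=7'%20OR%20'1'='1 HTTP/1.1\r\n\r\n"),
    pkt("10.0.0.5", 40001, "ACK", b"GET /" + b"A" * 600 + b" HTTP/1.1\r\n\r\n"),
]
```

Running `classify(SAMPLE)` shows that the forged packet passes the header rules but fails the state check, while the injection and overlong requests pass both lower layers and are only caught by the proxy's payload inspection.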
This was first published in March 2010