Why is a proxy firewall good for application security?
I think the best way to describe the benefits of application proxy firewalls is to look at the shortcomings of other firewall technologies. There are three general classes of firewall: packet filtering firewalls; stateful inspection firewalls, or circuit-level gateways; and proxy firewalls, or application-level gateways. All three analyze inbound packets against a rule base and decide whether to block or allow packets through based upon those rules, but it is the level of analysis that differentiates them.
Packet filter, or network layer, firewalls operate at Layer 3 of the OSI (Open Systems Interconnection) reference model and separate an organization's network from other domains by standing between incoming and outgoing network traffic. The firewall inspects each packet's header information and blocks or allows it through by comparing its source and destination addresses, network ports and protocol type against a set of rules. These "stateless" firewalls make a decision for each packet based solely on the information contained in that individual packet and are not aware of any traffic patterns or data flows. This makes them susceptible to spoofing attacks and other network protocol-based attacks.
In order to evaluate an individual packet in the larger context of a network communications session, stateful firewalls record all connections passing through them by operating at Layer 5 of the OSI model. By keeping track of the state of network connections they have much more complete information and can reject packets that don't match a known connection state. While stateful firewalls can block many types of attacks at the network protocol level, they can't inspect the actual payload contained in each packet as it travels between the application and its users. This allows malformed or unexpected data to reach and exploit vulnerabilities in a particular application, such as a buffer overflow or SQL injection.
Enter application proxy firewalls, which operate at Layer 7 of the OSI model and have advanced inspection capabilities. These firewalls don't actually allow any packets to pass directly between an application and the user. Instead, all traffic is intercepted and passed through a proxy connection. This means that there are then two connections in place: one between the user and the proxy server, and another between the proxy server and the application, with the proxy receiving, inspecting and forwarding all traffic bi-directionally between the client and the application. This places the firewall in the middle of the logical connection and allows it to examine the traffic, including its payload, for any signs of malicious activity at the application level.
Unlike a packet filter, an application proxy understands the application it is protecting, so it can block forbidden commands, such as dangerous SQL commands, or malformed requests, such as attempts to cause a buffer overflow. Moreover, data leaving the network can be analyzed and any sensitive data intercepted before it is output to the user. All this detailed knowledge of network traffic headers and payloads can also be logged to provide better auditing. New threats to an application can be tackled by changes to the firewall's rule set, which is far quicker and easier than making changes to the application itself. Other advantages include providing anonymity for systems behind the firewall while isolating security checks in a separate process and memory space. This level of filtering provides an extra layer of security to protect data, business logic and applications from flaws in their design.
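The three classes described above, simulated end to end on constructed packets. This is an added example, not code from the original answer or from any firewall product: a stateless filter that judges each packet by its header fields alone, a stateful filter that keeps a connection table and drops mid-stream packets with no known connection, and an application proxy that parses the HTTP request line and the outgoing response. The addresses, ports, rule base, size limit, SQL-fragment denylist and card-number pattern are all constructed assumptions chosen to illustrate the points in the answer, not a recommended rule set.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote_to_bytes

@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str                      # "TCP" or "UDP"
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN"} or {"ACK"}
    payload: bytes = b""            # application data carried, if any

# Class 1: stateless packet filter. Constructed rule base of
# (dst, dport, proto, action); "*" is a wildcard, first match wins.
RULES = [("10.0.0.5", 80, "TCP", "allow"), ("*", "*", "*", "deny")]

def packet_filter(pkt):
    """Judge one packet by its own header fields alone (no flow context)."""
    for dst, dport, proto, action in RULES:
        if dst in ("*", pkt.dst) and dport in ("*", pkt.dport) and proto in ("*", pkt.proto):
            return action
    return "deny"

# Class 2: stateful inspection, which keeps a connection table.
class StatefulFirewall:
    def __init__(self):
        self.connections = {}       # 5-tuple -> connection state

    def inspect(self, pkt):
        if packet_filter(pkt) == "deny":
            return "deny"
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        if pkt.flags == frozenset({"SYN"}):
            self.connections[key] = "SYN_SENT"   # new connection attempt
            return "allow"
        if key not in self.connections:
            return "deny"           # mid-stream packet, no known connection
        if "ACK" in pkt.flags:
            self.connections[key] = "ESTABLISHED"
        return "allow"

# Class 3: application proxy, which parses the Layer 7 payload.
MAX_REQUEST_LINE = 2048                                      # constructed limit
SQL_FRAGMENTS = (b"union select", b"drop table", b"' or '")  # constructed denylist
SENSITIVE_RE = re.compile(rb"\b\d{16}\b")                    # crude card-number pattern

def inspect_request(payload):
    """Parse the HTTP request line; deny oversized or malformed requests
    and request targets carrying one of the forbidden SQL fragments."""
    request_line = payload.split(b"\r\n", 1)[0]
    if len(request_line) > MAX_REQUEST_LINE:
        return "deny", "oversized request line"
    parts = request_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return "deny", "malformed request line"
    decoded = unquote_to_bytes(parts[1]).lower()             # look past URL encoding
    if any(frag in decoded for frag in SQL_FRAGMENTS):
        return "deny", "sql fragment in request target"
    return "allow", "ok"

def inspect_response(payload):
    """Egress check: stop sensitive-looking data before it reaches the client."""
    if SENSITIVE_RE.search(payload):
        return "deny", "sensitive data in response"
    return "allow", "ok"

def proxy_forward(tracker, pkt):
    """Proxy path: connection tracking first, then payload inspection."""
    if tracker.inspect(pkt) == "deny":
        return "deny", "rejected by connection tracking"
    return inspect_request(pkt.payload) if pkt.payload else ("allow", "no data")

def demo():
    """Run constructed traffic through all three classes; return the verdicts."""
    client, server = "192.0.2.10", "10.0.0.5"
    ack = frozenset({"ACK"})
    syn = Packet(client, server, 40000, 80, "TCP", frozenset({"SYN"}))
    stray = Packet("192.0.2.99", server, 41000, 80, "TCP", ack)   # no prior SYN
    good = Packet(client, server, 40000, 80, "TCP", ack,
                  b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n")
    injected = Packet(client, server, 40000, 80, "TCP", ack,
                      b"GET /item?id=1;drop%20table%20users HTTP/1.1\r\n\r\n")
    tracker = StatefulFirewall()
    proxy_forward(tracker, syn)          # open the legitimate connection
    return {
        "stateless_stray_ack": packet_filter(stray),   # header-only: let through
        "stateful_stray_ack": tracker.inspect(stray),  # no connection: rejected
        "proxy_good": proxy_forward(tracker, good),
        "proxy_injected": proxy_forward(tracker, injected),
        "proxy_oversized": inspect_request(b"GET /" + b"A" * 3000 + b" HTTP/1.1\r\n"),
        "proxy_egress": inspect_response(b"<p>card 4111111111111111</p>"),
    }
```

Calling `demo()` shows the progression the answer describes: the stateless filter lets the stray ACK through because its header matches the web-server rule, the stateful filter rejects it because no connection was ever opened, and only the proxy, which actually parses the request, refuses the oversized request line and the request target carrying a forbidden SQL fragment, and stops a card-number-like value on the way out.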
Related Q&A from Michael Cobb