Essential Guide

Enterprise firewall protection: Where it stands, where it's headed

A comprehensive collection of articles, videos and more, hand-picked by our editors
Q

What are the drawbacks to application firewalls?

Application-layer firewalls examine ingoing and outgoing traffic more carefully than traditional packet-filtering firewalls, so why are some holding back on deployment? In this SearchSecurity.com Q&A, Michael Cobb reveals some cost and performance issues.

Web application firewalls seem like a useful way to block application attacks, but I know of some people who are holding back on implementing them. What are the drawbacks to Web application firewalls?
The main drawbacks to Web application firewalls are cost and performance. Performance is often an issue because these tools inspect all incoming and outgoing traffic at the application layer. However, this level of examination, often referred to as deep packet inspection, examines the actual payload of a packet and provides far better content-filtering capabilities than traditional packet-filtering firewalls. With application-layer firewalls, allow or deny decisions can be based on the actual content of each packet. They can permit or reject specific applications, or specific features of an application, giving a greater degree of granular control. The firewalls can also authenticate users directly. This means, for example, that they can allow or deny a specific incoming command from a particular user.

The data from deep packet inspection also provides valuable log information that is helpful for security incidents

and policy implementation.

When the firewall reads and interprets each packet, however, the tool must consume CPU cycles. The inspection process thus takes longer than those of traditional packet-filtering firewalls and may slow down network performance.

Another disadvantage of application firewalls is that each protocol, such as HTTP, SMTP, etc., requires its own proxy application, and support for new network applications and protocols can be limited or slow to emerge. Although most firewall vendors provide generic proxy agents to support undefined network protocols or applications, the agents tend to simply allow traffic to tunnel through the firewall, negating many of the reasons for having an application firewall in the first place.

Also the increased sophistication of these firewalls makes them generally more expensive, especially compared to packet-filtering firewalls that have very little impact on network performance and are application-independent. Finally, as with any new device, Web application firewalls have installation, configuration and training needs that must be assessed.

It's easy to understand why some are hesitant about deploying an application-level firewall, particularly if time and budget restrictions are involved. However, for those running Web applications in a hostile environment, then an application-layer firewall's additional protection has become almost mandatory. I would therefore suggest defining exactly what the firewall is needed for, as this will determine the features that are require. To choose a firewall, answer the following questions:

  • What does the firewall need to do?
  • What additional services would be valuable?
  • How will it fit into their existing network?
  • How will it affect existing services and users?

    Developing an understanding of how different types of Web application attacks are carried out will help with this exercise. If you are short on firewall expertise, then ease of installation and configuration will be an important factor in the choice of firewall. Also, talk to any possible vendor about the level of support that they provide during installation, as well as throughout the deployment lifecycle of the firewall.

    More information:

  • In this presentation, Michael Cobb explains how to protect Layer 7 on your network.
  • Learn how to construct a proper application firewall rule base.
  • This was first published in May 2007

    Pro+

    Features

    Enjoy the benefits of Pro+ membership, learn more and join.

    Essential Guide

    Enterprise firewall protection: Where it stands, where it's headed

    Have a question for an expert?

    Please add a title for your question

    Get answers from a TechTarget expert on whatever's puzzling you.

    You will be able to add details on the next page.

    0 comments

    Oldest 

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to:

    SearchCloudSecurity

    SearchNetworking

    SearchCIO

    SearchConsumerization

    SearchEnterpriseDesktop

    SearchCloudComputing

    ComputerWeekly

    Close