Traditional firewall technologies -- such as packet filtering and stateful inspection -- are no longer adequate because they cannot distinguish between malicious and non-malicious requests and data. Also, the diversity and volume of traffic are making it more difficult for pure "allow/block" rules to filter. For example, a firewall may only allow HTTP traffic on port 80, but such a restriction still lets SQL injection attacks through as valid HTTP requests. Spyware, similarly, could still run a communication channel to an outside server listening on port 80.
Firewall vendors have responded to these threats by developing application-layer firewalls. Compared with traditional firewalls, application-layer filtering devices certainly provide better content-filtering capabilities. They have the ability to examine the payload of a packet and make decisions based on content, allowing them to permit or deny specific application requests or commands. These functions give administrators far more granular control over network traffic. For example, admins can allow or deny a specific incoming telnet command from a particular user. Many application-layer firewalls now allow you to create filters to intercept, analyze or modify traffic specific to your network, making it easier to adapt the firewall to protect your particular assets.
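To make the contrast between the two approaches concrete, here is an added example (not code from the original article or from any firewall vendor) that runs a port-only rule and a small application-layer rule set over two constructed HTTP requests. The host name shop.example, the request contents and the SQL-injection signature list are all assumptions for illustration; a real product ships far larger and more carefully tuned signature sets.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample requests (not captured traffic). Both are valid HTTP/1.1 and
# both would be accepted by a rule that only checks "destination port is 80".
BENIGN_GET = (
    "GET /catalog?category=books HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "\r\n"
)
_BODY = "category=%27+OR+%271%27%3D%271"   # decodes to: ' OR '1'='1
INJECTED_POST = (
    "POST /catalog HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"Content-Length: {len(_BODY)}\r\n"
    "\r\n" + _BODY
)


def port_filter(dst_port: int, allowed_ports=(80, 443)) -> bool:
    """Traditional rule: decide purely on the destination port."""
    return dst_port in allowed_ports


def parse_http_request(raw: str):
    """Minimal HTTP/1.1 parser: returns (method, path, headers, params).

    Query-string and form-encoded body parameters are merged into one dict so
    that content rules can be applied uniformly, whichever way the value arrived.
    """
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    params = dict(parse_qsl(url.query, keep_blank_values=True))
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params.update(parse_qsl(body, keep_blank_values=True))
    return method, url.path, headers, params


# Illustrative signature only (assumption): quote followed by OR, UNION SELECT,
# SQL comment markers, or a statement separator inside a parameter value.
SQLI_SIGNATURE = re.compile(r"(?i)(?:'\s*or\s|union\s+select|--|/\*|;)")
ALLOWED_METHODS = {"GET", "POST"}


def app_layer_filter(raw: str):
    """Application-layer rule set over the decoded request: (allowed, reason)."""
    method, path, headers, params = parse_http_request(raw)
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not allowed"
    if "host" not in headers:
        return False, "missing Host header"
    for name, value in params.items():
        if SQLI_SIGNATURE.search(value):
            return False, f"SQL-injection signature in parameter {name!r}"
    return True, "ok"


def evaluate(dst_port: int, raw: str):
    """Run both filters and return (port_verdict, app_verdict, reason)."""
    port_ok = port_filter(dst_port)
    app_ok, reason = app_layer_filter(raw)
    return port_ok, app_ok, reason


if __name__ == "__main__":
    for label, req in (("benign", BENIGN_GET), ("injected", INJECTED_POST)):
        print(label, evaluate(80, req))
```

The injected request is accepted by `port_filter` and rejected only once the body has been parsed and its decoded parameter inspected, which is exactly the inspection step a port-based rule never performs. Signature matching of this kind is a useful first layer, but it is known to produce both false positives and evasions, which is why the article's later point about validating input inside the application still stands.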
A firewall should be able to "learn" what is and isn't normal traffic for a specific network and adapt its behavior accordingly. The real problem to be solved, though, is putting network traffic into context. Is a sudden flood of outbound email being caused by the weekly e-newsletter going out, or by a compromised machine sending out spam? Is a request to list all database tables a hacker fingerprinting a database, or an administrator performing necessary duties? To be able to handle such situations, firewalls will need to integrate ever more closely with authentication systems and other perimeter defenses to add context to the traffic being monitored.
Combating application-layer attacks will always require more than just a firewall, though, no matter how sophisticated firewalls become. Responsibility also lies with application development teams to ensure that traffic that comes through the firewall is verified and cleansed before being passed on to the application processes it might try to subvert. Whatever firewall or perimeter defenses are in place, it is still necessary to assume all data originates from an untrusted source. Also remember that firewalls will never prevent phishing and social engineering attacks. This means that -- as is the case with all information security efforts -- the last line of defense is employee security awareness.
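The following added example (not the article's own code) shows what "verify and cleanse before passing on" looks like inside the application itself, independent of whatever the firewall let through: a catalogue lookup written with string concatenation beside the same lookup written with a parameterized query and an allow-list check on the input. The product table, its rows and the category naming rule are constructed for the demonstration.

```python
import re
import sqlite3

# Allow-list for a category name (assumption for this demo): lowercase letter
# first, then letters, digits, underscore or hyphen, at most 32 characters.
CATEGORY_RE = re.compile(r"[a-z][a-z0-9_-]{0,31}")

# Input that a port-based firewall would pass as a perfectly valid HTTP parameter.
INJECTED = "' OR '1'='1"


def build_demo_db():
    """In-memory SQLite database seeded with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, category TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [
            ("Firewall Handbook", "books", 39.0),
            ("Packet Analysis", "books", 29.0),
            ("Unreleased Widget", "internal", 0.0),   # not meant to be listed publicly
        ],
    )
    return conn


def lookup_concat(conn, category):
    """VULNERABLE: the untrusted value becomes part of the SQL text."""
    sql = f"SELECT name FROM products WHERE category = '{category}' ORDER BY rowid"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, category):
    """Hardened: the value is bound as data, never parsed as SQL."""
    sql = "SELECT name FROM products WHERE category = ? ORDER BY rowid"
    return [row[0] for row in conn.execute(sql, (category,))]


def validated_lookup(conn, category):
    """Verify first (allow-list), then query with a bound parameter."""
    if not CATEGORY_RE.fullmatch(category):
        raise ValueError(f"invalid category: {category!r}")
    return lookup_param(conn, category)


if __name__ == "__main__":
    conn = build_demo_db()
    print("concat, books:   ", lookup_concat(conn, "books"))
    print("concat, injected:", lookup_concat(conn, INJECTED))   # leaks every row
    print("param,  injected:", lookup_param(conn, INJECTED))    # matches nothing
    try:
        validated_lookup(conn, INJECTED)
    except ValueError as exc:
        print("validated:       ", exc)
```

With the concatenated query the injected value turns the WHERE clause into `category = '' OR '1'='1'` and the internal row is returned along with everything else; the bound parameter is compared literally and matches nothing, and the allow-list rejects the value before any query runs. Either of the last two defences holds regardless of what the perimeter did, which is the point of treating all inbound data as untrusted.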
This was first published in April 2008