NETWORK SECURITY TACTICS

Defending layer 7: A look inside application-layer firewalls


Michael Cobb
03.17.2007


SearchSecurity.com Security School
This tip is part of the Integration of Networking and Security School lesson on using the network to secure the application layer. Visit the Using the network to secure the application layer lesson page for more learning resources.

Layer 7, the application layer of the OSI (Open Systems Interconnection) model, supports application and end-user processes such as HTTP and SMTP. Attacks at this layer present a particular security challenge because malicious code can masquerade as valid client requests and normal application data.

For example, a standard network firewall may allow only HTTP traffic on TCP port 80, but SQL injection attacks will be allowed through because they arrive as syntactically valid HTTP requests, while spyware can run a communication channel to an outside server listening on port 80 using a protocol other than HTTP. Traditional perimeter defense technologies such as packet filtering and stateful inspection are therefore no longer adequate, because they cannot distinguish between malicious and non-malicious requests and data.
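The two cases in the paragraph above, worked through in code as an added example that is not part of the original tip: a port-based filter and an application-layer filter are run over the same three port-80 payloads. The payloads, hostnames and the small set of SQL injection patterns are constructed for illustration; a production device would use far richer protocol parsing and signatures.

```python
"""Added example (not part of the original article): what a port-based packet
filter sees versus what an application-layer filter sees on the same TCP
port-80 payloads. The payloads and hostnames below are constructed."""
import re
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass
class Packet:
    dst_port: int
    payload: bytes


# Constructed sample payloads. All three arrive on TCP port 80.
SAMPLES = {
    # an ordinary product lookup
    "normal_http": b"GET /products?id=42 HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    # the same request with a SQL tautology appended to the id parameter
    "sqli_http": b"GET /products?id=42%20OR%201%3D1-- HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    # a non-HTTP protocol tunnelled over port 80 (no HTTP request line at all)
    "not_http": b"\x16\x03\x01\x00\x2a\x00\x00beacon-data",
}


def packet_filter(pkt: Packet, allowed_ports=(80,)) -> tuple[str, str]:
    """Packet filter (stateless or stateful): the only thing it can reason
    about is the port, so anything on an allowed port is passed."""
    if pkt.dst_port in allowed_ports:
        return ("allow", f"tcp/{pkt.dst_port} is an allowed port")
    return ("deny", f"tcp/{pkt.dst_port} is not allowed")


REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/1\.[01]\r\n")

# Small, illustrative detection patterns applied to the decoded query string.
SQLI_PATTERNS = [
    re.compile(r"\b(or|and)\b\s+\d+\s*=\s*\d+", re.I),     # tautology such as OR 1=1
    re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I),  # UNION SELECT
    re.compile(r"'\s*(or|and)\b", re.I),                   # quote followed by boolean operator
    re.compile(r"--\s*$"),                                 # trailing SQL line comment
]


def app_layer_filter(pkt: Packet) -> tuple[str, str]:
    """Application-layer filter: checks that the payload really is HTTP,
    then inspects the request content before deciding."""
    m = REQUEST_LINE.match(pkt.payload)
    if m is None:
        return ("deny", "payload on port 80 is not an HTTP request")
    target = unquote(m.group(2).decode("latin-1"))
    query = target.partition("?")[2]
    for pattern in SQLI_PATTERNS:
        if pattern.search(query):
            return ("deny", f"SQL injection pattern {pattern.pattern!r} in query string")
    return ("allow", f"well-formed {m.group(1).decode()} request")


def compare(samples=SAMPLES, port=80) -> dict[str, dict[str, str]]:
    """Run both filters over every sample and return the decisions side by side."""
    result = {}
    for name, payload in samples.items():
        pkt = Packet(port, payload)
        result[name] = {
            "packet_filter": packet_filter(pkt)[0],
            "app_layer_filter": app_layer_filter(pkt)[0],
        }
    return result


if __name__ == "__main__":
    for name, decisions in compare().items():
        print(f"{name:12s} packet filter: {decisions['packet_filter']:5s} "
              f"layer-7 filter: {decisions['app_layer_filter']}")
```

The port-based filter allows all three payloads; the layer-7 filter allows only the first, rejecting the injection attempt on content and the tunnelled protocol because it is not HTTP at all. The protocol check comes first deliberately: signatures are only meaningful once the filter knows what it is looking at.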

So in the war against Layer 7 attacks, firewalls that provide application-layer filtering have become the tool of choice. Compared with traditional firewalls, application-layer filtering devices certainly provide better content filtering capabilities. They have the ability to examine the payload of a packet and make decisions based on content. This means that application-layer filtering systems can permit or deny specific application requests or commands, giving a far greater degree of granular control over network traffic. For example, they can allow or deny a specific incoming Telnet command from a particular user, whereas other firewalls can only control general incoming requests from a particular host. Many application-layer firewalls allow you to create filters to intercept, analyze or modify traffic specific to your network. This added specificity makes it easier to protect vital assets against application-layer attacks, since rules can be created to block certain types of traffic even though the malicious traffic is using an "allowed port." This not only thwarts targeted attacks, but also random worm and virus attacks, even when there is no known attack signature.

But external threats aren't your organization's only worry; there are internal threats that can travel across Layer 7 as well. Application-layer filtering systems can authenticate users directly, and their filters can be used to implement security policy rules for viewing, analyzing, blocking, redirecting or modifying traffic. This prevents unintentional or malicious actions by employees. For example, you can configure an application-layer filter to prevent employees from downloading potentially harmful programs from the Internet, or to block peer-to-peer file exchange services.

Don't put another log in the fire

In order to know what to log, and indeed what to protect, you need to classify your data. By understanding what is important and what is not, you can decide which firewall rules you need and what information you want your firewall to log. This applies to both incoming and outgoing traffic.
-- Michael Cobb
One important facet of the deep packet inspection capabilities of application-layer filtering systems is often overlooked: because they reach beyond network addresses and ports to examine the entire packet, they can produce far more detailed logs. These logs provide valuable information when dealing with security incidents and policy implementation, and often give warning of impending or actual attacks.
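The per-user, per-command control described earlier (allowing or denying a specific Telnet command from a particular user, blocking executable downloads and peer-to-peer traffic) and the richer logging described in this paragraph come together in the following added example, which is not code from the original tip or from any particular product. It is a first-match policy engine over requests whose protocol and user have already been identified by the filter; the users, hosts, commands and rules are constructed for illustration, and the two log records show what a port-based filter could write next to what a layer-7 filter can write.

```python
"""Added example (not from the article): a first-match policy engine that
makes per-user, per-command decisions and emits layer-7 detail in its log,
beside the address/port-only record a packet filter could produce.
Users, hosts, commands and rules are constructed for illustration."""
import fnmatch
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone


@dataclass
class Request:
    """A request as seen after the filter has identified protocol and user."""
    user: str        # authenticated by the application-layer filter itself
    src: str
    dst: str
    dst_port: int
    protocol: str    # e.g. "telnet", "http", "bittorrent"
    command: str     # Telnet command name, HTTP method, ...
    argument: str    # command argument or requested URL


@dataclass
class Rule:
    action: str          # "allow" or "deny"
    user: str = "*"      # shell-style wildcards; "*" matches anything
    protocol: str = "*"
    command: str = "*"
    argument: str = "*"

    def matches(self, req: Request) -> bool:
        return all(
            fnmatch.fnmatchcase(value, pattern)
            for value, pattern in (
                (req.user, self.user),
                (req.protocol, self.protocol),
                (req.command, self.command),
                (req.argument, self.argument),
            )
        )


# Constructed policy, evaluated top to bottom; the first matching rule wins.
POLICY = [
    Rule("deny", protocol="telnet", command="rm"),                  # nobody deletes over Telnet
    Rule("allow", user="admin", protocol="telnet"),                  # admin may use other Telnet commands
    Rule("deny", protocol="telnet"),                                 # everyone else: no Telnet at all
    Rule("deny", protocol="http", command="GET", argument="*.exe"),  # no executable downloads
    Rule("deny", protocol="bittorrent"),                             # block peer-to-peer file exchange
    Rule("allow", protocol="http"),                                  # ordinary web traffic
    Rule("deny"),                                                    # default deny
]


def evaluate(req: Request, policy=POLICY) -> tuple[str, int]:
    """Return (action, index of the rule that decided)."""
    for i, rule in enumerate(policy):
        if rule.matches(req):
            return rule.action, i
    return "deny", -1   # unreachable with the default-deny rule, kept for safety


def packet_filter_record(req: Request, action: str) -> dict:
    """What a port-based filter could log: addresses, port and verdict only."""
    return {"src": req.src, "dst": req.dst, "dst_port": req.dst_port, "action": action}


def app_layer_record(req: Request, action: str, rule_index: int) -> dict:
    """What an application-layer filter can log: who did what to which resource."""
    record = asdict(req)
    record.update({"action": action, "rule": rule_index,
                   "ts": datetime.now(timezone.utc).isoformat(timespec="seconds")})
    return record


def process(req: Request, policy=POLICY) -> dict:
    """Decide on a request and return the detailed log record for it."""
    action, idx = evaluate(req, policy)
    return app_layer_record(req, action, idx)


# Constructed sample traffic.
SAMPLE_REQUESTS = [
    Request("admin", "10.0.1.5", "10.0.2.10", 23, "telnet", "ls", "/var/log"),
    Request("admin", "10.0.1.5", "10.0.2.10", 23, "telnet", "rm", "/var/log/auth.log"),
    Request("bob", "10.0.1.22", "10.0.2.10", 23, "telnet", "ls", "/home"),
    Request("alice", "10.0.1.9", "203.0.113.8", 80, "http", "GET", "http://dl.example/tool.exe"),
    Request("alice", "10.0.1.9", "10.0.2.20", 80, "http", "GET", "http://intranet.example/"),
    Request("bob", "10.0.1.22", "198.51.100.7", 6881, "bittorrent", "handshake", "infohash:constructed"),
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        action, idx = evaluate(req)
        print(json.dumps(packet_filter_record(req, action)))
        print(json.dumps(app_layer_record(req, action, idx)))
```

Running it shows the admin's `ls` allowed but the same user's `rm` denied by the earlier, more specific rule, and the packet-filter record for the blocked `.exe` download contains only two addresses and a port, while the layer-7 record names the user, the method, the URL and the rule that fired. That second record is the one an incident responder or a policy reviewer actually needs.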

Although application-layer firewalls can analyze and block malicious traffic, the processing power they require makes them more expensive and a lot slower than more basic network devices. It wouldn't make sense, or be at all practical, to scatter application-layer firewalls throughout your network wherever you need to connect devices and LAN segments together. Instead, network switch security can play an important role in controlling which devices can connect and what they can see on your network. Switches are traditionally Layer 2 networking devices that control a device's initial access to the network. They can also be used to create virtual local area networks (VLANs), which provide performance, control of broadcast traffic, and segregation of departments and clusters. Port security is also available on business-class switches. This is a great way to define how many and exactly which devices can connect to your switch ports, preventing people from attaching wireless access points and bypassing your security policy.

Although switch security can be labor-intensive and requires constant management, it is an important aspect of building defense-in-depth to protect your network applications. Used together, switches and application-layer firewalls are key devices in protecting Layer 7, but be realistic about the degree of security your defenses can achieve. Phishing and social engineering attacks will still be able to circumvent your hardware and software security measures. This means that, as with all information security efforts, your last line of defense for Layer 7 is employee security awareness, and lots of it.

About the author: Michael Cobb, CISSP-ISSAP, is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.

