Application firewall tips and tricks


Michael Cobb
01.09.2006


Application-layer firewalls work at the application layer of the TCP/IP stack, intercepting packets traveling to or from an application such as a browser. This provides a more thorough examination of network traffic than network firewalls, which only examine packet information at the transport layer and below. But to be effective, application-layer firewalls must be tailored closely to the applications and the specific network environment they're protecting. Poorly configured firewalls can block legitimate users, customers or partners -- or give hackers access to systems and data. This tip reviews types of application firewalls and how to tune them for your organization's environment.

Hardware vs. software
Application firewalls come in many different flavors, but really fall into two main categories: hardware and software. Hardware firewalls run on a dedicated appliance, often with a hardened operating system designed specifically for the task of firewalling. Software firewalls are installed on a general-purpose machine located between trust zones, such as at the network perimeter, or, in the case of a personal firewall, on the desktop machine itself.

Purpose-built hardware appliances generally deliver better performance, but are more complex to set up and configure. If you choose a software-based solution, make sure it runs on a platform your IT department is familiar with in order to avoid additional training and support issues. Software solutions often provide more flexibility than hardware solutions, but you need to ensure that the operating system the firewall is running on is patched and maintained on a regular basis.

Setup and rule sets

When it comes to setting up your firewall, most IT security books will tell you to start by denying all traffic by default, and then only allowing traffic that is expressly required -- the classic access model used in information security. However, you should be aware of how such an implicit deny rule changes the way a firewall behaves. When a packet matches a rule in the access list, the packet is immediately dropped by a deny rule or forwarded by a permit rule. Because it is not tested against any other rules you may have set in the access list, it is essential that you always put specific filters before general filters. Otherwise, a general rule might allow a packet that a more specific rule later in the access list would have denied.

It helps if you build your set of rules in advance, putting the implicit deny rule at the end, as adding rules ad hoc can radically change how your firewall manages traffic. Approaching the access list rules from an "allow what you need" rather than a "deny what you don't" perspective can also make the purpose of each rule that much more reasoned.

You should also implement rules for outbound traffic, ensuring that only packets with your network's source address leave the network. This egress filtering is essential to stop spyware and botnets from phoning home.
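The first-match behaviour and the egress rule described above, as an added example that is not part of the original tip: a small access-list evaluator that shows how a general permit placed ahead of a specific deny silences the deny, and how an outbound list with only your own prefix permitted lets the implicit deny catch spoofed sources. All addresses and prefixes are constructed documentation ranges.

```python
"""First-match access-list evaluator (added example, not from the article).

A packet is compared against rules top to bottom and the first hit decides;
nothing after it is consulted, so specific rules must precede general ones
and the implicit deny sits at the end of the list.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str                     # CIDR source prefix
    dst: str                     # CIDR destination prefix
    dport: Optional[int] = None  # None matches any destination port


def matches(rule: Rule, src: str, dst: str, dport: int) -> bool:
    return (ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and (rule.dport is None or rule.dport == dport))


def evaluate(rules, src: str, dst: str, dport: int):
    """Return (action, index) of the first matching rule; index -1 means implicit deny."""
    for i, r in enumerate(rules):
        if matches(r, src, dst, dport):
            return r.action, i
    return "deny", -1  # implicit deny: nothing matched


# Constructed sample: a general permit placed BEFORE a specific deny.
# The deny on line 2 can never be reached because line 1 already matched.
MISORDERED = [
    Rule("permit", "0.0.0.0/0", "203.0.113.10/32", 80),        # anyone to the web server
    Rule("deny", "198.51.100.0/24", "203.0.113.10/32", 80),    # ...except this block
]
# Same two rules, specific filter first, as the tip recommends.
ORDERED = [MISORDERED[1], MISORDERED[0]]

# Egress filtering: only traffic sourced from our own prefix may leave;
# anything else falls through to the implicit deny.
INTERNAL_PREFIX = "192.0.2.0/24"  # constructed internal network
EGRESS = [Rule("permit", INTERNAL_PREFIX, "0.0.0.0/0")]

if __name__ == "__main__":
    print(evaluate(MISORDERED, "198.51.100.7", "203.0.113.10", 80))  # ('permit', 0)
    print(evaluate(ORDERED, "198.51.100.7", "203.0.113.10", 80))     # ('deny', 0)
    print(evaluate(EGRESS, "10.9.8.7", "8.8.8.8", 443))              # ('deny', -1)
```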

Whitelisting, blacklisting and auditing
Whitelists and blacklists define which sites, IP addresses, applications, etc., are to be trusted and which are not, respectively. You can use one or the other, or both. A whitelist approach is more restrictive and is ideal for a network that has a limited need for Internet access and a stable application requirement. However, while a whitelist is generally a more secure approach than a blacklist, it can give a false sense of security because malicious code can turn a trusted machine or application into an untrusted one in seconds by giving control to a hacker via Trojan or Zombie programs. Blacklists have a higher administrative overhead as they need regular updates to be effective and are of no use at all against a new unknown threat.

To help keep white and blacklists up to date, it is essential to log and audit the traffic passing through your application-layer firewall. Logs are invaluable for verifying that the firewall is operating effectively and for analyzing problems or attacks when they occur. Make sure you have the ability to audit and analyze your logs regularly. Even on a small network, the volume of traffic will create log files that are too large to manually audit, so you will need a full-featured log analyzer and the time to review its output.

About the author
Michael Cobb, CISSP-ISSAP, is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for SearchSecurity's Web Security School and, as a SearchSecurity.com site expert, answers user questions on application and platform security.
