
Building A Perimeter Defense With Application-Level Firewalls

Learn how application-level firewalls, when carefully deployed, can strengthen perimeter defenses and prevent hackers from exploiting vulnerabilities in application code.

Companies have spent a great deal of time and money securing their network perimeters but that hasn't deterred cybercriminals. Instead, they're simply bypassing those perimeter defenses and zeroing in on the weakest link in the security chain--the application layer.

By exploiting application vulnerabilities, attackers can find a treasure trove of sensitive corporate data and cause irreparable damage. Market-research firm Gartner estimates that 75 percent of attacks take place at the application layer. Attackers are exploiting application vulnerabilities not only because it's easier than defeating perimeter defenses such as stateful firewalls and IDSes, but because it's an avenue to the valuable data they want. Often, sensitive information such as names and credit card numbers resides in the application itself. Loss of this information could severely damage a company's reputation and livelihood.

How can you make sure your company doesn't fall victim to application-layer attacks? How can you prevent intruders from gaining privileged access rights to your system?

We'll show you how criminals are launching these attacks and how you can use application-layer firewalls (ALFs) to combat them.

Application-layer attacks take advantage of a gap in the protection provided by stateful firewalls--a defense that companies heavily rely on. Most stateful firewalls examine packet information in OSI layer 4 (transport) and below to provide better performance, only inspecting layer 7 packets that initialize a connection. All subsequent packets are tracked through a state table using layer 4 and below information.

This is an efficient way to track communications, but it lacks the ability to consider the application-layer commands for the entire communications session and misses abnormal application-level behavior after the initial packet. Application-layer attacks take advantage of this oversight; malicious code can travel over Internet protocols, masquerading as normal application content, and not be spotted as a security breach by perimeter defenses. For example, if only HTTP traffic is allowed out on TCP port 80, a bot could still run a communication channel that uses a protocol other than HTTP to an outside server listening on port 80. Applications can also be attacked by manipulating the logic of the application code itself.

Shoring Up the Weak Point
Your network security must maintain confidentiality, integrity and availability. Without some form of application-layer protection, this is becoming almost impossible. By employing deep-packet inspection to analyze packets not just in isolation but within the context of the overall application session, ALFs can catch malicious traffic that stateful-inspection firewalls miss, while still maintaining a stateful firewall's perspective on the overall communication flow of the network.

Application-layer filtering can also watch for attacks originating inside the network, a role that has usually fallen to intrusion detection systems (IDSes); stateful inspection firewalls can leave openings for unauthorized outbound application traffic.

Deep-packet inspection technology is already inherent in many common network security products, such as IDS, intrusion prevention systems (IPSes), and anti-virus programs. IDS acts as a passive-monitoring system, only warning of suspicious activity as it's occurring, while antivirus programs detect known malicious programs before they execute. Where IDS informs of an actual attack, IPS tries to stop it. IPS solutions tend to be deployed as added security devices at the network perimeter because they don't provide network segmentation.

ALFs provide the application-layer protection of an IPS by merging IDS signatures and application protocol anomaly detection rules into the traffic-processing engine, while also allowing security zone segmentation. A number of vendors are looking to embed IPS, IDS, firewall and AV capabilities into combined systems to avoid administrators having to integrate separate products.
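The gap described above, and the way an ALF closes it by merging protocol validation with signature matching, is easiest to see in code. The following is an added example written for this article, not a vendor's engine: it models a stateful firewall that decides on the first packet of a flow and then trusts its state table, beside an application-layer firewall that also validates every payload as HTTP and runs a content signature over it. The session payloads, the 5-tuple, the allowed port list and the single traversal signature are all constructed for the illustration.

```python
"""Stateful vs. application-layer inspection of one TCP session on port 80.

Added example: a deliberately small model, not a real firewall engine.
"""
import re

# Constructed client-to-server payloads seen on one connection to TCP port 80.
SESSION = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",   # legitimate
    b"\x17\x03\x01\x00\x2aBOT-C2\x00beacon\x00" + b"\x00" * 8,     # bot channel, not HTTP
    b"GET /cgi-bin/../../../../etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
]
FLOW = ("10.0.0.5", 51234, "203.0.113.10", 80, "tcp")  # (src, sport, dst, dport, proto)

REQUEST_LINE = re.compile(rb"(GET|POST|HEAD|PUT|DELETE|OPTIONS) /\S* HTTP/1\.[01]")
HEADER_LINE = re.compile(rb"[A-Za-z0-9-]+:[ \t]*[^\r\n]*")
# Assumed IDS-style content signatures; illustrative, not a vendor rule set.
SIGNATURES = {"directory-traversal": re.compile(rb"\.\./")}


class StatefulFirewall:
    """Decides on the first packet of a flow, then trusts its state-table entry."""

    def __init__(self, allowed_ports=(80, 443)):
        self.allowed_ports = set(allowed_ports)
        self.state = set()

    def handle(self, flow, payload):
        if flow not in self.state:
            if flow[3] not in self.allowed_ports:
                return "drop"
            self.state.add(flow)          # connection established: remember the 5-tuple
        return "allow"                    # later packets are matched on layer 3/4 only


def http_anomaly(payload):
    """Return None if payload parses as an HTTP/1.x request, else the reason it does not."""
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return "no end-of-headers marker"
    lines = head.split(b"\r\n")
    if not REQUEST_LINE.fullmatch(lines[0]):
        return "not an HTTP/1.x request line"
    for line in lines[1:]:
        if not HEADER_LINE.fullmatch(line):
            return "malformed header field"
    return None


class ApplicationLayerFirewall(StatefulFirewall):
    """Same state table, plus protocol validation and signatures on every payload."""

    def handle(self, flow, payload):
        verdict = super().handle(flow, payload)
        if verdict != "allow" or flow[3] != 80:
            return verdict
        reason = http_anomaly(payload)
        if reason:
            return f"drop: protocol anomaly ({reason})"
        for name, sig in SIGNATURES.items():
            if sig.search(payload):
                return f"drop: signature {name}"
        return "allow"


def run(firewall, flow, messages):
    """Feed each message of a session through the firewall and collect verdicts."""
    return [firewall.handle(flow, m) for m in messages]


if __name__ == "__main__":
    print("stateful:         ", run(StatefulFirewall(), FLOW, SESSION))
    print("application-layer:", run(ApplicationLayerFirewall(), FLOW, SESSION))
```

The stateful model allows all three messages because the connection was legitimately opened on an allowed port; the application-layer model drops the second for not being HTTP at all (the bot channel on port 80) and the third on a signature even though it is syntactically valid HTTP. The two checks are independent, which is why an ALF can stop a protocol misuse with no signature and a well-formed request that carries a known attack.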


Diagram: Inline and Parallel Firewall Protection

Designing Your Defenses
How you design and implement your network security will depend on the value of the data and the resources your network protects. A stateful firewall's speed and ability to handle just about any traffic flow make it an excellent choice for a static brochure site, but it will only be one of many devices needed to protect an e-commerce site.

One of the most difficult problems you'll have in building your defenses is balancing security with system user requirements. For example, blocking all incoming e-mail attachments is the simplest and most secure way to stop e-mail-borne worms, but is probably not plausible from a business perspective. Also, because resources differ in the criticality of the data they control and the likelihood of being attacked, a layered defense is required to balance protection, cost and performance.

Firewalls deployed to implement defense-in-depth must be independent and distinct. The diagram, Inline and Parallel Firewall Protection, shows a theoretical layout of how network-layer stateful packet-filtering firewalls and intelligent ALFs can be deployed to segment resources with different security requirements.

As the corporate and Web subnets have different security needs, firewalls are used in parallel, each being tuned specifically for the resources sitting behind it, with the more secure but slower ALF protecting the Web subnet. The sensitive data subnet is protected by an additional inline firewall so only the Web servers can access it. Inline firewalls can cause delays if hosts are deep behind several firewalls, and they are difficult to manage. But many inline firewalls can be administered from a single console, such as Cisco Systems' PIX and Check Point Software Technologies' FireWall-1.

The grouping of resources based on their criticality continues throughout the corporate subnet with the internal workstations and servers being split by an internal router and given additional protection from any wireless and laptop devices by another ALF. As wireless and handheld peripherals now regularly connect to office networks, you need to ensure that they are secured and can't act as a platform from which an application-layer attack could be launched. Remember that even if your internal devices sit behind a firewall located on a screened subnet, they should still be hardened to withstand attacks.
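The segmentation just described is a policy matrix: which zone may talk to which, on what port, through which device. Writing it down as a table you can test catches the gaps (a corporate host reaching the data subnet directly, a wireless client reaching file shares) before a firewall change does. The following is an added example, not a configuration from the article or any vendor: the address plan, port list and firewall names are assumed for illustration, and the rule table is one reading of the layout in the text with an inline firewall in front of the data subnet and ALFs in front of the Web and wireless segments.

```python
"""Segmentation policy for the layout described above, as a checkable table.

Added example: the address plan, port list and firewall names are assumed for
illustration and are not taken from the article's diagram.
"""
import ipaddress

ZONES = {  # most specific prefix wins, so "internet" is the catch-all
    "internet":  ipaddress.ip_network("0.0.0.0/0"),
    "web":       ipaddress.ip_network("192.0.2.0/24"),
    "data":      ipaddress.ip_network("10.10.0.0/24"),
    "corporate": ipaddress.ip_network("10.20.0.0/23"),
    "wireless":  ipaddress.ip_network("10.30.0.0/24"),
}

# (source zone, destination zone, destination TCP port, enforcing firewall).
# Anything not listed is denied; traffic inside one zone crosses only a router.
RULES = [
    ("internet",  "web",       80,   "alf-web"),
    ("internet",  "web",       443,  "alf-web"),
    ("web",       "data",      1433, "inline-data"),   # only Web servers reach the data subnet
    ("corporate", "internet",  80,   "stateful-corp"),
    ("corporate", "internet",  443,  "stateful-corp"),
    ("wireless",  "corporate", 443,  "alf-wireless"),  # laptops/handhelds pass a second ALF
]


def zone_of(ip):
    """Longest-prefix match of an address against the zone table."""
    addr = ipaddress.ip_address(ip)
    matches = [(name, net.prefixlen) for name, net in ZONES.items() if addr in net]
    if not matches:
        raise ValueError(f"{ip} is in no zone")
    return max(matches, key=lambda item: item[1])[0]


def evaluate(src_ip, dst_ip, dst_port):
    """Return (verdict, enforcing device) for one TCP flow under the policy."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return ("allow", "router")
    for s, d, port, fw in RULES:
        if (s, d, port) == (src, dst, dst_port):
            return ("allow", fw)
    return ("deny", "default")


if __name__ == "__main__":
    for flow in [("198.51.100.7", "192.0.2.10", 443),   # Internet to Web server
                 ("198.51.100.7", "10.10.0.5", 1433),   # Internet straight to data: denied
                 ("192.0.2.10", "10.10.0.5", 1433),     # Web server to database
                 ("10.20.1.4", "10.10.0.5", 1433),      # corporate host to database: denied
                 ("10.30.0.9", "10.20.1.4", 445)]:      # wireless to file share: denied
        print(flow, evaluate(*flow))
```

Keeping the policy in this form also documents which device is accountable for each permitted path, which is what you need when a firewall console shows a connection you did not expect.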


Choosing An Application-Layer Firewall
There is no shortage of choice when it comes to application-layer firewalls (ALFs). Several companies, including Teros (recently acquired by Citrix Systems) and NetContinuum, offer Web application firewalls, while major vendors such as Check Point Software Technologies, Cisco Systems, Juniper Networks and Microsoft are incorporating application-layer inspection capabilities into their products.

In selecting an ALF, it's important to define the firewall's technical objectives, as they will drive the selection process and determine the required features. The objectives will be shaped by your operational requirements, security policies and a risk analysis of your network. Understanding how different application-layer attacks are carried out will also help you to choose which features are required to protect your network. To choose a firewall, you need to be able to answer the following questions:
  • What does the firewall need to do?
  • What additional features would be valuable?
  • How will it fit into your existing network?
  • How will it affect existing services and users?
Budget may be a big factor in your decision. An ALF will add to network management, requiring ongoing administrative support and proper incident handling, all of which drive up the overall cost. Also, your network can easily become clogged unless you can afford a hardware configuration that prevents the firewall from becoming a traffic bottleneck.

Software firewalls, though generally cheaper, often lack the security built into the hardened OSes of firewall appliances, and those that run on general-purpose OSes are vulnerable to the security loopholes of the underlying system. Appliance-based firewalls are typically much easier to install and configure than software-based ones, but don't mistake this for plug-and-play usability.

If your organization is short on IT expertise, the ease of installation and configuration will be important factors in your choice of firewall. You also need to assess what training may be necessary. Do the firewall vendors provide training or will you need to go to a third party? If you opt for a software-based solution, choose one that works on a platform with which your IT department is familiar in order to avoid further training and support issues.

If you intend to take advantage of an ALF's user authentication capabilities, make sure the ALF can integrate with your existing user-account database. Check to see if its logs will provide the information that your audit policy requires, such as user activity and types of traffic, and that your log analyzer can handle the output.

You will need to choose a scalable and flexible firewall if your organization has plans to grow. Software solutions often provide more flexibility than hardware solutions. If you are running a large network, then centralized management may be a critical feature so that firewall policies can be deployed and managed from a single location. Whichever firewalls you evaluate, you need to cut through the marketing hype and ensure that you understand how the firewall can meet your organization's objectives.

--Michael Cobb
Finally, the border router's packet-filtering capabilities can be used to reduce background noise. But keep in mind that you don't want to block too much, otherwise you may not get a complete view of denied packets in the firewall logs.

In some cases, placing systems on a screened subnet may not be appropriate if the firewall is too much of a bottleneck. If the data server does not contain particularly sensitive data, it could sit on the same subnet as the Web server in a general DMZ. To improve general Web performance, you could run a Web server serving static HTML pages behind a stateful firewall and put your e-commerce server, running over SSL, behind an ALF.

What and When to Filter
A simple packet filter can block most application-layer attacks if you block the port on which they are carried. But these types of attacks are so successful because they travel over protocols you need to allow within your network; they are required by your online or network services. For example, you may not allow protocols other than HTTP into your network from the Internet, but an attack launched from an e-mail attachment could travel over protocols that are allowed within your internal network, such as NetBIOS or SMTP. It makes sense to filter and protect applications using protocol traffic other than just HTTP.

Blocking only the attack's source IP address is far better than blocking all traffic on a port that legitimate services need. For instance, the Blaster worm exploits the Remote Procedure Call (RPC) protocol, which cannot simply be shut off inside a Windows network. Looking for odd behavior in RPC sessions means that attacks over RPC can be stopped even if there is no known attack signature, or if an unpatched system is being attacked.
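Two points from the last two paragraphs, inspecting a protocol other than HTTP and blocking the offending source rather than the port, can be shown together. The following is an added example written for this article, not code from any firewall product. It parses the standard 16-byte connection-oriented DCE/RPC common header and the 8-byte request header behind it, flags structural anomalies (version, declared fragment length that disagrees with the bytes on the wire, authentication length larger than the fragment, a request stub far larger than any legitimate call needs) without any attack signature, and on a hit blocks the source address for a limited time while the port stays open to everyone else. The MAX_STUB threshold, the addresses and the sample PDUs are constructed for the illustration, and one PDU per message is assumed; a production inspector also reassembles fragments.

```python
"""Protocol-anomaly checks on DCE/RPC PDUs with per-source blocking.

Added example. The 16-byte DCE/RPC common header (version, minor version,
packet type, flags, data representation, fragment length, authentication
length, call id) and the 8-byte request header that follows it are the
standard layout; MAX_STUB and the sample addresses are assumed, and the sample
PDUs are constructed here, not captured from real traffic.
"""
import struct
import time
from collections import namedtuple

Header = namedtuple("Header", "vers vers_minor ptype flags frag_len auth_len call_id")
PTYPE_REQUEST = 0
MAX_STUB = 1024  # assumed ceiling for request stub data on the interfaces we protect


def parse_header(pdu):
    """Decode the common header; the drep byte says whether integers are little-endian."""
    if len(pdu) < 16:
        raise ValueError("short PDU")
    endian = "<" if pdu[4] & 0x10 else ">"
    frag_len, auth_len, call_id = struct.unpack(endian + "HHI", pdu[8:16])
    return Header(pdu[0], pdu[1], pdu[2], pdu[3], frag_len, auth_len, call_id)


def rpc_anomalies(pdu):
    """Return a list of reasons this PDU is not well-formed RPC; empty means clean."""
    try:
        h = parse_header(pdu)
    except ValueError as exc:
        return [str(exc)]
    reasons = []
    if h.vers != 5:
        reasons.append(f"unexpected RPC version {h.vers}")
    if h.frag_len != len(pdu):
        reasons.append(f"fragment length {h.frag_len} does not match {len(pdu)} bytes on the wire")
    if h.auth_len > h.frag_len:
        reasons.append("auth_length exceeds fragment length")
    if h.ptype == PTYPE_REQUEST:
        if len(pdu) < 24:
            reasons.append("truncated request header")
        else:
            stub_len = len(pdu) - 24 - h.auth_len  # alloc_hint, context id and opnum precede the stub
            if stub_len > MAX_STUB:
                reasons.append(f"oversized request stub ({stub_len} bytes)")
    return reasons


class SourceBlocklist:
    """Time-limited block of offending source addresses; the port stays open to everyone else."""

    def __init__(self, ttl=600, clock=time.monotonic):
        self.ttl, self.clock, self._expiry = ttl, clock, {}

    def block(self, ip):
        self._expiry[ip] = self.clock() + self.ttl

    def is_blocked(self, ip):
        expiry = self._expiry.get(ip)
        if expiry is None:
            return False
        if expiry <= self.clock():
            del self._expiry[ip]
            return False
        return True


def inspect(src_ip, pdu, blocklist):
    """Verdict for one PDU: anomalies drop the PDU and block its source, not the port."""
    if blocklist.is_blocked(src_ip):
        return ("drop", ["source blocked"])
    reasons = rpc_anomalies(pdu)
    if reasons:
        blocklist.block(src_ip)
        return ("drop", reasons)
    return ("allow", [])


def build_request(stub, call_id=1, opnum=0):
    """Construct a little-endian request PDU around the given stub data (sample builder)."""
    body = struct.pack("<IHH", len(stub), 0, opnum) + stub
    header = bytes([5, 0, PTYPE_REQUEST, 0x03]) + b"\x10\x00\x00\x00"
    return header + struct.pack("<HHI", 16 + len(body), 0, call_id) + body


# Constructed samples: a normal call, one with an oversized stub, one lying about its length.
NORMAL = build_request(b"\x00" * 64)
OVERSIZED = build_request(b"A" * 2048)
BAD_LENGTH = NORMAL[:8] + struct.pack("<HHI", 9000, 0, 1) + NORMAL[16:]

if __name__ == "__main__":
    bl = SourceBlocklist()
    for src, pdu in (("198.51.100.20", NORMAL), ("198.51.100.9", OVERSIZED), ("198.51.100.9", NORMAL)):
        print(src, inspect(src, pdu, bl))
```

Note what the check does not know: nothing here identifies a specific worm. It rejects the shape of a request that no legitimate client of the protected interface produces, which is why it still works when the target is unpatched and the signature database is a day behind.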

Another example is the Session Initiation Protocol (SIP), an application-layer protocol used for initiating interactive multimedia sessions such as voice calls and instant messaging. Spam already circulates over both HTTP and SMTP, and will likely reach SIP-based applications as hackers learn how to attack Internet calls at the application layer. Application-layer filtering of SIP-based communication is essential, because SIP sessions are initiated by unsolicited, and therefore untrusted, incoming calls.

If you use SSL to encrypt network traffic, an ALF must decrypt the traffic before it can inspect it. Decryption consumes processing power, and without enough of it the firewall adds latency, so ensure that SSL is not being used where it isn't needed.

Security vs. Performance
An ALF will impact your network's capacity to deliver an acceptable level of service, but it's important that you understand exactly how it's impacting your network performance. The network interaction between applications and devices will determine the overall performance of both.

Check where you can easily improve system configurations before adding additional resources such as RAM or hardware accelerators. It may just be a poorly tuned backend database that is slow in returning data, or inappropriate settings for your SSL session cache and timeout. If you make changes to your network, like adding a VPN service to a router or firewall, review whether existing equipment has the capacity to handle the additional workload. Communication applications such as one-to-many multicasts and online training videos need bandwidth, so you need to block superfluous traffic from unauthorized applications and prevent congestion at LAN and WAN boundaries. You may need to reschedule jobs sending data over a WAN link to less busy times.


ALFs need to be resourced correctly. Handling attacks in real time creates additional tasks, such as writing logs, sending alerts and blocking IP addresses. Layer 7 dispatchers, which direct incoming client requests, could be used to direct packets to specific servers based on the content requested, allowing better strategic placement of application-layer protection. Load balancing, where work is divided between multiple devices, may also be a solution. It's a more scalable and potentially more reliable infrastructure but adds complexity and cost, particularly if you use SSL.

If you work with large, high-performance networks, make sure you are using systems such as Windows 2000 or Linux kernels 2.1.9 or later, which support the RFC 1323 TCP extensions (window scaling and timestamps for high-bandwidth links), and use the Open Shortest Path First routing protocol instead of the Routing Information Protocol. This makes for a more efficient and stable network. But if you do not have the necessary resources or in-house skills, apply access lists on incoming interfaces to avoid routers having to make needless routing decisions.

Ultimate Solution
Application-layer attacks will continue to be a drain on corporate resources as hackers become more adept at exploiting poorly coded applications. As more rich content and complex services make their way onto the Web, so will more vulnerabilities. Closing up your application-layer holes will require baking security into software from the start. But until secure coding becomes standard practice, the application layer will remain a weak link that companies need to protect with dedicated application-layer defenses.
