Manage Learn to apply best practices and optimize your operations.

Defending layer 7: A look inside application-layer firewalls

Run-of-the-mill network firewalls can't properly defend applications. As Michael Cobb explains, application-layer firewalls offer Layer 7 security on a more granular level, and may even help organizations to get more out of existing network devices.

This tip is part of the Integration of Networking and Security School lesson on using the network to secure the...

application layer. Visit the Using the network to secure the application layer lesson page for more learning resources.

Layer 7, the application layer of the OSI (Open System Interconnection) Model, supports application and end-user processes, such as HTTP and SMTP. Attacks at this layer present a security challenge as malicious code can masquerade as valid client requests and normal application data.

For example, a standard network firewall may only allow HTTP traffic on TCP port 80, but SQL injection attacks will be allowed through as valid HTTP requests, while spyware can run a communication channel that uses a protocol other than HTTP to an outside server listening on port 80. This means that traditional perimeter defense technologies such as packet filtering and stateful inspection are no longer adequate because they cannot distinguish between malicious and non-malicious requests and data.

So in the war against Layer 7 attacks, firewalls that provide application-layer filtering have become the tool of choice. Compared with traditional firewalls, application-layer filtering devices certainly provide better content filtering capabilities. They have the ability to examine the payload of a packet and make decisions based on content. This means that application-layer filtering systems can permit or deny specific application requests or commands, giving a far greater degree of granular control over network traffic. For example, they can allow or deny a specific incoming Telnet command from a particular user, whereas other firewalls can only control general incoming requests from a particular host. Many application-layer firewalls allow you to create filters to intercept, analyze or modify traffic specific to your network. This added specificity makes it easier to protect vital assets against application-layer attacks, since rules can be created to block certain types of traffic even though the malicious traffic is using an "allowed port." This not only thwarts targeted attacks, but also random worm and virus attacks, even when there is no known attack signature.

But external threats aren't your organization's only worry; there are internal threats that can travel across Layer 7 as well. Application-layer filtering systems can not only authenticate users directly, but filters can be used to implement security policy rules for viewing, analyzing, blocking, redirecting or modifying traffic. This prevents unintentional or malicious actions by employees. For example, you can configure an application-layer filter to prevent employees from downloading potentially harmful programs from the Internet, or block peer-to-peer file exchange services.

In order to know what to log, and indeed what to protect, you need to classify your data. By understanding what is important and what is not you can decide on what firewall rules you need and what information you want your firewall to log. This applies to both incoming and outgoing traffic.
Michael Cobb

One important facet of the deep packet inspection capabilities of application-layer filtering systems is often overlooked: because they reach beyond network addresses and ports to examine the entire network packet, they can produce far more detailed logs. These logs can provide valuable information when dealing with security incidents and policy implementation, often providing data that may provide a warning of impending or actual attacks.

Although application-layer firewalls can analyze and block malicious traffic, the necessary processing power makes them more expensive and a lot slower than more basic network devices. It wouldn't make sense or be at all practical to scatter application-layer firewalls throughout your network wherever you needed to connect devices and LAN segments together. Instead, network switch security can play an important role in controlling which devices can connect and what they can see on your network. Switches are traditionally Layer 2 networking devices that control a device's initial access to the network. They can also be used to create virtual local area networks (vLANs), which provide performance, control of broadcast traffic and department and cluster segregation. Port security is also available on business-class switches. This is a great way to define how many and exactly which devices can connect to your switch ports, preventing people from attaching wireless access points and bypassing your security policy.

Although switch security can be labor-intensive and requires constant management, it is an important aspect of building defense-in-depth to protect your network applications. Used together switches and application-layer firewalls are key devices in protecting Layer 7, but remember to appreciate what degree of security you can achieve from your defenses. Phishing and social engineering attacks will still be able to circumvent your hardware and software security measures. This means that as is the case with all information security efforts, your last line of defense for Layer 7 is employee security awareness, and lots of it.

About the author Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity Security Schools and, as a site expert, answers user questions on application security and platform security.


  School home: Integration of Networking and Security School
  Lesson home: Using the network to secure the application layer
  Webcast: Balancing security and performance - Protecting Layer 7
  Podcast: Fact or fiction - A holistic approach to application security
  Quiz: Using the network to secure the application layer

This was last published in March 2007

Dig Deeper on Application firewall security