An application firewall is a form of
firewall
Firewall may refer to:
* Firewall (computing), a technological barrier designed to prevent unauthorized or unwanted communications between computer networks or hosts
* Firewall (construction), a barrier inside a building, designed to limit the spre ...
that controls
input/output
In computing, input/output (I/O, or informally io or IO) is the communication between an information processing system, such as a computer, and the outside world, possibly a human or another information processing system. Inputs are the signals ...
or
system call
In computing, a system call (commonly abbreviated to syscall) is the programmatic way in which a computer program requests a service from the operating system on which it is executed. This may include hardware-related services (for example, acc ...
s of an application or service. It operates by monitoring and blocking communications based on a configured policy, generally with predefined rule sets to choose from. The application firewall can control communications up to the
application layer
An application layer is an abstraction layer that specifies the shared communications protocols and interface methods used by hosts in a communications network. An ''application layer'' abstraction is specified in both the Internet Protocol Su ...
of the
OSI model
The Open Systems Interconnection model (OSI model) is a conceptual model that 'provides a common basis for the coordination of SOstandards development for the purpose of systems interconnection'. In the OSI reference model, the communications ...
, which is the highest operating layer, and where it gets its name. The two primary categories of application firewalls are ''network-based'' and ''host-based''.
History
Gene Spafford
Eugene Howard Spafford (born 1956), known as Spaf, is an American professor of computer science at Purdue University and a computer security expert.
Spafford serves as an advisor to U.S. government agencies and corporations. In 1998, he founded ...
of
Purdue University
Purdue University is a public land-grant research university in West Lafayette, Indiana, and the flagship campus of the Purdue University system. The university was founded in 1869 after Lafayette businessman John Purdue donated land and ...
,
Bill Cheswick at
AT&T Laboratories, and
Marcus Ranum described a third-generation firewall known as an application layer firewall. Marcus Ranum's work, based on the firewall created by
Paul Vixie
Paul Vixie is an American computer scientist whose technical contributions include Domain Name System (DNS) protocol design and procedure, mechanisms to achieve operational robustness of DNS implementations, and significant contributions to open ...
,
Brian Reid, and Jeff Mogul, spearheaded the creation of the first commercial product. The product was released by DEC, named the DEC SEAL by
Geoff Mulligan
Geoff Mulligan is an American computer scientist who developed embedded internet technology and 6LoWPAN. He was chairman of the LoRa Alliance from its creation in 2015 until 2018, was previously founder and chairman of the IPSO Alliance, is a con ...
- Secure External Access Link. DEC's first major sale was on June 13, 1991, to Dupont.
Under a broader DARPA contract at TIS, Marcus Ranum, Wei Xu, and Peter Churchyard developed the Firewall Toolkit (FWTK) and made it freely available under license in October 1993. The purposes for releasing the freely available, not for commercial use, FWTK were: to demonstrate, via the software, documentation, and methods used, how a company with (at the time) 11 years experience in formal security methods, and individuals with firewall experience, developed firewall software; to create a common base of very good firewall software for others to build on (so people did not have to continue to "roll their own" from scratch); to "raise the bar" of firewall software being used. However, FWTK was a basic application proxy requiring the user interactions.
In 1994, Wei Xu extended the FWTK with the Kernel enhancement of IP stateful filter and socket transparent. This was the first transparent firewall, known as the inception of
the third generation firewall, beyond a traditional application proxy (
the second generation firewall), released as the commercial product known as Gauntlet firewall. Gauntlet firewall was rated one of the top application firewalls from 1995 until 1998, the year it was acquired by Network Associates Inc, (NAI). Network Associates continued to claim that Gauntlet was the "worlds most secure firewall" but in May 2000, security researcher
Jim Stickley discovered a large vulnerability in the firewall, allowing remote access to the operating system and bypassing the security controls.
Stickley discovered a second vulnerability a year later, effectively ending Gauntlet firewalls' security dominance.
Description
Application layer
An application layer is an abstraction layer that specifies the shared communications protocols and interface methods used by hosts in a communications network. An ''application layer'' abstraction is specified in both the Internet Protocol Su ...
filtering operates at a higher level than traditional security appliances. This allows packet decisions to be made based on more than just source/destination IP Address or ports and can also use information spanning across multiple connections for any given host.
Network-based application firewalls
Network-based application firewalls operate at the application layer of a
TCP/IP stack and can understand certain applications and protocols such as
File Transfer Protocol
The File Transfer Protocol (FTP) is a standard communication protocol used for the transfer of computer files from a server to a client on a computer network. FTP is built on a client–server model architecture using separate control and da ...
(FTP),
Domain Name System
The Domain Name System (DNS) is a hierarchical and distributed naming system for computers, services, and other resources in the Internet or other Internet Protocol (IP) networks. It associates various information with domain names assigned t ...
(DNS), or
Hypertext Transfer Protocol
The Hypertext Transfer Protocol (HTTP) is an application layer protocol in the Internet protocol suite model for distributed, collaborative, hypermedia information systems. HTTP is the foundation of data communication for the World Wide We ...
(HTTP). This allows it to identify unwanted applications or services using a non standard port or detect if an allowed protocol is being abused.
Modern versions of network-based application firewalls can include the following technologies:
*
Encryption offloading
*
Intrusion prevention system
An intrusion detection system (IDS; also intrusion prevention system or IPS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Any intrusion activity or violation is typically rep ...
*
Data loss prevention
Data loss prevention (DLP) software detects potential data breaches/data ex-filtration transmissions and prevents them by monitoring, detecting and blocking sensitive data while ''in use'' (endpoint actions), ''in motion'' (network traffic), and ' ...
Web application firewalls (WAF) are a specialized version of a network-based appliance that acts as a
reverse proxy
In computer networks, a reverse proxy is the application that sits in front of back-end applications and forwards client (e.g. browser) requests to those applications. Reverse proxies help increase scalability, performance, resilience and securi ...
, inspecting traffic before being forwarded to an associated server.
Host-based application firewalls
A host-based application firewall monitors application
system calls or other general system communication. This gives more granularity and control, but is limited to only protecting the host it is running on. Control is applied by filtering on a per process basis. Generally, prompts are used to define rules for processes that have not yet received a connection. Further filtering can be done by examining the process ID of the owner of the data packets. Many host-based application firewalls are combined or used in conjunction with a packet filter.
Due to technological limitations, modern solutions such as
sandboxing are being used as a replacement of host-based application firewalls to protect system processes.
Implementations
There are various application firewalls available, including both free and open source software and commercial products.
Mac OS X
Starting with Mac OS X Leopard, an implementation of the TrustedBSD MAC framework (taken from FreeBSD), was included. The TrustedBSD MAC framework is used to sandbox services and provides a firewall layer given the configuration of the sharing services in Mac OS X Leopard and Snow Leopard. Third-party applications can provide extended functionality, including filtering out outgoing connections by app.
Linux
This is a list of security software packages for Linux, allowing filtering of application to OS communication, possibly on a by-user basis:
*
AppArmor
AppArmor ("Application Armor") is a Linux kernel security module that allows the system administrator to restrict programs' capabilities with per-program profiles. Profiles can allow capabilities like network access, raw socket access, and the ...
*
Kerio Control
Kerio Technologies, Inc. is a former technology company specializing in collaboration software and unified threat management for small and medium organizations. Founded in 2001, Kerio is headquartered in San Jose, California. In January 2017, GFI ...
- a commercial Product
*
ModSecurity - also works under Windows, Mac OS X,
Solaris and other versions of
Unix
Unix (; trademarked as UNIX) is a family of multitasking, multiuser computer operating systems that derive from the original AT&T Unix, whose development started in 1969 at the Bell Labs research center by Ken Thompson, Dennis Ritchie, ...
. ModSecurity is designed to work with the web-servers IIS, Apache2 and NGINX.
*
Portmaster by Safing
is an activity monitoring application. It is also available on
Windows
Windows is a group of several proprietary graphical operating system families developed and marketed by Microsoft. Each family caters to a certain sector of the computing industry. For example, Windows NT for consumers, Windows Server for se ...
.
*
Systrace
Systrace is a computer security utility which limits an application's access to the system by enforcing access policies for system calls. This can mitigate the effects of buffer overflows and other security vulnerabilities. It was developed by N ...
*
Zorp
Windows
*
WinGate
Wingate may refer to:
Places
New Zealand
* Wingate, New Zealand, a suburb of Lower Hutt
United Kingdom
* Wingate, County Durham
* Wingate Quarry, a Site of Special Scientific Interest in County Durham
* Old Wingate, County Durham
* Wingates ...
Network appliances
These devices may be sold as hardware, software, or virtualized network appliances.
Next-Generation Firewalls:
*Cisco Firepower Threat Defense
*
Check Point
Check Point is an American-Israeli multinational provider of software and combined hardware and software products for IT security, including network security, endpoint security, cloud security, mobile security, data security and security managem ...
*
Fortinet
Fortinet is an American multinational corporation headquartered in Sunnyvale, California. The company develops and sells cybersecurity solutions, such as physical firewalls, antivirus software, intrusion prevention systems, and endpoint secur ...
FortiGate Series
*
Juniper Networks
Juniper Networks, Inc. is an American multinational corporation headquartered in Sunnyvale, California. The company develops and markets networking products, including routers, switches, network management software, network security product ...
SRX Series
*
Palo Alto Networks
Palo Alto Networks, Inc. is an American multinational cybersecurity company with headquarters in Santa Clara, California. The core products is a platform that includes advanced firewalls and cloud-based offerings that extend those firewalls t ...
*
SonicWALL
SonicWall is an American cybersecurity company that sells a range of Internet appliances primarily directed at content control and network security. These include devices providing services for network firewalls, unified threat management (UTM) ...
TZ/NSA/SuperMassive Series
Web Application Firewalls/LoadBalancers:
*
A10 Networks
A10 Networks is an American public company specializing in the manufacturing of application delivery controllers (software and hardware). Founded in 2004 by Lee Chen, co-founder of Foundry Networks, A10 originally serviced just the identity mana ...
Web Application Firewall
*
Barracuda Networks
Barracuda Networks, Inc. is a company providing security, networking and storage products based on network appliances and cloud services. The company's security products include products for protection against email, web surfing, web hackers ...
Web Application Firewall/Load Balancer ADC
*
Citrix NetScaler
*
F5 Networks
F5, Inc. is an American technology company specializing in application security, multi-cloud management, online fraud prevention, application delivery networking (ADN), application availability & performance, network security, and access & auth ...
BIG-IP Application Security Manager
*
Fortinet
Fortinet is an American multinational corporation headquartered in Sunnyvale, California. The company develops and sells cybersecurity solutions, such as physical firewalls, antivirus software, intrusion prevention systems, and endpoint secur ...
FortiWeb Series
*
KEMP Technologies
Kemp, Inc. was founded in 2000 in Bethpage, New York and operates in the application delivery controller industry. The company builds load balancing products which balances user traffic between multiple application servers in a physical, virtual ...
*
Imperva
Imperva is a cyber security software and services company which provides protection to enterprise data and application software. The company is headquartered in San Mateo, California.
History
Imperva, originally named WEBcohort, was founded in 20 ...
Others:
*
CloudFlare
Cloudflare, Inc. is an American content delivery network and DDoS mitigation company, founded in 2009. It primarily acts as a reverse proxy between a website's visitor and the Cloudflare customer's hosting provider. Its headquarters are in Sa ...
*
Meraki
*
Smoothwall
Smoothwall (formerly styled as SmoothWall) is a Linux distribution designed to be used as an open source firewall. Smoothwall is configured via a web-based GUI and requires little or no knowledge of Linux to install or use.
Smoothwall is als ...
*
Snapt Inc
See also
*
ModSecurity
*
Computer security
Computer security, cybersecurity (cyber security), or information technology security (IT security) is the protection of computer systems and networks from attack by malicious actors that may result in unauthorized information disclosure, t ...
*
Content-control software
An Internet filter is software that restricts or controls the content an Internet user is capable to access, especially when utilized to restrict material delivered over the Internet via the Web, Email, or other means. Content-control software dete ...
*
Proxy server
In computer networking, a proxy server is a server application that acts as an intermediary between a client requesting a resource and the server providing that resource.
Instead of connecting directly to a server that can fulfill a reques ...
*
Information security
Information security, sometimes shortened to InfoSec, is the practice of protecting information by mitigating information risks. It is part of Risk management information systems, information risk management. It typically involves preventing or re ...
*
Application security
Application security (short AppSec) includes all tasks that introduce a secure software development life cycle to development teams. Its final goal is to improve security practices and, through that, to find, fix and preferably prevent security ...
*
Network security
Network security consists of the policies, processes and practices adopted to prevent, detect and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources. Network security involves th ...
References
External links
Web Application Firewall Open Web Application Security Project
Web Application Firewall Evaluation Criteria from th
Web Application Security ConsortiumSafety in the cloud(s): 'Vaporizing' the Web application firewall to secure cloud computing
{{DEFAULTSORT:Application Firewall
Firewall software
Packets (information technology)
Data security
Cyberwarfare