An application firewall is a form of firewall that controls the input/output or system calls of an application or service. It operates by monitoring and blocking communications based on a configured policy, generally with predefined rule sets to choose from. An application firewall can control communications up to the application layer of the OSI model, which is the highest operating layer and the source of the name. The two primary categories of application firewalls are ''network-based'' and ''host-based''.
History
Gene Spafford of Purdue University, Bill Cheswick at AT&T Laboratories, and Marcus Ranum described a third-generation firewall known as an application layer firewall. Marcus Ranum's work, based on the firewall created by Paul Vixie, Brian Reid, and Jeff Mogul, spearheaded the creation of the first commercial product. The product was released by DEC and named the DEC SEAL (Secure External Access Link) by Geoff Mulligan. DEC's first major sale was on June 13, 1991, to DuPont.
Under a broader DARPA contract at TIS, Marcus Ranum, Wei Xu, and Peter Churchyard developed the Firewall Toolkit (FWTK) and made it freely available under license in October 1993. The stated purposes for releasing the freely available, not-for-commercial-use FWTK were: to demonstrate, through the software, documentation, and methods used, how a company with (at the time) 11 years of experience in formal security methods, and individuals with firewall experience, developed firewall software; to create a common base of very good firewall software for others to build on (so people did not have to keep "rolling their own" from scratch); and to "raise the bar" of the firewall software in use. FWTK was, however, a basic application proxy that required user interaction.
In 1994, Wei Xu extended the FWTK with a kernel enhancement: an IP stateful filter and socket transparency. This was the first transparent firewall, regarded as the inception of the third-generation firewall, going beyond a traditional application proxy (the second-generation firewall), and it was released as the commercial product known as the Gauntlet firewall. Gauntlet was rated one of the top application firewalls from 1995 until 1998, the year it was acquired by Network Associates Inc. (NAI). Network Associates continued to claim that Gauntlet was the "world's most secure firewall", but in May 2000 security researcher Jim Stickley discovered a large vulnerability in the firewall that allowed remote access to the operating system and bypassed its security controls. Stickley discovered a second vulnerability a year later, effectively ending Gauntlet's security dominance.
Description
Application layer filtering operates at a higher level than traditional security appliances. This allows decisions about packets to be made on more than just source/destination IP address or port, and it can also draw on information that spans multiple connections from any given host.
Network-based application firewalls
Network-based application firewalls operate at the application layer of a TCP/IP stack and can understand certain applications and protocols such as the File Transfer Protocol (FTP), the Domain Name System (DNS), or the Hypertext Transfer Protocol (HTTP). This allows them to identify unwanted applications or services running on a non-standard port, and to detect when an allowed protocol is being abused.
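The two checks described above, identifying a protocol from its content rather than its port and spotting an allowed protocol being misused, can be shown in a few lines. The following is an added example, not code from the article or from any firewall product; the port-to-protocol policy, the DNS tunnelling thresholds, and the sample flows are assumptions constructed for the illustration.

```python
"""Content-based protocol identification for a network-level application
firewall.  Added example; policy table and sample flows are constructed."""
from __future__ import annotations
import re
import struct
from dataclasses import dataclass

# Request-line shapes that identify a protocol from its first bytes, not its port.
HTTP_REQ = re.compile(rb"^(GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH|CONNECT) \S+ HTTP/1\.[01]\r\n")
FTP_CMD = re.compile(rb"^(USER|PASS|RETR|STOR|LIST|PASV|PORT|QUIT)( [^\r\n]*)?\r\n")

# Assumed policy: the only protocol each open port is expected to carry.
EXPECTED = {21: "ftp", 53: "dns", 80: "http"}
MAX_LABEL, MAX_LABELS = 40, 8   # assumed thresholds for the DNS tunnelling heuristic


@dataclass(frozen=True)
class Flow:
    dst_port: int
    payload: bytes   # first bytes the client sent (UDP payload form for DNS)


def parse_dns_qname(payload: bytes) -> list[str] | None:
    """Return the labels of the single question in a DNS query, or None if the
    bytes do not parse as a well-formed query (responses are rejected too)."""
    if len(payload) < 12:
        return None
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    if flags & 0x8000 or qdcount != 1:            # QR=1 marks a response
        return None
    labels, pos = [], 12
    while pos < len(payload):
        n = payload[pos]
        if n == 0:
            return labels
        if n & 0xC0 or pos + 1 + n > len(payload):   # compression pointer or truncated
            return None
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return None


def identify_protocol(payload: bytes) -> str:
    """Classify a flow by its content alone; the port is not consulted."""
    if HTTP_REQ.match(payload):
        return "http"
    if FTP_CMD.match(payload):
        return "ftp"
    if parse_dns_qname(payload) is not None:
        return "dns"
    return "unknown"


def inspect(flow: Flow) -> tuple[str, str]:
    """Return (verdict, reason): a protocol on a port the policy does not open,
    the wrong protocol for an open port, or an allowed protocol being abused."""
    proto = identify_protocol(flow.payload)
    expected = EXPECTED.get(flow.dst_port)
    if expected is None:
        return "deny", f"port {flow.dst_port} not in policy (saw {proto})"
    if proto != expected:
        return "deny", f"{proto} on port {flow.dst_port}, expected {expected}"
    if proto == "http" and flow.payload.startswith(b"CONNECT "):
        return "deny", "HTTP CONNECT tunnelling through the web port"
    if proto == "dns":
        labels = parse_dns_qname(flow.payload) or []
        if len(labels) > MAX_LABELS or max((len(l) for l in labels), default=0) > MAX_LABEL:
            return "deny", "DNS query name shaped like a tunnel"
    return "allow", f"{proto} on port {flow.dst_port}"


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal A query (constructed sample input)."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack("!HH", 1, 1)


if __name__ == "__main__":
    samples = [
        Flow(80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
        Flow(8080, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),   # HTTP on an unexpected port
        Flow(80, b"CONNECT mail.example.com:443 HTTP/1.1\r\n\r\n"),
        Flow(21, b"USER anonymous\r\n"),
        Flow(53, build_dns_query("www.example.com")),
        Flow(53, build_dns_query("4d5a90000300000004000000ffff0000b8000000000000004000.t.example.com")),
        Flow(53, b"GET / HTTP/1.1\r\n\r\n"),   # web traffic hidden on the DNS port
    ]
    for f in samples:
        print(f.dst_port, *inspect(f))
```

The point of the classifier is that the verdict for a flow on port 53 depends on what the bytes are, not on the port number; a stateless packet filter would have passed every sample above except the one to port 8080.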
Modern versions of network-based application firewalls can include the following technologies:
* Encryption offloading
* Intrusion prevention system
* Data loss prevention
Web application firewalls (WAFs) are a specialized version of a network-based appliance that acts as a reverse proxy, inspecting traffic before it is forwarded to the associated server.
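The reverse-proxy inspection just described, together with the earlier point that application layer filtering can use information spanning several connections from one host, looks like this in miniature. It is an added example, not code from the article, from ModSecurity or from any WAF product; the signature rules, the body limit, the block threshold and the sample requests are constructed assumptions.

```python
"""Reverse-proxy style request inspection with per-client state kept across
connections.  Added example; rules, thresholds and requests are constructed."""
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass, field
from urllib.parse import unquote_plus

# Assumed signature rules, run over the decoded request target and body.
RULES = [
    ("path-traversal", re.compile(r"(^|/)\.\.(/|$)")),
    ("sqli-tautology", re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I)),
    ("sqli-union", re.compile(r"\bunion\b.{0,20}\bselect\b", re.I | re.S)),
]
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
MAX_BODY = 1 << 20          # assumed 1 MiB body limit
BLOCK_THRESHOLD = 3         # assumed: this many blocked requests shuns the client


@dataclass(frozen=True)
class Request:
    client_ip: str
    method: str
    target: str               # path plus query exactly as received
    body: bytes = b""


def normalize(s: str) -> str:
    """Percent-decode until stable (bounded), so that %252e%252e reaches the
    rules as '..' rather than as harmless-looking text."""
    for _ in range(3):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s


@dataclass
class Waf:
    """Sits in front of the origin server and forwards or blocks each request."""
    # Blocked-request counts survive across TCP connections from the same client.
    blocked: dict[str, int] = field(default_factory=lambda: defaultdict(int))

    def inspect(self, req: Request) -> tuple[str, str]:
        if self.blocked[req.client_ip] >= BLOCK_THRESHOLD:
            return "block", "client over block threshold"
        if req.method not in ALLOWED_METHODS:
            return self._block(req, f"method {req.method} not allowed")
        if len(req.body) > MAX_BODY:
            return self._block(req, "body too large")
        surface = normalize(req.target) + "\n" + normalize(req.body.decode("utf-8", "replace"))
        for name, pattern in RULES:
            if pattern.search(surface):
                return self._block(req, name)
        return "forward", "clean"

    def _block(self, req: Request, reason: str) -> tuple[str, str]:
        self.blocked[req.client_ip] += 1
        return "block", reason


if __name__ == "__main__":
    waf = Waf()
    for req in [
        Request("10.0.0.1", "GET", "/index.html"),
        Request("10.0.0.1", "GET", "/static/..%2f..%2fetc/passwd"),
        Request("10.0.0.1", "GET", "/a/%252e%252e/b"),                    # double-encoded
        Request("10.0.0.1", "GET", "/search?q=%27+or+%271%27%3D%271"),
        Request("10.0.0.1", "GET", "/index.html"),                        # clean, but client is shunned
        Request("10.0.0.2", "POST", "/login", b"user=x&id=1+UNION+SELECT+password+FROM+users"),
    ]:
        print(req.client_ip, req.method, req.target, *waf.inspect(req))
```

Decoding before matching is what separates a WAF from a string grep on the wire: the traversal rule never sees `%2f`, and the double-encoded request is caught because decoding runs until the target stops changing. The last clean request from 10.0.0.1 is still blocked, which is the cross-connection state the Description section refers to.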
Host-based application firewalls
A host-based application firewall monitors application system calls or other general system communication. This gives more granularity and control, but it is limited to protecting the host it runs on. Control is applied by filtering on a per-process basis. Generally, prompts are used to define rules for processes for which no rule exists yet. Further filtering can be done by examining the process ID of the process that owns the data packets. Many host-based application firewalls are combined or used in conjunction with a packet filter.
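The per-process model above, including the prompt for a process that has no rule yet, can be written as a small policy engine. This is an added example, not code from the article or from any host firewall product; the process identities, rules and connection events are constructed, and the choice to key rules on the binary's hash rather than on the PID is a design decision of this example, noted because PIDs are recycled.

```python
"""Per-process outbound connection policy of the kind a host-based application
firewall enforces.  Added example; identities, rules and events are constructed."""
from __future__ import annotations
import hashlib
from dataclasses import dataclass, field
from fnmatch import fnmatch


@dataclass(frozen=True)
class ConnEvent:
    """One outbound connect() attributed to a process.  On Linux the exe path
    would be read from /proc/<pid>/exe; the hash is of the binary on disk."""
    pid: int
    exe: str
    exe_sha256: str
    dst_host: str
    dst_port: int


@dataclass
class Rule:
    allow_hosts: tuple[str, ...] = ()    # fnmatch patterns
    allow_ports: tuple[int, ...] = ()
    deny_all: bool = False


@dataclass
class HostFirewall:
    # Keyed by binary hash rather than PID: PIDs are recycled, and a renamed
    # copy of a trusted program should not silently inherit its permissions.
    rules: dict[str, Rule] = field(default_factory=dict)
    pending: list[ConnEvent] = field(default_factory=list)

    def decide(self, ev: ConnEvent) -> str:
        if ev.pid == 0:
            return "deny"                # nothing to attribute the socket to
        rule = self.rules.get(ev.exe_sha256)
        if rule is None:
            self.pending.append(ev)      # unknown binary: hold it and ask the user
            return "prompt"
        if rule.deny_all:
            return "deny"
        host_ok = any(fnmatch(ev.dst_host, p) for p in rule.allow_hosts)
        return "allow" if host_ok and ev.dst_port in rule.allow_ports else "deny"

    def answer(self, ev: ConnEvent, allow: bool) -> None:
        """Persist the user's answer as a rule scoped to exactly what was asked."""
        self.pending.remove(ev)
        if allow:
            self.rules[ev.exe_sha256] = Rule((ev.dst_host,), (ev.dst_port,))
        else:
            self.rules[ev.exe_sha256] = Rule(deny_all=True)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed binaries: a browser, and a dropper that borrows the browser's name.
BROWSER = sha256_hex(b"browser-binary-v1")
DROPPER = sha256_hex(b"dropper-binary")


def run_demo() -> list[str]:
    fw = HostFirewall()
    fw.rules[BROWSER] = Rule(("*.example.com",), (443,))
    events = [
        ConnEvent(4120, "/usr/bin/browser", BROWSER, "www.example.com", 443),   # allow
        ConnEvent(4120, "/usr/bin/browser", BROWSER, "www.example.com", 22),    # deny: port
        ConnEvent(4120, "/usr/bin/browser", BROWSER, "evil.example.net", 443),  # deny: host
        ConnEvent(5310, "/tmp/.x/browser", DROPPER, "www.example.com", 443),    # prompt: new binary
        ConnEvent(0, "", "", "169.254.1.1", 80),                                 # deny: no process
    ]
    verdicts = [fw.decide(e) for e in events]
    fw.answer(events[3], allow=False)          # the user declines; remembered for that binary
    verdicts.append(fw.decide(events[3]))      # now a plain deny, no prompt
    return verdicts


if __name__ == "__main__":
    print(run_demo())
```

The unattributable event (pid 0) is the case that a packet filter alongside the application firewall exists to handle: the per-process engine can only reason about sockets it can tie to a process, so everything else falls back to the packet-level policy. Hash-keyed rules also mean an exact copy of a trusted binary inherits its rule, which is why shipping products add code-signing identity and parent-process checks on top.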
Due to technological limitations, modern solutions such as sandboxing are being used as a replacement for host-based application firewalls to protect system processes.
Implementations
There are various application firewalls available, including both free and open source software and commercial products.
Mac OS X
Starting with Mac OS X Leopard, an implementation of the TrustedBSD MAC framework (taken from FreeBSD) was included. The TrustedBSD MAC framework is used to sandbox services and provides a firewall layer based on the configuration of the sharing services in Mac OS X Leopard and Snow Leopard. Third-party applications can provide extended functionality, including filtering outgoing connections by application.
Linux
This is a list of security software packages for Linux that allow filtering of application-to-OS communication, possibly on a per-user basis:
* AppArmor
* Kerio Control - a commercial product
* ModSecurity - also works under Windows, Mac OS X, Solaris and other versions of Unix. ModSecurity is designed to work with the web servers IIS, Apache2 and NGINX.
* Portmaster by Safing - an activity monitoring application, also available on Windows.
* Systrace
* Zorp
Windows
* WinGate
Network appliances
These devices may be sold as hardware, software, or virtualized network appliances.
Next-Generation Firewalls:
* Cisco Firepower Threat Defense
* Check Point
* Fortinet FortiGate Series
* Juniper Networks SRX Series
* Palo Alto Networks
* SonicWALL TZ/NSA/SuperMassive Series
Web Application Firewalls/Load Balancers:
* A10 Networks Web Application Firewall
* Barracuda Networks Web Application Firewall/Load Balancer ADC
* Citrix NetScaler
* F5 Networks BIG-IP Application Security Manager
* Fortinet FortiWeb Series
* KEMP Technologies
* Imperva
Others:
* CloudFlare
* Meraki
* Smoothwall
* Snapt Inc
See also
* ModSecurity
* Computer security
* Content-control software
* Proxy server
* Information security
* Application security
* Network security
References
External links
* Web Application Firewall, Open Web Application Security Project
* Web Application Firewall Evaluation Criteria, Web Application Security Consortium
* Safety in the cloud(s): 'Vaporizing' the Web application firewall to secure cloud computing